Could we add an option to enable dnssec?
Description
Details
- Difficulty level: Unknown (require assessment)
- Version: -
- Why the issue appeared? Will be filled on close
Event Timeline
This feature is great but it looks buggy to me.
I set the dnssec value to log-fail, but the server returns SERVFAIL.
I ran the same command against my DNS resolver and against the VyOS router, which uses the previous DNS resolver.
Here is the command to call the VyOS DNS service:
dig dnssec-debugger.verisignlabs.com +dnssec +multi @192.168.1.50
Which returns:
; <<>> DiG 9.13.5 <<>> dnssec-debugger.verisignlabs.com +dnssec +multi @192.168.1.50
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6898
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dnssec-debugger.verisignlabs.com. IN A

;; Query time: 28 msec
;; SERVER: 192.168.1.50#53(192.168.1.50)
;; WHEN: mer. janv. 09 17:56:00 CET 2019
;; MSG SIZE  rcvd: 50
And if I run the same command to the initial resolver:
dig dnssec-debugger.verisignlabs.com +dnssec +multi @192.168.1.10
I got:
; <<>> DiG 9.13.5 <<>> dnssec-debugger.verisignlabs.com +dnssec +multi @192.168.1.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7998
;; flags: qr; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dnssec-debugger.verisignlabs.com. IN A

;; ANSWER SECTION:
dnssec-debugger.verisignlabs.com. 2160 IN CNAME webapps.verisignlabs.com.
webapps.verisignlabs.com. 2160 IN A 209.112.118.114
webapps.verisignlabs.com. 2160 IN A 69.36.150.30

;; Query time: 0 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: mer. janv. 09 17:56:06 CET 2019
;; MSG SIZE  rcvd: 200
Is it a VyOS bug or not?
My setup is pretty simple at this level and I don't know where this can come from.
Any idea where this can come from?
Thank you for everything.
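The two dig transcripts in the comment above carry more diagnostic information than the SERVFAIL/NOERROR status alone: the header flags say whether the responding server claims to have validated the answer (the `ad`, Authenticated Data, flag, which a resolver sets only when it validated every RRset in the reply), and the answer section says what it actually returned. The following Python script is an added example, not code from the task or from VyOS, that parses `dig +dnssec` output (either normal multi-line output or output that was flattened onto one line, as it was in the original post) and classifies the reply. The sample inputs reproduce the two responses quoted in the post; the function names `parse_dig` and `assess` are this example's own.

```python
"""Parse `dig +dnssec` output and report what a resolver's reply tells us about
DNSSEC validation.  Added example; the two sample transcripts are copied from
the task comment and are the only input this script is checked against."""
import re
from dataclasses import dataclass, field


@dataclass
class DigResult:
    status: str                 # RCODE text from the HEADER line, e.g. NOERROR, SERVFAIL
    flags: set                  # header flags, e.g. {"qr", "rd", "ra", "ad"}
    answer_count: int           # ANSWER count from the flags line
    server: str                 # ";; SERVER:" value
    answers: list = field(default_factory=list)   # (owner, ttl, type, rdata) tuples


def parse_dig(text: str) -> DigResult:
    """Extract the header fields and the answer RRs from dig output.
    Regexes are anchored on dig's own labels, so a transcript that was
    flattened onto a single line parses the same as the multi-line form."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"flags: ([a-z ]*?);", text)
    ans = re.search(r"ANSWER: (\d+)", text)
    server = re.search(r";; SERVER: (\S+)", text)
    if not (status and flags and ans and server):
        raise ValueError("not a complete dig header")

    answers = []
    section = re.search(r";; ANSWER SECTION:(.*?)(?=;;)", text, re.S)
    if section:
        # Each RR is "owner TTL IN TYPE rdata"; +multi keeps A/CNAME on one line.
        answers = re.findall(r"(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)", section.group(1))

    return DigResult(
        status=status.group(1),
        flags=set(flags.group(1).split()),
        answer_count=int(ans.group(1)),
        server=server.group(1),
        answers=answers,
    )


def assess(r: DigResult) -> str:
    """Classify the reply from a validation point of view.
    'servfail'    - no answer at all; on a validating resolver this is what a
                    validation failure looks like from the client, but an
                    unreachable upstream produces the same code, so the
                    resolver log is what distinguishes the two.
    'validated'   - NOERROR with the ad flag: the resolver vouches for the data.
    'unvalidated' - NOERROR without ad: data was returned but nobody validated it."""
    if r.status == "SERVFAIL":
        return "servfail"
    if r.status != "NOERROR":
        return "other:" + r.status
    if "ad" in r.flags:
        return "validated"
    return "unvalidated"


# Sample input: the two responses quoted in the task comment (VyOS forwarder on
# 192.168.1.50, previous resolver on 192.168.1.10), trimmed to the parsed lines.
VYOS_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6898
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dnssec-debugger.verisignlabs.com. IN A

;; Query time: 28 msec
;; SERVER: 192.168.1.50#53(192.168.1.50)
"""

UPSTREAM_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7998
;; flags: qr; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dnssec-debugger.verisignlabs.com. IN A

;; ANSWER SECTION:
dnssec-debugger.verisignlabs.com. 2160 IN CNAME webapps.verisignlabs.com.
webapps.verisignlabs.com. 2160 IN A 209.112.118.114
webapps.verisignlabs.com. 2160 IN A 69.36.150.30

;; Query time: 0 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
"""

if __name__ == "__main__":
    for text in (VYOS_REPLY, UPSTREAM_REPLY):
        r = parse_dig(text)
        print(f"{r.server}: {r.status} flags={sorted(r.flags)} "
              f"answers={len(r.answers)} -> {assess(r)}")
```

Run against the post's transcripts, the script reports the VyOS forwarder as `servfail` and the previous resolver as `unvalidated`: its reply carries only the `qr` flag, so it did not validate the answer either, which is worth knowing when comparing the two results.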
Thank you for this very quick response.
I will be out for the night after this message.
Here is my full service > dns configuration:
dns {
    forwarding {
        cache-size 0
        dnssec log-fail
        domain mabbox.bytel.fr {
            server 192.168.77.1
        }
        listen-address 192.168.1.50
        name-server 192.168.1.10
    }
}
It's very simple.
Is there an issue?