Unbound DNSSec with unbound_manager?

[dominik]

Hello,
I'm using latest merlinwrt 388.1 on AX86U with unbound manager (v3.22) and can't get DNSSec to work
With unbound turned on DNSSec validation is gone, please take a look at this example:

admin@router:/tmp/home/root# dig @192.168.1.1 +adflag example.org A

; <<>> DiG 9.18.1 <<>> @192.168.1.1 +adflag example.org A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41136
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;example.org.                   IN      A

;; ANSWER SECTION:
example.org.            14040   IN      A       93.184.216.34

;; Query time: 1 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Wed Jan 04 11:48:50 CET 2023
;; MSG SIZE  rcvd: 56

This returns answer without dnssec validation (no AD flag).

Trying same thing on google nameservers (also quad9 are ok):

admin@router:/tmp/home/root# dig @8.8.8.8 +adflag example.org A

; <<>> DiG 9.18.1 <<>> @8.8.8.8 +adflag example.org A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45771
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.org.                   IN      A

;; ANSWER SECTION:
example.org.            13696   IN      A       93.184.216.34

;; Query time: 9 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Wed Jan 04 11:48:59 CET 2023
;; MSG SIZE  rcvd: 56

Also it works when unbound is stopped:

admin@router:/tmp/home/root# dig @192.168.1.1 +adflag example.org A

; <<>> DiG 9.18.7 <<>> @192.168.1.1 +adflag example.org A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56427
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;example.org.                   IN      A

;; ANSWER SECTION:
example.org.            84638   IN      A       93.184.216.34

;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Wed Jan 04 12:59:53 CET 2023
;; MSG SIZE  rcvd: 56

I noticed that unbound in it's options recommends turning off DNSSec and DNS Rebind protection:

no matter what is selected there AD flag is missing when unbound is working.
I also checked advanced options for unbound manager, also with DoT - but still AD flag with running unbound is lost

Anybody got it working with DNSSec?

 

[bbunge]

No need for DNSSEC with Unbound as it works as a forwarding resolver. I believe it uses its own secure communications.

 

[chongnt]

I am running on AC86U. Can you try to run the below command and see if you get the same similar output?

admin@RT-AC86U-DBA8:/tmp/home/root# unbound-control get_option port
53535
admin@RT-AC86U-DBA8:/tmp/home/root# dig +dnssec -p 53535

; <<>> DiG 9.18.7 <<>> +dnssec -p 53535
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20668
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1428
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       323476  IN      NS      i.root-servers.net.
.                       323476  IN      NS      j.root-servers.net.
.                       323476  IN      NS      k.root-servers.net.
.                       323476  IN      NS      l.root-servers.net.
.                       323476  IN      NS      m.root-servers.net.
.                       323476  IN      NS      a.root-servers.net.
.                       323476  IN      NS      b.root-servers.net.
.                       323476  IN      NS      c.root-servers.net.
.                       323476  IN      NS      d.root-servers.net.
.                       323476  IN      NS      e.root-servers.net.
.                       323476  IN      NS      f.root-servers.net.
.                       323476  IN      NS      g.root-servers.net.
.                       323476  IN      NS      h.root-servers.net.
.                       323476  IN      RRSIG   NS 8 0 518400 20230114170000 20230101160000 951 . jjT6lEOHlA/x47a2y++jVTGdYV8aJ9g4Pworcv1lHDkzQWEIX4/ie+Nk FjXfzUEWxKGXbDluX/AT1aVum48O8eYUO4gkJ1yOhz6y593t6iFWyw+G cVmVrRU8bOdAmizX6/qxjB4FIiUrepzuhko8MuZgRt5+LasuHMKBTGBu sjnBMkLBd6K6bivYGgmZ10jagUxSyfmqeJFanMcBTO5ysp+nkavxRu2r 4Y1DrGldgMKFpyyYEQK0bx4DJRAmM2Eoqvzped1OukI/7+kGSLpY5q1J vwG2T4cdv55nbcXI/lGFVkALTMCI5ubANbVA0skZN0nibI2VtHOb4tqe sHl+lw==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53535(127.0.0.1) (UDP)
;; WHEN: Wed Jan 04 20:53:45 MYT 2023
;; MSG SIZE  rcvd: 525

You can also run this to check the query counter

unbound-control stats_noreset | grep -F num.query.flags.AD

 

[dominik]

No need for DNSSEC with Unbound as it works as a forwarding resolver. I believe it uses its own secure communications.

One of my services checking for dnssec flags and won't start without it It will fail to start doing dnssec validation and script is looking exactly for this flag inside queries

I am running on AC86U. Can you try to run the below command and see if you get the same similar output?

trying:

admin@router:/tmp/home/root# unbound-control get_option port
53535
admin@router:/tmp/home/root# dig +dnssec -p 53535
;; communications error to 9.9.9.9#53535: host unreachable
;; communications error to 9.9.9.9#53535: host unreachable
;; communications error to 9.9.9.9#53535: host unreachable
;; communications error to 149.112.112.112#53535: host unreachable
;; communications error to 127.0.1.1#53535: connection refused

; <<>> DiG 9.18.7 <<>> +dnssec -p 53535
;; global options: +cmd
;; no servers could be reached

this probably looks for /etc/resolv.conf nameservers (now quad9) and trying to query all of them on given port, I guess that unbound is listening on 127.0.0.1:53535 (not 127.0.1.1)

admin@router:/tmp/home/root# dig +dnssec @127.0.0.1 -p 53535

; <<>> DiG 9.18.7 <<>> +dnssec @127.0.0.1 -p 53535
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14811
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1472
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       516072  IN      NS      f.root-servers.net.
.                       516072  IN      NS      g.root-servers.net.
.                       516072  IN      NS      h.root-servers.net.
.                       516072  IN      NS      i.root-servers.net.
.                       516072  IN      NS      j.root-servers.net.
.                       516072  IN      NS      k.root-servers.net.
.                       516072  IN      NS      l.root-servers.net.
.                       516072  IN      NS      m.root-servers.net.
.                       516072  IN      NS      a.root-servers.net.
.                       516072  IN      NS      b.root-servers.net.
.                       516072  IN      NS      c.root-servers.net.
.                       516072  IN      NS      d.root-servers.net.
.                       516072  IN      NS      e.root-servers.net.
.                       516072  IN      RRSIG   NS 8 0 518400 20230117050000 20230104040000 951 . GCWB4LpmDiyF/elU8+NuAhg/Q6RFCHWIQTT09TOOErpP4TZbD99n7/Kw uQcR7OUcVqwpnEaIu+DSWXye5Ee1n4ZmZipsg3JISJDIj41lFsk3t5D8 IRtPJpedAvrehz7hnn4yt7F5wm5N3s5R0PyehS+B8Pxb9tIpSyzt6nB1 B0IS0zugvOTfoJ3LAEkvnKo+q/PGcykjAtm5ZIA82VsVOR+eNXeWV2vC G2Mxx5ld0A7grTEBSracozCDak4SpbQ48b5aoTiR5o9JblZdJn0diqwr 1ihBXE2DcqFPKDNqYdf5S5L6ep36CEv92SPLPhWz4dAwhVWOsOH5gJhW BawM9g==

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53535(127.0.0.1) (UDP)
;; WHEN: Wed Jan 04 14:09:12 CET 2023
;; MSG SIZE  rcvd: 525

this answer got AD flag :/
other settings:

admin@router:/tmp/home/root# unbound-control stats_noreset | grep -F num.query.flags.RD
num.query.flags.RD=173
admin@router:/tmp/home/root# unbound-control stats_noreset | grep -F num.query.edns.DO
num.query.edns.DO=41
admin@router:/tmp/home/root# unbound-control stats_noreset | grep -F num.query.edns.present
num.query.edns.present=43

I also increased verbosity to 3 and checked that unbound receives queries (no errors):

Jan 04 13:55:40 unbound[3965:0] query: 127.0.0.1 example.org. A IN
Jan 04 13:55:40 unbound[3965:0] debug: worker request: max UDP reply size modified (4096 to max-udp-size)
Jan 04 13:55:40 unbound[3965:0] reply: 127.0.0.1 example.org. A IN NOERROR 0.000000 1 227

Seems that unbound is responding with ad flag but only on 127.0.0.1:53535, but same thing is lost at router address :/

 

[chongnt]

...snipped...

I noticed that unbound in it's options recommends turning off DNSSec and DNS Rebind protection:

View attachment 46915

Missed your capture. Any chance you have these options set to Yes in GUI WAN - Internet Connection page?

 

[dave14305]

dnsmasq is likely not passing the ad flag since unbound_manager disables dnsmasq’s dnssec for caching purposes. The dnsmasq proxy-dnssec option would be handy but might not play well with the whole picture.

 

[dominik]

Missed your capture. Any chance you have these options set to Yes in GUI WAN - Internet Connection page?
View attachment 46916

View attachment 46917

Checked those several times trying both on/off:

And current unbound section:

I already know that router built in dnssec will conflict with unbound, all test above are with both options off.