DS Record not properly handled when "upstream DNS server" is set #6156

Closed
4 tasks done
lekoOwO opened this issue Aug 30, 2023 · 3 comments

lekoOwO commented Aug 30, 2023

Prerequisites

Platform (OS and CPU architecture)

Linux, AMD64 (aka x86_64)

Installation

GitHub releases or script from README

Setup

On one machine

AdGuard Home version

v0.107.36

Action

I've set up like

1.1.1.1
[/my.internal.domain/]192.168.0.1

to make queries to my.internal.domain forward to 192.168.0.1
but this makes the query for DS records of my.internal.domain forwarded to 192.168.0.1 too.

RFC3658 says that "DS RRsets MUST NOT appear at non-delegation points or at a zone's apex", thus the query for DS record of my.internal.domain should be forwarded to where we query internal.domain, that is, 1.1.1.1.

Expected result

The query for DS record of my.internal.domain should be forwarded to where we query internal.domain, that is, 1.1.1.1

Actual result

The query for DS record is forwarded to 192.168.0.1

Additional information and/or screenshots

No response

EugeneOne1 self-assigned this Aug 31, 2023
EugeneOne1 added the "needs investigation" label (Needs to be reproduced reliably.) Aug 31, 2023

lekoOwO commented Sep 1, 2023

BTW, PowerDNS Recursor advises that users add their own DS records/NTA to its config file:

IMPORTANT: When using DNSSEC validation (which is default), forwards to non-delegated (e.g. internal) zones that have a DNSSEC signed parent zone will validate as Bogus. To prevent this, add a Negative Trust Anchor (NTA) for this zone in the lua-config-file with addNTA("your.zone", "A comment"). If this forwarded zone is signed, instead of adding NTA, add the DS record to the lua-config-file. See the DNSSEC in the PowerDNS Recursor information.

Quoted from https://doc.powerdns.com/recursor/settings.html#forward-zones

but I think it can be done better by querying the DS records from the parent zone
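
The routing asked for in the two comments above, sketched as an added example (not AdGuard Home's or dnsproxy's own code): a DS question is matched against the domain-specific upstream list by its parent name, every other type by the full name. The `upstreams` type and the `exampleConfig` and `pick` functions are hypothetical names, and the configuration is the two-line one from the report.

```go
package main

import (
	"fmt"
	"strings"
)

const (
	typeA  uint16 = 1 // RR type codes (RFC 1035, RFC 4034)
	typeDS uint16 = 43
)

// upstreams is a hypothetical model of the upstream list from the issue.
type upstreams struct {
	fallback string            // general upstream
	domains  map[string]string // reserved domain -> dedicated upstream
}

// exampleConfig reproduces the two configuration lines from the report.
func exampleConfig() upstreams {
	return upstreams{
		fallback: "1.1.1.1",
		domains:  map[string]string{"my.internal.domain": "192.168.0.1"},
	}
}

// pick returns the upstream for a question. A DS RRset lives on the parent
// side of a zone cut, so a DS question is matched by the owner name minus
// its leftmost label; every other type is matched by the full name.
func (u upstreams) pick(qname string, qtype uint16) string {
	name := strings.ToLower(strings.TrimSuffix(qname, "."))
	if qtype == typeDS {
		_, name, _ = strings.Cut(name, ".") // "" when the parent is the root
	}
	for name != "" { // longest-suffix match, walking up one label at a time
		if up, ok := u.domains[name]; ok {
			return up
		}
		_, name, _ = strings.Cut(name, ".")
	}
	return u.fallback
}

func main() {
	u := exampleConfig()
	fmt.Println(u.pick("my.internal.domain.", typeA))       // 192.168.0.1
	fmt.Println(u.pick("my.internal.domain.", typeDS))      // 1.1.1.1
	fmt.Println(u.pick("host.my.internal.domain.", typeDS)) // 192.168.0.1
}
```

A DS question for a name below the reserved domain still goes to the internal server, because its parent is inside the forwarded zone.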

adguard pushed a commit that referenced this issue Oct 11, 2023
Merge in DNS/adguard-home from 6156-upd-proxy to master

Updates #6156.

Squashed commit of the following:

commit 8e765f7
Merge: b18d0ae 3ec76cd
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Mon Oct 9 15:51:22 2023 +0300

    Merge branch 'master' into 6156-upd-proxy

commit b18d0ae
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Mon Oct 9 13:06:42 2023 +0300

    all: upd proxy

EugeneOne1 added the "bug" and "P3: Medium" labels and removed the "needs investigation" label (Needs to be reproduced reliably.) Oct 11, 2023

EugeneOne1 (Member) commented

@lekoOwO, hello and apologies for the late reply. We've finally pushed the fix for this, so could you please try installing the edge release and see if it now redirects DS requests to where they should go?

ainar-g added this to the v0.107.39 milestone Oct 11, 2023

EugeneOne1 (Member) commented

@lekoOwO, it's released in v0.107.39. Consider reopening this issue if you face any bugs with our implementation.

ehsan11100 pushed a commit to ehsan11100/AdGuard that referenced this issue Mar 26, 2024
Merge in GO/adguard-home-wiki from doc-ds-upstream-config to master

Updates AdguardTeam/AdGuardHome#6156.

Squashed commit of the following:

commit cabb4325803ebdb51ff3a749c0b788e62e03b1ee
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Thu Oct 12 18:03:52 2023 +0300

    Configuration: screen spec chars

commit f3de47b618166d1ca407bd55e7b0945016407393
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Thu Oct 12 17:59:03 2023 +0300

    Configuration: imp txt

commit 52c43fa8e4f14db15ad3457a40f6e5c346f9780e
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Thu Oct 12 17:48:19 2023 +0300

    Configuration: mention ds