DNSSEC: error on .de-Domains

[digitalwolke]

Hi,

I'm hosting my domains with Technitium DNS as Authoritive Name Server.

Recently I'm wanted to change a domain (add DNSSEC) and have no luck, because the update didn't go through.
So, in my case it is a .de-Domain from DENIC. As always I look at the Predelegation Check (nast.denic.de) whats going on.
For all my nameservers (that served by Technitium DNS), the output is:

218 | Received invalid answer to a DO-Bit query
Parameter:
found: DO-Bit missing

After some digging around, I see, thats on all of my Domains! Also them, there be DNSSEC always activated.
I think it could a problem with the new update? Or I do something wrong, but I don't know?!

If you need a testdomain, you can check with zonetransfer.de

Thanks for help!

Some more information:
Technitium DNS 15.2
no problems with zones without DNSSEC
Only the DENIC predelagation shows the error - Verisigin Analyzer, Zonemaster, etc. says all is good - due to this PREdelegation checks on any update, DNSSEC can not configured (add DNSSEC entry) to the .de-Domain...
DNSSEC zones in Technitium activated with standard settings or NSEC3

I can not check, if it is a problem of 15.2 or was always there before, because I see not possibility to deploy an older version.

[ShreyasZare]

Thanks for the post. The latest version has been working well with DNSSEC signed zones and no issues have been identified. Technitium's own domain names are hosted with Technitium DNS Server and are DNSSEC signed.

Since your domain name in question is unknown, its difficult to analyze the issue. If possible, do share the domain name over email to support@technitium.com so that I can test it independently.

You can also test it yourself using the DNS Client tool on the admin panel itself. Use the tool to query "This Server" for your domain name which is a DNSSEC signed zone on the same server and check the "Enable DNSSEC Validation" option before you resolve. The DNS Client does query independently and does its own DNSSEC validation. The output will show you if the validation succeeded.

You can also use DNS Viz to test your domain if its live.

[xemo-net]

Hi,

I'm having exactly the same problem as @digitalwolke. I can't publish .de domains via DNSEC. Every time I try to sign a domain with DS records at DENIC (via InternetX - AutoDNS), I get the error message "ERROR: 218 Received invalid answer to a DO-Bit query (nameserver, ip, record, found)"

I get the same error message when running a NAST predelegation check. My current test domain is 365shirt.de.

I have no issues with DNSEC for the .com TLD.

[ShreyasZare]

@xemo-net thanks for the feedback. Yesterday I tested domain names shared by @digitalwolke over email and it looked all fine since tools like DNS Viz, etc. did not flag anything.

However, I did some further checks with tests and the DO flag is not getting set in one place. So this indeed is an issue and will get it fixed in the upcoming update.

[AWildLeon]

Hey, I ran into the same issue.
If i apply this patch it works.

diff --git a/DnsServerCore/Dns/ZoneManagers/AuthZoneManager.cs b/DnsServerCore/Dns/ZoneManagers/AuthZoneManager.cs
index 352ea6c0..41a9a1c7 100644
--- a/DnsServerCore/Dns/ZoneManagers/AuthZoneManager.cs
+++ b/DnsServerCore/Dns/ZoneManagers/AuthZoneManager.cs
@@ -3536,7 +3536,7 @@ namespace DnsServerCore.Dns.ZoneManagers
                     }
                 }
 
-                return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, true, false, request.RecursionDesired, isRecursionAllowed, false, false, rCode, request.Question, answer, authority, additional, udpPayloadSize: _dnsServer.UdpPayloadSize, options: eDnsOptions);
+                return new DnsDatagram(request.Identifier, true, DnsOpcode.StandardQuery, true, false, request.RecursionDesired, isRecursionAllowed, false, false, rCode, request.Question, answer, authority, additional, _dnsServer.UdpPayloadSize, request.DnssecOk ? EDnsHeaderFlags.DNSSEC_OK : EDnsHeaderFlags.None, eDnsOptions);
             }
         }
 

[ShreyasZare]

@AWildLeon Yes, that's the correct fix for this issue.

[AWildLeon]

FYI: Im one of two maintainers in nixpkgs for Technitium.
Thanks for this awesome DNS server! Is there an ETA for a patch release? I'm wondering whether to wait for the official release or carry this as a patch in nixpkgs in the meantime.

[ShreyasZare]

@AWildLeon You're welcome. Nice to know about nixpkgs. I am planning for the next update to be around end of this month. Working on a few more issues for the upcoming release.

[AWildLeon]

Ok, I'll carry the patch downstream in nixpkgs until the next release. Just a heads-up in case any NixOS users find their way into this issue.