I am running Unbound 1.9.0 as a recursive caching DNS server for a small branch office. It recurses over TLS towards cloudflare only and it has a typetransparent local-zone (example.com) overriding some of the public records from the public authoritative servers.
I am deploying SSHFP records across my organization and since unbound is not setting the AD flag (DNSSEC) the SSH client says "Matching host key fingerprint found in DNS" but still asks whether i trust the server fingerprint or not. Tested with ssh -o "VerifyHostKeyDNS yes" [email protected]
Evidence of the issue at the end of this post.
The https://dnssec.vs.uni-due.de/ test returns OK from each LAN client.
Test clients are using the following /etc/resolv.conf
(NetworkManager 1.10.6, no systemd-resolved, no dnsmasq).
search example.com
nameserver 192.168.1.100
These are the relevant parts from /etc/unbound/unbound.conf:
interface: 192.168.1.100
interface: 192.168.1.100@853
tls-port: 853
tls-service-key: /etc/unbound/mycert.pem
tls-service-pem: /etc/unbound/mykey.key
max-udp-size: 65536
do-udp: yes
do-tcp: yes
tcp-upstream: no
module-config: "validator iterator"
hide-identity: yes
hide-version: yes
identity: "Not Supported"
version: "0"
qname-minimisation: yes
harden-short-bufsize: yes
harden-large-queries: yes
harden-glue: yes
harden-dnssec-stripped: yes
harden-below-nxdomain: yes
harden-referral-path: yes
use-caps-for-id: yes
prefetch-key: yes
rrset-roundrobin: yes
minimal-responses: yes
val-clean-additional: yes
val-permissive-mode: no
#FORWARD
forward-zone:
forward-tls-upstream: yes
name: "."
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
#LOCAL ZONE
local-zone: example.com typetransparent
local-data: "gw.example.com A 192.168.1.1"
local-data-ptr: "192.168.1.1 gw.example.com"
Evidence of the issue using dig
# DIRECTLY QUERYING CLOUDFLARE SHOWS THE AD FLAG :
user@testclient:~$ dig -t SSHFP test.example.com +dnssec @1.1.1.1
; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> -t SSHFP test.example.com +dnssec @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54559
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;test.example.com. IN SSHFP
;; ANSWER SECTION:
test.example.com. 300 IN SSHFP 1 2 xxx yyy
test.example.com. 300 IN SSHFP 2 2 xxx yyy
test.example.com. 300 IN SSHFP 3 2 xxx yyy
test.example.com. 300 IN SSHFP 4 2 xxx yyy
test.example.com. 300 IN RRSIG SSHFP 13 3 300 20211017181912 20211015161912 34505 example.com. zzz==
;; Query time: 19 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Oct 16 19:32:33 CEST 2021
;; MSG SIZE rcvd: 334
# AD FLAG MISSING WHEN QUERYING THE LOCAL UNBOUND:
user@testclient:~$ dig -t SSHFP test.example.com +dnssec @192.168.1.100
; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> -t SSHFP test.example.com +dnssec @192.168.1.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54559
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;test.example.com. IN SSHFP
;; ANSWER SECTION:
test.example.com. 2670 IN SSHFP 1 2 xxx yyy
test.example.com. 2670 IN SSHFP 2 2 xxx yyy
test.example.com. 2670 IN SSHFP 3 2 xxx yyy
test.example.com. 2670 IN SSHFP 4 2 xxx yyy
test.example.com. 2670 IN RRSIG SSHFP 13 3 300 20211017181912 20211015161912 34505 example.com. zzz==
;; Query time: 2 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Sat Oct 16 19:32:33 CEST 2021
;; MSG SIZE rcvd: 334