[GH-ISSUE #2514] DNSSEC Not Working as Expected #1009

Open
opened 2026-03-16 01:15:21 +03:00 by kerem · 11 comments

Originally created by @ngocnha on GitHub (Oct 17, 2024).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2514

Upon successful DNSSEC configuration on my hickory-dns server, I anticipated receiving an NSEC record in response to a query for a non-existent RRset. However, the server is only returning an SOA record.
I'm certain DNSSEC is configured correctly. I'm using the latest hickory-dns version pulled from the git repository. What could I be missing?


@djc commented on GitHub (Oct 17, 2024):

Do you have a minimal reproduction?


@ngocnha commented on GitHub (Oct 17, 2024):

The parameters I used to build hickory-dns are in this command line

cargo build --target x86_64-unknown-linux-musl --release -p hickory-dns --no-default-features --features sqlite,dnssec,dnssec-ring,dns-over-quic

I've configured a server on IP address 45.63.4.93. You can query it to verify.

dig @45.63.4.93 -p 1053 abcdef.pro-service.top A +dnssec +multiline


@marcus0x62 commented on GitHub (Oct 18, 2024):

This is related to the issue(s) addressed in #2502. Right now, the recursor does not do any DNSSEC processing of any error response (which includes negative responses).

There are also some bugs related to NSEC3 record validation that are not addressed in that PR, but for the basic case of a properly delegated secure zone returning a NODATA response with an NSEC proof, #2502 should provide a complete fix.


@marcus0x62 commented on GitHub (Oct 20, 2024):

Hi @ngocnha, I've merged #2502 into our main branch. Please check this out and see if it fixes the problem you are seeing. Note: the domain you included in your example does not appear to return NSEC records, at least not for abcdef.pro-service.top. If you query against Google DNS, it will return EDE error code 12 (NSEC Missing). I rebuilt a server from the current main branch and verified a query against that server did return NSEC records for another domain which I know is configured correctly.

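The symptom described in the comment above (SOA but no NSEC in a negative answer, reported by a validating resolver as EDE 12) can be checked mechanically on the raw response. The following is an added example written for this thread, not hickory-dns code: a small stdlib-only parser that reads a DNS wire-format message and classifies what the AUTHORITY section proves about the queried name. The messages it runs on are constructed inline (the zone name `pro-service.top` is taken from the thread, the RRSIG bodies are dummies), so it runs offline; in practice you would feed it the UDP payload read from a socket or a pcap.

```python
"""Classify the denial-of-existence proof carried by a DNS negative answer.

Added example for this thread, not hickory-dns code. NXDOMAIN/NODATA with
RRSIG(SOA) but no NSEC or NSEC3 records cannot prove absence; RFC 8914
Extended DNS Error 12 "NSEC Missing" is how a validator reports that.
Sample messages are constructed inline with dummy signature bodies: only
record presence and RRSIG type coverage are inspected, never validity.
"""
import struct

TYPE_A, TYPE_SOA, TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3 = 1, 6, 46, 47, 50
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
EDE_RRSIGS_MISSING, EDE_NSEC_MISSING = 10, 12  # RFC 8914 info-codes
ZONE = "pro-service.top."  # zone name taken from the thread


def read_name(msg, off):
    """Decode a possibly compressed name; return (dotted name, offset after it)."""
    labels, jumped, end = [], False, off
    for _ in range(128):  # cap defends against pointer loops in hostile input
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into earlier data
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack_from("!H", msg, off)[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("name too long or compression pointer loop")
    return ".".join(labels) + ".", (end if jumped else off)


def read_rrs(msg, off, count):
    """Parse `count` resource records; return ([(owner, type, rdata)], offset)."""
    rrs = []
    for _ in range(count):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rrs.append((owner, rtype, msg[off:off + rdlen]))
        off += rdlen
    return rrs, off


def analyze_negative_response(wire):
    """Report what the AUTHORITY section proves about the queried name/type."""
    _id, flags, qd, an, ns, _ar = struct.unpack_from("!HHHHHH", wire, 0)
    off = 12
    for _ in range(qd):
        _qname, off = read_name(wire, off)
        off += 4  # QTYPE + QCLASS
    answers, off = read_rrs(wire, off, an)
    authority, _off = read_rrs(wire, off, ns)
    present = {rtype for _, rtype, _ in authority}
    # RRSIG rdata begins with the 16-bit "type covered" field.
    covered = {struct.unpack_from("!H", rd, 0)[0]
               for _, rtype, rd in authority if rtype == TYPE_RRSIG}
    rcode = flags & 0xF
    negative = rcode == RCODE_NXDOMAIN or (rcode == RCODE_NOERROR and not answers)
    if TYPE_NSEC in present and TYPE_NSEC in covered:
        proof, ede = "nsec", None
    elif TYPE_NSEC3 in present and TYPE_NSEC3 in covered:
        proof, ede = "nsec3", None
    elif present & {TYPE_NSEC, TYPE_NSEC3}:
        proof, ede = "unsigned", EDE_RRSIGS_MISSING  # denial records, no RRSIG over them
    else:
        proof, ede = "missing", EDE_NSEC_MISSING  # this thread's symptom: SOA only
    return {"rcode": rcode, "negative": negative, "has_soa": TYPE_SOA in present,
            "proof": proof, "expected_ede": ede if negative else None}


# ---- constructed sample messages (not captured from any real server) -----
def _name(s):
    labels = [l for l in s.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _rr(owner, rtype, rdata, ttl=600):
    return _name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def _rrsig(covered):
    # type covered, alg 8, labels, orig TTL, expiry, inception, key tag, signer, dummy sig
    return struct.pack("!HBBIIIH", covered, 8, 2, 600, 0, 0, 12345) + _name(ZONE) + b"\x00" * 32


def build_response(qname, rcode, authority):
    header = struct.pack("!HHHHHH", 0x1234, 0x8400 | rcode, 1, 0, len(authority), 0)  # QR+AA
    return header + _name(qname) + struct.pack("!HH", TYPE_A, 1) + b"".join(authority)


SOA_RD = _name("ns1." + ZONE) + _name("hostmaster." + ZONE) + struct.pack(
    "!IIIII", 2024100805, 10000, 2400, 604800, 600)
NSEC_RD = _name("m2410." + ZONE) + bytes([0, 1, 0x40])  # next owner + bitmap {A}
NSEC3_RD = bytes([1, 0, 0, 0, 0, 20]) + b"\x11" * 20 + bytes([0, 1, 0x40])  # SHA-1, 0 iters, no salt
SOA_RR, SOA_SIG = _rr(ZONE, TYPE_SOA, SOA_RD), _rr(ZONE, TYPE_RRSIG, _rrsig(TYPE_SOA))
QNAME = "abcdef." + ZONE

SOA_ONLY = build_response(QNAME, RCODE_NXDOMAIN, [SOA_RR, SOA_SIG])
WITH_NSEC = build_response(QNAME, RCODE_NXDOMAIN, [
    SOA_RR, SOA_SIG, _rr(ZONE, TYPE_NSEC, NSEC_RD), _rr(ZONE, TYPE_RRSIG, _rrsig(TYPE_NSEC))])
WITH_NSEC3 = build_response(QNAME, RCODE_NOERROR, [  # NODATA: NOERROR with empty ANSWER
    SOA_RR, SOA_SIG, _rr("h." + ZONE, TYPE_NSEC3, NSEC3_RD), _rr("h." + ZONE, TYPE_RRSIG, _rrsig(TYPE_NSEC3))])
UNSIGNED_NSEC = build_response(QNAME, RCODE_NXDOMAIN, [SOA_RR, _rr(ZONE, TYPE_NSEC, NSEC_RD)])

if __name__ == "__main__":
    for label, wire in [("SOA only", SOA_ONLY), ("NSEC", WITH_NSEC), ("NSEC3", WITH_NSEC3)]:
        print(f"{label:10} {analyze_negative_response(wire)}")
```

The `SOA_ONLY` message is the shape the original poster's server was producing: a signed SOA proves the zone is signed, but nothing in the answer proves `abcdef.pro-service.top` does not exist, which is why a validator has to give up with EDE 12 rather than return a validated NXDOMAIN. The `unsigned` case is the other half of the same check: denial records that are present but not covered by an RRSIG are no proof either.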

@ngocnha commented on GitHub (Oct 21, 2024):

I pulled the code from the main branch and built it. I configured DNSSEC according to the example template, and it can automatically generate RRSIG records, but I don't know why it still can't automatically generate NSEC records.


@marcus0x62 commented on GitHub (Oct 21, 2024):

Can you post your named.toml file?


@ngocnha commented on GitHub (Oct 21, 2024):

### This is my config file

```toml
[[zones]]
zone = "localhost"
zone_type = "Primary"
file = "default/localhost.zone"

[[zones]]
zone = "0.0.127.in-addr.arpa"
zone_type = "Primary"
file = "default/127.0.0.1.zone"

[[zones]]
zone = "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa"
zone_type = "Primary"
file = "default/ipv6_1.zone"

[[zones]]
zone = "255.in-addr.arpa"
zone_type = "Primary"
file = "default/255.zone"

[[zones]]
zone = "0.in-addr.arpa"
zone_type = "Primary"
file = "default/0.zone"

[[zones]]
zone = "pro-service.top"
zone_type = "Primary"
enable_dnssec = true
stores = { type = "sqlite", zone_file_path = "pro-service.top.zone", journal_file_path = "pro-service.top_dnssec_update.jrnl", allow_update = true }

[[zones.keys]]
key_path = "dnssec/zsk_rsa_2048.pem"
algorithm = "RSASHA256"
is_zone_signing_key = true
is_zone_update_auth = false

[[zones.keys]]
# Requires --features=ring
key_path = "dnssec/update/ed25519.priv.pk8"
algorithm = "ED25519"
is_zone_signing_key = false
is_zone_update_auth = true
```

### pro-service.top.zone

```zone
@                   IN SOA   ns1.pro-service.top. hostmaster.pro-service.top. 2024100805 10000 2400 604800 600

                    IN NS    ns1.pro-service.top.
                    IN NS    ns2.pro-service.top.

ns1                 IN CNAME m2410.pro-service.top.
ns2                 IN CNAME m2410.pro-service.top.

@                   IN A     45.63.4.93
m2410               IN A     45.63.4.93

mail                IN CNAME m2410.pro-service.top.
autoconfig          IN CNAME m2410.pro-service.top.
autodiscover        IN CNAME m2410.pro-service.top.
mta-sts             IN CNAME m2410.pro-service.top.

@                   IN MX    10 m2410.pro-service.top.

@                   IN TXT   "v=spf1 mx ra=postmaster -all"
m2410               IN TXT   "v=spf1 a ra=postmaster -all"

202410e._domainkey  IN TXT   "v=DKIM1; s=email; k=ed25519; p=LAMT7C3N7PkvZH/zoU+79aTPw/LAb5JmsYWYSPzH+Rc="
202410r._domainkey  IN TXT   "v=DKIM1; s=email; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx1V5nnaxWFaFzBbZ621yIFAyYh8eViXKxDObYxHZ31VljVWgIOEBBA7th4F8cOLP1WET9ZopH4cFVbfQcQt1XSCI>

_dmarc              IN TXT   "v=DMARC1; p=reject; rua=mailto:postmaster@pro-service.top; ruf=mailto:postmaster@pro-service.top; aspf=s; adkim=s"

_mta-sts            IN TXT   "v=STSv1; id=13664471781970075432"
_smtp._tls          IN TXT   "v=TLSRPTv1; rua=mailto:postmaster@pro-service.top"

@                   IN CAA   0 issue "letsencrypt.org"
@                   IN CAA   0 issuewild "letsencrypt.org"

_25._tcp.m2410      IN TLSA  3 0 1 f6d46814195160a1b65b911c6846a6a2e02e0deef01f1e406ac0906eea2be0e1
_25._tcp.m2410      IN TLSA  3 0 2 8200bdaa7618fbe720051f58da39789bed74a567c19de86c04c01e08477f47f5d0bcafa103a5cfc030a50816257880b82f11f47aad489b4910b1c3947ac55bfb
_25._tcp.m2410      IN TLSA  3 1 1 2687653821943f6012010a6950219afeccc79667a15527d6372c55cb2a02e237
_25._tcp.m2410      IN TLSA  3 1 2 1fb999f1270c683154d8d5d4e9da34f8a92a81ad393a1adb81cd33dbe99a4df04a232cbec8f14315b2c2632b881e45668b907972fadf32a10cf39f04a7f2057d
_25._tcp.m2410      IN TLSA  2 0 1 5dfdb3cf31b26f23d87c09f3a0cef642f64069a9fb7cfe29270bb5dc0f1e16bb
_25._tcp.m2410      IN TLSA  2 0 2 4e32b7ee52c9bd2a15b2df3cae5e3b060d737d71faaaac25336c5f193cbdb52ed2fdf38b29aea9fb97f59c8f86e75b5c364309a232623a99e638116ed66063fd
_25._tcp.m2410      IN TLSA  2 1 1 3586d4ecf070578cbd27aedce20b964e48bc149faeb9dad72f46b857869172b8
_25._tcp.m2410      IN TLSA  2 1 2 a1ef14fea3ca15a552d42665d2fe685672cfdd903de4b370b0d7d87c6d31b5df07142483f36e0e15e16b58f9ba1cbdeeebd4bcb8d74ab7ea32a087db2105f402
```

### and my build command

```shell
cargo build --target x86_64-unknown-linux-musl --release -p hickory-dns \
--no-default-features \
--features sqlite,dnssec,dnssec-openssl,dnssec-ring
```

@divergentdave commented on GitHub (Oct 21, 2024):

I think you may need to add `nx_proof_kind = "nsec"` or `nx_proof_kind = { nsec3 = { iterations = 0 } }` below `enable_dnssec = true` to generate those records. (I haven't tested this myself FWIW)


@marcus0x62 commented on GitHub (Oct 21, 2024):

I just tested it. @divergentdave is correct.

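For reference, here is the `pro-service.top` stanza from the posted `named.toml` with the change the two comments above arrive at. This is an added example assembled from the thread, not from the hickory-dns documentation: the option name and the two value forms are exactly those given and tested above, and no other spelling has been verified here. The rest of the stanza is unchanged from what was posted.

```toml
[[zones]]
zone = "pro-service.top"
zone_type = "Primary"
enable_dnssec = true
# This line was missing from the posted config. Without it the zone is signed
# (RRSIGs appear) but negative answers carry only the SOA, so a validating
# resolver cannot prove non-existence and reports EDE 12 "NSEC Missing".
nx_proof_kind = "nsec"
# Alternative form from the thread, for hashed denial (NSEC3). Zero extra
# iterations matches the current operational recommendation (RFC 9276).
# nx_proof_kind = { nsec3 = { iterations = 0 } }
stores = { type = "sqlite", zone_file_path = "pro-service.top.zone", journal_file_path = "pro-service.top_dnssec_update.jrnl", allow_update = true }

[[zones.keys]]
key_path = "dnssec/zsk_rsa_2048.pem"
algorithm = "RSASHA256"
is_zone_signing_key = true
is_zone_update_auth = false

[[zones.keys]]
# Requires --features=ring
key_path = "dnssec/update/ed25519.priv.pk8"
algorithm = "ED25519"
is_zone_signing_key = false
is_zone_update_auth = true
```

After restarting the server, the check is the same `dig +dnssec` query for a non-existent name that opened the thread: the AUTHORITY section should now carry an NSEC (or NSEC3) record and its RRSIG next to the SOA, rather than the SOA alone.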

@ngocnha commented on GitHub (Oct 21, 2024):

Thanks to @marcus0x62 and @divergentdave for your support. I think I'm missing something, but I couldn't find this option in the documentation and examples. I just tried searching based on your suggestion and found it somewhere in the testing code.


@marcus0x62 commented on GitHub (Oct 21, 2024):

@ngocnha I don't think you missed anything. I think our documentation is a bit behind the code, and for this case we should probably have a default instead of requiring a selection for each zone. Sorry for the confusion.
