DNSSEC validation www.raspberrypi.org is ABANDONED

12 posts
by jpgview » Sat Feb 04, 2017 8:38 am
As mentioned earlier in this topic, a DNS administrator @raspberrypi.org has added DNSSEC information to the DNS records of archive.raspberrypi.org.
As a result, when a DNSSEC enabled DNS server retrieves the DNS information, the DNSSEC information is evaluated.
So far, both archive.raspberrypi.org (required to retrieve raspbian packages - sudo apt-get update) as well as www.raspberrypi.org (required to use the forum, download raspbian and ...) seem to contain invalid DNSSEC information, resulting in the inability to use the forum or download raspbian, using Edge and IE11. Firefox and Chrome seem to ignore the DNSSEC result.
A raspbian system can no longer access packages in archive.raspberrypi.org; the error messages are listed in the topic mentioned earlier.

Please fix (or remove) the DNSSEC information for the domains and entries indicated above. Unfortunately there is no "responsible person" (RP) information available in DNS, so I have no choice, but to request it here.
Posts: 5
Joined: Fri Feb 03, 2017 11:07 am
by DougieLawson » Sat Feb 04, 2017 9:18 am
Send an email to info@raspberrypi.org rather than spamming the forum with this stuff that's clearly being ignored.
Microprocessor, Raspberry Pi & Arduino Hacker
Mainframe database troubleshooter
MQTT Evangelist
Twitter: @DougieLawson

Since 2012: 1B*5, 2B*2, B+, A+, Zero*2, 3B*3

Please post ALL technical questions on the forum. Do not send private messages.
Posts: 27608
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
by Martin Frezman » Sat Feb 04, 2017 9:26 am
Actually, I find this a lot more interesting to read than just reading the 100zillionth iteration of "I forgot to plug my Pi in and it doesn't boot" or the 200zillionth iteration of "I can't SSH into my headless system anymore (*)".

(*) Because some genius decided to turn SSH off in the image.

I'll be interested to hear how this turns out.
Never wrestle with a porcine creature.
You both get dirty, and the porcine creature likes it.
Posts: 581
Joined: Mon Oct 31, 2016 10:05 am
by jpgview » Sat Feb 04, 2017 9:46 am
I've already sent an email to info@raspberrypi.org, but unfortunately they do not reply; I don't think they process technical issues.

This may be an issue with dnsmasq. The version (2.72-3+deb8u1) included in the current raspbian distribution is worthless (if you're using DNSSEC), so I've upgraded to version 2.76-5 from stretch. You can find the procedure here; modify it for dnsmasq, not deluged. Don't forget to remove the 4 files you created using the procedure, and run sudo apt-get update again, or you will be using stretch packages forever!

To further resolve this issue, I've also contacted the developer of dnsmasq, inquiring about this problem.

The strange thing is, when validating DNSSEC information on this site, everything seems to be OK.

I would very much like other users of dnsmasq (this is all the users of Pi-hole, and others) to provide feedback, that is, if they're using DNSSEC (optional feature of v2.12, disabled by default).
Posts: 5
Joined: Fri Feb 03, 2017 11:07 am
by PeteMB » Sat Feb 04, 2017 11:16 am
Hi, Pete Stevens @ Mythic Beasts here.

We think it's working, cf.

I've carried out the DNSSEC resolver test here, which confirms my DNSSEC is working,

and I can access the main website.

I've checked the bandwidth graphs, which show no appreciable drop in traffic.

So this full DNSSEC trace with validation seems to work,

$ dig www.raspberrypi.org +dnssec +trace

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> www.raspberrypi.org +dnssec +trace
;; global options: +cmd
. 91730 IN NS f.root-servers.net.
. 91730 IN NS m.root-servers.net.
. 91730 IN NS g.root-servers.net.
. 91730 IN NS c.root-servers.net.
. 91730 IN NS l.root-servers.net.
. 91730 IN NS k.root-servers.net.
. 91730 IN NS e.root-servers.net.
. 91730 IN NS d.root-servers.net.
. 91730 IN NS b.root-servers.net.
. 91730 IN NS j.root-servers.net.
. 91730 IN NS a.root-servers.net.
. 91730 IN NS i.root-servers.net.
. 91730 IN NS h.root-servers.net.
. 353451 IN RRSIG NS 8 0 518400 20170215050000 20170202040000 61045 . TnW5eXyPGPvD5JT/c2PNAV+VXFf8fysSTefTAjFZSk0HJBno03f4ZTkF f0up8m4XGg7TtQeNdDkn2ZTFQCYKV+atREgb25eyiy+bZRByOFD1UQrh MtWeLVnhZ8XdmjMj3+SWDhXsWvGOuJKa1LBwrqxEglnkaAXaAj+AVzf7 CWYVt0hwTXZrvdg/4ZAcYGRfQ9zO+gNOoonWgznFSBbct1BLtHChYxdd BBHCRdfcDJN96NS33bHEBVvHLtmvU9DNqG6zj3K4eFOH8Z31w33pZan5 ZSM9knx6sX7xuYxWwJHo2RIoIDFipNdqA9E8oqxEoVHYr7Cv3QA87M/a hG/n3Q==
;; Received 1097 bytes from in 41 ms

org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
org. 86400 IN DS 9795 7 1 364DFAB3DAF254CAB477B5675B10766DDAA24982
org. 86400 IN DS 9795 7 2 3922B31B6F3A4EA92B19EB7B52120F031FD8E05FF0B03BAFCF9F891B FE7FF8E5
org. 86400 IN RRSIG DS 8 1 86400 20170217050000 20170204040000 61045 . cC7tSbjabg9EjSEawLg2gsUTHj3KDZrJP8SupdeEhR+UmauU1GLU1zTu YQLORKRdPBgYw9tIavnK7p8ELd1Fz5r3H2njdFJOV4R64DgixZIz+SWE Fz0Qz8VCHoVqWVvq3SMhrI7LSGIq9kHHXTIqDegTHLx0YivHNvidATFC X5M1bSPHVW5zCr7NdcAgWTRztAxujHCyrZ6VSjHs/cECWnbgXdxSBS// ancKcTBKTgN4YFOAxNHKf2OILyNeC5kK5t+xXDk9cl8Xujuw9YL0+Rhi upHj2v8ve34iDp4kFgNLQfw2Ng1yEvfePeb3wwbQEMl0qB5G1DnuCWw3 qjky8w==
;; Received 821 bytes from in 116 ms

raspberrypi.org. 86400 IN NS ns2.mythic-beasts.com.
raspberrypi.org. 86400 IN NS ns1.mythic-beasts.com.
raspberrypi.org. 86400 IN DS 23217 10 2 CB48D0B9836007665F6DADCD93733664CC6E8F3C600D0E027547D82C 462A439D
raspberrypi.org. 86400 IN RRSIG DS 7 2 86400 20170222152815 20170201142815 3947 org. pt6aMsYHKS3vIfAkmngIMTqQRsCjOObzZ+p47zcHNm6IMGKYpoRYp+v7 qdQ9ZGp2R8/hCNNt3Gf2GSjx463D03Mhp3hluF04YoBsbb4upSFeLwED /59yi29i64dzVPf30Kbt7ND5Fzkq8SrfcwOF7tReEIpihkozAX3n4now 24E=
;; Received 312 bytes from 2001:500:e::1#53(2001:500:e::1) in 245 ms

www.raspberrypi.org. 300 IN CNAME lb.raspberrypi.org.
www.raspberrypi.org. 300 IN RRSIG CNAME 10 3 300 20170226222314 20170127213457 52265 raspberrypi.org. G4VZFuvNmifheXSy2ZMFvRulbZSxJhbXI86MwhgOu6dT8ft56foitBAG q06zmAQMXDoZ6DpRYs3hFb0A5AAfUyHOIsXHA5Rf/01TF4SqIoyD9Hei YPsLwgr5m32n+BvoAmWyjxFdjTbkXDNAtXfnURk2HTRqxMEDAOEOPv6s Y4EvCSl0i1ntA9Dvtd3nQgCBe0Fv/kGv1BB/IdtqBKRmzetA7rhnLsya E1MdHUollXmTdLmqqGeZZyRsdSAqA6XdcxWzVJH5KUeuVJ4fElq23ghB YbdFH43dTt/3xcLbPCSGp+lCk0/uKPmAFWTRSYApRd3+AEEgdX5updst AY6f8A==
lb.raspberrypi.org. 300 IN A
lb.raspberrypi.org. 300 IN A
lb.raspberrypi.org. 300 IN A
lb.raspberrypi.org. 300 IN A
lb.raspberrypi.org. 300 IN A
lb.raspberrypi.org. 300 IN A
lb.raspberrypi.org. 300 IN RRSIG A 10 3 300 20170226222048 20170127213456 52265 raspberrypi.org. d+hTeLrsWYfYeSfqeW+8CUYQxnzzwnnF5VC7b3Njxyesg+tkLra4alpZ Ydmb4pEyWLe2AKzjKGZy8VqkDV+hz/507WNTogS1ZBv/tseOPmAgsCYu W+iSzTH2BHLGmkP9/Kq23amHYx6XmIp7cby6k1myapcHI5HGvjMj3O89 G0kQ3KSmIfJjQd0eAJXWYDYJhFi9XJ3mzs8mfHq5RExJF2+AxZD7jSrT gjR0iFkSNYjGIHQ1pIpYs8Sk0ZXuqHlJjNpZGslD1e1hC8KP07i0pPka lxEWvui0JaOC9+KyAPhJbfR/E7hYXZuwl8qEo5g70V56U86x6rOdKK2T zi6nPA==
raspberrypi.org. 86400 IN NS ns2.mythic-beasts.com.
raspberrypi.org. 86400 IN NS ns1.mythic-beasts.com.
raspberrypi.org. 86400 IN RRSIG NS 10 2 86400 20170226221751 20170127213456 52265 raspberrypi.org. X6//j+5b1ZJNsNm4fgVa4geePAph7IXNhsRBtQUxmJ59UybW8B4/0hi5 JPOH4JaOTbtvtVNZuvkKQBohUhyb7z8uBQgwPbyfGe+EPHbzvmyXNplS DskQDolJcEUHT1AlbZGAqS0/7Ma5Mne1PCtXNp8WubR72kz8EaMitB7a 5d++ltwjiVrLyI1+qLwMlpGHzyP5it8Cx6Llo0Gf4CGnbPWGeD+QhtJH BC8vDlwHBOwGGV4sGEA3odyJEP09DxKCvnonoicmtMJDp3ZNS8Crlzno rki58GEaR0bMx2xeGTwQwRoNAdTXoQh9uhblHJh4dQ/FSFktJCHrUHn8 5l+7mA==
;; Received 2431 bytes from in 117 ms

Are you sure it's not a client side issue?
Posts: 3
Joined: Sat Feb 27, 2016 12:09 pm
by jpgview » Sun Feb 05, 2017 7:37 pm
I'm currently communicating with the developers of both dnsmasq and dnscrypt-proxy, in order to find out what is going on. I will post a reply as soon as this leads to a solution. The developer of dnsmasq may have identified a problem (no solution yet).
He made me run the following command (a dnscrypt-proxy is running on IP, port 5552):
dig @ -p 5552 +dnssec www.raspberrypi.org
The result:
;; Truncated, retrying in TCP mode.
;; communications error to end of file
This caused him to reply:
I can see how the dnsmasq validation routines would react badly to an upstream server which sometimes just closed the connection in TCP mode: that's probably the cause of the ABANDONED message.
The dnscrypt-proxy developer replied:
Truncated responses are not an error. They tell the client to send the query again using TCP.
In order to avoid amplification, the DNSCrypt protocol requires questions sent using UDP to be at least as large as responses. If this is not the case, a truncated response is sent so that the client retries using TCP.
When it starts, the proxy slowly adjusts the padding of the questions so that less and less queries using TCP are required.
I then started running this script:
Code: Select all
while true; do
    dig @ -p 5552 +dnssec www.raspberrypi.org
    sleep 30
done

The error message (from dig) only appears a few times after a reboot, the resolver responds as expected after a while. The validation result (dnsmasq) however, never changes (remains ABANDONED)

To be continued (and hopefully solved)...
Posts: 5
Joined: Fri Feb 03, 2017 11:07 am
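The exchange the dnscrypt-proxy developer describes above (a UDP reply may not be larger than the query; otherwise the proxy answers with TC set and the client retries over TCP, and growing the query with padding makes TCP unnecessary), as an added example that is not code from the original thread, from dnsmasq or from dnscrypt-proxy. It builds plain DNS wire messages with a minimal encoder, uses constructed addresses (192.0.2.x) in place of the real lb.raspberrypi.org records, and leaves out the DNSCrypt encryption layer; the function names and the 200-byte padding value are this example's own choices.

```python
import struct

# Flag bits in the DNS header (RFC 1035 4.1.1)
FLAG_QR = 0x8000   # response
FLAG_TC = 0x0200   # truncated: client should retry over TCP
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
QTYPE_A = 1
QTYPE_OPT = 41
CLASS_IN = 1
EDNS_OPTION_PADDING = 12   # EDNS(0) padding option (RFC 7830)


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0x1234, padding=0):
    """Standard query; `padding` bytes of EDNS(0) padding grow the packet the way the proxy does."""
    arcount = 1 if padding else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if padding:
        opt_data = struct.pack("!HH", EDNS_OPTION_PADDING, padding) + b"\x00" * padding
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLENGTH
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, 0, len(opt_data)) + opt_data
    return msg


def question_section(msg):
    """Slice out the single question (name + QTYPE + QCLASS) that follows the 12-byte header."""
    pos = 12
    while msg[pos] != 0:
        pos += msg[pos] + 1
    return msg[12:pos + 1 + 4]


def upstream_answer(query, addrs):
    """Constructed upstream reply: one A record per address, owner name compressed to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    hdr = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA, 1, len(addrs), 0, 0)
    rrs = b""
    for a in addrs:
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 300, 4)
        rrs += bytes(int(o) for o in a.split("."))
    return hdr + question_section(query) + rrs


def flags(msg):
    return struct.unpack("!H", msg[2:4])[0]


def answer_count(msg):
    return struct.unpack("!H", msg[6:8])[0]


def dnscrypt_udp_reply(query, full_response):
    """The anti-amplification rule quoted above: over UDP the reply may not be larger than the query.
    Otherwise reply with header + question only and TC set, so the client retries over TCP."""
    if len(full_response) <= len(query):
        return full_response
    hdr = bytearray(full_response[:12])
    hdr[2:4] = struct.pack("!H", flags(full_response) | FLAG_TC)
    hdr[6:8] = b"\x00\x00"          # ANCOUNT = 0: nothing but the question survives
    return bytes(hdr) + question_section(full_response)


def tcp_frame(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def resolve(query, addrs):
    """Client side of the exchange: UDP first, TCP retry when TC is set. Returns (transport, reply)."""
    full = upstream_answer(query, addrs)
    udp = dnscrypt_udp_reply(query, full)
    if not flags(udp) & FLAG_TC:
        return "udp", udp
    framed = tcp_frame(full)
    length = struct.unpack("!H", framed[:2])[0]
    return "tcp", framed[2:2 + length]


# Constructed sample: six load-balancer addresses, like the six lb.raspberrypi.org A records in the trace
SAMPLE_ADDRS = ["192.0.2.%d" % i for i in range(1, 7)]

if __name__ == "__main__":
    bare = build_query("www.raspberrypi.org")
    padded = build_query("www.raspberrypi.org", padding=200)
    for label, q in (("bare", bare), ("padded", padded)):
        transport, reply = resolve(q, SAMPLE_ADDRS)
        print("%s query %d bytes -> %s, %d answers" % (label, len(q), transport, answer_count(reply)))
```

The unpadded 37-byte query cannot carry the 133-byte six-address reply over UDP, so the proxy answers with TC and the client re-sends over TCP; once the query is padded past the reply size the whole thing completes over UDP, which is why the dig error in the post fades after the proxy has adjusted its padding. A validating forwarder that sends several questions down one TCP connection and expects all the answers back will still break if the far end closes after the first one, which is the dnsmasq-side problem the next posts get to.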
by mikerr » Sun Feb 05, 2017 8:58 pm
jpgview wrote:resulting in the inability to use the forum or download raspbian, using edge and ie11. Firefox and chrome seem to ignore the DNSSEC result.

Not sure if there's been a fix applied, or I'm misunderstanding - but I can use the forum and downloads fine on Edge and IE11 here (win10):

[screenshots]
Android app - Raspi Card Imager - download and image SD cards - No PC required !
Posts: 2363
Joined: Thu Jan 12, 2012 12:46 pm
Location: NorthWest, UK
by sudolea » Thu Feb 09, 2017 10:07 pm
Are you sure your time is correct on the RaspberryPI ? If it isn't, DNSSEC is crippled. And ntp fails to fetch the outside world's correct time, as it doesn't have a working named. A chicken-or-egg problem, so to say ...

You might want to have a look at https://www.youtube.com/watch?v=TMiIZNjY3vs&t=4s , a video I made that I thought could benefit people experiencing a problem I also encountered recently ...

If it doesn't help, it doesn't harm, does it. And in that case at least it could have (helped), couldn't it ?
Posts: 7
Joined: Thu Feb 09, 2017 9:55 pm
by jpgview » Sat Feb 11, 2017 2:40 pm
In the meantime, I've been communicating with the developer of dnsmasq, he responded to the statement of the dnscrypt-proxy developer, stating: “When local DNSSEC validation is enabled, dnsmasq 2.77 sends multiple queries on the same TCP connection which is incompatible with DNSCrypt”

As a result, the developer of dnsmasq has modified his code and made it available to me (dnsmasq v2.77test3), you can download it here. After compiling this (requires the use of stretch packages), I ended up with functional DNSSEC validation. So the people claiming there is nothing wrong with the raspbian.org DNSSEC domain entries are CORRECT. Apologies for the insinuation.

As to the raspberry pi chicken or the egg time problem, I came up with the following solution:
1. add this to the configuration of dnsmasq: dnssec-no-timecheck
2. create a file ntpcheck.sh (make sure it's executable)
Code: Select all
#!/bin/bash
echo "Waiting for Time Synchronization (NTP)..."
if [[ $EUID -ne 0 ]]; then
   # you are NOT root (not @reboot), no sleep, system already initialized...
   :
else
   # you are root (@reboot), sleep, let the system initialize...
   sleep 60s
fi
# wait (up to 10 tries) for ntpd to report that the clock is synchronized
/usr/sbin/ntp-wait -s 10
RETVAL=$?
if [ "$RETVAL" != "0" ]; then
   echo "Time NOT synchronized (NTP)!!!"
   exit 1
else
   echo "Time synchronization established (NTP)."
   # SIGHUP makes dnsmasq re-enable its DNSSEC time checks (see dnssec-no-timecheck)
   /bin/kill -HUP $(ps -e | grep 'dnsmasq' | awk '{print $1}')
fi

create a new crontab file in /etc/cron.d, called ntpcheck (or whatever is clear to you)
Code: Select all
@reboot root PATH="$PATH:/home/pi/" /home/pi/ntpcheck.sh

After a reboot, you can check if ntpcheck.sh is actually running using:
Code: Select all
ps -e | grep sh

something like this should come up:
Code: Select all
  418 ?        00:00:00 sh
  419 ?        00:00:00 ntpcheck.sh
  589 ?        00:00:00 sshd
  689 ?        00:00:00 sshd
  694 ?        00:00:00 sshd
  707 ?        00:00:00 sshd
  712 ?        00:00:00 sshd
  723 ?        00:00:00 bash
  736 ?        00:00:00 sshd
  741 ?        00:00:00 sshd
  743 pts/0    00:00:00 bash

You'll find (at least on my Pi) it takes about 15 minutes for time to synchronize. As soon as time is synchronized, the script sends a SIGHUP to dnsmasq, causing it to reload with time checks enabled.
You can verify this by checking the log dnsmasq writes to for the word timestamps.

I'm now happily using this forum, knowing it has been DNSSEC validated...
Posts: 5
Joined: Fri Feb 03, 2017 11:07 am
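Why a Pi with no RTC cannot validate DNSSEC until NTP has run, and what dnssec-no-timecheck switches off, as an added example that is not code from the original thread or from dnsmasq. It takes three RRSIG records copied from Pete Stevens' dig +dnssec +trace output earlier in the thread (signatures shortened, so the input is constructed) and runs the pre-cryptographic checks a validator makes on an RRSIG: signer name, labels field, and the inception/expiration window against the system clock. No signature is actually verified here; the function names and status strings are this example's own, and the three clock values are assumed for illustration.

```python
from datetime import datetime, timezone

# DNSSEC algorithm numbers that appear in the trace above (IANA DNSSEC algorithm registry)
ALGORITHMS = {7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}

# Three RRSIG records from the dig output above; signature fields truncated (constructed input)
RRSIG_LINES = [
    "raspberrypi.org. 86400 IN RRSIG DS 7 2 86400 20170222152815 20170201142815 3947 org. pt6aMsYHKS3v...",
    "www.raspberrypi.org. 300 IN RRSIG CNAME 10 3 300 20170226222314 20170127213457 52265 raspberrypi.org. G4VZFuvNmifh...",
    "lb.raspberrypi.org. 300 IN RRSIG A 10 3 300 20170226222048 20170127213456 52265 raspberrypi.org. d+hTeLrsWYfY...",
]


def parse_ts(s):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034 3.2)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split one presentation-format RRSIG line into its RDATA fields."""
    f = line.split()
    if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "owner": f[0], "ttl": int(f[1]), "type_covered": f[4],
        "algorithm": int(f[5]), "labels": int(f[6]), "original_ttl": int(f[7]),
        "expiration": parse_ts(f[8]), "inception": parse_ts(f[9]),
        "key_tag": int(f[10]), "signer": f[11], "signature": "".join(f[12:]),
    }


def owner_label_count(owner):
    return len([l for l in owner.rstrip(".").split(".") if l])


def check_rrsig(sig, now, no_timecheck=False):
    """The cheap checks from RFC 4035 5.3.1 that precede any crypto. Returns a status string."""
    if sig["algorithm"] not in ALGORITHMS:
        return "bogus: unknown algorithm %d" % sig["algorithm"]
    # the signer must be the zone holding the RRset, i.e. the owner itself or an ancestor of it
    # (for a DS record that is the parent zone, which is why org. signs raspberrypi.org DS)
    if not (sig["owner"] == sig["signer"] or sig["owner"].endswith("." + sig["signer"])):
        return "bogus: signer %s is not an ancestor of %s" % (sig["signer"], sig["owner"])
    # labels field larger than the owner name means a malformed signature;
    # smaller means the RRset came from a wildcard expansion
    if sig["labels"] > owner_label_count(sig["owner"]):
        return "bogus: labels field exceeds owner name"
    if no_timecheck:
        # what dnsmasq does with dnssec-no-timecheck until it gets SIGHUP
        return "ok (time check disabled)"
    if now < sig["inception"]:
        return "bogus: signature not yet valid (inception %s)" % sig["inception"].date()
    if now > sig["expiration"]:
        return "bogus: signature expired (expiration %s)" % sig["expiration"].date()
    return "ok"


def validate_all(lines, now, no_timecheck=False):
    """Map 'owner/type' -> status for every RRSIG line."""
    result = {}
    for line in lines:
        sig = parse_rrsig(line)
        result[sig["owner"] + "/" + sig["type_covered"]] = check_rrsig(sig, now, no_timecheck)
    return result


if __name__ == "__main__":
    clocks = (
        ("Pi just booted, no RTC (epoch)", parse_ts("19700101000000")),
        ("clock synchronized by NTP", parse_ts("20170205193700")),
        ("same cached signatures six weeks later", parse_ts("20170320091200")),
    )
    for label, clock in clocks:
        print(label)
        for rr, status in validate_all(RRSIG_LINES, clock).items():
            print("  %-30s %s" % (rr, status))
    print("with dnssec-no-timecheck at epoch:")
    for rr, status in validate_all(RRSIG_LINES, parse_ts("19700101000000"), no_timecheck=True).items():
        print("  %-30s %s" % (rr, status))
```

With the clock at the epoch every signature is "not yet valid", so the resolver cannot validate the NTP pool's own names and you get the chicken-and-egg loop described above; the third clock shows the other edge of the window, which only matters for stale cached copies since the zone re-signs long before its RRSIGs expire. Disabling the time check makes a forged or replayed signature with an expired window acceptable, so it is only safe as a boot-time bridge that the SIGHUP from the ntpcheck script closes again.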
by sudolea » Sat Feb 11, 2017 8:26 pm
Nice to know, and nice to see it works now. However, without insisting: if you make ntpd.conf DNS-independent (not the hardest thing to do), and insert the statement "ntpd -gq" right before starting the named daemon (in the start part of /etc/init.d/bind9, see my solution 3), you don't have to wait for some 15 minutes, as your system time is correct immediately thereafter (ntpd may not be running yet at that moment)...

Anyway, if it works, and you're happy with the solution, what's there to say more ;)
Posts: 7
Joined: Thu Feb 09, 2017 9:55 pm
by molano » Fri Feb 17, 2017 2:56 pm

I am sorry, but the solution provided does not seem to be easily implemented for novice users.
I have the same issue that apt-get update hangs on "Connecting to archive.raspberrypi.org".

How can we easily solve this without compiling a test-package as described above??

Thanks in advance.
Posts: 1
Joined: Fri Feb 17, 2017 2:50 pm
by jpgview » Mon Mar 20, 2017 9:12 am
molano wrote:How can we easily solve this without compiling a test-package as described above??

You can find a script to compile and install the latest (v2.77test4) dnsmasq on raspberry pi version march 2017 here.
Posts: 5
Joined: Fri Feb 03, 2017 11:07 am