DNSSEC fails with no DNS-server set on "computer mode", IPv6 fails

Hi,

I just set up a new access point (Turris Omnia 2GB RAM Indiegogo-version) with the factory image and a 4-LED reset and

  1. found the following bug:
  • I disabled all forwarding via reforis:
  • disabled dnsmasq/odhcp/firewall via luci
  • entered IPv4-addresses for gateway and dns-server

→ DNSSEC works

root@turris:~# check_connection
Pinging 192.168.1.1 ... OK
IPv4 Gateway: OK
Pinging 217.31.205.50 ... OK
Pinging 198.41.0.4 ... OK
Pinging 199.7.83.42 ... OK
Pinging 8.8.8.8 ... OK
IPv4: OK
IPv6 Gateway: UNKNOWN
Pinging 2001:1488:0:3::2 ... FAILED
Pinging 2001:500:3::42 ... FAILED
Pinging 2001:500:2d::d ... FAILED
Pinging 2606:2800:220:6d:26bf:1447:1097:aa7 ... FAILED
IPv6: FAILED
Resolving repo.turris.cz ... OK
Resolving www.nic.cz ... OK
Resolving c.root-servers.net ... OK
DNS: OK
Resolving www.rhybar.cz ... OK
DNSSEC: OK

Then I looked closer at a note below the dns-server line in reforis stating the following:
[screenshot]
I therefore deleted the entry, ran check_connection/clicked the button in reforis again and got the following result:

root@turris:~# check_connection
Pinging 192.168.1.1 ... OK
IPv4 Gateway: OK
Pinging 217.31.205.50 ... OK
Pinging 198.41.0.4 ... OK
Pinging 199.7.83.42 ... OK
Pinging 8.8.8.8 ... OK
IPv4: OK
IPv6 Gateway: UNKNOWN
Pinging 2001:1488:0:3::2 ... FAILED
Pinging 2001:500:3::42 ... FAILED
Pinging 2001:500:2d::d ... FAILED
Pinging 2606:2800:220:6d:26bf:1447:1097:aa7 ... FAILED
IPv6: FAILED
Resolving repo.turris.cz ... OK
Resolving www.nic.cz ... OK
Resolving c.root-servers.net ... OK
DNS: OK
Resolving www.rhybar.cz ... FAILED
DNSSEC: FAILED

As can be seen, DNSSEC now fails. So it seems this sentence in reforis is wrong and should be removed? Otherwise this is a bug and I would report it via gitlab.
Side note: not disabling the firewall/dhcp/odhcp services will make DNSSEC fail even though a dns server is specified.

  2. have IPv6 connectivity issues (and this happens to all of my Turris devices that are set up as dumb access points)
  • IPv6 connectivity of the AP fails (just like above)
  • IPv6 connectivity of all connected devices is fine (android, IoT, Windows)
  • main configuration:
    • disabled following services: firewall/odhcp/dhcp
    • added option dns 192.168.1.1

What needs to be done for my AP to connect correctly via IPv6?

You need to add a second logical interface on your br-lan, preferably with a dhcpv6 client

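As an added example (not taken from the thread and not a Turris OS default), this is the stanza such a second interface would take in /etc/config/network on an OpenWrt-based device: the existing 'lan' interface keeps its static IPv4 setup and `option dns 192.168.1.1`, and a new 'lan6' interface runs the DHCPv6 client on the same bridge. The name lan6 and the option values are assumptions.

```uci
# Added example: DHCPv6 client on br-lan, next to the existing static 'lan'.
# Assumed: the bridge interface is named 'lan'; older releases that still
# use 'ifname' take "option ifname '@lan'" instead of "option device '@lan'".
config interface 'lan6'
	option proto 'dhcpv6'
	# '@lan' is an alias: reuse the device that the 'lan' interface sits on
	option device '@lan'
	# ask for a DHCPv6 address; fall back to router-advertisement/SLAAC if none
	option reqaddress 'try'
	# an access point only needs an address for itself, not a delegated prefix
	option reqprefix 'no'
```

This is the same proto the default wan6 interface uses on the WAN device, which is why the poster above sees it "for wan" but not for lan. After a `uci commit network` and `/etc/init.d/network reload`, `ip -6 addr show br-lan` should list a global address and the IPv6 lines of check_connection should change from FAILED to OK; the firewall stays disabled on the AP as before, so no new zone is needed.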

Nice, lan6 rocks :v:
Why is that not setup by default - for wan it is…

You switched DNSSEC off in reForis and wonder why DNSSEC check fails?

I mean, the UI can be confusing – why should checks verify that DNSSEC works when the user switched it off, but otherwise I fail to see any issue in there.

This device is a dumb access point; the routing and DNS are done on router level, where it is for sure turned on.
Kindly read again :pray:

I did reread carefully and I still don’t get it. Well, whatever. If I don’t get it, there’s no use in trying to help, whatever’s the cause of the misunderstanding. Let’s hope someone else goes better.


@vcunat I am sorry I did not make the structure clear enough.

Network topology:

  1. Router with activated DNSSEC (via 1.1.1.1)/firewall/dnsmasq/odhcp
  2. Several “dump” access points with deactivated DNSSEC/firewall/dnsmasq/odhcp

When entering a DNS-server (the router’s IP-address) in the field of the access points (which equals `option dns 192.168.1.1` in the network config-file), DNSSEC works on the access points. When leaving it empty/removing it (via GUI or SSH), DNSSEC fails.

But the description below the field states that entering a DNS-server is NOT mandatory. So DNSSEC failing is either a bug (it should work without entering a DNS server) or the sentence mentioned is wrong (in this case the sentence should be something like “field is not mandatory, but necessary for DNSSEC to work”).

Hope this is clearer.

(I myself never used reforis to set up DNS/DNSSEC, I just explored it when setting up my third TO access point. If the intention of the Turris team is to ease usage for beginners, the information given in the GUI needs to be clear/correct).

I believe it’s not required for DNSSEC to work. I think DNSSEC doesn’t work in that case because you deactivated it.


Well - that is what I wrote at the very beginning. With DNSSEC disabled and DNS server entered DNSSEC works. When I empty the mentioned line, DNSSEC does not work anymore. These are settings done on an access point, the DNS-server for my network (and thus the machine responsible for DNSSEC) is my router.

If all DNS is forwarded to servers that check DNSSEC, DNSSEC will “work in tests” even if you don’t check it locally. Perhaps that’s what’s confusing you?

EDIT: I mean, the point of checking DNSSEC is to SERVFAIL on some domains. (those that don’t provide sufficient proofs) That is what all validation checkers do – create some bogus domains and check that they fail to resolve.
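To make the test logic in this reply concrete, here is an added example of my own, not the check_connection script or any Turris code. It classifies a resolver by the pair of answers vcunat describes: a correctly signed name must resolve and a deliberately broken one must be refused. The two names are the ones that appear in the check_connection output earlier in the thread; treating www.nic.cz as the correctly signed name and www.rhybar.cz as the broken test name is an assumption of this example, as are the function names and the canned results that stand in for the AP's resolver.

```python
"""Classify a resolver by the good-name / bogus-name test (added example).

Assumed roles: GOOD_NAME is validly signed, BOGUS_NAME is deliberately broken.
A validating resolver (or a validating forwarder on the path) answers the
first and returns SERVFAIL for the second; a non-validating one answers both.
"""
import socket
from typing import Callable, Dict

GOOD_NAME = "www.nic.cz"      # assumed: correctly signed
BOGUS_NAME = "www.rhybar.cz"  # assumed: DNSSEC deliberately broken

# A resolver here is just "does this name resolve to an address?"
Resolver = Callable[[str], bool]


def system_resolver(name: str) -> bool:
    """Resolve through this host's own resolver (resolv.conf), like a real check."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def classify(resolve: Resolver, good: str = GOOD_NAME, bogus: str = BOGUS_NAME) -> str:
    """Map the two answers to one of three outcomes.

    dns-broken      the good name does not resolve: nothing can be said about DNSSEC
    validating      good resolves, bogus is refused: something on the path validates
    not-validating  both resolve: no resolver on the path rejects bogus data
    """
    if not resolve(good):
        return "dns-broken"
    if resolve(bogus):
        return "not-validating"
    return "validating"


def canned(answers: Dict[str, bool]) -> Resolver:
    """Constructed stand-in for a resolver so the logic runs offline."""
    return lambda name: answers.get(name, False)


# Constructed scenarios matching the thread's explanation:
#  - the AP forwards everything to a router that validates: bogus is refused
#  - the AP has validation off and nothing upstream validates: bogus resolves
#  - the AP has no usable upstream at all: even the good name fails
SCENARIOS = {
    "forwarding to validating router": canned({GOOD_NAME: True, BOGUS_NAME: False}),
    "no validation anywhere on path": canned({GOOD_NAME: True, BOGUS_NAME: True}),
    "no usable upstream": canned({}),
}


if __name__ == "__main__":
    for label, resolver in SCENARIOS.items():
        print(f"{label}: {classify(resolver)}")
    # To test this machine's real resolver instead of the canned ones:
    # print("this host:", classify(system_resolver))
```

The point the scenarios make is that the check only says something about the path the AP's own resolver uses: with the router entered as DNS server the AP forwards to a validating resolver and the bogus name is refused, so the check passes even though validation on the AP itself is off; with the field empty the AP answers from a non-validating path and the bogus name resolves.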