[jitsi-users] DNSSEC for ICQ/ Sip (maybe anything) could go wrong after Hibernate


#1

I have set DNSSEC to enabled for my ICQ account, even though
login.icq.com has no DNSSEC record.
I also have a DNS server running which uses Google's DNS 8.8.8.8 as fallback.
192.168.178.1 is my local DNS server.
I am behind a Fritz box router.
Google's 8.8.8.8 does return a result if it is asked via dig +dnssec box.
As far as I can remember this happens only after Hibernate/Standby.

Text of the error message in both cases:
Jitsi has tried to contact _sips._TCP.iptel.org.fritz.box. /
login.icq.com.fritz.box. This domain has DNSSEC. […]

Wrong data for the DNSSEC signed domain
_sips._TCP.iptel.org.fritz.box. / login.icq.com.fritz.box.
Validataion failure _sips._TCP.iptel.org.fritz.box. /
login.icq.com.fritz.box. SRV IN >: no NSEC3 Records from 192.168.178.1
for DS box. while building chain of trust.

I don't know how the fritz.box. part is added to the Domain to check,
but it looks like a bug. I also don't know why google answers for the
tld box.

Carsten Kirschner


#2

Hello Carsten

The fritz.box suffix comes from the primary DNS suffix and is supplied by
the Fritz's DHCP. If Jitsi's DNS client is unable to obtain a response for
login.icq.com, it then tries again with login.icq.com. This is because
"login.icq.com" is not an absolute address, it is missing the dot of the
root domain (login.icq.com.). You can disable that behavior by ticking the
"Treat all domain names as absolute" checkbox.

The result you get from Google for box. is the non-existence proof through
NSEC pointers. Besides that, the last thing I know is that Google's public DNS
servers are not DNSSEC capable; they return wrong results for the query for
DS records [1].

I'll have to check about differences between a fresh start and
hibernate/standby when I'm home against my own Fritzbox to determine whether
there's actually something wrong within Jitsi. Meanwhile you might want to
try with public DNS servers that are known to work correctly, such as those
from DNS OARC [2] or Verizon [3].

Regards,
Ingo

[1] http://groups.google.com/group/public-dns-discuss/browse_thread/thread/f6f5ebf40267cb8c/0d3539e16878c544&usg=AFQjCNFCF9o3S1jQ_XSPsOBiGLx9RcIRig
[2] https://www.dns-oarc.net/oarc/services/odvr
[3] http://www.tech-faq.com/public-dns-servers.html