NGINX Bouncer doesn't resolve domain names with DNSSEC enabled

After enabling DNSSEC in Unbound the NGINX Bouncer stopped resolving my LAPI's domain name. DNS is working perfectly fine.
2025/10/03 20:30:48 [error] 148448#148448: *21469 [lua] stream.lua:157: stream_query_api(): request to crowdsec lapi https://lapi.example.com/v1/decisions/stream?startup=true failed: lapi.example.com could not be resolved (110: Operation timed out), context: ngx.timer
2025/10/03 20:30:48 [error] 148448#148448: *21469 [lua] stream.lua:157: stream_query_api(): request to crowdsec lapi https://lapi.example.com/v1/decisions/stream?startup=true failed: lapi.example.com could not be resolved (110: Operation timed out), context: ngx.timer
My LAPI domain name supports DNSSEC, so maybe the issue only happens for DNSSEC signed domains?
4 Replies
blotus, 2d ago
The bouncer does not do any resolution by itself, it's performed by nginx (by using the resolver set in the configuration). Do you see anything in unbound logs?
GNU Plus Windows User
I know, but every time I enable it the bouncer just stops resolving DNSSEC enabled domain names. I don't see any errors in my logs or issues in general, everything else is able to resolve my LAPI domain (including the agent itself), it's just the NGINX bouncer that's having issues.
blotus, 8h ago
I tried to reproduce, but no luck. I've enabled DNSSEC on my domain, created an A record that points to 127.0.0.1, and used that in my openresty bouncer config: no issues, openresty can query LAPI without issue (the machine is using resolved as a resolver (with DNSSEC validation enabled), not unbound, so there's a difference here). I also had a look at the nginx code: no trace of any attempt to validate or do anything related to DNSSEC, and looking at tcpdump, nginx only does an A/AAAA query; the RRSIG query is made by resolved itself. And just to be sure and exclude a potential issue elsewhere, does a dig +dnssec @yourresolver lapi.example.net show the RRSIG record and the ad flag when run from the machine where nginx is running?
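The check asked for in the last reply, as an added example that is not part of the thread and is not CrowdSec or nginx code: it builds a plain A query and a `dig +dnssec`-style query (EDNS0 with the DO bit), then reads the rcode, the `ad` flag and the answer record types from a reply. The function names, `SAMPLE` (a constructed reply, not captured traffic) and the resolver address passed to `ask` are assumptions.

```python
import socket
import struct

QTYPE = {"A": 1, "AAAA": 28, "RRSIG": 46}
TYPE_NAME = {v: k for k, v in QTYPE.items()}

def build_query(name, qtype="A", dnssec_ok=False, txid=0x1234):
    """Plain query, or one carrying an EDNS0 OPT record with the DO bit (what dig +dnssec sends)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, int(dnssec_ok))  # RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", QTYPE[qtype], 1)
    if dnssec_ok:  # OPT RR: root name, type 41, UDP size 1232, TTL field carries the DO flag
        msg += b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return msg

def _skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:  # walk labels until root or a pointer
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)

def parse_response(msg):
    """Return rcode, the AD (authenticated data) flag and the record types in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    types = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(TYPE_NAME.get(rtype, str(rtype)))
        off += 10 + rdlen
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x20), "answer_types": types}

def ask(resolver_ip, name, dnssec_ok, timeout=5.0):
    """Send one UDP query; a socket timeout here is the same symptom as the log above."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, "A", dnssec_ok), (resolver_ip, 53))
        return parse_response(s.recvfrom(4096)[0])

def _rr(rtype, rdata):  # answer record whose name points back at the question name
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

# Constructed sample reply: A + RRSIG (placeholder rdata, not a real signature), AD flag set.
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 0) + build_query("lapi.example.net")[12:]
          + _rr(1, bytes([127, 0, 0, 1])) + _rr(46, b"\x00" * 4))
```

Run from the nginx host, `ask(resolver, "lapi.example.net", False)` and the same call with `True` show whether the resolver named in nginx's `resolver` directive answers the plain query at all, and whether the DNSSEC-aware query comes back with `ad` set and an RRSIG in the answer.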
