13.2 Issues - Attack detected! DNSSEC validation failed due to invalid signature [SignatureNotYetValid] for owner name: com/SOA #1118

Open
xXAzazelXx opened this issue Nov 20, 2024 · 1 comment

xXAzazelXx commented Nov 20, 2024

Hey Guys,

I have two Technitium servers on x2 RPI running on the latest Raspbian and after the upgrade, I am getting this on both now, with DNS-over-TLS using CF or Google.

Is anyone else having this? Was working fine on older version.

[2024-11-21 06:00:59 Local] DNS Server failed to resolve the request 'www.gstatic.com. AAAA IN' using forwarders: cloudflare-dns.com (1.1.1.1), cloudflare-dns.com (1.0.0.1), cloudflare-dns.com ([2606:4700:4700::1111]), cloudflare-dns.com ([2606:4700:4700::1001]).

TechnitiumLibrary.Net.Dns.DnsClientResponseDnssecValidationException: Attack detected! DNSSEC validation failed due to invalid signature [SignatureNotYetValid] for owner name: com/SOA
   at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList`1 records, IReadOnlyList`1 dnsKeyRecords, IReadOnlyList`1 unsignedZones, DnssecValidateSignatureParameters parameters, Boolean isAuthoritySection, Boolean isAdditionalSection) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 3104
   at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList`1 dnsKeyRecords, IReadOnlyList`1 unsignedZones) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2944
   at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass77_0.<<GetDSForAsync>b__0>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 3381
--- End of stack trace from previous location ---
@ShreyasZare
Member

Thanks for the post. It seems that your RPi's system clock is running behind and needs to be updated. This is due to the RPi not having a real-time clock, and it needs to sync time using NTP each time it restarts.

If you have removed the default "ntp.org" forwarder zone, then that could be an issue preventing the RPi from syncing time, since the domain is signed and will fail DNSSEC validation if the system time is not set. You will need to add the "ntp.org" forwarder zone, which forwards to This Server with DNSSEC Validation disabled, to make it work again.
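
Why a lagging clock produces this error, shown as an added example that is not part of the thread or of Technitium's code: a validator compares its own clock with each RRSIG's inception and expiration times (RFC 4034, section 3.1.5). The timestamps and clock readings are constructed, and every label other than `SignatureNotYetValid` is this example's own.

```python
from datetime import datetime, timezone

MOD = 1 << 32  # RRSIG times are 32-bit seconds since the Unix epoch

def rrsig_time(text):
    """Parse an RRSIG presentation-format timestamp (YYYYMMDDHHmmSS, UTC)."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % MOD

def serial_lt(a, b):
    """Serial-number 'a < b' (RFC 1982), so the comparison survives 32-bit wrap."""
    return a != b and ((b - a) % MOD) < (MOD >> 1)

def check_window(inception, expiration, now):
    """Classify the validator's clock against the signature validity window."""
    now %= MOD
    if serial_lt(now, inception):
        return "SignatureNotYetValid"   # label as it appears in the log above
    if serial_lt(expiration, now):
        return "SignatureExpired"       # this example's own label
    return "Valid"                      # this example's own label

def clock_lag_seconds(inception, now):
    """Lower bound on how far the clock is behind when a signature is not yet valid."""
    return (inception - now % MOD) % MOD

def unix(y, mo, d, h, mi, s):
    return int(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp())

# Constructed validity window for a com/SOA RRSIG (not taken from the issue).
INCEPTION = rrsig_time("20241120194049")
EXPIRATION = rrsig_time("20241127194049")

# Constructed clock readings: a board with no RTC that booted with a stale
# clock, and the same board after NTP has set the time.
STALE_CLOCK = unix(2024, 11, 10, 6, 0, 59)
SYNCED_CLOCK = unix(2024, 11, 21, 6, 0, 59)

if __name__ == "__main__":
    for name, now in (("stale", STALE_CLOCK), ("synced", SYNCED_CLOCK)):
        verdict = check_window(INCEPTION, EXPIRATION, now)
        print(f"{name:6} clock -> {verdict}")
    lag = clock_lag_seconds(INCEPTION, STALE_CLOCK)
    print(f"stale clock is at least {lag} s behind real time")
```

A `SignatureNotYetValid` result on a zone as widely used as `com` points at the local clock first: the gap between the clock and the inception time is a lower bound on how far behind the clock is.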
