
Unable to Switch DNSSEC OFF in Kubernetes, but possible in Docker #168

Closed
jamesarbrown opened this issue Apr 15, 2022 · 3 comments

Comments

@jamesarbrown

The mailu-admin pod is stuck with this message, which I appreciate is a DNS issue, but it is fundamentally blocking getting Mailu admin running.

CRITICAL:root:Your DNS resolver at 10.152.183.10 isn't doing DNSSEC validation; Please use another resolver or enable unbound via https://setup.mailu.io.

DNS Servers (forwarders)
10.152.183.10 CoreDNS (installed on Ubuntu MicroK8S) > 10.8.23.15 MS AD DNS (has domain internal DNS mappings) > PiHole > Google

The CoreDNS config with some DNSSEC stuff added looks like this now:

  {
    "Corefile": ".:53 {
      errors
      health {
        lameduck 5s
      }
      ready
      log . {
        class error
      }
      kubernetes cluster.local in-addr.arpa ip6.arpa {
        pods insecure
        fallthrough in-addr.arpa ip6.arpa
      }
      dnssec cluster.local example.org {
        key file /etc/dnsseckey/kcluster.local
      }
      prometheus :9153
      forward . 10.8.23.15
      cache 30
      loop
      reload
      loadbalance
    }
    "
  }

Which appears to have worked for cluster.local:

; <<>> DiG 9.9.5-9+deb8u19-Debian <<>> cluster.local +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31753
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;cluster.local.                 IN      A

;; AUTHORITY SECTION:
cluster.local.          5       IN      SOA     ns.dns.cluster.local. hostmaster.cluster.local. 1650043933 7200 1800 86400 5
cluster.local.          5       IN      RRSIG   SOA 13 2 3600 20220423173225 20220415143225 56765 cluster.local. 9aFGIXRUOSbts+Is4tguR0Tu3YqsFOtGFH7GkOV+8XoEII983N0Na9Oz zEmp+T95tA2m2SVO0URaG76AspnaVw==
cluster.local.          5       IN      RRSIG   NSEC 13 2 3600 20220423175620 20220415145620 56765 cluster.local. tNow/oDtCyxSBFxTe02UPAIVJS4x8qJ1LTf5xX7k1u6oZWumtiuM14ke /bxU34mfSjOeHZTyUF6lJeiLL1OnnQ==
cluster.local.          5       IN      NSEC    \000.cluster.local. NS SOA HINFO MX TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC DNSKEY TLSA HIP TYPE61 SPF

;; Query time: 2 msec
;; SERVER: 10.152.183.10#53(10.152.183.10)
;; WHEN: Fri Apr 15 17:56:20 UTC 2022
;; MSG SIZE  rcvd: 436

I had hoped the cluster.local entry would make this problem go away; I even added example.org, having noted that in the start.py script.

Loosely, I also tried entering the pod and changing the resolv.conf nameserver to 10.8.23.15 (the MS AD machine, on which I turned DNSSEC signing on) and got the same error with a different IP.

My DNS knowledge is not enough, but this does seem beyond difficult to resolve, with slim to no info out there, yet CoreDNS must be a very typical DNS setup in a forwarder role.

@jamesarbrown
Author

It would appear MS is the issue. I used the start.py in mailu-admin to create a test script I could then run in python3; starting at Google and working inwards, it became apparent MS DNS is failing to on-pass/DNSSEC any of the forwarded domains.

Starting to butcher a live AD server and restructure domains is out of the question.

Here is the testing script:

import dns.resolver
import dns.exception
import dns.flags
import dns.rdatatype
import dns.rdataclass

# Build a DNSSEC-aware stub: AD in the query asks the resolver to report whether it
# validated the answer (a validating resolver sets AD in the reply; RFC 6840 section 5.7).
resolver = dns.resolver.Resolver()
resolver.flags = dns.flags.AD | dns.flags.RD
resolver.use_edns(0, 0, 1232)
resolver.nameservers = ['10.152.183.10']  # CoreDNS; swap in 10.8.23.15 to test the MS AD DNS directly

try:
    result = resolver.resolve('example.com', dns.rdatatype.A, dns.rdataclass.IN, lifetime=10)
except dns.exception.DNSException as e:
    print("Resolver is not answering:", e)
else:
    print(result.response)
    # This AD check is the one mailu-admin performs at startup.
    if result.response.flags & dns.flags.AD:
        print("This is ok")
    else:
        print("Resolver is not doing DNSSEC validation")

I am looking now to create a mailu.local domain on the cluster so I can point it to a specific DNS server.

Ideally I would like to have run with DNSSEC off, which I think is the centre of this. It's possible in Docker, but not in K8S.

jamesarbrown changed the title from "Can not get mailu-admin up due to unable to get to bottom of DNS settings" to "Unable to Switch DNSSEC OFF in Kubernetes, but possible in Docker" on Apr 17, 2022
@g0dsCookie
Contributor

Mailu is complaining here that your resolver (CoreDNS) is not validating DNSSEC and is instead relying on the application to do the verification. You don't need to sign cluster.local.

DNSSEC validation in CoreDNS is currently broken, which is why mailu-admin (and Postfix) is complaining.

Currently the Mailu version in this chart is set to 1.9.10. You can bump this version to 1.9.20 to at least fix the complaining and get your Mailu running.

Also see this comment in another issue: #144 (comment)
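The AD-bit probe that the test script above and Mailu's start.py rely on, written against the raw DNS wire format with only the standard library, so it also shows why the signed cluster.local answer earlier in the thread still fails the check: that dig output carries RRSIGs but no ad flag, and only a validating resolver sets AD. This is an added example, not code from the issue, Mailu or CoreDNS; build_query, classify_response, make_response, probe and the sample replies are constructed here.

```python
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_RD, FLAG_AD, EDNS_DO = 0x0100, 0x0020, 0x8000

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qid=0x1234):
    # Header: RD|AD asks the resolver to report validation status; one question plus one OPT record.
    header = struct.pack("!HHHHHH", qid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    # OPT pseudo-RR: root name, type 41, UDP payload 1232, ext-rcode 0, version 0, DO flag, no rdata.
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 1232, 0, 0, EDNS_DO, 0)
    return header + question + opt

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:  # walk labels until the root label or a compression pointer
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def classify_response(msg):
    # AD set: resolver validated. RRSIGs but no AD: signed data passed through (CoreDNS dnssec plugin). Neither: no DNSSEC.
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, rrsigs = 12, 0
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        rrsigs += rtype == TYPE_RRSIG
    if flags & FLAG_AD:
        return "validating"
    return "signed-only" if rrsigs else "no-dnssec"

def make_response(flags, records, name="cluster.local"):
    # Constructed sample reply (not captured traffic): one question, records in the answer section.
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(records), 0, 0) + encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    for rtype, rdata in records:
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, 5, len(rdata)) + rdata
    return msg

def probe(nameserver, name="example.org", timeout=5):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:  # live UDP probe, not run by the offline test
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (nameserver, 53))
        return classify_response(sock.recv(4096))
```

Running probe("10.152.183.10") against a setup like the one in this issue is expected to return "signed-only" or "no-dnssec"; Mailu only accepts "validating".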

@jamesarbrown
Author

jamesarbrown commented Apr 22, 2022

Thanks for that. Will upgrade.

To note, I did finally get it up and running by using
forward . 10.8.23.15
in CoreDNS and then "fixing" the Windows Server:

https://serverfault.com/questions/862378/dnssec-broken-in-windows-2016s-dns-server

Still, it would be good to be able to have a Helm chart value:

dnssec:
  enabled: false  #Do not use in Production Environments

Sometimes the underlying DNS systems are too difficult to get at and repair.
