Bug 1279371 - After Hotspot-sign-on still not able to access web page
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: dnssec-trigger
Version: 7.2
Target Milestone: rc
Assigned To: Tomáš Hozza
QA Contact: qe-baseos-daemons
Reported: 2015-11-09 05:12 EST by Radka Skvarilova
Modified: 2015-11-10 08:11 EST
Doc Type: Bug Fix
Last Closed: 2015-11-10 08:11:52 EST
Type: Bug

Description Radka Skvarilova 2015-11-09 05:12:56 EST
Description of problem:
After enabling dnssec-trigger and unbound and rebooting, the browser shouldn't be able to access http://www.rhybar.cz/, which is OK. But if I click "Hotspot sign-on" in the dnssec-trigger applet, it should disable the DNSSEC protection and the browser should be able to access the page, but it still doesn't. It only works if I stop dnssec-triggerd.service.


Version-Release number of selected component (if applicable):
unbound-1.4.20-26.el7.x86_64
dnssec-trigger-0.11-21.el7.x86_64


Steps to Reproduce:
1. systemctl enable dnssec-triggerd.service
2. systemctl enable unbound.service
3. reboot
4. Open: http://rhybar.cz
5. Right-click on the dnssec-trigger applet in the notification area and select "Hotspot signon". Then try http://rhybar.cz again.


Actual results:
3. http://rhybar.cz is not found/loaded.
5. http://rhybar.cz is not found/loaded.

Expected results:
3. http://rhybar.cz is not found/loaded.
5. http://rhybar.cz IS found/loaded.


Additional info:
Comment 2 Tomáš Hozza 2015-11-09 07:45:28 EST
Please note that the browser has its own cache. If you close and reopen the browser, does this fix the issue for you?

Also please try to use 'dig' to determine if the address is resolvable or not, rather than browser.
Comment 3 Radka Skvarilova 2015-11-09 08:55:00 EST
If I reopen it after Hotspot sign-on, it doesn't help; I need to stop the dnssec-triggerd service to be able to open the page properly.

Using dig, the page is resolvable:

$ dig +dnssec  http://www.rhybar.cz/

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> +dnssec http://www.rhybar.cz/
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5534
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;http://www.rhybar.cz/.		IN	A

;; AUTHORITY SECTION:
.			5558	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2015110900 1800 900 604800 86400
.			5558	IN	RRSIG	SOA 8 0 86400 20151119050000 20151109040000 62530 . FA7cnDcencrEV9+5fZt/Dll7nmOmVodrBL3sc3P+759AMpReVsrGWnki xRhoqT6j/g7zTIwU5pZiVuUnUSGk0lbMPqwh/vF6gDOznVA5MNeG+Yr/ ftcyoY+W1WIzM5R2lCrrxTmp4n+rpDIsyXmV2zJNxTkolzYqHYwgW+1a PPw=
.			8849	IN	NSEC	aaa. NS SOA RRSIG NSEC DNSKEY
.			8849	IN	RRSIG	NSEC 8 0 86400 20151119050000 20151109040000 62530 . D4KspedN1aIlLuyhHZIGNKLoFaZgqeKrPnx0KmKC3h2fJ/+C/lG9hMVT Qv0jqxwjsxv0ABMZpOmjV6yNuyghyYuewlr9if9AnVdN3NNtS6kyNqkb nVKi1BKVsdFFRWx3nZDqacaKIqKaGYwyllIwKVEc+EAF2IynssyCCaiS 7uA=
cz.			8849	IN	NSEC	dabur. NS DS RRSIG NSEC
cz.			8849	IN	RRSIG	NSEC 8 1 86400 20151119050000 20151109040000 62530 . No4ry7JvMGHSS0O2f+4nKNTcnfJz+rLxZUthp6WMQ3riLlYHCSRzdjv6 WpBHFJ+uhCbzJQJY49Ir5adzVQQAeYwGI91qlkVfFar154IiviqOxzpk d82VylrBLXwh/bQan2vGsQFFhQzfchjsjyeqF07rf9dheRbtCZ8HWkx+ 94I=

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 09 14:52:07 CET 2015
;; MSG SIZE  rcvd: 654
Comment 4 Tomáš Hozza 2015-11-10 02:49:05 EST
(In reply to Radka Skvarilova from comment #3)
> If I reopen it after Hotspot sign-on, it don't help, I need to stop service
> dnssec-triggered to be able to open the page properly.
> 
> By using dig is the page resolvable
> 
> $ dig +dnssec  http://www.rhybar.cz/

Please use dig only for the domain name, IOW 'dig +dnssec www.rhybar.cz'
Comment 5 Radka Skvarilova 2015-11-10 05:11:09 EST
with dnssec-trigger allowed 

$ dig +dnssec www.rhybar.cz

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> +dnssec www.rhybar.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27926
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.rhybar.cz.			IN	A

;; Query time: 416 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Nov 10 10:47:12 CET 2015
;; MSG SIZE  rcvd: 42

with dnssec-trigger Hotspot sign-on
$ dig +dnssec www.rhybar.cz

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> +dnssec www.rhybar.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25443
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.rhybar.cz.			IN	A

;; Query time: 159 msec
;; SERVER: 10.11.5.19#53(10.11.5.19)
;; WHEN: Tue Nov 10 10:47:32 CET 2015
;; MSG SIZE  rcvd: 42
Comment 6 Tomáš Hozza 2015-11-10 08:11:52 EST
(In reply to Radka Skvarilova from comment #5)
> with dnssec-trigger allowed 
> 
> $ dig +dnssec www.rhybar.cz
> 
> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> +dnssec www.rhybar.cz
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27926
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.rhybar.cz.			IN	A
> 
> ;; Query time: 416 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Nov 10 10:47:12 CET 2015
> ;; MSG SIZE  rcvd: 42

This shows that the localhost was queried - 127.0.0.1, where the Unbound server is running. The server returned SERVFAIL which is expected when DNSSEC validation fails. So far so good.

> with dnssec-trigger Hotspot sign-on
> $ dig +dnssec www.rhybar.cz
> 
> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> +dnssec www.rhybar.cz
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25443
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.rhybar.cz.			IN	A
> 
> ;; Query time: 159 msec
> ;; SERVER: 10.11.5.19#53(10.11.5.19)
> ;; WHEN: Tue Nov 10 10:47:32 CET 2015
> ;; MSG SIZE  rcvd: 42

Here you can see that the localhost was not queried, but some other server (10.11.5.19). This is supposed to be the DNS resolver obtained via DHCP, which it is I presume. This means that dnssec-trigger did what it is supposed to do - replaced the localhost address in /etc/resolv.conf with the IP address of the resolver received in the DHCP reply.

The unfortunate thing here is that the DHCP-provided resolver seems to do the validation too, thus it returns SERVFAIL.

The hotspot signon mode technically does not guarantee that you will be able to resolve domain names with bogus signatures, but only that the DHCP-provided DNS resolvers will be placed into resolv.conf for the time needed to sign into the hotspot. Previously the tests made assumptions about the infrastructure and therefore the test case would work.

The more correct approach would be to check if after switching to the signon mode, the /etc/resolv.conf contains the IP addresses of DHCP-provided resolvers.

Closing as NOTABUG.

Feel free to reach out to me, I can help you with reworking the test or explain the behavior further.
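The reworked test case that comment 6 asks for, written out as an added example (this is not code from the bug report and not dnssec-trigger's own test suite). It checks what "Hotspot sign-on" actually guarantees: /etc/resolv.conf lists the DHCP-provided resolvers instead of 127.0.0.1, and a dig query is answered by one of them. The rcode that resolver returns is reported but not treated as a failure, since an upstream that validates (as 10.11.5.19 did here) legitimately answers SERVFAIL. The resolv.conf contents, the DHCP resolver list 10.11.5.19 and the dig fragments are constructed from the outputs quoted in comment 5; the "Generated by dnssec-trigger" header line is an assumption about how the file is written.

```shell
#!/bin/sh
# Added example, not code from the bug report or from dnssec-trigger.
# Encodes the check recommended in comment 6: after "Hotspot sign-on",
# /etc/resolv.conf must point at the DHCP-provided resolvers rather than the
# local validating Unbound on 127.0.0.1. Whether the name then resolves is up
# to that upstream resolver, so SERVFAIL from it is not a sign-on failure.
# All inputs are constructed so this runs offline; on a live system feed it
# "$(cat /etc/resolv.conf)" and "$(dig +dnssec www.rhybar.cz)" instead.

# Print the nameserver IPs found in resolv.conf-style text given as $1.
resolv_nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# Succeed when the resolv.conf text ($1) lists every resolver in the
# space-separated DHCP list ($2) and no longer lists 127.0.0.1.
uses_dhcp_resolvers() {
    listed=$(resolv_nameservers "$1")
    for ns in $2; do
        printf '%s\n' "$listed" | grep -qx "$ns" || return 1
    done
    if printf '%s\n' "$listed" | grep -qx '127.0.0.1'; then
        return 1
    fi
    return 0
}

# Pull the rcode (NOERROR, SERVFAIL, NXDOMAIN, ...) out of dig output ($1).
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Pull the IP of the server that answered out of dig output ($1).
dig_server() {
    printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p' | head -n 1
}

# The reworked test case: pass only if resolv.conf ($1) switched to the DHCP
# resolvers ($2) and the dig output ($3) shows one of them answered,
# whatever rcode that resolver returned.
signon_check() {
    resolvconf=$1; dhcp=$2; digout=$3
    uses_dhcp_resolvers "$resolvconf" "$dhcp" || {
        echo "FAIL: resolv.conf does not list the DHCP resolvers ($dhcp)"
        return 1
    }
    server=$(dig_server "$digout")
    printf '%s\n' "$dhcp" | tr ' ' '\n' | grep -qx "$server" || {
        echo "FAIL: dig was answered by $server, not by a DHCP resolver"
        return 1
    }
    echo "OK: sign-on mode active, $server answered with $(dig_status "$digout")"
    return 0
}

# Constructed inputs modelled on the two dig runs quoted in comment 5.
# The "Generated by" header line is an assumption about the file's format.
RESOLV_VALIDATING='nameserver 127.0.0.1'
RESOLV_SIGNON='# Generated by dnssec-trigger
nameserver 10.11.5.19'
DHCP_RESOLVERS='10.11.5.19'
DIG_LOCAL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27926
;; SERVER: 127.0.0.1#53(127.0.0.1)'
DIG_DHCP=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25443
;; SERVER: 10.11.5.19#53(10.11.5.19)'

# Before sign-on the check fails (still pointed at local Unbound);
# after sign-on it passes even though the upstream also answered SERVFAIL.
signon_check "$RESOLV_VALIDATING" "$DHCP_RESOLVERS" "$DIG_LOCAL" || true
signon_check "$RESOLV_SIGNON" "$DHCP_RESOLVERS" "$DIG_DHCP"
```

The DHCP resolver list is an input to the check rather than something it discovers: take it from wherever the test harness already records the lease (for example the DHCP options NetworkManager logged), so the test keeps working on networks whose resolver does or does not validate.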
