TechnitiumSoftware/DnsServer

13.2 Issues - Attack detected! DNSSEC validation failed due to invalid signature [SignatureNotYetValid] for owner name: com/SOA

Closed this issue · 1 comments

Hey Guys,

I have two Technitium servers on x2 RPi running the latest Raspbian, and after the upgrade I am getting this on both now, with DNS-over-TLS using CF or Google.

Is anyone else having this? It was working fine on the older version.

[2024-11-21 06:00:59 Local] DNS Server failed to resolve the request 'www.gstatic.com. AAAA IN' using forwarders: cloudflare-dns.com (1.1.1.1), cloudflare-dns.com (1.0.0.1), cloudflare-dns.com ([2606:4700:4700::1111]), cloudflare-dns.com ([2606:4700:4700::1001]).

TechnitiumLibrary.Net.Dns.DnsClientResponseDnssecValidationException: Attack detected! DNSSEC validation failed due to invalid signature [SignatureNotYetValid] for owner name: com/SOA
   at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList`1 records, IReadOnlyList`1 dnsKeyRecords, IReadOnlyList`1 unsignedZones, DnssecValidateSignatureParameters parameters, Boolean isAuthoritySection, Boolean isAdditionalSection) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 3104
   at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList`1 dnsKeyRecords, IReadOnlyList`1 unsignedZones) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2944
   at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass77_0.<<GetDSForAsync>b__0>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 3381
--- End of stack trace from previous location ---

Thanks for the post. It seems that your RPi's system clock is running behind and needs to be updated. This is because the RPi does not have a real-time clock, so it needs to sync time using NTP each time it restarts.

If you have removed the default "ntp.org" forwarder zone, then that could be the issue preventing the RPi from syncing time, since the domain is signed and will fail DNSSEC validation if the system time is not set. You will need to add the "ntp.org" forwarder zone, which forwards to This Server with DNSSEC Validation disabled, to make it work again.
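As an added illustration of the failure discussed above (example code, not Technitium's own), this checks an RRSIG's validity window against the validator's clock the way RFC 4035 prescribes, using the RFC 1982 serial arithmetic that RFC 4034 requires for the 32-bit timestamps. The RRSIG fields are constructed sample values, not the real com/SOA record; a clock that is behind the inception time yields exactly the SignatureNotYetValid outcome, and the helper reports how far behind it is.

```python
from datetime import datetime, timezone

# Constructed sample RRSIG fields (presentation format, UTC); the real com/SOA
# signature timestamps are not on the page, so these are illustrative only.
SAMPLE_RRSIG = {
    "owner": "com.",
    "type_covered": "SOA",
    "expiration": "20241127000000",
    "inception": "20241120000000",
}

SERIAL_HALF = 1 << 31  # RFC 1982 serial arithmetic on 32-bit timestamps


def parse_rrsig_time(text):
    """Convert RRSIG YYYYMMDDHHmmSS (UTC) into a 32-bit unix-time serial."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) & 0xFFFFFFFF


def serial_lt(a, b):
    """True if serial a is before serial b (RFC 1982, as RFC 4034 3.1.5 requires)."""
    return (a < b and b - a < SERIAL_HALF) or (a > b and a - b > SERIAL_HALF)


def check_rrsig_window(rrsig, now_text):
    """Return 'valid', 'SignatureNotYetValid' or 'SignatureExpired' (RFC 4035 5.3.1)."""
    now = parse_rrsig_time(now_text)
    inception = parse_rrsig_time(rrsig["inception"])
    expiration = parse_rrsig_time(rrsig["expiration"])
    if serial_lt(now, inception):
        return "SignatureNotYetValid"  # local clock is behind the signer's inception time
    if serial_lt(expiration, now):
        return "SignatureExpired"      # local clock is past the expiration time
    return "valid"


def seconds_clock_is_behind(rrsig, now_text):
    """If the signature is not yet valid, the minimum number of seconds the clock lags."""
    now = parse_rrsig_time(now_text)
    inception = parse_rrsig_time(rrsig["inception"])
    if not serial_lt(now, inception):
        return 0
    return (inception - now) & 0xFFFFFFFF


if __name__ == "__main__":
    # Clock from the issue's log line, an RPi clock that never synced, and a clock too far ahead.
    for clock in ("20241121060059", "20241101000000", "20241201000000"):
        print(clock, check_rrsig_window(SAMPLE_RRSIG, clock),
              seconds_clock_is_behind(SAMPLE_RRSIG, clock))
```

A resolver that reports SignatureNotYetValid for every signed zone at once is far more likely to have a skewed clock than to be under attack, so comparing the local clock against inception before suspecting spoofing is the practical first check.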