Unexpected BOGUS DNSKEY

[arabesc]

How does dnscrypt-proxy know what server supports DNSSEC?

I have an require_dnssec = true option in my config and expect that all servers in use will support it.

But there was an issue with DNSSEC for miniupnp.tuxfamily.org.
Dnsmasq said its DNSKEY is BOGUS for one resolve. Here is a query log:

dnsmasq[2495]: query[A] miniupnp.tuxfamily.org from 127.0.0.1
dnsmasq[2495]: forwarded miniupnp.tuxfamily.org to 127.0.0.1
dnsmasq[2495]: dnssec-query[DS] tuxfamily.org to 127.0.0.1
dnsmasq[2495]: dnssec-query[DNSKEY] org to 127.0.0.1
dnsmasq[2495]: reply org is BOGUS DNSKEY

and a corresponding dnscrypt-proxy log:

127.0.0.1       miniupnp.tuxfamily.org  A       PASS    86ms    sth-dnscrypt-se
127.0.0.1       tuxfamily.org   DS      PASS    64ms    sth-dnscrypt-se
127.0.0.1       org     DNSKEY  PASS    43ms    hdns
127.0.0.1       miniupnp.tuxfamily.org  A       PASS    52ms    hdn
127.0.0.1       tuxfamily.org   DS      PASS    191ms   hdns

I see the DS records were queried from two different server - sth-dnscrypt-se and hdns.
I've tried to query the DS record myself and got the following results:

query DS for the name: tuxfamily.org

sth-dnscrypt-se

;; AUTHORITY SECTION:
1i870vj5h429vj9pci7ar6e9gki74tr7.org.   86373   IN      NSEC3   1 1 10 332539ee7f95c32a  1i87r64gaju4o91mhkbu7i9ekbs7k8ut NS SOA RRSIG DNSKEY NSEC3PARAM
1i870vj5h429vj9pci7ar6e9gki74tr7.org.   86373   IN      RRSIG   NSEC3 8 2 86400 20211005105418 20210914095418 39681 org. Sk8tp1bbGRxqMNxfC+GCZrb3ePHzmG/+FQe4DAgCMBt816ZWB/71yO2IlltisT0+BFqDGDpcXJTVsSRAY5UucXcEvi7J6RCdC8DaIdGTO06EyQdvPhQ+A9yIWPTJCLSHtZEm5R+vdYT6GXE6IkAECk57duPlSmkry9t1y7hjSHY=
org.    873     IN      SOA     a0.org.afilias-nst.info. noc.afilias-nst.info. 2014515030 1800 900 604800 86400
org.    873     IN      RRSIG   SOA 8 1 900 20211005105418 20210914095418 39681 org. mvcCIkTR8D4S1mkIRQtCkMnZRf3D2FrhldZkyqRTcadWXwijEP2/vpZEKf4XXOsEgrE8vpC13lmH+W8Lx/8DMsggKsLIupnA9cQuu/AWCPTs0K7+9ejqcWp/pfaox1M5M78OgWhCjx1YtzSy4A5UThch3ZaesrjDowI7B+yj5BY=
g3bla21r12m9fur8f44jtnn6d2jlg525.org.   68151   IN      NSEC3   1 1 10 332539ee7f95c32a  g3bnk3pakp4r4150jkdf2ui4ului2qnb NS DS RRSIG
g3bla21r12m9fur8f44jtnn6d2jlg525.org.   68151   IN      RRSIG   NSEC3 8 2 86400 20210930152759 20210909142759 39681 org. Wlb3ZkNM7WcJ4HncpS0mjHLPSbyj2oH/oTdhCqii86yN/RZbsu+ItwMMYtCIJHPvX6lKbKmWtsVDkYXP9NNhCfkq945Tm8Jh12MldbFKZxFgnc4waP/Gv47346eRt9MRq7e6PIHlkB/BhelmanNxT+Ec/SnWYRYMxv+mCanm3t4=

hdns

;; AUTHORITY SECTION:
org.    900     IN      SOA     a0.org.afilias-nst.info. noc.afilias-nst.info. 2014515033 1800 900 604800 86400

query DS for the name: org

sth-dnscrypt-se

;; ANSWER SECTION:
org.    41492   IN      DS      26974 8 2 4fede294c53f438a158c41d39489cd78a86beb0d8a0aeaff14745c0d16e1de32
org.    41492   IN      RRSIG   DS 8 1 86400 20210926170000 20210913160000 26838 . gBK+nnjiLb379xJ3pPWLI7MAvQpufwYVsOe/qFN++c7tLJKSssgF0muvY8IMv5Hy8NTqJta2WApBO9yS03l+t8qOQYBAtc0oj3fE3yCyfxzShj4cEGf4ss5SR3cht7OLm2YrWZfS/26I/KQaiE/gpFrI7Klm729CgDVFSGIDXmRxucdCpPEv5/yb6no49Fl8bFPgODWovzWE7dExRAEKgeTHoDn8WSH47FEH4gASofCQJISubiDkB+igCU/hxHCXT+F85fCNGGwtdi8XMTgGRbojNeteqJ4mAZGgAF3Zqdbgsgn2jFmvz5Z50bgeG0IIiqozxNzaOjJnQjCotnP7Tw==

hdns

;; ANSWER SECTION:
org.    65577   IN      DS      26974 8 2 4fede294c53f438a158c41d39489cd78a86beb0d8a0aeaff14745c0d16e1de32

It seems hdns doesn't support DNSKEY or has some issues.

[jedisct1]

Thanks! The DNSSEC flag was removed from the hdns entry.

[jedisct1]

This is unusual; that resolver returns the DNSSEC flag for . (which is why dnscrypt-proxy -resolve indicates that the resolver supports DNSSEC), but not for other zones.

[arabesc]

Maybe it's possible to implement some heuristic to reject servers that return weird DNSSEC results?