nanog mailing list archives

Re: Is the FBI's DNSSEC broken?


From: Mark Andrews <marka () isc org>
Date: Sat, 31 Aug 2013 09:02:49 +1000


In message <20130830223510.GA10878 () esri com>, Ray Van Dolson writes:
On Fri, Aug 30, 2013 at 10:27:36PM +0000, John Levine wrote:
I don't claim to be a big DNSSEC expert, but this looks just plain
wrong to me, and unbound agrees, turning it into a SERVFAIL.

Here's a lookup that succeeds, an A record for mail.ic.fbi.gov:

$ dig @ns1.fbi.gov mail.ic.fbi.gov a +dnssec

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7222
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65235
;; QUESTION SECTION:
;mail.ic.fbi.gov.           IN      A

;; ANSWER SECTION:
mail.ic.fbi.gov.    600     IN      A       153.31.119.142
mail.ic.fbi.gov.    600     IN      RRSIG   A 7 4 600 20131124123847 20130826123847 32497 fbi.gov. dYs+1bPdO+8y3T5ij8qSn0BvTDv7X51wi++HV681rKzlK5SLKrZiGryV ow67iO30CWwztI3d5oCF7/6bEn3NetWq9IajeM19aorIdJMA6tAp1BQI EZMTcCsnInSIn2IRb3V2MXXOBx6r6wMt7ptNfp/Tro89h2K7q+Pgp0O2 WdU=

;; AUTHORITY SECTION:
fbi.gov.            600     IN      NS      ns3.fbi.gov.
fbi.gov.            600     IN      NS      ns5.fbi.gov.
fbi.gov.            600     IN      NS      ns4.fbi.gov.
fbi.gov.            600     IN      NS      ns2.fbi.gov.
fbi.gov.            600     IN      NS      ns1.fbi.gov.
fbi.gov.            600     IN      NS      ns6.fbi.gov.
fbi.gov.            600     IN      RRSIG   NS 7 2 600 20131124123847 20130826123847 32497 fbi.gov. l/AcT+Pmr/5yosWyvP3zbFIJE7f07F+AA8eh1X3qv8ulw9FbC0DhZfSo 1f5ctD6DIb613ButzKG01PdMzIknMroraOyGyRcAq27qYXzKRE0cTqhv UWz15jLa7N7YKYccR8Hmt6GY1DJitY41EwQP7Z2Fpac9yPTRnybc4mTS 4eY=

Here's a query for the same name, but for AAAA which it doesn't have:

$ dig @ns1.fbi.gov mail.ic.fbi.gov aaaa +dnssec

; <<>> DiG 9.8.3-P4 <<>> @ns1.fbi.gov mail.ic.fbi.gov aaaa +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41056
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65235
;; QUESTION SECTION:
;mail.ic.fbi.gov.           IN      AAAA

;; AUTHORITY SECTION:
fbi.gov.            600     IN      SOA     ns1.fbi.gov. dns-admin.fbi.gov. 2013082601 7200 3600 2592000 43200
95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov. 43200     IN NSEC3 1 0 10 BBAB 97S2G907NEFOJ79P721E4FEQ9LR3IT1S A RRSIG
fbi.gov.            600     IN      RRSIG   SOA 7 2 600 20131124123847 20130826123847 32497 fbi.gov. QgsdhUT7AHic8tJv39br+994eoyJ4c8/SuQr35dRudceE/bYyZV26IPI 4qnR8Cy35WoepW12bhhhY0Ug26Qy81KWcWHYPw0Wa7g5Ig8Pw27l8gCV J7NDY6O5jTb4MMc9THTPKEvXjeX/YE4060HrbJXo1U93qhdILkGTvno7 3hA=

Shouldn't there be some more stuff there in the authority section,
like an NSEC3 and RRSIG for mail.ic.fbi.gov?

The NSEC3 is there and it is correct.  What is missing is the
signature for the NSEC3.

% nsec3hash BBAB 1 10 mail.ic.fbi.gov
95RIPFTKTJC9I7J8HDAIA7CM6L279FSR (salt=BBAB, hash=1, iterations=10)
% 

Mark

Am I missing something, or is it broken?  The server says it's from
Ultradns.

R's,
John

Hi John;

I don't think you're alone on this!  Ref this thread (an issue we ran
into with accepting mail from ic.fbi.gov due to DNSSEC validation
failure) from July[1].

Have done my best to get someone's attention to fix the issue, but so
far no joy.

Ray

[1] https://lists.isc.org/pipermail/bind-users/2013-July/091140.html

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
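As an added illustration (not from the thread and not BIND's own code), here is a Python reproduction of the NSEC3 hash Mark computed with nsec3hash, plus a check of the NODATA proof in the AAAA reply above: the name's hash must match the NSEC3 owner, AAAA must be absent from its type bitmap, and an RRSIG covering the NSEC3 must be present. The AUTHORITY lines are constructed from the quoted dig output, with the RRSIG signature field replaced by a placeholder since it is never parsed.

```python
import base64
import hashlib

# Standard base32 -> base32hex (RFC 4648 "Extended Hex"), the alphabet used for NSEC3 owner names.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name):
    """Canonical (lowercase) DNS wire form of a name: length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 NSEC3 hash: SHA-1(wire name || salt), re-hashed `iterations` more times,
    base32hex-encoded without padding. Hash algorithm 1 (SHA-1) is the only one defined."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").translate(_B32_TO_B32HEX)


def check_nodata_proof(qname, qtype, authority):
    """Inspect the AUTHORITY section (presentation-format lines) of a NODATA reply.
    Returns (hash_matches, qtype_absent, nsec3_signed); a validator needs all three."""
    hash_matches = qtype_absent = nsec3_signed = False
    for line in authority:
        fields = line.split()           # owner ttl class type rdata...
        if fields[3] == "RRSIG" and fields[4] == "NSEC3":
            nsec3_signed = True         # an RRSIG whose "type covered" field is NSEC3
        elif fields[3] == "NSEC3":
            owner_hash = fields[0].split(".", 1)[0]
            iterations, salt, types = int(fields[6]), fields[7], fields[9:]
            if nsec3_hash(qname, salt, iterations) == owner_hash.upper():
                hash_matches = True     # exact match: the name exists in the zone
                qtype_absent = qtype.upper() not in types   # ...but lacks this type
    return hash_matches, qtype_absent, nsec3_signed


# Constructed from the AAAA reply's AUTHORITY section quoted above; signature bytes omitted.
AUTHORITY = [
    "fbi.gov. 600 IN SOA ns1.fbi.gov. dns-admin.fbi.gov. 2013082601 7200 3600 2592000 43200",
    "95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov. 43200 IN NSEC3 1 0 10 BBAB "
    "97S2G907NEFOJ79P721E4FEQ9LR3IT1S A RRSIG",
    "fbi.gov. 600 IN RRSIG SOA 7 2 600 20131124123847 20130826123847 32497 fbi.gov. SIG-OMITTED",
]

if __name__ == "__main__":
    print(nsec3_hash("mail.ic.fbi.gov", "BBAB", 10))        # 95RIPFTKTJC9I7J8HDAIA7CM6L279FSR
    print(check_nodata_proof("mail.ic.fbi.gov", "AAAA", AUTHORITY))  # (True, True, False)
```

The third value being False is exactly the defect discussed in the thread: the NSEC3 proves the NODATA, but with no RRSIG over it a validating resolver cannot trust the proof and returns SERVFAIL.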
