[dns-operations] www.factorymoneystore.gov DNSSec Failures

Mark Andrews marka at isc.org
Mon Jul 28 00:02:36 UTC 2014


It doesn't help that the nameservers for treasury.gov and
www.moneyfactorystore.gov are broken.  They don't respond to EDNS
version 1 queries.

; <<>> DiG 9.11.0pre-alpha <<>> treasury.gov dnskey @166.123.208.249 +dnssec +edns=1
;; global options: +cmd
;; connection timed out; no servers could be reached

It would be nice if the dnssec verification tools:

* handles unknown EDNS version (returns BADVERS)
* handles unknown EDNS option (ignores it, I've seen servers
  incorrectly echo it back, return BADVERS, and drop the query)
* responds with > 512 bytes to an EDNS at 512 byte TCP query
  (this requires finding a response that will be > 512 bytes)
* add the OPT record to a truncated response
  (this requires finding a response that can be forced to truncate)

The first two impact upon future DNS development.  Much easier to
fix problems if you catch them early.  It is a real pain having to
try to figure out why you are not getting a response when there are
lots of different things to eliminate as the cause.

The last two impact validators running behind firewalls that limit
responses to 512 bytes.

Mark

In message <CAEKtLiTX25at8FeZ8W_TBAHrseGJG+pOBTR5B7ivh5QQHAZ1Aw at mail.gmail.com>, Casey Deccio writes:
> 
> On Sat, Jul 26, 2014 at 2:30 PM, Ryan Rawdon <ryan at u13.net> wrote:
> 
> > http://dnssec-debugger.verisignlabs.com/www.moneyfactorystore.gov
> >
> >         RRSIG=51869 and DNSKEY=51869 does not verify the A RRset (RSA
> > Verification failed)
> >         RRSIG=54410 and DNSKEY=54410 does not verify the A RRset (RSA
> > Verification failed)
> >         None of the 2 RRSIG and 4 DNSKEY records validate the A RRset
> >         The A RRset was not signed by any keys in the chain-of-trust
> >
> > Validation for moneyfactorystore.gov succeeds, however
> > www.moneyfactorystore.gov fails.  Came across this when a user pointed
> > out that it was not resolving.
> >
> >
> Hmm, DNSViz doesn't see any problems [1], and the DNS-OARC resolvers give
> an authenticated response [2].  I'm not sure about the reported RSA
> verification failures, but it could be that your resolver is (incorrectly)
> expecting a closest encloser NSEC3 record, which isn't necessary for
> wildcard responses, but which some older versions of BIND required [3].
> What resolver are you running?
> 
> Cheers,
> Casey
> 
> [1] http://dnsviz.net/d/www.moneyfactorystore.gov/U9P4fQ/dnssec/
> [2] https://www.dns-oarc.net/oarc/services/odvr
> [3] See the following thread:
> http://dnssec-deployment.org/pipermail/dnssec-deployment/2011-October/005486.html
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
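The EDNS checks Mark lists above (an unknown EDNS version answered with BADVERS, an unknown EDNS option ignored rather than echoed back or rejected) can be exercised offline with the small parser below. It is an added example, not code from this thread, from ISC or from dig: it builds the OPT RR by hand, and the server replies it feeds to the classifiers are constructed bytes, so nothing is sent on the wire. The option code 65001 is an assumption (a value from the local/experimental range that no server should recognise), as are the function names.

```python
"""EDNS compliance probe parser, in the spirit of the checks listed above.
Added example, not code from Mark Andrews, ISC or dig; the "server" replies
below are constructed bytes so the script runs offline."""
import struct

OPT_TYPE = 41               # OPT pseudo-RR type (RFC 6891)
RCODE_BADVERS = 16          # extended RCODE 16 = BADVERS
PROBE_OPTION_CODE = 65001   # assumption: local/experimental range, unknown to servers


def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def build_edns_query(qname, qtype=48, edns_version=0, udp_size=4096, options=b"", msg_id=0x1234):
    """Query with one question (default DNSKEY, type 48) and one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)   # RD=1, 1 question, 1 additional
    question = _encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    opt_ttl = edns_version << 16                                   # ext-rcode 0, DO bit clear
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, opt_ttl, len(options)) + options
    return header + question + opt


def _skip_name(wire, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = wire[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(wire):
    """Extract header RCODE, TC bit and the OPT RR (version, extended RCODE, option codes)."""
    msg_id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", wire, 0)
    info = {"id": msg_id, "rcode": flags & 0x0F, "tc": bool(flags & 0x0200),
            "edns": False, "edns_version": None, "udp_size": None, "options": []}
    off = 12
    for _ in range(qd):
        off = _skip_name(wire, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(wire, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", wire, off)
        off += 10
        rdata = wire[off:off + rdlen]
        off += rdlen
        if rtype == OPT_TYPE:
            info["edns"] = True
            info["udp_size"] = rclass
            info["edns_version"] = (ttl >> 16) & 0xFF
            info["rcode"] = ((ttl >> 24) << 4) | (flags & 0x0F)   # 12-bit extended RCODE
            o = 0
            while o + 4 <= len(rdata):              # walk OPTION-CODE / OPTION-LENGTH pairs
                code, olen = struct.unpack_from("!HH", rdata, o)
                info["options"].append(code)
                o += 4 + olen
    return info


def classify_version_probe(reply):
    """Reply to an EDNS version 1 query: a compliant server answers BADVERS with version 0."""
    r = parse_response(reply)
    if not r["edns"]:
        return "no-opt"             # OPT dropped entirely
    if r["rcode"] == RCODE_BADVERS and r["edns_version"] == 0:
        return "BADVERS"            # compliant
    return "version-ignored"


def classify_option_probe(reply, probe_code=PROBE_OPTION_CODE):
    """Reply to a query carrying an unknown option: a compliant server simply ignores it."""
    r = parse_response(reply)
    if not r["edns"]:
        return "no-opt"
    if probe_code in r["options"]:
        return "echoed"             # broken: unknown option reflected back
    if r["rcode"] == RCODE_BADVERS:
        return "BADVERS"            # broken: BADVERS is for unknown versions, not options
    return "ignored"                # compliant


def make_reply(query, rcode=0, ext_rcode=0, version=0, options=b"", include_opt=True):
    """Constructed server reply to `query` (no answer RRs), used only to exercise the classifiers."""
    msg_id = struct.unpack_from("!H", query, 0)[0]
    question = query[12:_skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", msg_id, 0x8100 | rcode, 1, 0, 0, 1 if include_opt else 0)
    opt = b""
    if include_opt:
        opt_ttl = (ext_rcode << 24) | (version << 16)
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, opt_ttl, len(options)) + options
    return header + question + opt


if __name__ == "__main__":
    q = build_edns_query("treasury.gov", edns_version=1)
    print("version probe:", classify_version_probe(make_reply(q, ext_rcode=1)))    # BADVERS
    unknown = struct.pack("!HH", PROBE_OPTION_CODE, 0)
    q = build_edns_query("treasury.gov", options=unknown)
    print("option probe:", classify_option_probe(make_reply(q, options=unknown)))  # echoed
```

To probe a real authoritative server, send the bytes from `build_edns_query` over UDP to port 53 and hand the reply to the matching classifier; a timeout, as in the dig run at the top of the message, is the worst outcome of all because there is no reply to classify. The two truncation-related checks in the list need a response large enough to exceed 512 bytes and are not covered here.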