[dns-operations] DNSSEC failures resolving the Sophos domain sophosxl.net
Robert Edmonds
edmonds at mycre.ws
Fri Jan 20 06:12:13 UTC 2017
Craig Leres wrote:
> 2 Jan 19 14:09:18 131.243.???.??? named[1316]: client
> 198.128.208.???#61079 (3.1o18sr00n57o62ppp3744opqr8qn9813764r5o86osn295ss2r4pr1632rq4903.064p8r741p334393648s241824r58s9s84o22o6q9p20rro629o0rnro4q9r5q6.s3184q863ro1qp7928208809r78q0627o49q7rpnor36s013.931np766rn5645s1.i.00.s.sophosxl.net):
> rpz NSIP rewrite 3.1o18sr00n57o62ppp3744opqr8qn9813764r5o86osn295ss2r4pr1632rq4903.064p8r741p334393648s241824r58s9s84o22o6q9p20rro629o0rnro4q9r5q6.s3184q863ro1qp7928208809r78q0627o49q7rpnor36s013.931np766rn5645s1.i.00.s.sophosxl.net
> via 931np766rn5645s1.i.00.s.sophosxl.net unrecognized NS rpz_rrset_find()
> failed: SERVFAIL
>
> While we do make extensive use of rpz we do not use the NSIP feature nor do
> we even build bind with RPZ_NSIP support.
Hi, Craig:
If you grep for ENABLE_RPZ_NSIP in the BIND source, there's exactly one
#ifdef of it, and it appears to be in the RPZ loading code. So I think
the only thing --disable-rpz-nsip does is prevent NSIP RPZ rules from
being loaded.
The code that actually performs RPZ rewriting doesn't have such an
#ifdef, and the "unrecognized NS" log message is only generated here:
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=blob;f=bin/named/query.c;h=52d13b6c61436f1357cf4ce15722e326953c54a4;hb=2b12043ba0debf1aba08ddd0914aff287e46978a#l5360
But, it looks like that code is trying to perform RPZ NSDNAME filtering
(not RPZ NSIP).
> Here's a dnsviz.net report that shows a number of DNSSEC issues:
>
> http://dnsviz.net/d/i.00.s.sophosxl.net/dnssec/
There's an insecure delegation from the TLD for sophosxl[dot]net, and
the Sophos zones aren't signed (and don't appear to have ever been
signed). So by definition it can't be a DNSSEC issue :-)
The issues listed on that page:
i.00.s.sophosxl.net zone: The server(s) were not responsive to
queries over TCP.
i.00.s.sophosxl.net/AAAA: The response had an invalid RCODE
(REFUSED).
i.00.s.sophosxl.net/DNSKEY: The response had an invalid RCODE
(REFUSED).
i.00.s.sophosxl.net/NS: A query for i.00.s.sophosxl.net results in a
NOERROR response, while a query for its ancestor, s.sophosxl.net,
returns a name error (NXDOMAIN), which indicates that subdomains of
s.sophosxl.net, including i.00.s.sophosxl.net, don't exist.
i.00.s.sophosxl.net/SOA: A query for i.00.s.sophosxl.net results in
a NOERROR response, while a query for its ancestor, s.sophosxl.net,
returns a name error (NXDOMAIN), which indicates that subdomains of
s.sophosxl.net, including i.00.s.sophosxl.net, don't exist.
i.00.s.sophosxl.net/SOA: No response was received from the server
over TCP (tried 3 times).
So, those nameservers are pretty broken, but probably not broken enough
to break an old school DNS resolver :-\
FWIW, Unbound 1.6.0 with a stock configuration (and with DNSSEC
validation enabled) can resolve that name successfully (returning
NODATA), but if you enable qname minimisation it looks like the first
few resolution attempts will SERVFAIL before it starts resolving.
> So far attempts to interest Sophos tech support in this issue have failed.
> It would be appreciated if someone could put us in touch with a clueful
> contact at Sophos.
Good luck!
--
Robert Edmonds
More information about the dns-operations
mailing list