[dns-operations] Bad SOA signature at bestregistrar.com breaks DoE
Viktor Dukhovni
ietf-dane at dukhovni.org
Fri Nov 3 17:17:16 UTC 2017
See:
http://dnsviz.net/d/_25._tcp.mail.bestregistrar.com/Wfyg3A/dnssec/
$ dig +noall +comment -t soa bestregistrar.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10879
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
More closely:
$ dig +cd +dnssec -t soa bestregistrar.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60336
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
bestregistrar.com. 34 IN SOA ns1.cas-com.net. dmarc.bestregistrar.com. 2017091901 10800 3600 2160000 3600
bestregistrar.com. 34 IN RRSIG SOA 5 2 86400 20181010190537 20170915190537 48408 bestregistrar.com. Eu/4sSK8/rnek7XpsMseGQb5kBInsioX2mtUmvR/NOphtRpgLwGN6LFH UDu3c220vYpSFXKXOb4hH4ZAMURyjg==
So the incorrect signature is 512 bits and intended to be good for
more than a year. Indeed both the KSK and ZSK are 512-bit keys.
So there's some room for improvement here:
$ dig +noall +ans +multi +rrcomment -t dnskey bestregistrar.com
bestregistrar.com. 3182 IN DNSKEY 257 3 5 (
AwEAAZX+87eX0YCWB9RMXCrqoNZhwBMD0mPy5gwCkOTb
tREEhnIVNk1xMfokB/Semli+QmqOcHlGVFA6+B6ziRPT
dv8=
) ; KSK; alg = RSASHA1 ; key id = 49453
bestregistrar.com. 3182 IN DNSKEY 256 3 5 (
AwEAAarTV+59ZIWEXiYbo5n7e0vV13jfqE+67T1eshVl
4LeKatPS1ssjDzUvo3YCmvsdPqadKk7/6dLBjHgnZyPh
cUc=
) ; ZSK; alg = RSASHA1 ; key id = 48408
--
Viktor.
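As an added illustration (not part of Viktor's post), the check below parses the DNSKEY and RRSIG records shown in the dig output above, re-joined onto one line each in presentation format, and reports what a validator-side audit would flag: RSA modulus size (RFC 3110 wire format), RFC 4034 key tag, signature length, and the RRSIG validity window. The 1024-bit minimum is an assumed policy threshold chosen for the example, not something the post states.

```python
import base64
import struct
from datetime import datetime, timezone

# Constructed input: the records from the dig output in the post, with the
# multi-line base64 re-joined onto one line each.
DNSKEY_RECORDS = [
    "bestregistrar.com. 3182 IN DNSKEY 257 3 5 "
    "AwEAAZX+87eX0YCWB9RMXCrqoNZhwBMD0mPy5gwCkOTb"
    "tREEhnIVNk1xMfokB/Semli+QmqOcHlGVFA6+B6ziRPTdv8=",
    "bestregistrar.com. 3182 IN DNSKEY 256 3 5 "
    "AwEAAarTV+59ZIWEXiYbo5n7e0vV13jfqE+67T1eshVl"
    "4LeKatPS1ssjDzUvo3YCmvsdPqadKk7/6dLBjHgnZyPhcUc=",
]
RRSIG_RECORD = (
    "bestregistrar.com. 34 IN RRSIG SOA 5 2 86400 20181010190537 20170915190537 "
    "48408 bestregistrar.com. "
    "Eu/4sSK8/rnek7XpsMseGQb5kBInsioX2mtUmvR/NOphtRpgLwGN6LFH"
    "UDu3c220vYpSFXKXOb4hH4ZAMURyjg=="
)

MIN_RSA_BITS = 1024  # assumed policy threshold for this example, not from the post


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the full DNSKEY RDATA (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_public_key(pubkey: bytes):
    """RFC 3110 RSA public key: exponent length (1 or 3 bytes), exponent, modulus."""
    explen = pubkey[0]
    if explen == 0:  # long form: length in the next two bytes
        explen = struct.unpack("!H", pubkey[1:3])[0]
        off = 3
    else:
        off = 1
    exponent = int.from_bytes(pubkey[off:off + explen], "big")
    modulus = pubkey[off + explen:]
    return exponent, len(modulus) * 8


def parse_dnskey(line: str) -> dict:
    """Parse a DNSKEY record in presentation format and audit its RSA key size."""
    f = line.split()
    flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
    pubkey = base64.b64decode("".join(f[7:]))
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    exponent, bits = rsa_public_key(pubkey)
    return {
        "role": "KSK" if flags & 0x0001 else "ZSK",  # SEP bit marks the KSK
        "alg": alg,
        "key_tag": key_tag(rdata),
        "exponent": exponent,
        "bits": bits,
        "weak": bits < MIN_RSA_BITS,
    }


def parse_rrsig(line: str) -> dict:
    """Parse an RRSIG record: type covered, algorithm, key tag, validity window, signature size."""
    f = line.split()
    fmt = "%Y%m%d%H%M%S"
    expiration = datetime.strptime(f[8], fmt).replace(tzinfo=timezone.utc)
    inception = datetime.strptime(f[9], fmt).replace(tzinfo=timezone.utc)
    signature = base64.b64decode("".join(f[12:]))
    return {
        "type_covered": f[4],
        "alg": int(f[5]),
        "key_tag": int(f[10]),
        "validity_days": (expiration - inception).days,
        "sig_bits": len(signature) * 8,
    }


def audit() -> dict:
    """Audit the zone's keys and the SOA RRSIG; report weak keys and which key signed."""
    keys = [parse_dnskey(r) for r in DNSKEY_RECORDS]
    rrsig = parse_rrsig(RRSIG_RECORD)
    zsk_tags = {k["key_tag"] for k in keys if k["role"] == "ZSK" and k["alg"] == rrsig["alg"]}
    return {
        "keys": keys,
        "rrsig": rrsig,
        "signed_by_known_zsk": rrsig["key_tag"] in zsk_tags,
    }


if __name__ == "__main__":
    report = audit()
    for k in report["keys"]:
        print(f"{k['role']} tag={k['key_tag']} alg={k['alg']} "
              f"RSA-{k['bits']} e={k['exponent']} weak={k['weak']}")
    r = report["rrsig"]
    print(f"RRSIG {r['type_covered']} tag={r['key_tag']} sig={r['sig_bits']} bits "
          f"valid for {r['validity_days']} days; signed by known ZSK: "
          f"{report['signed_by_known_zsk']}")
```

Run as a script it prints both keys as RSA-512 and the SOA signature as 512 bits covering a 390-day window, which is the combination the post objects to: a key too short to resist factoring, used to sign for more than a year. The same parser can be pointed at any DNSKEY/RRSIG pair pulled from `dig +dnssec` output to catch this before a validating resolver starts returning SERVFAIL.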