[dns-operations] [Ext] Bad SOA signature at bestregistrar.com breaks DoE

Francisco Arias francisco.arias at icann.org
Tue Nov 7 04:02:00 UTC 2017 

FWIW, Best Registration Services, Inc. dba BestRegistrar.com is listed as a "terminated" registrar at https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml

-- 
Francisco

On 11/4/17, 1:25 AM, "dns-operations on behalf of Viktor Dukhovni" <dns-operations-bounces at dns-oarc.net on behalf of ietf-dane at dukhovni.org> wrote:

    
    See:
    
        http://dnsviz.net/d/_25._tcp.mail.bestregistrar.com/Wfyg3A/dnssec/
    
        $ dig +noall +comment -t soa bestregistrar.com
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10879
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    
    More closely:
    
        $ dig +cd +dnssec -t soa bestregistrar.com
    
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60336
        ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
        ;; ANSWER SECTION:
        bestregistrar.com.	34	IN	SOA	ns1.cas-com.net. dmarc.bestregistrar.com. 2017091901 10800 3600 2160000 3600
        bestregistrar.com.	34	IN	RRSIG	SOA 5 2 86400 20181010190537 20170915190537 48408 bestregistrar.com. Eu/4sSK8/rnek7XpsMseGQb5kBInsioX2mtUmvR/NOphtRpgLwGN6LFH UDu3c220vYpSFXKXOb4hH4ZAMURyjg==
    
    So the incorrect signature is 512 bits and intended to be good for
    more than a year.  Indeed both the KSK and ZSK are 512-bit keys.
    So there's some room for improvement here:
    
        $ dig +noall +ans +multi +rrcomment -t dnskey bestregistrar.com
        bestregistrar.com.	3182 IN	DNSKEY 257 3 5 (
    				    AwEAAZX+87eX0YCWB9RMXCrqoNZhwBMD0mPy5gwCkOTb
    				    tREEhnIVNk1xMfokB/Semli+QmqOcHlGVFA6+B6ziRPT
    				    dv8=
    				    ) ; KSK; alg = RSASHA1 ; key id = 49453
        bestregistrar.com.	3182 IN	DNSKEY 256 3 5 (
    				    AwEAAarTV+59ZIWEXiYbo5n7e0vV13jfqE+67T1eshVl
    				    4LeKatPS1ssjDzUvo3YCmvsdPqadKk7/6dLBjHgnZyPh
    				    cUc=
    				    ) ; ZSK; alg = RSASHA1 ; key id = 48408
    
    -- 
    	Viktor.
    _______________________________________________
    dns-operations mailing list
    dns-operations at lists.dns-oarc.net
    https://lists.dns-oarc.net/mailman/listinfo/dns-operations
    dns-operations mailing list
    https://lists.dns-oarc.net/mailman/listinfo/dns-operations

More information about the dns-operations mailing list