[dns-operations] DNSSEC validation - salliemae.com

Mark Andrews marka at isc.org
Wed Aug 7 13:50:07 UTC 2019



> On 7 Aug 2019, at 11:25 pm, Robert Blayzor <rblayzor.bulk at inoc.net> wrote:
> 
> We run multiple unbound recursive DNS servers using DNSSEC validation.
> 
> We've been getting complaints about users not being able to get to
> salliemae.com. From what we have seen, salliemae.com's DNSSEC is
> completely broken. Bad sigs, no sigs on records, etc.
> 
> For example: SOA sig fails, but "www" for salliemae.com has no signature
> (that I can see).

Looks fine for me. The CNAME is signed and the target isn’t.

% dig www.salliemae.com +dnssec
;; BADCOOKIE, retrying.

; <<>> DiG 9.15.1 <<>> www.salliemae.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27781
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: f8f1841de065ffd6f6d8b7e95d4ad66a2c9db050a7598377 (good)
;; QUESTION SECTION:
;www.salliemae.com.		IN	A

;; ANSWER SECTION:
www.salliemae.com.	597	IN	CNAME	ltfhaea.x.incapdns.net.
www.salliemae.com.	597	IN	RRSIG	CNAME 7 3 600 20190905152127 20190806152127 33962 salliemae.com. BEur7luXT3IbSDAXrv0e/a/GBqvOUJTYV6qKv8Zf2/iV/Y86NBLDO2Eo s4ClPM/ItY9PjSnRlqIPHIwJfr8Z6nhJm5l9IUrOm4anC1FtcpAfkIHq /T8pQyVjGXv1qKQfZFj6aYdwn2zChkQ4lSydOtfbxe+yYwYdnwQ/GubI hhFtdSzd3/mQzNWE0LsOQCk+ccqEx+JnCYlmMDDyvxBvTSLiuq6cmkIR Uz0a2yOH6Ig5s41bNj+6+4JpD+WcIMQyohSAcuVAr/X7jHjUSYJv8hFN t4Pc1OMyz5i8zBQd0exyt7HsKDDow5SPBu8F1dFBI59hFNQX8Bs5e/Qf FsVFZA==
ltfhaea.x.incapdns.net.	24	IN	A	45.60.126.53

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Aug 07 23:47:22 AEST 2019
;; MSG SIZE  rcvd: 427

% 

> 
> User complains that using our servers they can't get to the site (and
> rightfully so, I guess), but then states that if they switch to Google
> or Cloudflare (8.8.8.8 or 1.1.1.1) it works.
> 
> If I try to do validation tests for the SOA record against Google or Cloudflare,
> I get the same failures, but they DO return valid A records for "www".
> 
> I thought DNSSEC validation was to be "all or nothing". How can you be
> doing DNSSEC validation but still passing back RR's that do not pass due
> to not having any signature?
> 
> Who is right?
> 
> -- 
> inoc.net!rblayzor
> XMPP: rblayzor.AT.inoc.net
> PGP:  https://pgp.inoc.net/rblayzor/
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
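To make the point in the reply concrete (the CNAME in salliemae.com is signed, the A record it points at lives in an unsigned zone, and a validator judges each RRset on its own), here is a small added example that is not code from the post or from ISC. It parses the dig answer-section lines above (copied as a constructed sample, with the RRSIG data shortened), follows the CNAME chain, and classifies each RRset the way RFC 4035 does: insecure when the zone is provably unsigned, secure when a covering RRSIG is present in a signed zone (the script assumes the signature verifies; it does no crypto), bogus when a signed zone offers no covering RRSIG. The ZONE_SIGNED table, the helper names and the second "RRSIG dropped" sample are assumptions made for illustration; a real validator learns zone status from the DS records, or the proven absence of a DS, at the parent.

```python
"""Per-RRset RRSIG coverage along a CNAME chain (added example, not list-post code)."""

# Constructed sample: the answer-section lines from the dig output above,
# with the RRSIG data shortened (only the covered type, CNAME, matters here).
SAMPLE_ANSWER = """\
www.salliemae.com.\t597\tIN\tCNAME\tltfhaea.x.incapdns.net.
www.salliemae.com.\t597\tIN\tRRSIG\tCNAME 7 3 600 20190905152127 20190806152127 33962 salliemae.com. BEur7luX...
ltfhaea.x.incapdns.net.\t24\tIN\tA\t45.60.126.53
"""

# Constructed variant: the same answer with the RRSIG dropped, i.e. what a
# missing signature inside the signed zone would look like.
UNSIGNED_CNAME_ANSWER = "\n".join(
    l for l in SAMPLE_ANSWER.splitlines() if "\tRRSIG\t" not in l
) + "\n"

# Assumed zone status, taken from the reply: salliemae.com is signed, the
# CNAME target's zone incapdns.net is not. A validator establishes this from
# the parent's DS records (or a proven absence of DS); it is hard-coded here.
ZONE_SIGNED = {"salliemae.com.": True, "incapdns.net.": False}


def parse_answer(text):
    """Return (owner, type, rdata) tuples from dig-style presentation lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN":
            continue
        owner, _ttl, _cls, rtype, rdata = parts
        records.append((owner.lower(), rtype.upper(), rdata))
    return records


def rrsig_coverage(records):
    """Map each (owner, type) RRset to whether an RRSIG covering that type is present."""
    rrsets, signed = set(), set()
    for owner, rtype, rdata in records:
        if rtype == "RRSIG":
            signed.add((owner, rdata.split()[0].upper()))  # first RRSIG field: type covered
        else:
            rrsets.add((owner, rtype))
    return {rrset: rrset in signed for rrset in sorted(rrsets)}


def follow_chain(records, qname, qtype="A"):
    """Walk CNAMEs from qname; return [(owner, type, has_rrsig)] in validation order."""
    coverage = rrsig_coverage(records)
    cnames = {o: r for o, t, r in records if t == "CNAME"}
    chain, name, seen = [], qname.lower(), set()
    while name not in seen:  # guard against CNAME loops
        seen.add(name)
        if (name, qtype) in coverage:
            chain.append((name, qtype, coverage[(name, qtype)]))
            break
        if name not in cnames:
            break
        chain.append((name, "CNAME", coverage[(name, "CNAME")]))
        name = cnames[name].lower()
    return chain


def zone_of(name, zones):
    """Closest enclosing zone apex of name among the known zone apexes."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    raise ValueError(f"no known zone for {name}")


def classify_chain(records, qname, qtype="A", zone_signed=ZONE_SIGNED):
    """Per-RRset security status along the chain (RFC 4035 terms)."""
    statuses = []
    for owner, rtype, has_rrsig in follow_chain(records, qname, qtype):
        if not zone_signed[zone_of(owner, zone_signed)]:
            status = "insecure"  # provably unsigned zone: nothing to verify
        elif has_rrsig:
            status = "secure"    # assumes the RRSIG actually verifies
        else:
            status = "bogus"     # signed zone, no covering RRSIG
        statuses.append((owner, rtype, status))
    return statuses


def answer_status(statuses):
    """Whole-answer status: any bogus RRset -> SERVFAIL; any insecure -> answer with AD clear."""
    kinds = {s for _, _, s in statuses}
    if "bogus" in kinds:
        return "bogus"
    if "insecure" in kinds:
        return "insecure"
    return "secure"


if __name__ == "__main__":
    for label, text in (("as pasted", SAMPLE_ANSWER), ("RRSIG dropped", UNSIGNED_CNAME_ANSWER)):
        st = classify_chain(parse_answer(text), "www.salliemae.com.")
        print(label, st, "->", answer_status(st))
```

Run as pasted, the chain comes back as CNAME secure, A insecure, overall insecure: the resolver hands the address back with the AD bit clear, which is why Google and Cloudflare (and unbound, when the CNAME signature verifies) answer. With the RRSIG dropped the CNAME becomes bogus and the whole answer is SERVFAILed. Note that only the RRsets on the chain for the queried name are examined; a bad signature on another RRset in the zone, such as the SOA the original poster tested, only matters to queries whose validation needs that RRset.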