[dns-operations] DNSSEC validation - salliemae.com

Warren Kumari warren at kumari.net
Wed Aug 7 13:51:33 UTC 2019

On Wed, Aug 7, 2019 at 9:36 AM Robert Blayzor <rblayzor.bulk at inoc.net> wrote:
> We run multiple unbound recursive DNS servers using DNSSEC validation.
> We've been getting complaints about users not being able to get to
> salliemae.com. From what we have seen, salliemae.com's DNSSEC is
> completely broken. Bad sigs, no sigs on records, etc.
> For example: SOA sig fails, but "www" for salliemae.com has no signature
> (that I can see).
> User complains that using our servers they can't get to the site (and
> rightfully so, I guess), but then states that if they switch to Google
> or Cloudflare it works.
> If I try to do validation tests for the SOA record against Google or Cloudflare,
> I get the same failures, but they DO return a valid A record for "www".
> I thought DNSSEC validation was to be "all or nothing". How can you be
> doing DNSSEC validation but still passing back RRs that do not pass due
> to not having any signature?

Well, according to dnsviz, there *is* a validation path which works
for www -- http://dnsviz.net/d/www.salliemae.com/dnssec/

The signature is over rrsets, and there are indeed valid ones for
everything needed for www.salliemae.com (edited for readability):
$ dig  ns salliemae.com @a.gtld-servers.com
salliemae.com. 172800 IN NS ns81.a2.incapsecuredns.net.
salliemae.com. 172800 IN NS ns22.a1.incapsecuredns.net.
salliemae.com. 172800 IN NS ns107.a0.incapsecuredns.net.

$ dig +short ds salliemae.com @a.gtld-servers.com
15630 7 2 6FA7705AF8AFA8AF4AA620F3F49D67BC81935C3F8EAF8D37137DFCE8 2CE022D0
15630 7 1 8E14C4E3F8E9104FAEB16E3CAD39AE9876855D43

$ dig  +dnssec dnskey  www.salliemae.com @ns81.a2.incapsecuredns.net.
www.salliemae.com. 520 IN CNAME ltfhaea.x.incapdns.net.
www.salliemae.com. 520 IN RRSIG CNAME 7 3 600 20190905152127
20190806152127 33962 salliemae.com.
t4Pc1OMyz5i8zBQd0exyt7HsKDDow5SPBu8F1dFBI59hFNQX8Bs5e/Qf FsVFZA==

DNSSEC for salliemae.com itself is distinctly "odd" --
http://dnsviz.net/d/salliemae.com/dnssec/ -- I'd be fascinated to know
just how they managed that.
Anyway, none of the broken names there are needed to build a valid chain...

> Who is right?

Well, one thing is for sure, it isn't salliemae :-P



I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
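A toy model of the per-RRset logic Warren describes, added here as an illustration and not part of his reply or the list thread. Every zone and signature status below is constructed (in particular, the CNAME target zone being signed is an assumption of the example); the point it shows is that a bogus SOA RRset in salliemae.com does not make the sibling www answer bogus, while a record with no RRSIG in a signed zone does fail, and an unsigned delegation is "insecure" rather than "bogus".

```python
# Simplified model of how a validating resolver judges one RRset at a time.
# Constructed data only: these statuses are illustrations, not real DNS state.

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"
RANK = {SECURE: 2, INSECURE: 1, BOGUS: 0}  # higher is better; min() picks the weakest

# Per zone: does the parent publish a DS, and does the zone's DNSKEY RRset validate?
ZONES = {
    "salliemae.com.": {"ds": True, "dnskey_ok": True},
    "incapdns.net.": {"ds": True, "dnskey_ok": True},    # assumption of this example
    "example.test.": {"ds": False, "dnskey_ok": False},  # constructed unsigned delegation
}

# Per RRset: sig_ok is True (RRSIG validates), False (bad RRSIG) or None (no RRSIG at all).
RRSETS = {
    ("salliemae.com.", "SOA"): {"sig_ok": False},          # bad signature, as reported
    ("unsigned.salliemae.com.", "A"): {"sig_ok": None},   # constructed: no RRSIG in a signed zone
    ("www.salliemae.com.", "CNAME"): {"sig_ok": True, "target": "ltfhaea.x.incapdns.net."},
    ("ltfhaea.x.incapdns.net.", "A"): {"sig_ok": True},   # constructed
    ("host.example.test.", "A"): {"sig_ok": None},        # unsigned, in an unsigned zone
}


def zone_of(name):
    """Closest enclosing zone: the longest configured zone that is a suffix of name."""
    candidates = [z for z in ZONES if name == z or name.endswith("." + z)]
    return max(candidates, key=len) if candidates else None


def zone_status(zone):
    """No DS at the parent: provably insecure. DS present but DNSKEY does not validate: bogus."""
    if zone is None or not ZONES[zone]["ds"]:
        return INSECURE
    return SECURE if ZONES[zone]["dnskey_ok"] else BOGUS


def validate(name, rtype, depth=0):
    """Status of the answer for <name, rtype>, following CNAMEs; each RRset is judged on its own RRSIG."""
    if depth > 8:
        return BOGUS  # CNAME loop guard
    status = zone_status(zone_of(name))
    rrset = RRSETS.get((name, rtype)) or RRSETS.get((name, "CNAME"))
    if rrset is None:
        return BOGUS  # this model carries no denial-of-existence (NSEC/NSEC3) records
    if status == SECURE and rrset["sig_ok"] is not True:
        return BOGUS  # signed zone, but this particular RRset's signature is missing or invalid
    if "target" in rrset:
        # The final answer is only as secure as the weakest RRset in the CNAME chain.
        status = min(status, validate(rrset["target"], rtype, depth + 1), key=RANK.get)
    return status
```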
