[dns-operations] DNSSEC validation - salliemae.com

Robert Blayzor rblayzor.bulk at inoc.net
Thu Aug 8 17:57:57 UTC 2019


On 8/8/19 12:54 PM, Joe Abley wrote:
> I haven't looked into this particular example, but be aware that a well-functioning validator will not block records that are verifiably insecure (i.e. they have no signature, and there's no indication that they ought to have one). This is not the same situation as a response being received with a missing signature where one is expected.
> 
> Since the root zone and most TLD zones are signed, and since most domains today operated by registrants are not, it's actually tremendously normal for part of the resolution chain to have signatures that need to be valid and part to have no need for signatures. Insecure delegations and CNAME targets in zones that are insecure are common scenarios.


I get that, but what we're seeing is a twofold problem...

salliemae.com is set:  DNSSEC: signedDelegation


If I try to do a lookup using DNSSEC validation to quad1 or quad8 or my
own unbound servers for "NS" or "SOA" for salliemae.com, I get a SERVFAIL.

Unbound will not validate any RRs in that zone and either returns
SERVFAIL on everything or times out.


unbound:
; <<>> DiG 9.14.4 <<>> +dnssec @localhost www.salliemae.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46699
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.salliemae.com.		IN	A



google:
; <<>> DiG 9.14.4 <<>> +dnssec @8.8.8.8 www.salliemae.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26926
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1


cloudflare:
; <<>> DiG 9.14.4 <<>> +dnssec @1.1.1.1 www.salliemae.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31478
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1



Mind you, if I do the SOA or NS records, that fails on every one I try.

-- 
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP:  https://pgp.inoc.net/rblayzor/
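The distinction Joe draws (provably insecure versus bogus) shows up in dig's header bits: a validator that verified the chain sets the AD flag, one that proved the name insecure answers NOERROR without AD, and one that rejected the data answers SERVFAIL. The following is an added example, not code from the thread or from Unbound, that parses the trimmed dig headers pasted above (plus one constructed "secure" response, since the thread contains none) and sorts each response into one of those buckets. Names such as `parse_dig_header` and `classify` are this example's own.

```python
import re

# Constructed fixtures: the dig header lines as pasted in the thread above,
# trimmed to the lines the parser needs.
UNBOUND_OUTPUT = """\
; <<>> DiG 9.14.4 <<>> +dnssec @localhost www.salliemae.com
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46699
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
"""

GOOGLE_OUTPUT = """\
; <<>> DiG 9.14.4 <<>> +dnssec @8.8.8.8 www.salliemae.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26926
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
"""

# Constructed (not from the thread): what a validating resolver returns for a
# name whose chain of trust verified, i.e. the "ad" flag is set.
SECURE_OUTPUT = """\
; <<>> DiG 9.14.4 <<>> +dnssec @localhost secure.example
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
"""


def parse_dig_header(output: str) -> dict:
    """Pull RCODE, header flags, EDNS DO bit and answer count out of dig output."""
    status = re.search(r"status:\s*([A-Z]+)", output)
    if status is None:
        raise ValueError("no dig HEADER line found")
    flags = re.search(r"^;; flags:\s*([a-z ]*);", output, re.M)
    edns = re.search(r"^; EDNS: version: \d+, flags:\s*([a-z ]*);", output, re.M)
    answers = re.search(r"ANSWER:\s*(\d+)", output)
    header_flags = set(flags.group(1).split()) if flags else set()
    edns_flags = set(edns.group(1).split()) if edns else set()
    return {
        "status": status.group(1),
        "ad": "ad" in header_flags,       # resolver vouches for the data
        "do": "do" in edns_flags,         # we asked for DNSSEC records
        "answers": int(answers.group(1)) if answers else 0,
    }


def classify(parsed: dict) -> str:
    """Map a parsed header onto the validator outcome it is consistent with."""
    if parsed["status"] == "SERVFAIL":
        # Bogus data is reported as SERVFAIL, but so is an unreachable
        # authority; the two are told apart by re-querying with +cd (see note).
        return "validation-failed-or-unreachable"
    if parsed["status"] == "NOERROR" and parsed["ad"]:
        return "secure"
    if parsed["status"] == "NOERROR":
        # Either provably insecure (no DS at the parent, proven by NSEC/NSEC3)
        # or the resolver did not validate at all; the header alone cannot say.
        return "insecure-or-unvalidated"
    return "other:" + parsed["status"]


def triage(outputs: dict) -> dict:
    """Classify several dig outputs keyed by resolver name."""
    return {name: classify(parse_dig_header(text)) for name, text in outputs.items()}


if __name__ == "__main__":
    for name, verdict in triage(
        {"unbound": UNBOUND_OUTPUT, "google": GOOGLE_OUTPUT, "secure": SECURE_OUTPUT}
    ).items():
        print(f"{name:8s} {verdict}")
```

Two things worth reading off the result for the thread's outputs: neither 8.8.8.8 nor 1.1.1.1 set the AD flag on its NOERROR answer, so those resolvers are not claiming the name is secure, only that they found nothing to reject; and a SERVFAIL from the local Unbound by itself does not prove a DNSSEC failure. Repeating the query with dig's `+cd` (checking disabled) is the usual check: if the `+cd` query succeeds where the validating one fails, the validator rejected the data rather than failing to reach the authority.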