[dns-operations] DNSSEC validation - salliemae.com
Joe Abley
jabley at hopcount.ca
Thu Aug 8 18:07:45 UTC 2019
On 8 Aug 2019, at 13:57, Robert Blayzor <rblayzor.bulk at inoc.net> wrote:
> I get that, but what we're seeing is a problem twofold...
>
> salliemae.com is set: DNSSEC: signedDelegation
Yep, I see a signed delegation from COM.
> If I try to do a lookup using DNSSEC validation to quad1 or quad8 or my
> own unbound servers for "NS" or "SOA" for salliemae.com, I get a SERVFAIL.
Yep, I see no signatures returned from ns107.a0.incapsecuredns.net for SALLIEMAE.COM/IN/SOA with DO=1. SERVFAIL seems like an appropriate response. Their zone is broken.
> Unbound will not validate any RRs in that zone and either returns
> SERVFAIL on everything or times out.
I don't know how you concluded that there are no RRs in that zone that are returned with signatures, unless you know the full contents of their zone. I see signatures on SALLIEMAE.COM/IN/DNSKEY with DO=1, for example. Here's the response from ODVR's Unbound validator:
[anchovy:~]% dig @184.105.193.74 salliemae.com IN DNSKEY +dnssec +multiline
; <<>> DiG 9.10.6 <<>> @184.105.193.74 salliemae.com IN DNSKEY +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31761
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;salliemae.com. IN DNSKEY
;; ANSWER SECTION:
salliemae.com. 447 IN DNSKEY 256 3 7 (
AwEAAbx9NRApanJphwVKdhi1uCjuaXIcOM4/hu3A180X
zE32vBdW/s54o0YjQHczSaKvDBZPGrYvGUrvq+lpiW31
lOKs7ZiVxS9Fh/tHvtFgMRZmq6ly8q0JURHyYNpaBXf/
EOZAuMeiJ4EIkLyUxk9d7txyiYNCsfYWkFYFNNDdE3nX
bAdNlRIGopRzyrC6hxCPs4JNP7go9hJ9RotvZ4ArhPVc
UvKkMEJjh8Rz/uH+xbC1ycEuopjXslmY5ak0CsLMwJo9
YKCDCQCHthOEsuAQhUUSMQnD3tD/1YHZZ2HiZaqvQRCJ
tixUsB22d6BNaSSnJ8bgwGJQISxdezLQLjfj/98=
) ; ZSK; alg = NSEC3RSASHA1 ; key id = 33962
salliemae.com. 447 IN DNSKEY 257 3 7 (
AwEAAcTElH6W0s5P+ENfTEjMz9KCDbucmuTsBpcVH+/R
5JVclcI8gF/xs+RMvUW4YQ8Wx65gQxJbfzlKBwG1oAwF
udrA58XCLSXx3iLtRYKQ2iqnH6Fl3dX84+cBi9BeEoar
gPT6WV+7fQY8gYisfB4Or9kWes3K18yxo6AVFkZ58OYU
Tn1L1kXAKuuKc6zENxLWG1rZgLnf9XxwnG5Pv+uxL+Lm
FWADJoQmFcxPj8Mn870jTrDyrJG4qUjFEuKGrM72rnk2
H6+ObUL/NisqVPMoFGYHQrNh6KmQUr2asr6Oyi4rwXFz
2hY8QpUUVXLCI5piVeCIuwdaFn0rmWyhMETO33rE/Heh
Lfd18IQu804nVUXVAwfXHeBiN2caeciGVKc0Ka1Me7QN
LeScxHbF/3zAdXjE79xTYSNtnKV8q/kxlGChckTuQPh0
jXadpftxNLA9WaDbbm+9tM/s6dD6AnS4WNHIgBQkgCHs
lgy5/DJJx/DWw6qRwTEzaXSWJzwkzdgOEXS6EnOPsvWg
gQ2HHLpebUDaqlp7dPqIS0HEiaWZRELLTIC+lZsw+tBw
WYNWXLnpmLQm3r+Q1FX70SxvgSVRHQuSFjbDmhO/bL0o
h72ijTKFapQvsZaE6/l/oyx3kpGmWQMjvbqvxY7YY4l9
nszzBpBRIVbhwqL2/6boS+ODEQbN
) ; KSK; alg = NSEC3RSASHA1 ; key id = 15630
salliemae.com. 447 IN RRSIG DNSKEY 7 2 600 (
20190905152127 20190806152127 15630 salliemae.com.
s851LLgBMd+KftIpZyvj+nNooSaL3qy5GHbyBFYL2BqS
Ha5iVSVg1NW3Ef8aW8GEaKK998326x2/x04qiK23YQPu
z/fnfR6TIJxRJMM+MBGpoHqMAGghHmRQo5WCHIgSQoa5
Lds4pswgoDPyaqgVdQV+tHFKIPzHIjcbCH8MTnw7+iPM
IwWd5pQHCLP2ksjFtNXUToIVWWKPoCd/urc5CnieYVuk
gv5HsS/Ycryrc84NPRFDna9hqIeGCtlpBAUfWk8LZODn
dG1R7u5d6jPO8eYGwalLX4B9beaxgO/cl8ObbaSXCLq7
Rs9OC4rbiQIlh/z/yKsy1SZ/xRgn+e+n3zjOgysEeF/3
ZnShE37HBjoOAS9N4dIt136nYgCVJKyxVp6N7kcJWLBR
Jihmepe1g5YBt1hI1CBpLsm3aNJkSh3XaEWb/RWUoiPR
K1LX/dXOreOY+dkoCOrcYS1/9cu0Wzpot3fejp4J/mzj
mjXachLvm4W6kKXF9pejgqV1c5+n9KKXu62JQ9lmej/G
VjTuu/o8uQGz4+Ze13IALvr6X11v1FdjBOrFfulkZvs/
OGFgyJ9KiwFtprWZdMtemUdZCatpI0N7KOb1jTTx6wsk
zJYzcGSBkz16aYx5BY1Bk3C1Rfdi4qhjLYzvIGH5INax
W7QP2HCBjehGAaayoTlM4jA= )
salliemae.com. 447 IN RRSIG DNSKEY 7 2 600 (
20190905152127 20190806152127 33962 salliemae.com.
jGCZBRGuJBl7OxOEzgvA20LIbY7yOmbShlDdDRs/qmbE
sGiUmsc7uKDeMas9v/QzkErwzAm/z4A6bugUe8im/RAw
lVkTqms86T9Onh/IzfBIL6xq0BXZpwJXf+hIC8pCXn5d
iER3Oy5CQt4GZxWSpjEysiXqtUeobv22cJU1IYIEpn5G
nVug8l3gQTYk7fz56DD7wgX61NhKupZzLaYrHzk4WOYX
oTi0jTgqnS6WwJu3f4jh3LUVHcFcV3E0pbDYRHzsIn0d
yyxAv8ot8xJVRa54AOK9fddTTNS6NmP+26aXsNnWW/fD
4bPI7aWhe6csLivc6K7PIsFNmdWWo9xWaQ== )
;; Query time: 84 msec
;; SERVER: 184.105.193.74#53(184.105.193.74)
;; WHEN: Thu Aug 08 14:05:07 EDT 2019
;; MSG SIZE rcvd: 1708
[anchovy:~]%
> unbound:
> ; <<>> DiG 9.14.4 <<>> +dnssec @localhost www.salliemae.com
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46699
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.salliemae.com. IN A
I get a response with a signature:
[anchovy:~]% dig @184.105.193.74 salliemae.com IN A +dnssec +multiline
; <<>> DiG 9.10.6 <<>> @184.105.193.74 salliemae.com IN A +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8174
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;salliemae.com. IN A
;; ANSWER SECTION:
salliemae.com. 325 IN A 45.60.122.53
salliemae.com. 325 IN A 45.60.132.53
salliemae.com. 325 IN RRSIG A 7 2 600 (
20190905152127 20190806152127 33962 salliemae.com.
MGWAPNv3tq/Sq77Zg2plhmP0iphXlII4cbLAPJdWCg3d
wq7aXiv2FITBdElVHn8PLl0k3+JVIXnoTdC+VH61gxqg
sWYC+Ep5DXRYXym+5olbV/IDUeLBviuUiRbZovO94PC6
9KE5IG0rPV2vBfEtZUUYxm57uEWrlGdOQmv2Jxq+Txw+
OA5E7yFNUA/7v/DTw2cgGkYc/0PLI6Hkdv0VWCVCDDOw
iickgxpgBNUM820xl3FXgZzTff9A8tVJU0pv3tuC5iGq
4W0pdx5dk4FWCJZJ0yc6vIs/3M9tIYutBPjzZl8N+KpQ
whtTBO7XhzppN8cpIiEJ97+a6L0KpmUYnw== )
;; Query time: 85 msec
;; SERVER: 184.105.193.74#53(184.105.193.74)
;; WHEN: Thu Aug 08 14:05:36 EDT 2019
;; MSG SIZE rcvd: 375
[anchovy:~]%
Joe
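As an added example (not code from Joe's or Robert's posts), here is a small stdlib-only Python check that parses dig +dnssec output the way a validator would look at it: which answer RRsets carry no covering RRSIG, plus the rcode and AD flag. The two inputs are constructed samples: the SOA answer is shaped after what Joe describes seeing from ns107 (DO=1, no signature), and the A answer is the signed response above with the signature shortened.

```python
import re
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z0-9]+)\s+(.*)$")  # owner ttl IN type rdata

def answer_records(dig_output):
    """Yield (owner, rtype, rdata_tokens) for each record in the ANSWER SECTION.
    +multiline continuation lines (timestamps, base64, ')') never match RR_LINE."""
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";;"):          # any other section header ends the answer
            in_answer = False
        m = RR_LINE.match(line) if in_answer else None
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            yield owner.lower(), rtype, rdata.split()

def unsigned_rrsets(dig_output):
    """Return {(owner, type)} for answer RRsets that have no RRSIG covering them."""
    rrsets, covered = set(), set()
    for owner, rtype, rdata in answer_records(dig_output):
        if rtype == "RRSIG":
            covered.add((owner, rdata[0]))   # first RRSIG field is the type covered
        else:
            rrsets.add((owner, rtype))
    return rrsets - covered

def status_and_ad(dig_output):
    """Return (rcode, ad_set): the rcode and whether the AD flag was set."""
    rcode = re.search(r"status: (\w+)", dig_output)
    flags = re.search(r"^;; flags: ([^;]*);", dig_output, re.M)
    return (rcode.group(1) if rcode else None,
            bool(flags and "ad" in flags.group(1).split()))

# Constructed sample (not a capture): an authoritative SOA answer to a DO=1 query
# with no RRSIG at all, the shape Joe describes seeing from ns107. SOA values are made up.
SOA_NO_SIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
salliemae.com. 600 IN SOA ns107.a0.incapsecuredns.net. hostmaster.example. (
 1 3600 600 604800 300 )
"""
# Constructed sample modelled on the signed A answer above (signature shortened).
A_SIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
salliemae.com. 325 IN A 45.60.122.53
salliemae.com. 325 IN A 45.60.132.53
salliemae.com. 325 IN RRSIG A 7 2 600 (
 20190905152127 20190806152127 33962 salliemae.com. MGWAPNv3tq...== )
"""
```

Feed it the saved output of `dig @<auth-server> <zone> SOA +dnssec +multiline` and an RRset listed by unsigned_rrsets is exactly what makes a validating resolver return SERVFAIL for that name and type.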