[dns-operations] Validation anomalies under gpo.gov
Viktor Dukhovni
ietf-dane at dukhovni.org
Fri Apr 3 20:49:19 UTC 2020
On Fri, Apr 03, 2020 at 12:18:57PM -0700, Brian Somers wrote:
> The gpo.gov domain came up recently as being something that likes to
> compress the RRSIG signer field, but something even more disturbing
> has now come up and, of course, customers like to compare the
> behaviour of different recursive resolvers!
>
> In summary, looking at permanent.access.gpo.gov, it’s a complete mess:
> * gpo.gov/RRSIG/DNSKEY has a compressed signer
> * access.gpo.gov is a delegation point
> * access.gpo.gov/DS is denied without an SOA and with a fabricated, irrelevant NSEC3 RR
> * permanent.access.gpo.gov/A comes with an RRSIG with a signer field of gpo.gov
>
> However, it seems that both 8.8.8.8 and 9.9.9.9 are happy to respond
> with an answer, and worse still, 8.8.8.8 also sets the AD bit in the
> response.
> Cloudflare gets it right and returns SERVFAIL.
The problems even seem to be getting worse in near-real-time:
https://dnsviz.net/d/permanent.access.gpo.gov/XoeUqQ/dnssec/
https://dnsviz.net/d/permanent.access.gpo.gov/XoebRg/dnssec/
though are not new:
https://dnsviz.net/d/permanent.access.gpo.gov/XmugWA/dnssec/
I don't recall whether Scott Rose et. al. are on this list, but perhaps
someone from .gov will follow up without an off-list ping...
Looking across all the major public resolvers I see:
1.0.0.1 permanent.access.gpo.gov. IN A ? ; ServFail AD=0
1.1.1.1 permanent.access.gpo.gov. IN A ? ; ServFail AD=0
;
8.8.4.4 permanent.access.gpo.gov. IN A 162.140.254.81 ; NoError AD=1
8.8.8.8 permanent.access.gpo.gov. IN A 162.140.254.81 ; NoError AD=1
;
64.6.64.6 permanent.access.gpo.gov. IN A 162.140.254.81 ; NoError AD=1
64.6.65.6 permanent.access.gpo.gov. IN A 162.140.254.81 ; NoError AD=1
;
9.9.9.10 permanent.access.gpo.gov. IN A 162.140.254.81 ; NoError AD=0
149.112.112.10 permanent.access.gpo.gov. IN A 162.140.254.81 ; NoError AD=0
My take is that:
- Cloudflare at some point discovered that the domain should be
delegated, and is treating the answer as bogus (or has received
more recent, even more broken answers).
- Google and Verisign obtained a correctly signed response from the parent
zone with no evidence of delegation, and did not qname-minimize to
discover the breakage.
- Quad9 also discovered the breakage, but they return AD=0, rather
than ServFail, and let the downstream resolver decide what to do.
When I specifically ask for the NS RRs of the intermediate domain, I
get (consistent with the above hypotheses):
1.0.0.1 access.gpo.gov. IN NS ? ; ServFail AD=0
1.1.1.1 access.gpo.gov. IN NS ? ; ServFail AD=0
;
8.8.4.4 access.gpo.gov. IN NS ? ; ServFail AD=0
8.8.8.8 access.gpo.gov. IN NS ? ; ServFail AD=0
;
64.6.64.6 access.gpo.gov. IN NS ? ; ServFail AD=0
64.6.65.6 access.gpo.gov. IN NS ? ; ServFail AD=0
;
9.9.9.10 access.gpo.gov. IN NS ns2.gpo.gov. ; NoError AD=0
9.9.9.10 access.gpo.gov. IN NS ns1.gpo.gov. ; NoError AD=0
149.112.112.10 access.gpo.gov. IN NS ns2.gpo.gov. ; NoError AD=0
149.112.112.10 access.gpo.gov. IN NS ns1.gpo.gov. ; NoError AD=0
The AD=1 replies from Google and Verisign are not "wrong". They just
reflect the fact that any ancestor zone is in principle free to bypass
delegation and return "unexpected" signed answers for a child domain,
legitimately or otherwise. Of course if a TLD were found doing that
for nefarious reasons, there'd be a major "covfefe".
--
Viktor.
More information about the dns-operations
mailing list