[dns-operations] Validation anomalies under gpo.gov

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Apr 4 06:10:24 UTC 2020 

On Sat, Apr 04, 2020 at 12:47:59AM -0400, Shumon Huque wrote:

> > The AD=1 replies from Google and Verisign are not "wrong".  They just
> > reflect the fact that any ancestor zone is in principle free to bypass
> > delegation and return "unexpected" signed answers for a child domain,
> > legitimately or otherwise.
> 
> In this case, I think the explanation might be a bit simpler. The
> parent zone isn't really bypassing anything. The behavior is likely a
> result of the fact that both the parent (gpo.gov) and child
> (access.gpo.gov) are served by the same set of nameservers.

That's fine, but the signer field of the RRSIG of the granchild domain
permanent.access.gpo.gov is the ancestor gpo.gov domain and not the
intermediate access.gpo.gov domain, which is purportedly a zone cut,
with bogus, on the fly, denial of existence:

    $ date
    Sat Apr  4 05:49:01 UTC 2020

    ; Unsigned glue from parent:
    access.gpo.gov. 7200 IN NS ns2.gpo.gov.
    access.gpo.gov. 7200 IN NS ns1.gpo.gov.

    ; Bogus dynamic DS denial of existence, with inception time just
    ; seconds prior to query.  But...
    ;
    ; access.gpo.gov. IN DS ?
    2oh36s2i5fvc888hj7cn50jofliom8qn.gpo.gov. 3517 IN NSEC3 1 0 1 39387f663ea6445e 2OH36S2I5FVC888HJ7CN50JOFLIOM8QO
    2oh36s2i5fvc888hj7cn50jofliom8qn.gpo.gov. 3517 IN RRSIG NSEC3 8 3 3600 20200411055005 20200404055005 35943 gpo.gov. CoDsecb/hXR2ucRkyeSB5sA5jZZzcUeyWktSI+h7v5Qvx6P331q4IomZgco7qrydHQWbk4KDkw5ABfiK7b1NGOet6SgbNWbRczwtnePUIbxOD7wc4feV6vj825MgKsyNqRscHCLKTUFps72/ec7pxi3kR1Wmy8fwaq9jw9xE5Uw=

    ; the NSEC3 hash in question (almost a white lie with a 1 bit
    ; difference in the SHA-1 hashes, but matches gpo.gov, not
    ; access.gpo.gov) is not the right one:
    ;
    $ ldns-nsec3-hash -t 1 -s 39387f663ea6445e gpo.gov
    2oh36s2i5fvc888hj7cn50jofliom8qn.

So the parent zone is bypassing a delegation of the child zone when
returning a signed A RRset for a name under access.gpo.gov, but this is
not visible to resolvers that aren't doing query minimisation.

So the gpo.gov DNS is all too cleverly broken, with delegation to some
appliance that is not correctly integrated into the parent DNS zone.

-- 
    Viktor.

More information about the dns-operations mailing list