[dns-operations] Edge-case, zero-length DNSKEYs
Mark Andrews
marka at isc.org
Tue Oct 6 21:14:06 UTC 2020
And it doesn’t even have NOKEY set in the flags as if it was a KEY record breaking
the chain of trust. Dig rejects the records as being malformed and named won’t
validate the zone. Named rejects the answer to the DNSKEY request as it has
malformed DNSKEY records.
[beetle:~/git/bind9] marka% dig nlagriculture.nl dnskey @ns1.rijksoverheidnl.nl +all
;; Warning: Message parser reports malformed message packet.
; <<>> DiG 9.15.4 <<>> nlagriculture.nl dnskey @ns1.rijksoverheidnl.nl +all
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16425
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; WARNING: Message has 191 extra bytes at end
;; QUESTION SECTION:
;nlagriculture.nl. IN DNSKEY
;; ANSWER SECTION:
nlagriculture.nl. 86400 IN DNSKEY 257 3 13 vRMOgGXuo/RaeD1XNWmDPvSDQDCNRa68OTq+/BqucA25ACppkunDt5fn RF2IL76ZpybyG7W8IBNYj7dpYrzWOg==
nlagriculture.nl. 86400 IN DNSKEY 256 3 8 AwEAAeBjJKDZyqH6QoTM3lSHZ2Gk+26y6S/MH1Va2noAMfGAu1t2jg8V e1m1dR53hNjaQpDiKkwg9UNH7wCdEKPT/PoAMP3Q3UZnqnoPk4b2wwyG EN5v+eIvDREoc6Eg1leAA8RQ2/GatjqWVR5K7wQ1UFCSyIOhgiPYpOKq foFAnmx1
;; Query time: 353 msec
;; SERVER: 178.22.85.27#53(178.22.85.27)
;; WHEN: Wed Oct 07 08:00:31 AEDT 2020
;; MSG SIZE rcvd: 465
If we turn off best effort mode we just get a packet dump.
[beetle:~/git/bind9] marka% dig nlagriculture.nl dnskey @ns1.rijksoverheidnl.nl +nobesteffort
;; Got bad packet: unexpected end of input
465 bytes
4c fa 85 00 00 01 00 04 00 00 00 01 0d 6e 6c 61 L............nla
67 72 69 63 75 6c 74 75 72 65 02 6e 6c 00 00 30 griculture.nl..0
00 01 c0 0c 00 30 00 01 00 01 51 80 00 88 01 00 .....0....Q.....
03 08 03 01 00 01 e0 63 24 a0 d9 ca a1 fa 42 84 .......c$.....B.
cc de 54 87 67 61 a4 fb 6e b2 e9 2f cc 1f 55 5a ..T.ga..n../..UZ
da 7a 00 31 f1 80 bb 5b 76 8e 0f 15 7b 59 b5 75 .z.1...[v...{Y.u
1e 77 84 d8 da 42 90 e2 2a 4c 20 f5 43 47 ef 00 .w...B..*L..CG..
9d 10 a3 d3 fc fa 00 30 fd d0 dd 46 67 aa 7a 0f .......0...Fg.z.
93 86 f6 c3 0c 86 10 de 6f f9 e2 2f 0d 11 28 73 ........o../..(s
a1 20 d6 57 80 03 c4 50 db f1 9a b6 3a 96 55 1e ...W...P....:.U.
4a ef 04 35 50 50 92 c8 83 a1 82 23 d8 a4 e2 aa J..5PP.....#....
7e 81 40 9e 6c 75 c0 0c 00 30 00 01 00 01 51 80 ..@.lu...0....Q.
00 88 01 00 03 08 03 01 00 01 f7 39 f1 1b fb 68 ...........9...h
be be d5 c5 65 19 a1 85 e8 fe 66 8f 11 3b ee 10 ....e.....f..;..
c5 5c 02 89 16 e9 0e a6 bb 9c 2a a3 b5 ce ea 5d .\........*....]
1c 60 c7 ae 45 a5 be 70 58 c5 1f 8c 02 b5 cf a9 .`..E..pX.......
9c 6c 5c 08 cd 36 07 5b 1e 40 9c 28 6e 12 fa a8 .l\..6.[.@.(n...
68 fa 8d 61 8d a9 46 89 39 ac 96 c7 4a 09 39 45 h..a..F.9...J.9E
a1 27 fb bb a4 38 ae 55 5f af fc 94 6c 5d 3d 71 .'...8.U_...l]=q
07 42 31 d8 c1 12 37 27 7b 34 41 48 05 0d 6b bc .B1...7'{4AH..k.
ee e9 f3 cf 0d d6 49 fe d7 e3 c0 0c 00 30 00 01 ......I......0..
00 01 51 80 00 04 01 01 03 08 c0 0c 00 30 00 01 ..Q..........0..
00 01 51 80 00 44 01 01 03 0d bd 13 0e 80 65 ee ..Q..D........e.
a3 f4 5a 78 3d 57 35 69 83 3e f4 83 40 30 8d 45 ..Zx=W5i.>..@0.E
ae bc 39 3a be fc 1a ae 70 0d b9 00 2a 69 92 e9 ..9:....p...*i..
c3 b7 97 e7 44 5d 88 2f be 99 a7 26 f2 1b b5 bc ....D]./...&....
20 13 58 8f b7 69 62 bc d6 3a 00 00 29 10 00 00 ..X..ib..:..)...
00 00 00 00 1c 00 0a 00 18 14 f9 03 93 8b 20 aa ................
07 fc 96 54 71 5f 7c db f7 ee 83 fa e3 79 e3 14 ...Tq_|......y..
2b +
[beetle:~/git/bind9] marka%
> On 7 Oct 2020, at 07:27, Mark Andrews <marka at isc.org> wrote:
>
> They are just malformed. No key material is not permitted with DNSKEY. It’s one of the differences to KEY.
>
> --
> Mark Andrews
>
>> On 7 Oct 2020, at 04:40, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>>
>> After an algorithm rollover (RSA 8 -> ECDSA P256 13) a couple of days
>> back, two domains now have new zero-length RSA 8 KSKs, along with
>> working new ECDSA KSKs:
>>
>> https://stats.dnssec-tools.org/explore/?nlagriculture.nl
>> https://stats.dnssec-tools.org/explore/?nlenergyandclimatechange.nl
>>
>> It isn't only the RSA modulus that is empty, but rather the entire
>> DNSKEY key value (exponent length, exponent, modulus):
>>
>> nlagriculture.nl. IN DNSKEY 257 3 8 ; NoError
>> nlagriculture.nl. IN DNSKEY 257 3 13 vRMOgGXuo/Ra...Yj7dpYrzWOg== ; NoError
>> nlagriculture.nl. IN DNSKEY 256 3 8 AwEAAfc58Rv7...6fPPDdZJ/tfj ; NoError
>> nlagriculture.nl. IN DNSKEY 256 3 8 AwEAAeBjJKDZ...pOKqfoFAnmx1 ; NoError
>>
>> nlenergyandclimatechange.nl. IN DNSKEY 257 3 8 ; NoError
>> nlenergyandclimatechange.nl. IN DNSKEY 257 3 13 SURx8TOW5B07...liYpu7BmE0w== ; NoError
>> nlenergyandclimatechange.nl. IN DNSKEY 256 3 8 AwEAAb2AbhJT...ppErUsfvCMGtv ; NoError
>> nlenergyandclimatechange.nl. IN DNSKEY 256 3 8 AwEAAaeQDrF0...u3IdA2xzSiqZF ; NoError
>>
>> Unbound validates the DNSKEY RRset just fine, but these give DNSViz some indigestion:
>>
>> https://dnsviz.net/d/nlagriculture.nl/X3yhPg/dnssec/
>> https://dnsviz.net/d/nlenergyandclimatechange.nl/X3yhXg/dnssec/
>>
>> the graphs fail to display. I wonder whether any other tools
>> (especially resolvers) have difficulties with these...
>>
>> --
>> Viktor.
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
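
Added example, not part of the original message and not BIND or dig code: a minimal wire-format check that walks the answer section of a DNS response and reports DNSKEY records whose RDATA holds only the four fixed bytes (flags, protocol, algorithm), as the RDLENGTH 4 record in the dump above does. The function names and the sample message for example.nl are constructed for illustration.

```python
import struct

DNSKEY = 48  # RR type code for DNSKEY

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        if n == 0 or n & 0xC0 == 0xC0:
            return off + (1 if n == 0 else 2)  # root label or 2-byte pointer ends the name
        off += 1 + n

def audit_dnskeys(msg):
    """Return (flags, protocol, algorithm, key_len) per DNSKEY in the answer section."""
    if len(msg) < 12:
        raise ValueError("short header")
    qd, an = struct.unpack_from("!HH", msg, 4)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4     # skip QTYPE and QCLASS
    found = []
    for _ in range(an):
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated RR header")
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("RDATA runs past end of message")
        if rtype == DNSKEY:
            if rdlen < 4:
                raise ValueError("DNSKEY RDATA shorter than its fixed fields")
            flags, proto, alg = struct.unpack_from("!HBB", msg, off)
            found.append((flags, proto, alg, rdlen - 4))
        off += rdlen
    return found

def empty_keys(msg):
    """DNSKEYs that carry no public key bytes after flags/protocol/algorithm."""
    return [k for k in audit_dnskeys(msg) if k[3] == 0]

SAMPLE = bytes.fromhex(  # constructed sample message, not the packet from the thread
    "4cfa 8500 0001 0002 0000 0000"            # header: QDCOUNT=1, ANCOUNT=2
    "07 6578616d706c65 02 6e6c 00 0030 0001"   # question: example.nl. IN DNSKEY
    "c00c 0030 0001 00015180 0004 0101 03 08"  # DNSKEY 257 3 8, RDLENGTH 4: no key bytes
    "c00c 0030 0001 00015180 0008 0101 03 0d deadbeef"  # DNSKEY 257 3 13 + placeholder key
)
```
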