[swinog] Re: Swiss Domain Security Report Q3 2022
Hi swinog / init7

Thanks @adrian for the report and @daniel for pointing out the NXDOMAIN issue.

Maybe this is well-known, but I would like to point out that this swinog list has a problem with DKIM and SPF.

1) DKIM: not valid ("message has been altered") because of the email forwarding without re-signing
2) SPF: wrong record

> Authentication-Results: opendkim.logging.ch;
> dkim=fail (2048-bit key) reason="fail (message has been altered)"
> header.d=switch.ch header.b=qiNTrxHE
> Received-SPF: permerror (lists.swinog.ch: Unknown mechanism type 'redirect'
> in 'v=spf1' record) receiver=mx3.logging.ch; identity=mailfrom;
> envelope-from="swinog-boun...@lists.swinog.ch"; helo=vmaill01.sys.init7.net;
> client-ip=82.197.188.230
> Received: from vmaill01.sys.init7.net (vmaill01.sys.init7.net
> [82.197.188.230])

SPF misconfiguration:

> dig +short lists.swinog.ch txt
> "v=spf1 redirect:init7.net"

The correct record should read as:

> "v=spf1 redirect=init7.net"

See https://www.rfc-editor.org/rfc/rfc7208#section-6.1

While 2) would be an easy fix, 1) might involve some more work.

My 2 cents - Gruass, Franco

On 08.06.23 07:42, Daniel Stirnimann via swinog wrote:
> Hi Adrian,
>
> On 07.06.23 21:33, Adrian Ulrich via swinog wrote:
>>> I'm pretty surprised that of the 1.7M domains with an MX record, only 57%
>>> have DKIM
>>
>> I don't see how one could reliably gather this data from DNS:
>>
>> DKIM allows you to specify a selector in the header of the mail: This mail
>> for example will use 'sx1' as the selector (check out the header ;-) ):
>>
>>> $ dig +short txt sx1._domainkey.blinkenlights.ch
>>> "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC[]
>>
>> But without ever receiving a mail from me: how would you know?
>>
>> You could try to send a query for '_domainkey.blinkenlights.ch' and you MAY
>> receive a NOERROR reply - but that's not guaranteed: My DNS will just return
>> an NXDOMAIN:
>>
>>> $ dig txt _domainkey.blinkenlights.ch|grep status:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10153
>
> Your nameserver breaks https://www.rfc-editor.org/rfc/rfc8020
>
> This document states clearly that when a DNS resolver receives a
> response with a response code of NXDOMAIN, it means that the domain
> name which is thus denied AND ALL THE NAMES UNDER IT do not exist.
>
> Daniel
> ___
> swinog mailing list -- swinog@lists.swinog.ch
> To unsubscribe send an email to swinog-le...@lists.swinog.ch

___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch
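An added example (not from the post above and not init7's tooling) showing why the receiving MX logged permerror: a small RFC 7208 term classifier that separates mechanisms from modifiers, so `redirect:` is reported as an unknown mechanism exactly like the `Received-SPF` line above, while `redirect=` is accepted. The regex, the mechanism set and the sample records are my assumptions; a full evaluator would also resolve include/redirect targets.

```python
import re

# RFC 7208 section 4.6: after "v=spf1", each term is either a mechanism
# ([qualifier]name[":"value] or name"/"cidr) or a modifier (name"="value).
# "redirect" is a modifier, so "redirect:init7.net" is an unknown mechanism
# and the whole record evaluates to permerror (RFC 7208 section 4.6.2).
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
NEEDS_VALUE = {"include", "ip4", "ip6", "exists"}
MODIFIER_RE = re.compile(r"([a-z][a-z0-9_.-]*)=(.*)", re.I)


def check_spf(record):
    """Return (result, detail): 'ok', 'none' (not SPF), or 'permerror' with the reason."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", "not an SPF version 1 record"
    redirect = None
    for term in terms[1:]:
        m = MODIFIER_RE.fullmatch(term)
        if m:
            name, value = m.group(1).lower(), m.group(2)
            if name == "redirect":
                if redirect is not None:
                    return "permerror", "duplicate redirect modifier"
                redirect = value
            continue  # unknown modifiers are ignored (RFC 7208 section 6)
        if term[0] in "+-~?":  # optional qualifier in front of a mechanism
            term = term[1:]
        name = re.split(r"[:/]", term, maxsplit=1)[0].lower()
        if name not in MECHANISMS:
            return "permerror", f"Unknown mechanism type '{name}' in 'v=spf1' record"
        if name in NEEDS_VALUE and ":" not in term:
            return "permerror", f"mechanism '{name}' requires a domain or network"
    return "ok", (f"redirect={redirect}" if redirect else "no redirect")
```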
[swinog] Re: DNSSEC auto-disabled by SWITCH on some .ch domains?
Luckily I have some historic .ch zone data lying around, so I did a quick analysis of the number of ALG-7 / ALG-5 / DS-1 domains, please find the numbers below.

Seems the wipe-out has been performed in chunks, maybe by registrar. SWITCH willing to share some info?

Also interesting to see that the number of DS-1 hashes in the .ch zone file is rising again. All coming from hosttech. Though by now it seems these are not published anymore.

Gruass, Franco

DATE        ALG-7  ALG-5   DS-1
==========  =====  =====  =====
2023-04-01    530     41  59645
2023-04-02    529     41  59627
2023-04-03    528     41  59466
2023-04-04    527     41  59443
2023-04-05    527     41  59427
2023-04-06    527     41  59394
2023-04-07    526     41  59383
2023-04-08    526     41  59354
2023-04-09    524     41  59332
2023-04-10    524     41  59315
2023-04-11    524     41  59274
2023-04-12    278     28  58756
2023-04-13    279     28  58733
2023-04-14    272     22  57566
2023-04-15    269     22  57543
2023-04-16    269     22  57529
2023-04-17    269     22  57504
2023-04-18     72     19    309
2023-04-19     10      7    133
2023-04-20     10      7    135
2023-04-21     10      7    147
2023-04-22      7      4     88
2023-04-23      7      4     92
2023-04-24      7      4     92
2023-04-25      7      4     91
2023-04-26      7      4     97
2023-04-27      7      4     98
2023-04-28      0      0      0
2023-04-29      0      0      0
2023-04-30      0      0      1
2023-05-01      0      0      1
2023-05-02      0      0      5

caroule-music.ch.  3600 IN DS 7321 8 1 FF2BCD11DBBEB58B15CE581AC4D0B4F0FA7B5AC8
caroulemusic.ch.   3600 IN DS 49924 8 1 B23CB635433B6DF5893FE94BD7F27B91DED2FD3C
datalawyer.ch.     3600 IN DS 49765 8 1 73CD7B42648847E43C2CF6A1E4F2680F8C0C20A4
digilawyer.ch.     3600 IN DS 13045 8 1 A5E02D7FF95BACE907F93197A23E45CB65DFF838
workforceag.ch.    3600 IN DS 49996 8 1 98B42F52FE01CB6E593CB463C11E3C602C6F2BB1

On 01.05.23 17:33, Franco Hug wrote:
> Thanks Daniel for your helpful answers. Yes, CDS is also something I always
> wanted to try, but as usual: no hard pressure, no time... ;-)
>
> Benoît Panizzon wrote:
>> From their point of view, my 'algo 5' .ch domains have still DNSSEC active
>
> Basically the same behavior I had with my 'algo 7' domains (infomaniak).
>
>> but deleting DS or disabling DNSSEC hangs forever and upon reloading my old
>> algo 5 keys are back.
>
> I did not even try to delete/disable DNSSEC, I was just able to update the
> existing record (key/algo/hash). Then the update towards the registry was
> carried out immediately, seems the old values do not matter then. Cannot
> tell whether that works with Gandi though.
>
> Maybe option #3 besides the nerd and normal answers and worth a try?
>
> Gruass, Franco
[swinog] DNSSEC auto-disabled by SWITCH on some .ch domains?
Hey SWINOGgers,

I noticed that DNSSEC was somehow auto-disabled at registry level for some .ch domains I am responsible for. For these domains, no DS records are published anymore in the .ch zone, dnsviz shows a broken chain of trust. However, registrar data still shows that DNSSEC is enabled, but the registry (SWITCH) says it is not...

Is this a known problem? Seems not all DNSSEC protected .ch domains are affected, which leads me to the suspicion that it might have to do with the algorithm being used. Did SWITCH turn off older algorithms, e.g. algo 7 (RSASHA1-NSEC3-SHA1)? Did I miss an announcement?

Random example, e.g. gkb.ch (notably a bank...)

> dig +short @dns1.inventx.ch gkb.ch dnskey
> 256 3 7 AwEAAdYydDZyd5M3UGS5b4Yv6qlIO5eOSwskJ/DQjiRO0as59ZG6hMDJ
> VseqslJMTwghdiCrd/sicWvDOszK6Cuqye0+ZEm9tfG6gxgWWmzpSmXQ
> KDHRG1iV8UF0KSOciFAPp4qRe083KPXu2ChXkTUSAa/iRCcZdFJK2M6l c7Gjjj55
> 257 3 7 AwEAAbQv5Whc+cna1IbtESB+Pwx+8eP5jfbjhuqiFuU/18qUckR9NxT7
> KUCT8GDlRTsGYmuKxcMITvH510CgGOA/6TORaB4iIXRnACmfiiku25/B
> NHmNJd58ymZ/ED17smVJ4ou77/rhxW+/0Q1iVIAOcY8EblWq3EabepYz
> E6CY9Vh/RTh2mvSl80h8nZyFotsEwN0LIlc/Pi0qGmy7iTOBqtVsbFVm
> gssn/2c7IMCA8N2aaP1it8Qi+3DDGDh3N8HSEIVk+nrgQtsqQaLOFPGQ
> Q0ezahQO6oVGKG4XAHw+2XaZQ3UT0sTcFj3ZVKCcGE4Ddoa3J/gqLQh7 aA44cVIQx+s=
>
> dig +short @a.nic.ch gkb.ch ds
>
> -> no DS record

Working example with algorithm 13 (ECDSA Curve P-256 with SHA-256):

> dig +short @ns2.switch.ch switch.ch dnskey
> 257 3 13 keJOWxnKOCymNa0sPpwp/ioeyvgrXjY9hu8KxWdaxlMFukxquKVLdt2J
> 5KxGOpmIZZbOXRALfG78FnDsE/k8EQ==
> 256 3 13 YOf+TLHGeDBL0q6DSpE4vE2ub8RUvniew7xYkZJHocU6je7Ww/MfUeHf
> B1LEDpFNFloYHFBvWD92gu5MT2ZJ1A==
> 256 3 13 twHlL7CfhxPadzuRi3wRxEDs+3i/oe9W3heRKiP8CALwpexBZYCjMJ2w
> Z403h9dJ/iA7CzCTSmvePLGdJ4cIzQ==
>
> dig +short @a.nic.ch switch.ch ds
> 32265 13 2 8A865736961D246F99D6111BCA060E69908380FD5545D799F21E4652 DA60A17C

Could anybody shed some light on this?

Thx & Gruass, Franco
[swinog] Re: DNSSEC auto-disabled by SWITCH on some .ch domains?
Thanks Daniel for your helpful answers. Yes, CDS is also something I always wanted to try, but as usual: no hard pressure, no time... ;-)

Benoît Panizzon wrote:
> From their point of view, my 'algo 5' .ch domains have still DNSSEC active

Basically the same behavior I had with my 'algo 7' domains (infomaniak).

> but deleting DS or disabling DNSSEC hangs forever and upon reloading my old
> algo 5 keys are back.

I did not even try to delete/disable DNSSEC, I was just able to update the existing record (key/algo/hash). Then the update towards the registry was carried out immediately, seems the old values do not matter then. Cannot tell whether that works with Gandi though.

Maybe option #3 besides the nerd and normal answers and worth a try?

Gruass, Franco

On 01.05.23 17:11, Benoît Panizzon via swinog wrote:
> Hi Daniel
>
>> The nerd answer is that you can use Automated DNSSEC Provisioning [1]
>> to enable DNSSEC. This also sends an EPP poll message to your
>> registrar to update locally cached state information about a domain
>> name.
>
> Yes, trying to understand, how I correctly get rid of my old RRSIG
> entries without shooting myself in the foot, I came across this whole
> new dnssec-policy and automatic publishing CDS records via Bind.
>
> Not sure if I have yet fully understood the mechanics. But I have
> tentatively set it up now and I'll see, if this somehow, by the magic
> of the internet, caused my DS entries to get refreshed.
[swinog] Re: DNSSEC auto-disabled by SWITCH on some .ch domains?
Hi all,

Thanks for your replies, you basically backed my work assumption concerning deprecated algorithms, good to know.

However, this raises some questions about the chosen proceeding of "just wiping" algo 5/7 and digest 1 DS records from the .ch zone... Affected domain holders should and could have been informed (by whoever...), I am pretty sure there are more affected .ch/.li domains out there, with their domain holders not being aware that their DNSSEC protection is currently turned off. Didn't have this problem with other TLDs so far.

Would be interesting to see a chart similar to this one: https://www.nic.ch/de/statistics/dnssec/ which shows the different algorithms in use.

Marcus Jaeger wrote:
> To the partners at least, in October 2022 informing them that anything
> containing digest-type 1 and/or key algorithm 5 or 7 are no longer
> supported and will be deleted.
> This was done last week and digest-type 2 and key algorithm 13 should be used.

Well, as an end user I am not a "partner" in the sense of the registry/registrar agreement, so I never received any communication about this proceeding.

Who would be liable and paying for a possible damage? Where damage in the best case would be junked or non-deliverable emails, services not working as expected, additional admin work (you/me), etc. I guess either the registry (SWITCH) for "just doing this", or the registrars for not passing on this information to their customers... This would be a funny lawsuit... ;-)

> Since end of January 2023 you could not use them anymore.

Probably valid for new DNSSEC activations, had no effect on pre-existing algo 5/7 domains.

John Howard wrote:
> Not sure if/how it relates to this situation, but it's notable that the
> DNSSEC key signing ceremony was a couple of days ago?
>
> https://www.iana.org/dnssec/ceremonies/49
>
> I don't see any deprecations but maybe someone needs an update somewhere?

Probably unrelated coincidence, but thanks for sharing, interesting 3.5h ceremony, didn't watch it in full though... ;-)

Jeroen Massar wrote:
> Alg 7 is ancient and deprecated...

Technically, agreed. I have been bearing this in my head for months or even years that I should "eventually" change this. Eventually now changed to immediately...

Administratively, there is a slight difference between ancient/deprecated and disabled/forbidden. Reminds me of RFC-2119 (MAY, MUST, MUST NOT, etc). Rhetorical question, what is better: a domain signed with a deprecated algorithm, or a non-signed domain which the holder thinks is signed?

Benoît Panizzon wrote:
> Guess I have to read: https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html

Since DNSSEC was disabled, I guess you can't do a key rollover. Just start over...

> I wonder why my registrar never notified me he would delete my DS records
> disabling DNSSEC on my domains.

I guess it was the registry that wiped the DS records, not your registrar. At least my registrar's GUI still showed a nice all-green DNSSEC overview with the wiped DS records still in place...

Thanks & have a nice and secure week ;-)

Gruass, Franco

On 01.05.23 11:50, Marcus J via swinog wrote:
> G'day
>
> just saw something was missing in my reply.
> It should say : digest-type 2 and key algorithm 13 should be used.
>
> cheers
>
> Marcus
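An added example, not from this thread and not SWITCH's or any registrar's code, for the check the original question and Marcus's note call for: a Python auditor that takes pasted `dig +short` DNSKEY/DS output (wrapped and `>`-quoted lines as in the mails above are fine), flags the algorithm 5/7 keys and digest-type 1 DS records the thread says were removed, reports a missing DS as a broken chain of trust, and verifies a digest-type 2 DS against the published DNSKEY using the RFC 4034 key tag and digest. The deprecation sets and the `example.ch` inputs in the tests are assumptions for illustration.

```python
import base64, hashlib, struct

# Per the thread: SWITCH no longer publishes DS records for DNSKEY algorithms 5/7
# or with digest type 1; algorithm 13 with digest type 2 is the supported combination.
DEPRECATED_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}
DEPRECATED_DIGESTS = {1: "SHA-1"}

def unwrap(text):
    """Re-join `dig +short` records a mail client wrapped or quoted; each record starts with a digit."""
    recs = []
    for line in (l.lstrip("> ").rstrip() for l in text.splitlines()):
        if line[:1].isdigit():
            recs.append(line)
        elif line and recs:
            recs[-1] += " " + line
    return recs

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, protocol, algorithm, key)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + (ac >> 16)) & 0xFFFF

def ds_digest(name, rdata):
    """Digest type 2 (SHA-256) over the canonical wire-format owner name + DNSKEY RDATA."""
    labels = name.lower().rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return hashlib.sha256(wire + rdata).hexdigest()

def audit(name, dnskey_text, ds_text):
    """Findings for a zone's DNSKEY RRset and the DS RRset its parent publishes."""
    findings, keys = [], {}
    for rec in unwrap(dnskey_text):
        flags, proto, alg, b64 = rec.split(None, 3)
        rdata = struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode(b64.replace(" ", ""))
        keys[(key_tag(rdata), int(alg))] = rdata
        if int(alg) in DEPRECATED_ALGS:
            findings.append(f"DNSKEY alg {alg} ({DEPRECATED_ALGS[int(alg)]}) is deprecated")
    ds_recs = unwrap(ds_text)
    if not ds_recs:
        findings.append("no DS at parent: chain of trust broken, zone validates as insecure")
    for rec in ds_recs:
        tag, alg, dtype, digest = rec.split(None, 3)
        rdata = keys.get((int(tag), int(alg)))
        if int(dtype) in DEPRECATED_DIGESTS:
            findings.append(f"DS digest type {dtype} ({DEPRECATED_DIGESTS[int(dtype)]}) is deprecated")
        elif rdata is None or (int(dtype) == 2 and ds_digest(name, rdata) != digest.replace(" ", "").lower()):
            findings.append(f"DS key tag {tag} matches no published DNSKEY")
    return findings
```

Call it as `audit("switch.ch", dnskey_output, ds_output)` with the two `dig +short` outputs pasted as strings; an empty list means every DS matches a published key and nothing deprecated is in use.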