On Sat, Apr 26, 2014 at 12:44 PM, Simon Kelley <[email protected]> wrote: > On 26/04/14 17:20, Aaron Wood wrote: >> David, >> >> With two of them (akamai and cloudflare), I _think_ it's a dnsmasq >> issue with the DS records for proving insecure domains are insecure. >> But Simon Kelley would know that better than I. >> > > > The result of the analysis of the akamai domain was that there's a > problem with the domain (ie it's an akamai problem) See the post in the > Cerowrt list by Evan Hunt for the origin of this conclusion. > > There's a dnsmasq issue to the extent that dnsmasq uses a different > strategy for proving that a name should not be signed than other > nameservers (dnsmasq works bottom-up, the others can work top-down, > since they are recursive servers, not forwarders.) This means that > dnsmasq sees the akamai problem, whilst eg unbound happens not to. I > plan to see if dnsmasq can be modified to improve this.
If it's not a violation of the specification, the bottom-up method might be good to add to a dnssec validation tool. > > I'm not sure of cloudflare has been looked at in detail, but my > impression was that it's the same as akamai. > >> With BofA, I'm nearly certain it's them, or an issue with one of >> their partners (since the domain that fails isn't BofA, but >> something else): >> >> (with dnssec turned off): >> >> ;; QUESTION SECTION: ;sso-fi.bankofamerica.com. IN A >> >> ;; ANSWER SECTION: sso-fi.bankofamerica.com. 3599 IN CNAME >> saml-bac.onefiserv.com. saml-bac.onefiserv.com. 299 IN CNAME >> saml-bac.gslb.onefiserv.com. saml-bac.gslb.onefiserv.com. 119 IN A >> 208.235.248.157 >> >> And it's the saml-bac.gslb.onefiserv.com host that's failing (see >> here for debug info): >> >> http://dnssec-debugger.verisignlabs.com/sso-fi.bankofamerica.com >> >> -Aaron >> >> >> On Sat, Apr 26, 2014 at 6:00 PM, <[email protected]> wrote: >> >>> Is this just a dnsmasq issue or is the DNSSEC mechanism broken at >>> these sites? If it is the latter, I can get attention from >>> executives at some of these companies (Heartbleed has sensitized >>> all kinds of companies to the need to strengthen security >>> infrastructure). >>> >>> >>> >>> If the former, the change process is going to be more tricky, >>> because dnsmasq is easily dismissed as too small a proportion of >>> the market to care. (wish it were not so). >>> > > > Given it's less than a month since the first DNSSEC-capable dnsmasq > release, anything other than small market share would be fairly miraculous! > > Cheers, > > Simon. > > _______________________________________________ > Cerowrt-devel mailing list > [email protected] > https://lists.bufferbloat.net/listinfo/cerowrt-devel -- Dave Täht NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article _______________________________________________ Cerowrt-devel mailing list [email protected] https://lists.bufferbloat.net/listinfo/cerowrt-devel
