Andreas Pothe <[email protected]> writes:

> Oh, dslbank.de has a corrupt DS entry at .de level (DS without
> corresponding DNSKEY). This can make trouble too, I think.

I don't see that (now at least).  There are 4 DS records and 4 ZSKs with
matching IDs at least:


bjorn@canardo:~$ dig +dnssec ds postbank.de @a.nic.de +multiline
; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> +dnssec ds postbank.de @a.nic.de 
+multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63458
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;postbank.de.           IN DS

;; ANSWER SECTION:
postbank.de.            86400 IN DS 53214 7 2 (
                                0D2B8312AC2E52B9A1B1FD8A8F9824CF6D7545D0A0D5
                                EFC47AB5C84AF0AB06FC )
postbank.de.            86400 IN DS 41601 7 2 (
                                6553D5202663A13E67C3E0E38E457B01DA54B0583D1E
                                03943D88EEE15DEDF2E3 )
postbank.de.            86400 IN DS 13734 7 2 (
                                52392391140DF30BE650BD34073BAC554A420D5657BE
                                3F00A0B41B8336937C7C )
postbank.de.            86400 IN DS 18276 7 2 (
                                CF18D83746B799D046A0B7DF751F5EB0A1DB2CD154CE
                                77BBD44E0CB261CA05C5 )
postbank.de.            86400 IN RRSIG DS 8 2 86400 (
                                20160209110000 20160202110000 62490 de.
                                fz+k9OA+O2FHN5JQETlhGd/XuLKVUCXO1rwQ0fqZhqzP
                                JFQStHcSs9tyjLfz8IuCPgiQUphtKtzjT44D0HH5j0FI
                                rNqv/43lpiQtH/EI2Qbfub1SyV9HbO4g71btTvvlT33T
                                Vva7w3WnYKFUeF48kOfJNdK2TArAgftttM7/alM= )

;; Query time: 45 msec
;; SERVER: 2001:678:2::53#53(2001:678:2::53)
;; WHEN: Tue Feb 02 14:37:16 CET 2016
;; MSG SIZE  rcvd: 394


bjorn@canardo:~$ dig +dnssec dnskey postbank.de @ns1.postbank.de +multiline
; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> +dnssec dnskey postbank.de 
@ns1.postbank.de +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22666
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 12, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;postbank.de.           IN DNSKEY

;; ANSWER SECTION:
postbank.de.            86400 IN DNSKEY 257 3 7 (
                                AwEAAcRzTe+/LM0moPFfSFK8F5kg+z6EFCzy2RcUUT2E
                                CY12qLab0PqjHqPa/qN3k+FzgJlrZzlkuDwWLJg6Mvco
                                7JgIHEl3447G2NLUOcpuiHZ9HlId5jvyN2GXOij+C+wB
                                Fhuo54rAG+TT6tXk+B1pH88enxLUH14iihFsKiJdkMkW
                                D2ejskL/upKoRWh0ke/IlfheSnLMppJRouPjxU6TWTko
                                odkFy3xkZFM7C+1fo+HzY6arN7zhj1wSqAikSLoOBZlC
                                N/B+Afx53UMawP00Ftc+xm6pD3VhDp9NjcB1fOdVtUMc
                                +CWTl3kXaoWdPDjesD5PbTiDgDzCCcn+/1e280U=
                                ) ; KSK; alg = NSEC3RSASHA1; key id = 18276
postbank.de.            86400 IN DNSKEY 257 3 7 (
                                AwEAAbN0sNttYJE7OlzpVif9w5RzZ7Atmc+/pR9Qfh5w
                                C/rBwFuxADYbC6FUhQkpRZT+oXIW7aaSBUjA3QFyMK7f
                                zfM7F3iIqdgDLL2ettHFBTy2Ch2MoTleFtWU26lJ0YPz
                                DLWtHbQdz6KHP5NJR+K6NqlPtn8hH3N88BpLVwITY855
                                uXFHEPqmAOP9pSpDcs2FHAduJxq6KtBhMLrDasE01dfn
                                xlX2+EpLqD2V7BKrJ7s9/3u2d6YFrmHhkS8HX73yexbz
                                mXo5RVncdn6S55gmFc3q7E0iUUAdZbuAyQfX92lcM+9y
                                e8wHPktQyaKa6obRekZUJr4FNe7+hwESnw+/dXM=
                                ) ; KSK; alg = NSEC3RSASHA1; key id = 13734
postbank.de.            86400 IN DNSKEY 257 3 7 (
                                AwEAAfAiDH5Os1tmMwBS+p4SczjzYUNCBOX3MZjRcoWl
                                cErrjNWlAVWqimM4bFZB/nRzreVtmHCO3kYfJgazuT3T
                                2W6Qe6fs4HN8k4ETUTC5taPfmZQ9ReNDD5QfLIk/LIAQ
                                MJ39Y1QAeJrK2/RFQA1LwKPyuehQZWNxsuPoClVFKizQ
                                2eozAIV1g6JtCyrtsin3288coz/ZAaGDShQQXoMzMfyg
                                rFiZyurtUqf90IWZhI4Gc9rxApdFgrV4t4FeFNk+LGtr
                                ahun1yy2UNtUcpgvRgzG4mw8HG41PYDUCmzvlwNXUmpo
                                Cwt7Oa3Zybu6ikGprfBSM11SZURRSRv8BryCy+k=
                                ) ; KSK; alg = NSEC3RSASHA1; key id = 53214
postbank.de.            86400 IN DNSKEY 257 3 7 (
                                AwEAAcnx4BAUeeDyAkPIkm9gAXERrFxy9XIDN5EPFQny
                                H/eLjqgmSA2B09sTODO+5loPR1PTsk0RkJabwrPJXUll
                                6FfRodV/1lW3QltT/7y17698rqGrc7sqyDgxo5vJx+Ta
                                JDjD6IlhWjI6FH8pAFonBgrOJz/nS0sy1oxbubEbGCcY
                                1W8+l2X6fecHqVR3tvdhdPmCOVzCh5sX6YC/FnisOQ/h
                                2Pi2kKIiac9iTq/A2Vw0i5dWYWw//ZqeO0TA0WDmXCtK
                                UtvUVurDeTrKx5WiMIYrefLUC77Aa9vjXb6gpzCiJxoo
                                cJCgvXateBayPTrit/fBay24fvqRWWoBvolVIhE=
                                ) ; KSK; alg = NSEC3RSASHA1; key id = 41601
postbank.de.            86400 IN DNSKEY 256 3 7 (
                                AwEAAbIrv7LW/T9qjAM9p+kkppvH1K3GJhbSS+cNza3B
                                1r2tRR82Z8PcZclYRqv2aBvjiAPcZv6lOupQcYD/Vrpg
                                MEjrzEbSn85vr0OYYjqHq+/WTT57x9Ko6Y9/vtbIws7x
                                Kq9GigSWhbpTRn9qsSFisI17yn9jVdWsN9bNinOMnzm1
                                ) ; ZSK; alg = NSEC3RSASHA1; key id = 63284
postbank.de.            86400 IN DNSKEY 256 3 7 (
                                AwEAAbipCwn6Fbh3kbrGENYu4EGKnkLsh1+9ACGLcDR7
                                iTysuces2ot9VnGdq+zg0+D3f/IDgSMNU+PPE09bvKfg
                                HqDod+f2TuvBiYLZfjr2sMwrlqQnGvSpXfuc9t071JI7
                                uz80LnlDR9rtoF+Ni6dSI6Nw8AX10hQTkS4KwqAx/Ftd
                                ) ; ZSK; alg = NSEC3RSASHA1; key id = 48839
postbank.de.            86400 IN DNSKEY 256 3 7 (
                                AwEAAda3BdXHnv5nGstQ9nECdO5S25sihAMCJbphVJ13
                                QJ9yw+fsfOZHaFMX3Oi3uTkwtobOZGizeuUF8SsQRpY6
                                wXEP1Aa4HMgm0coCcGbGHjkE86pvmDDh9PExpmg71VvW
                                lQZubucLoGRj6ZAr64UeNofci9J1sTo1Ub6WAoKXANIT
                                ) ; ZSK; alg = NSEC3RSASHA1; key id = 13394
postbank.de.            86400 IN DNSKEY 256 3 7 (
                                AwEAAahHOOnai3XHpvSa2fKArbATWwHQA4+xeUitroui
                                7i+l+Exy5Q3pQ0AASRo2k6iYWXGCpklLO0mKryjCpFUN
                                VuIdyVC+fSZlgOPpdRgzwjv9w3C7EBafTl0bVit0TNHS
                                WzFfzy/0rSr4Bpkg2YrfGy38WqDwHmcOUG86HfugBedp
                                ) ; ZSK; alg = NSEC3RSASHA1; key id = 43898
postbank.de.            86400 IN RRSIG DNSKEY 7 2 86400 (
                                20160208145154 20160201145154 53214 postbank.de.
                                hgawwvu2Ne5583qitm7cnXtDI2fx8ZAskZfJ+B7dBe9T
                                K24imxqC8DC98y5+QcVFKEv0KW8qxNSitlIJt8CrjgMH
                                C6TPj8O9RMG/ro0jou2GpQMANJjcmszwpGCWVsT2h90P
                                pR3jPb0+6S24ee/0Z+dVj94iCi5D51WOwxQJGVCIqRj0
                                7cOtfcKo2XGIqQWw8pnPaeOUA9yn0VPG3P4dHAqbRuEI
                                Uj6rD4qh5FEwaIZJU3oqR05/Q+h7utoKsAM9HO3uzUfY
                                U0n+IYfG+ZYixQaw8jxP3kmgo73skIIHgIfZjTRltzhb
                                CACU/qcwPCayLAjlBp98xzIpWCgM7ho4kQ== )
postbank.de.            86400 IN RRSIG DNSKEY 7 2 86400 (
                                20160208145154 20160201145154 41601 postbank.de.
                                hKsw+kmm3JqYblS2dNOVGpfe5SzNViRs8XBTPznTst5Q
                                Vj6VGdWmTB0RdeOby/WF1e5l/MsV1Z9lwD4VL1gVmWnm
                                dqTVYJMamep/FI1yRxEY6PPkdryr3KBDyNTWPBALnRpm
                                IFSmg7et8l3MWqAZk80RSfiNZ8UhDJjXgzJP3gE6C8JD
                                nTwsLx7DGu2Lnd0gRv/I8CCEr0Mlyv3QPZR+Qii2J2jO
                                t3/au2vyYZ2hRnaZfAB/PL1reISUkcIPiCfwshXGkA4b
                                fEunkTZIy5hegC6olhzx4wdmpWg1CZudltNfqBxp3dZh
                                dIBHlFQiZFfZYVz1Eb5I9Y44LogZfRMblg== )
postbank.de.            86400 IN RRSIG DNSKEY 7 2 86400 (
                                20160208145154 20160201145154 13394 postbank.de.
                                z/a7WjxUUZrRvG0MhqaTsAowKoYitadMDYxaFc3c3qhj
                                x8a67ihz55MwRLiD6TgBPDUd8cpWyCTNzJne8vhoAAIK
                                bVaL5ide8NCqDLljbq9+qHVp+oWUr21Q2VcUwSUie3KR
                                6/WF+LqfeTw2bXnTjVu2SY0Ms4HNDvQsQpoK81Y= )
postbank.de.            86400 IN RRSIG DNSKEY 7 2 86400 (
                                20160208145154 20160201145154 43898 postbank.de.
                                F4TUFHteWlIpCf682c8Ymd5ZK7q9XQs+vekUNoB36fUL
                                yPLElMUh1hOrsS3hJ4gTUyDkoa0o3R0p5fh/6URdRpeW
                                RdP6PwqFvFpkU+pXSRHFdteoLBZmQQTv7ajeTPJJo4L7
                                43Z6LSbK3El2VCeu9p9IuUJqw2tafjjOOvi3TRM= )

;; Query time: 48 msec
;; SERVER: 62.153.105.1#53(62.153.105.1)
;; WHEN: Tue Feb 02 14:37:26 CET 2016
;; MSG SIZE  rcvd: 2808



But publishing no less than 8 keys, resulting in a 2808 reply, is more
than risky IMHO.  Especially in the bank business.  You only need one
paranoid firewall to break that.

Why would anyone need to publish 4 ZSKs *and* 4 KSKs?



Bjørn
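Added example (not part of Bjørn's post or the original thread): a Python check that recomputes the key tag and the SHA-256 DS digest for the KSK with key id 18276 from the dig output above and compares them with the DS published at .de, which is exactly the linkage a validator needs before a "DS without corresponding DNSKEY" complaint holds. It assumes only the RFC 4034 key-tag and DS-digest definitions; the record data is copied from the dig output above.

```python
import base64
import hashlib
import struct

# Copied from the dig output above: the KSK with key id 18276 and its DS at .de.
OWNER = "postbank.de."
KSK_18276 = (257, 3, 7,                       # flags, protocol, algorithm, key
    "AwEAAcRzTe+/LM0moPFfSFK8F5kg+z6EFCzy2RcUUT2E"
    "CY12qLab0PqjHqPa/qN3k+FzgJlrZzlkuDwWLJg6Mvco"
    "7JgIHEl3447G2NLUOcpuiHZ9HlId5jvyN2GXOij+C+wB"
    "Fhuo54rAG+TT6tXk+B1pH88enxLUH14iihFsKiJdkMkW"
    "D2ejskL/upKoRWh0ke/IlfheSnLMppJRouPjxU6TWTko"
    "odkFy3xkZFM7C+1fo+HzY6arN7zhj1wSqAikSLoOBZlC"
    "N/B+Afx53UMawP00Ftc+xm6pD3VhDp9NjcB1fOdVtUMc"
    "+CWTl3kXaoWdPDjesD5PbTiDgDzCCcn+/1e280U=")
DS_18276 = (18276, 7, 2, "CF18D83746B799D046A0B7DF751F5EB0A1DB2CD154CE77BBD44E0CB261CA05C5")
DS_53214 = (53214, 7, 2, "0D2B8312AC2E52B9A1B1FD8A8F9824CF6D7545D0A0D5EFC47AB5C84AF0AB06FC")

def owner_to_wire(name):
    """Canonical (lowercase) wire form of an owner name: length-prefixed labels + root."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA as sent on the wire: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (the 'key id' dig prints), a 16-bit folded sum."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest per RFC 4034 section 5.1.4: hash(owner wire form || DNSKEY RDATA)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]   # 1 = SHA-1, 2 = SHA-256
    return hasher(owner_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches_dnskey(owner, ds, dnskey):
    """True when the DS (tag, alg, digest type, digest) really covers this DNSKEY."""
    tag, alg, dtype, digest = ds
    rdata = dnskey_rdata(*dnskey)
    return (tag == key_tag(rdata) and alg == dnskey[2]
            and digest.upper() == ds_digest(owner, rdata, dtype))

if __name__ == "__main__":
    print("DS 18276 covers KSK 18276:", ds_matches_dnskey(OWNER, DS_18276, KSK_18276))
```

Feeding every DS/DNSKEY pair through ds_matches_dnskey is the same test a validating resolver applies when it walks from .de into the child zone; a DS with no DNSKEY passing it is the "corrupt DS" situation quoted above.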
