Re: Handling of expired RRSIG records - ise.gov
There is no DS record for ise.gov so there is no chain of trust and the answer is treated as insecure. Note "ad" is *not* set in flags of your query.

; <<>> DiG 9.11.0pre-alpha <<>> ds ise.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45170
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ise.gov.                       IN      DS

;; AUTHORITY SECTION:
gov.                    3463    IN      SOA     a.usadotgov.net. nstld.verisign-grs.com. 1400670001 3600 900 1814400 3600

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 22 00:21:37 EST 2014
;; MSG SIZE  rcvd: 109

Mark

In message , Simon Waters writes:
> Dear Bind Users,
>
> BIND 9 logs report: RRSIG has expired for "www.ise.gov"
> And "no valid signature found" for "ise.gov A".
>
> Yet I can still resolve and visit the website http://ise.gov/
>
> DNS recursive server has:
> dnssec-validation yes;
> dnssec-enable yes;
> dnssec-accept-expired no;
>
> Inspection:
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.32.amzn1 <<>> +norec +dnssec @ns1.p11.dynect.net ise.gov a
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61417
> ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;ise.gov.                      IN      A
>
> ;; ANSWER SECTION:
> ise.gov.                60      IN      A       50.19.98.143
> ise.gov.                60      IN      RRSIG   A 5 2 60 20140513120652 20140413120652 45468 ise.gov. VZpvQNUKY6Vt0yxytk7JzK4FGh54SImorcnbvIRKwhGp2nrrHZWgSRfM RiYtgbD2KSUoIOoaws5uDL1FAmMbbbFbdQBioEmJeCJMLzD1FJKPDBu3 PTtmTqgj7tdEM12evpM1v8JwDoN/ZYGwgMxkkOebqqrMQ0ZuprfmZqrf 6Zg=
>
> ;; AUTHORITY SECTION:
> ise.gov.                86400   IN      NS      ns1.p11.dynect.net.
> ise.gov.                86400   IN      NS      ns4.p11.dynect.net.
> ise.gov.                86400   IN      NS      ns2.p11.dynect.net.
> ise.gov.                86400   IN      NS      ns3.p11.dynect.net.
> ise.gov.                86400   IN      RRSIG   NS 5 2 86400 20140513120652 20140413120652 45468 ise.gov. OJ6es8al+vr2hCU9IrEkIJ+Ly/XK79g/Hlp8vDCYR6qt5VrOA5dzC4Nq a0IOOn9Ryo38O021tlcTp9bHhC+sf02SmmbG1oBiRSbL2JaYPD0Cm5bg rLiGB9iE3lDrgIz++RytufcKjnloYyCYhfAUvTe5/tmSU5tP0rdes8yw 0rA=
>
> ;; Query time: 22 msec
> ;; SERVER: 208.78.70.11#53(208.78.70.11)
> ;; WHEN: Wed May 21 11:40:16 2014
> ;; MSG SIZE  rcvd: 472
>
> All name servers have the same expiry time for the RRSIG A record, which unless I'm more confused than I realise, is about a week ago. Clocks on all machines under our control are correct to the precision required (they know what day and year it is).
>
> DNSviz suggests that SOA record is secure, but not A or MX for ise.gov and the date on the SOA RRSIG record is indeed in the future.
>
> How is BIND deciding it is okay to return the A and MX records, and that this is not some sort of DNS replay attack?

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Handling of expired RRSIG records - ise.gov
On 21 May 2014, at 13:01, Stephane Bortzmeyer wrote:

> Probably because there is no DS record for ise.gov, which prevents the
> validator from trying.

Thanks, and indeed no DS in .gov, knew I was missing something basic.
Re: Handling of expired RRSIG records - ise.gov
On Wed, May 21, 2014 at 12:56:32PM +0100, Simon Waters wrote a message of 58 lines which said:

> BIND 9 logs report: RRSIG has expired for "www.ise.gov"

Indeed.

www.ise.gov.            43200   IN      RRSIG   CNAME 5 3 43200 (
                                20140513120652 20140413120652

More than a week ago.

> Yet I can still resolve and visit the website http://ise.gov/

Probably because there is no DS record for ise.gov, which prevents the validator from trying.
Handling of expired RRSIG records - ise.gov
Dear Bind Users,

BIND 9 logs report: RRSIG has expired for "www.ise.gov"
And "no valid signature found" for "ise.gov A".

Yet I can still resolve and visit the website http://ise.gov/

DNS recursive server has:
dnssec-validation yes;
dnssec-enable yes;
dnssec-accept-expired no;

Inspection:

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.32.amzn1 <<>> +norec +dnssec @ns1.p11.dynect.net ise.gov a
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61417
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ise.gov.                       IN      A

;; ANSWER SECTION:
ise.gov.                60      IN      A       50.19.98.143
ise.gov.                60      IN      RRSIG   A 5 2 60 20140513120652 20140413120652 45468 ise.gov. VZpvQNUKY6Vt0yxytk7JzK4FGh54SImorcnbvIRKwhGp2nrrHZWgSRfM RiYtgbD2KSUoIOoaws5uDL1FAmMbbbFbdQBioEmJeCJMLzD1FJKPDBu3 PTtmTqgj7tdEM12evpM1v8JwDoN/ZYGwgMxkkOebqqrMQ0ZuprfmZqrf 6Zg=

;; AUTHORITY SECTION:
ise.gov.                86400   IN      NS      ns1.p11.dynect.net.
ise.gov.                86400   IN      NS      ns4.p11.dynect.net.
ise.gov.                86400   IN      NS      ns2.p11.dynect.net.
ise.gov.                86400   IN      NS      ns3.p11.dynect.net.
ise.gov.                86400   IN      RRSIG   NS 5 2 86400 20140513120652 20140413120652 45468 ise.gov. OJ6es8al+vr2hCU9IrEkIJ+Ly/XK79g/Hlp8vDCYR6qt5VrOA5dzC4Nq a0IOOn9Ryo38O021tlcTp9bHhC+sf02SmmbG1oBiRSbL2JaYPD0Cm5bg rLiGB9iE3lDrgIz++RytufcKjnloYyCYhfAUvTe5/tmSU5tP0rdes8yw 0rA=

;; Query time: 22 msec
;; SERVER: 208.78.70.11#53(208.78.70.11)
;; WHEN: Wed May 21 11:40:16 2014
;; MSG SIZE  rcvd: 472

All name servers have the same expiry time for the RRSIG A record, which unless I'm more confused than I realise, is about a week ago. Clocks on all machines under our control are correct to the precision required (they know what day and year it is).

DNSviz suggests that SOA record is secure, but not A or MX for ise.gov and the date on the SOA RRSIG record is indeed in the future.

How is BIND deciding it is okay to return the A and MX records, and that this is not some sort of DNS replay attack?
Re: KSK signing incomplete
On 21.05.2014 12:39, Phil Mayers wrote:
> On 21 May 2014 10:24:23 BST, Klaus Darilion wrote:
>>> Further, I see that sometimes there are no private records at all. When
>>> does this happen? (I never called "rndc signing -clear")
>>
>> It seems that this happens when Bind is restarted.
>>
>> So, what is the suggested (and reliable) way for external tools to get
>> the signing status from Bind? I.e. if a key is still used for signing or
>> can be deleted?
>>
>> Thanks
>> Klaus
>
> We bodge this by axfr'ing the zone and parsing the rrsig to see which keys
> are generating which sigs (or not). Nasty and slow, but reliable, and also
> lets you look for signatures that haven't been regenerated on schedule.

That's actually what I wanted to avoid. I thought there would be an "API" or similar to get the signing status of the zone and thought that the private records would solve my troubles, but it seems I was wrong.

I think I will do something similar - not nice if you have plenty of zones ...

thanks
Klaus
Re: KSK signing incomplete
On 21 May 2014 10:24:23 BST, Klaus Darilion wrote:
>> Further, I see that sometimes there are no private records at all. When
>> does this happen? (I never called "rndc signing -clear")
>
> It seems that this happens when Bind is restarted.
>
> So, what is the suggested (and reliable) way for external tools to get
> the signing status from Bind? I.e. if a key is still used for signing or
> can be deleted?
>
> Thanks
> Klaus

We bodge this by axfr'ing the zone and parsing the rrsig to see which keys are generating which sigs (or not). Nasty and slow, but reliable, and also lets you look for signatures that haven't been regenerated on schedule.

-- 
Sent from my phone with, please excuse brevity and typos
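The following is an added example and not code from this thread, from ISC or from BIND. It is a stand-alone Python script that does what Phil describes above (parse the RRSIG records out of dig or AXFR text output and report which key tags are producing live signatures for which RRsets) and, with the same parser, flags the expired-signature condition Simon hit in the ise.gov thread earlier on this page. The sample input is constructed: it uses the three ise.gov RRSIGs quoted in that thread with the signature data truncated, plus a made-up SOA signature from key tag 12345 that is still valid on the thread's date. Key tag 12345, that SOA record and all function and constant names are assumptions of this example.

```python
"""Audit RRSIG records from dig or AXFR text output (added example, not BIND code).

Reports, per signed RRset, the key tag that produced each signature and whether
that signature is expired, not yet valid, about to expire, or valid at a given
time. A validating resolver with dnssec-accept-expired no treats an expired
signature as bogus, so "expired" here is the condition BIND logged in the
ise.gov thread (RRSIG has expired).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# RRSIG presentation format (RFC 4034 section 3.2):
#   owner TTL [IN] RRSIG type-covered alg labels orig-ttl expiration inception key-tag signer signature
_RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+(?:IN\s+)?RRSIG\s+(?P<covered>\S+)\s+"
    r"(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<orig_ttl>\d+)\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+"
    r"(?P<keytag>\d+)\s+(?P<signer>\S+)\s+(?P<sig>.+)$"
)

# Constructed sample: the three ise.gov RRSIGs quoted in the thread (signature
# data truncated) plus a made-up SOA signature from key tag 12345 that is still
# valid on 21 May 2014. Key tag 12345 and that SOA record are assumptions.
SAMPLE_RRSIGS = """\
; constructed sample input, see the comment above
ise.gov.        60    IN A     50.19.98.143
ise.gov.        60    IN RRSIG A 5 2 60 20140513120652 20140413120652 45468 ise.gov. VZpvQNUKY6Vt0yxytk7J...
ise.gov.        86400 IN RRSIG NS 5 2 86400 20140513120652 20140413120652 45468 ise.gov. OJ6es8al+vr2hCU9IrEk...
www.ise.gov.    43200 IN RRSIG CNAME 5 3 43200 ( 20140513120652 20140413120652
                                 45468 ise.gov. c29tZXNpZ25hdHVyZQ== )
ise.gov.        3600  IN RRSIG SOA 5 2 3600 20140601000000 20140502000000 12345 ise.gov. bWFkZS11cC1zb2E=
"""

# The date of the thread, used as "now" so the sample run is reproducible.
THREAD_DATE = datetime(2014, 5, 21, 12, 0, tzinfo=timezone.utc)


def _sigtime(text):
    """RRSIG times are YYYYMMDDHHMMSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(text):
    """Return one dict per RRSIG found in dig/AXFR text output.

    Parenthesised multi-line records are joined onto one line first and
    ';' comments are dropped; lines that are not RRSIGs are ignored.
    """
    joined = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    records = []
    for line in joined.splitlines():
        line = line.split(";", 1)[0].strip()
        m = _RRSIG_RE.match(line)
        if m:
            records.append({
                "owner": m["owner"], "covered": m["covered"],
                "keytag": int(m["keytag"]), "signer": m["signer"],
                "expiration": _sigtime(m["expiration"]),
                "inception": _sigtime(m["inception"]),
            })
    return records


def classify_signatures(records, now, warn_within=timedelta(days=3)):
    """Label each RRSIG relative to `now`: expired, not-yet-valid, expiring or valid.

    "expiring" is a monitoring hint (re-signing has not happened on schedule);
    "expired" is what a validator rejects.
    """
    result = []
    for r in records:
        if now > r["expiration"]:
            status = "expired"
        elif now < r["inception"]:
            status = "not-yet-valid"
        elif r["expiration"] - now <= warn_within:
            status = "expiring"
        else:
            status = "valid"
        result.append((r["owner"], r["covered"], r["keytag"], status))
    return result


def keys_in_use(records, now):
    """Map key tag -> set of (owner, type) RRsets it signs with a currently valid
    signature. A key tag absent from the result is producing no live signatures."""
    usage = defaultdict(set)
    for r in records:
        if r["inception"] <= now <= r["expiration"]:
            usage[r["keytag"]].add((r["owner"], r["covered"]))
    return dict(usage)


def audit(text, now):
    """Both views over one piece of dig output: signature status and key usage."""
    records = parse_rrsigs(text)
    return {"signatures": classify_signatures(records, now),
            "keys_in_use": keys_in_use(records, now)}


if __name__ == "__main__":
    report = audit(SAMPLE_RRSIGS, THREAD_DATE)
    for owner, covered, keytag, status in report["signatures"]:
        print(f"{owner:16} {covered:6} keytag {keytag:6} {status}")
    print("key tags with live signatures:", sorted(report["keys_in_use"]))
```

In real use the text passed to audit() would be the output of a zone transfer (dig AXFR against a server that permits it) or of the +dnssec queries shown in the thread, with now set to datetime.now(timezone.utc). On the sample, the three ise.gov signatures from key tag 45468 come out as expired, exactly what the resolver logged, while the constructed SOA signature is valid, so only key tag 12345 appears in the keys_in_use view; that missing tag is the signal Klaus asked about for deciding whether a key can be retired.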
Re: KSK signing incomplete
> Further, I see that sometimes there are no private records at all. When
> does this happen? (I never called "rndc signing -clear")

It seems that this happens when Bind is restarted.

So, what is the suggested (and reliable) way for external tools to get the signing status from Bind? I.e. if a key is still used for signing or can be deleted?

Thanks
Klaus