Re: fixed rrset ordering - is this still a thing?

2024-02-29 Thread Matt Nordhoff via bind-users
On Fri, Mar 1, 2024 at 12:38 AM Matt Nordhoff  wrote:
> On Thu, Feb 29, 2024 at 9:40 PM Ondřej Surý  wrote:
> > Hey,
> >
> > BIND 9 supports a fixed rrset ordering (that is keeping the order of the 
> > RRSets from the zone file). It has to be configured
> > at the compile time, it takes more memory (to record that order) and it's a 
> > #ifdef all over the places.
> >
> > So, henceforth, my question - does anyone still use that? And if yes, what 
> > are the use cases?
> >
> > I think BIND is the only server that actually supports this, so it doesn't 
> > feel like the DNS can't function without it.
>
> For what it's worth, Knot DNS is fixed by default. I know because the
> first setting in my knot.conf file is "answer-rotation: on". :-)

Correction: It's fixed but sorted, rather than fixed in the original
zone file order. Which is not necessarily the same as any of BIND's
settings?

I'll go hide in a cave and wish emails could be edited now. :-)

> NSD also has a "round-robin" setting, which is also off by default.
>
> So other nameservers do support fixed order, but I personally don't
> use it and don't mind if you remove it.
>
> > Thanks,
> > Ondřej
-- 
Matt Nordhoff
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: fixed rrset ordering - is this still a thing?

2024-02-29 Thread Matt Nordhoff via bind-users
On Thu, Feb 29, 2024 at 9:40 PM Ondřej Surý  wrote:
> Hey,
>
> BIND 9 supports a fixed rrset ordering (that is keeping the order of the 
> RRSets from the zone file). It has to be configured
> at the compile time, it takes more memory (to record that order) and it's a 
> #ifdef all over the places.
>
> So, henceforth, my question - does anyone still use that? And if yes, what 
> are the use cases?
>
> I think BIND is the only server that actually supports this, so it doesn't 
> feel like the DNS can't function without it.

For what it's worth, Knot DNS is fixed by default. I know because the
first setting in my knot.conf file is "answer-rotation: on". :-)

NSD also has a "round-robin" setting, which is also off by default.

So other nameservers do support fixed order, but I personally don't
use it and don't mind if you remove it.

> Thanks,
> Ondřej
-- 
Matt Nordhoff


KeyTrap fix breaks resolving semi-bogus paste.debian.net/snow-crash.org

2024-02-14 Thread Matt Nordhoff via bind-users
Hello,

I'm not sure if this is a bug or a feature, but the recent CVE fixes
prevent resolving paste.debian.net with DNSSEC validation on.

It is a CNAME:

$ dig +short paste.debian.net
apu.snow-crash.org.
p.snow-crash.org.
148.251.236.38

debian.net is fine, but snow-crash.org is misconfigured: It has an
algorithm 13 DS record, is correctly signed with algorithm 13, but is
also signed using algorithm 8 with signatures that expired a year
ago(!).
Other resolvers, and older versions of BIND, ignore the bad/irrelevant
signatures and can still resolve the zone.

With the recent CVE fixes, BIND sees the expired RRSIGs, decides it's
bogus, logs the below, and returns SERVFAIL. I imagine it hits
max-validation-failures-per-fetch or some internal limit.

named[2540]: validating apu.snow-crash.org/CNAME: verify failed due to
bad signature (keyid=41523): RRSIG has expired
named[2540]: validating apu.snow-crash.org/CNAME: no valid signature found
named[2540]: RRSIG has expired resolving 'apu.snow-crash.org/A/IN':
37.120.176.165#53
named[2540]: validating apu.snow-crash.org/CNAME: verify failed due to
bad signature (keyid=41523): RRSIG has expired
named[2540]: validating apu.snow-crash.org/CNAME: no valid signature found
named[2540]: RRSIG has expired resolving 'apu.snow-crash.org/A/IN':
148.251.236.38#53
named[2540]: validating apu.snow-crash.org/CNAME: verify failed due to
bad signature (keyid=41523): RRSIG has expired
named[2540]: validating apu.snow-crash.org/CNAME: no valid signature found
named[2540]: RRSIG has expired resolving 'apu.snow-crash.org/A/IN':
2a01:4f8:201:3437::2#53

snow-crash.org is clearly misconfigured, but resolvers usually succeed
when they encounter both valid and invalid DNSSEC signatures. And this
domain has no algorithm 8 DS records at all, so the signatures and
keys can be ignored entirely.

Regarding DoS attacks, a resolver can ignore signatures that are
expired or use algorithms not included in the DS record without any
expensive cryptography.

I'm not necessarily saying this is a bug, but it might be an
interesting data point regarding the experimental new limits, and you
might want to consider changing the default or the accounting.

I noticed the issue using Quad9's 9.9.9.11 DNS resolver, and then
reproduced it on an Ubuntu 23.10 (amd64) VM by installing Ubuntu's
bind9 1:9.18.18-0ubuntu2 package with the default configuration and
then upgrading it to 1:9.18.18-0ubuntu2.1.

Some copy-and-pasted information at
.
(Since I couldn't use ...)

(I also did/will tell Quad9 about it for their information.)

Cheers,
-- 
Matt Nordhoff
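The pre-filtering argument in the post above (drop RRSIGs whose algorithm is absent from the zone's DS RRset, or whose validity window has lapsed, before any signature verification) as an added example in Python; this is illustrative code, not BIND's validator. The DS key tag and the RRSIG dates are constructed; the algorithm numbers and the keyid 41523 come from the post.

```python
"""Cheap RRSIG pre-filter, run before expensive public-key verification.

Added example, not code from BIND or from the thread. It shows that the two
checks the post describes (algorithm not in DS set, validity window) need no
cryptography, so discarding such RRSIGs costs nothing and should not count as
validation failures.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int


@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    algorithm: int
    expiration: int   # RFC 4034 presentation format, UTC YYYYMMDDHHMMSS
    inception: int
    key_tag: int


def to_epoch(ts: int) -> int:
    """Convert a YYYYMMDDHHMMSS timestamp to seconds since the epoch (UTC)."""
    return int(datetime.strptime(str(ts), "%Y%m%d%H%M%S")
               .replace(tzinfo=timezone.utc).timestamp())


def prefilter_rrsigs(rrsigs, ds_set, now_epoch):
    """Return (candidates, rejected): only candidates go to the verifier."""
    ds_algs = {ds.algorithm for ds in ds_set}
    candidates, rejected = [], {}
    for sig in rrsigs:
        if sig.algorithm not in ds_algs:          # cheapest check first
            rejected[sig] = "algorithm not in DS RRset"
        elif now_epoch > to_epoch(sig.expiration):
            rejected[sig] = "RRSIG has expired"
        elif now_epoch < to_epoch(sig.inception):
            rejected[sig] = "RRSIG not yet valid"
        else:
            candidates.append(sig)
    return candidates, rejected


# Constructed sample: DS is algorithm 13 (as in the post); key tag 12345 is made up.
SAMPLE_DS = [DS(key_tag=12345, algorithm=13)]
SAMPLE_RRSIGS = [
    RRSIG("CNAME", 13, 20240301000000, 20240201000000, 12345),  # good, current
    RRSIG("CNAME", 8, 20230201000000, 20230101000000, 41523),   # stale alg-8 sig
]
NOW = to_epoch(20240214000000)  # date of the post, constructed "current time"
```

`prefilter_rrsigs(SAMPLE_RRSIGS, SAMPLE_DS, NOW)` keeps only the algorithm 13 signature and reports the algorithm 8 one as not matching the DS RRset, without touching any key material.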