Handling of expired RRSIG records - ise.gov

2014-05-21 Thread Simon Waters
Dear Bind Users,

BIND 9 logs report: RRSIG has expired for www.ise.gov
And no valid signature found for ise.gov A.

Yet I can still resolve and visit the website http://ise.gov/

DNS recursive server has:
dnssec-validation yes;
dnssec-enable yes;
dnssec-accept-expired no;

Inspection: 

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.32.amzn1 <<>> +norec +dnssec @ns1.p11.dynect.net ise.gov a
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61417
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ise.gov.   IN  A

;; ANSWER SECTION:
ise.gov.  60  IN  A  50.19.98.143
ise.gov.  60  IN  RRSIG  A 5 2 60 20140513120652 20140413120652 45468 ise.gov. VZpvQNUKY6Vt0yxytk7JzK4FGh54SImorcnbvIRKwhGp2nrrHZWgSRfM RiYtgbD2KSUoIOoaws5uDL1FAmMbbbFbdQBioEmJeCJMLzD1FJKPDBu3 PTtmTqgj7tdEM12evpM1v8JwDoN/ZYGwgMxkkOebqqrMQ0ZuprfmZqrf 6Zg=

;; AUTHORITY SECTION:
ise.gov.  86400  IN  NS  ns1.p11.dynect.net.
ise.gov.  86400  IN  NS  ns4.p11.dynect.net.
ise.gov.  86400  IN  NS  ns2.p11.dynect.net.
ise.gov.  86400  IN  NS  ns3.p11.dynect.net.
ise.gov.  86400  IN  RRSIG  NS 5 2 86400 20140513120652 20140413120652 45468 ise.gov. OJ6es8al+vr2hCU9IrEkIJ+Ly/XK79g/Hlp8vDCYR6qt5VrOA5dzC4Nq a0IOOn9Ryo38O021tlcTp9bHhC+sf02SmmbG1oBiRSbL2JaYPD0Cm5bg rLiGB9iE3lDrgIz++RytufcKjnloYyCYhfAUvTe5/tmSU5tP0rdes8yw 0rA=

;; Query time: 22 msec
;; SERVER: 208.78.70.11#53(208.78.70.11)
;; WHEN: Wed May 21 11:40:16 2014
;; MSG SIZE  rcvd: 472

All name servers have the same expiry time for the RRSIG A record, which unless 
I'm more confused than I realise, is about a week ago. Clocks on all machines 
under our control are correct to the precision required (they know what day and 
year it is).

DNSviz suggests that the SOA record is secure, but not A or MX for ise.gov, and the 
date on the SOA RRSIG record is indeed in the future.

How is BIND deciding it is okay to return the A and MX records, and that this 
is not some sort of DNS replay attack?

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Handling of expired RRSIG records - ise.gov

2014-05-21 Thread Stephane Bortzmeyer
On Wed, May 21, 2014 at 12:56:32PM +0100,
 Simon Waters simon.wat...@surevine.com wrote 
 a message of 58 lines which said:

> BIND 9 logs report: RRSIG has expired for www.ise.gov

Indeed.

www.ise.gov. 43200 IN RRSIG CNAME 5 3 43200 (
                20140513120652 20140413120652

More than a week ago.

> Yet I can still resolve and visit the website http://ise.gov/

Probably because there is no DS record for ise.gov, which prevents the
validator from trying.



Re: Handling of expired RRSIG records - ise.gov

2014-05-21 Thread Simon Waters
On 21 May 2014, at 13:01, Stephane Bortzmeyer bortzme...@nic.fr wrote:

> Probably because there is no DS record for ise.gov, which prevents the
> validator from trying.

Thanks, and indeed no DS in .gov, knew I was missing something basic. 



Re: Handling of expired RRSIG records - ise.gov

2014-05-21 Thread Mark Andrews

There is no DS record for ise.gov so there is no chain of trust and
the answer is treated as insecure.  Note ad is *not* set in flags
of your query.

; <<>> DiG 9.11.0pre-alpha <<>> ds ise.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45170
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ise.gov.   IN  DS

;; AUTHORITY SECTION:
gov.  3463  IN  SOA  a.usadotgov.net. nstld.verisign-grs.com. 1400670001 3600 900 1814400 3600

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 22 00:21:37 EST 2014
;; MSG SIZE  rcvd: 109

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
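An added illustration of the decision Mark describes (example code written for this page, not from the thread, from BIND or from ISC): it parses the RRSIG over ise.gov A exactly as Simon's dig printed it, checks the RFC 4035 validity window against the time of his query, and applies the chain-of-trust rule that an absent DS at the parent makes the delegation insecure, so the expired signature is never consulted. The field names, the `accept_expired` switch standing in for `dnssec-accept-expired`, and the empty DS RRset standing in for Mark's empty DS answer are assumptions of the example.

```python
from datetime import datetime, timezone

# Constructed input: the RRSIG over the ise.gov A record as dig printed it in
# the thread (signature data truncated; only the timing fields are used here).
RRSIG_A_LINE = ("ise.gov. 60 IN RRSIG A 5 2 60 20140513120652 20140413120652 "
                "45468 ise.gov. VZpvQNUKY6Vt0yxytk7JzK4FGh54SImorcnbvIRKwhGp2nrrHZWgSRfM")
# Mark's "dig ds ise.gov" returned ANSWER: 0 with the ad flag set: the gov zone
# gives an authenticated NODATA, i.e. there is provably no DS for ise.gov.
DS_RRSET_ISE_GOV = []
# Time of Simon's query, from the ";; WHEN:" line of his dig output.
QUERY_TIME = datetime(2014, 5, 21, 11, 40, 16, tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split an RRSIG in presentation format into its RFC 4034 fields."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("expected '<owner> <ttl> IN RRSIG ...'")

    def ts(s):  # RRSIG times are YYYYMMDDHHmmSS, always UTC
        return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

    return {"owner": f[0], "ttl": int(f[1]), "type_covered": f[4],
            "algorithm": int(f[5]), "labels": int(f[6]),
            "original_ttl": int(f[7]), "expiration": ts(f[8]),
            "inception": ts(f[9]), "key_tag": int(f[10]),
            "signer": f[11], "signature": "".join(f[12:])}


def window_ok(sig, now, accept_expired=False):
    """RFC 4035 5.3.1 validity window. accept_expired mirrors BIND's
    dnssec-accept-expired option, which waives only the expiration check."""
    if now < sig["inception"]:
        return False
    return accept_expired or now <= sig["expiration"]


def validation_state(ds_rrset, sig, now, accept_expired=False):
    """Outcome a validating resolver reaches for the signed RRset, assuming
    the DS absence is authenticated and the signature bytes themselves
    verify, so only the chain of trust and the time window decide."""
    if not ds_rrset:
        # No DS at the parent: no chain of trust into ise.gov, so the RRSIG
        # is never evaluated. The answer is returned as insecure, ad clear.
        return "insecure"
    if window_ok(sig, now, accept_expired):
        return "secure"
    return "bogus"  # under a secure delegation this would be a SERVFAIL
```

Running `validation_state(DS_RRSET_ISE_GOV, parse_rrsig(RRSIG_A_LINE), QUERY_TIME)` gives "insecure", which is why the expired RRSIG only produced a log line and not a SERVFAIL; had gov carried a DS for ise.gov, the same inputs would give "bogus".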