Handling of expired RRSIG records - ise.gov
Dear Bind Users,

BIND 9 logs report:

    RRSIG has expired for www.ise.gov

And

    no valid signature found for ise.gov A.

Yet I can still resolve and visit the website http://ise.gov/

DNS recursive server has:

    dnssec-validation yes;
    dnssec-enable yes;
    dnssec-accept-expired no;

Inspection:

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.32.amzn1 <<>> +norec +dnssec @ns1.p11.dynect.net ise.gov a
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61417
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ise.gov.                       IN      A

;; ANSWER SECTION:
ise.gov.                60      IN      A       50.19.98.143
ise.gov.                60      IN      RRSIG   A 5 2 60 20140513120652 20140413120652 45468 ise.gov. VZpvQNUKY6Vt0yxytk7JzK4FGh54SImorcnbvIRKwhGp2nrrHZWgSRfM RiYtgbD2KSUoIOoaws5uDL1FAmMbbbFbdQBioEmJeCJMLzD1FJKPDBu3 PTtmTqgj7tdEM12evpM1v8JwDoN/ZYGwgMxkkOebqqrMQ0ZuprfmZqrf 6Zg=

;; AUTHORITY SECTION:
ise.gov.                86400   IN      NS      ns1.p11.dynect.net.
ise.gov.                86400   IN      NS      ns4.p11.dynect.net.
ise.gov.                86400   IN      NS      ns2.p11.dynect.net.
ise.gov.                86400   IN      NS      ns3.p11.dynect.net.
ise.gov.                86400   IN      RRSIG   NS 5 2 86400 20140513120652 20140413120652 45468 ise.gov. OJ6es8al+vr2hCU9IrEkIJ+Ly/XK79g/Hlp8vDCYR6qt5VrOA5dzC4Nq a0IOOn9Ryo38O021tlcTp9bHhC+sf02SmmbG1oBiRSbL2JaYPD0Cm5bg rLiGB9iE3lDrgIz++RytufcKjnloYyCYhfAUvTe5/tmSU5tP0rdes8yw 0rA=

;; Query time: 22 msec
;; SERVER: 208.78.70.11#53(208.78.70.11)
;; WHEN: Wed May 21 11:40:16 2014
;; MSG SIZE  rcvd: 472

All name servers have the same expiry time for the RRSIG A record, which, unless I'm more confused than I realise, is about a week ago.

Clocks on all machines under our control are correct to the precision required (they know what day and year it is).

DNSviz suggests that the SOA record is secure, but not A or MX for ise.gov, and the date on the SOA RRSIG record is indeed in the future.

How is BIND deciding it is okay to return the A and MX records, and that this is not some sort of DNS replay attack?

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Handling of expired RRSIG records - ise.gov
On Wed, May 21, 2014 at 12:56:32PM +0100,
 Simon Waters <simon.wat...@surevine.com> wrote
 a message of 58 lines which said:

> BIND 9 logs report:
>
>     RRSIG has expired for www.ise.gov

Indeed.

www.ise.gov.            43200   IN      RRSIG   CNAME 5 3 43200 (
                                20140513120652 20140413120652

More than a week ago.

> Yet I can still resolve and visit the website http://ise.gov/

Probably because there is no DS record for ise.gov, which prevents the
validator from trying.
Re: Handling of expired RRSIG records - ise.gov
On 21 May 2014, at 13:01, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:

> Probably because there is no DS record for ise.gov, which prevents the
> validator from trying.

Thanks, and indeed no DS in .gov; knew I was missing something basic.
Re: Handling of expired RRSIG records - ise.gov
There is no DS record for ise.gov so there is no chain of trust and the
answer is treated as insecure. Note ad is *not* set in flags of your query.

; <<>> DiG 9.11.0pre-alpha <<>> ds ise.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45170
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ise.gov.                       IN      DS

;; AUTHORITY SECTION:
gov.                    3463    IN      SOA     a.usadotgov.net. nstld.verisign-grs.com. 1400670001 3600 900 1814400 3600

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 22 00:21:37 EST 2014
;; MSG SIZE  rcvd: 109

Mark

In message <ec464560-51ac-4329-b946-d0f31309c...@surevine.com>, Simon Waters writes:
> Dear Bind Users,
>
> BIND 9 logs report:
>
>     RRSIG has expired for www.ise.gov
>
> And
>
>     no valid signature found for ise.gov A.
>
> Yet I can still resolve and visit the website http://ise.gov/
>
> DNS recursive server has:
>
>     dnssec-validation yes;
>     dnssec-enable yes;
>     dnssec-accept-expired no;
>
> Inspection:
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.32.amzn1 <<>> +norec +dnssec @ns1.p11.dynect.net ise.gov a
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61417
> ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;ise.gov.                       IN      A
>
> ;; ANSWER SECTION:
> ise.gov.                60      IN      A       50.19.98.143
> ise.gov.                60      IN      RRSIG   A 5 2 60 20140513120652 20140413120652 45468 ise.gov. VZpvQNUKY6Vt0yxytk7JzK4FGh54SImorcnbvIRKwhGp2nrrHZWgSRfM RiYtgbD2KSUoIOoaws5uDL1FAmMbbbFbdQBioEmJeCJMLzD1FJKPDBu3 PTtmTqgj7tdEM12evpM1v8JwDoN/ZYGwgMxkkOebqqrMQ0ZuprfmZqrf 6Zg=
>
> ;; AUTHORITY SECTION:
> ise.gov.                86400   IN      NS      ns1.p11.dynect.net.
> ise.gov.                86400   IN      NS      ns4.p11.dynect.net.
> ise.gov.                86400   IN      NS      ns2.p11.dynect.net.
> ise.gov.                86400   IN      NS      ns3.p11.dynect.net.
> ise.gov.                86400   IN      RRSIG   NS 5 2 86400 20140513120652 20140413120652 45468 ise.gov. OJ6es8al+vr2hCU9IrEkIJ+Ly/XK79g/Hlp8vDCYR6qt5VrOA5dzC4Nq a0IOOn9Ryo38O021tlcTp9bHhC+sf02SmmbG1oBiRSbL2JaYPD0Cm5bg rLiGB9iE3lDrgIz++RytufcKjnloYyCYhfAUvTe5/tmSU5tP0rdes8yw 0rA=
>
> ;; Query time: 22 msec
> ;; SERVER: 208.78.70.11#53(208.78.70.11)
> ;; WHEN: Wed May 21 11:40:16 2014
> ;; MSG SIZE  rcvd: 472
>
> All name servers have the same expiry time for the RRSIG A record, which, unless I'm more confused than I realise, is about a week ago.
>
> Clocks on all machines under our control are correct to the precision required (they know what day and year it is).
>
> DNSviz suggests that the SOA record is secure, but not A or MX for ise.gov, and the date on the SOA RRSIG record is indeed in the future.
>
> How is BIND deciding it is okay to return the A and MX records, and that this is not some sort of DNS replay attack?

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
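The thread turns on two separate checks a validating resolver makes: whether the RRSIG's inception/expiration window covers the current time (Simon's "about a week ago"), and whether a chain of trust reaches the zone at all (Stephane's and Mark's point that .gov publishes no DS for ise.gov, so the answer is merely insecure rather than bogus). The following is an added example written for this page, not code from the thread or from BIND: it parses the A-record RRSIG from Simon's dig output, classifies its time window, and models the resolver's outcome for both the no-DS and with-DS cases. The cryptographic verification itself is assumed to pass, the dig WHEN timestamp is taken as UTC, and the `accept_expired` flag only mimics the effect of BIND's dnssec-accept-expired option; NSEC/NSEC3 proofs, trust anchors and the rest of BIND's validator are out of scope.

```python
"""Model a DNSSEC validator's handling of an expired RRSIG with and without
a DS record at the parent (RFC 4034 section 3, RFC 4035 section 5).
Added example, not code from the bind-users thread or from BIND itself."""
from datetime import datetime, timedelta, timezone

# Constructed input: the A-record RRSIG exactly as printed by dig in the
# thread (owner, TTL, class, RRSIG, then the RFC 4034 RDATA fields).
RRSIG_LINE = (
    "ise.gov. 60 IN RRSIG A 5 2 60 20140513120652 20140413120652 45468 ise.gov. "
    "VZpvQNUKY6Vt0yxytk7JzK4FGh54SImorcnbvIRKwhGp2nrrHZWgSRfM "
    "RiYtgbD2KSUoIOoaws5uDL1FAmMbbbFbdQBioEmJeCJMLzD1FJKPDBu3 "
    "PTtmTqgj7tdEM12evpM1v8JwDoN/ZYGwgMxkkOebqqrMQ0ZuprfmZqrf 6Zg="
)

# The ";; WHEN:" line of that query; assumed to be UTC for this example.
QUERY_TIME = datetime(2014, 5, 21, 11, 40, 16, tzinfo=timezone.utc)


def rrsig_time(field):
    """RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split a presentation-format RRSIG RR into named fields.

    RDATA order (RFC 4034 section 3.1): type covered, algorithm, labels,
    original TTL, signature expiration, signature inception, key tag,
    signer's name, signature (base64; dig may print it in space-separated chunks).
    """
    f = line.split()
    if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record in presentation format")
    return {
        "owner": f[0],
        "ttl": int(f[1]),
        "type_covered": f[4],
        "algorithm": int(f[5]),
        "labels": int(f[6]),
        "original_ttl": int(f[7]),
        "expiration": rrsig_time(f[8]),
        "inception": rrsig_time(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
        "signature": "".join(f[12:]),
    }


def window_status(rrsig, now):
    """RFC 4035 section 5.3.1: usable only while inception <= now <= expiration
    (the serial-number arithmetic of the RFC is not needed for these dates)."""
    if now < rrsig["inception"]:
        return "not-yet-valid"
    if now > rrsig["expiration"]:
        return "expired"
    return "in-window"


def time_past_expiry(rrsig, now):
    """How long ago the signature expired; zero if it is still valid."""
    return max(now - rrsig["expiration"], timedelta(0))


def validator_outcome(rrsig, now, parent_has_ds, accept_expired=False):
    """Return (security status, AD bit) for the RRset the RRSIG covers.

    parent_has_ds  -- the parent zone holds a DS for the signer. With a
                      secure proof that no DS exists (Mark's DS query),
                      the zone is 'insecure' and its RRSIGs are never examined.
    accept_expired -- mimics BIND's dnssec-accept-expired option (assumption).
    The cryptographic check is assumed to succeed in this model.
    """
    if not parent_has_ds:
        return "insecure", False
    status = window_status(rrsig, now)
    if status == "in-window" or (status == "expired" and accept_expired):
        return "secure", True
    return "bogus", False


if __name__ == "__main__":
    sig = parse_rrsig(RRSIG_LINE)
    print("expiration:", sig["expiration"], "->", window_status(sig, QUERY_TIME),
          "by", time_past_expiry(sig, QUERY_TIME))
    for has_ds in (False, True):
        print("parent DS:", has_ds, "->", validator_outcome(sig, QUERY_TIME, has_ds))
```

Run against the thread's data, the signature expired on 2014-05-13 12:06:52 UTC, a little under eight days before the query, so with a DS in place the resolver would have returned SERVFAIL (bogus); without one it hands back the A record as insecure, which is why the site still resolved.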