Re: [dns-operations] [outa...@outages.org: [outages] DNSSEC issues .se]

2022-02-04 Thread Viktor Dukhovni
On Fri, Feb 04, 2022 at 05:48:41PM +0100, Stephane Bortzmeyer wrote:

> From: Jonathan Sélea via Outages 
> To: "outa...@outages.org" 
> Subject: [outages] DNSSEC issues .se
> 
> Apparently, if an unsigned domain is followed by a signed domain in the
> .se zone - the domain won't resolve due to NSEC errors.

The problem is not limited to "unsigned followed by signed", here's a
counter-example:

 12timmarsbillingen.se. DS 12412 8 1 F2C2875A83586049209043F8902C14480CB23ADC
 12timmarsbillingen.se. DS 12412 8 2 38E21AD13565B3742C7025EC6A377E2469E006AF07263D820A86B94C 8EE2F72F
 12timmarsbillingen.se. RRSIG DS 8 2 3600 20220214223716 20220201211104 30015 se. ...
 ;
 12timmarsbillingen.se. NSEC 12tio.se. NS DS RRSIG NSEC
 12timmarsbillingen.se. RRSIG NSEC 8 2 7200 20220217092758 20220204091055 30015 se. AAH/ADAxMA0GCWCGSAFlAwQCAQUABCB60KcmsNHUcT/lUUzcsAgqKrLtDlGjohL/JgW5gHmzpA==

 12tio.se. DS 8042 13 2 10DBC098B055E8DFE252659D50202A35AAF631BB9824D076F0B34CB576F4E282
 12tio.se. RRSIG DS 8 2 3600 20220215032204 2022020053 30015 se. ...
 ;
 12tio.se. NSEC 12trad.se. NS DS RRSIG NSEC
 12tio.se. RRSIG NSEC 8 2 7200 20220215230329 20220202141108 30015 se. KK5w0vghV65yxdTUkoBNTQ7pCJnOrtLRtf4le/e91RiFTi/RF3UPeNP0bQ0vFi1oT77Mk4mmNgi9RztycCCMUiy4Zb0+Rd2VhTNaHVQZFhYAx1/V4wsC773ZbQgzDaYk8sIQsw1pHt67NXOURbBUV4oiajHaN62HKYuo+ETkkSY+l7AuGQQN3jUDdeaaU97zIVgLhAYrw3mod72HVwEWDVMZmatIYlCrs8yg0kXENihcwdMirhtICGdzN1oat7oQrIim0XJbVRBlfA8LaAevbPtR3VgiAHwxItqgOpDq7i4RPrjsfC/qscW+g4/iMZNViW4l56N/fPBIvR0+T6X1FQ==

Roughly 0.6% of the NSEC RRSIGs appear to be affected.

-- 
Viktor.
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations


Re: [dns-operations] [outa...@outages.org: [outages] DNSSEC issues .se]

2022-02-04 Thread Viktor Dukhovni
On Fri, Feb 04, 2022 at 05:48:41PM +0100, Stephane Bortzmeyer wrote:

> Indeed, DNSviz seems to confirm the problem:
> 
> https://dnsviz.net/d/sportbladet.se/Yf1XbQ/dnssec/
> 
> The signature of the NSEC record looks strange to me:
> 
> sportbladet.se.   7200 IN RRSIG NSEC 8 2 7200 (
>   20220217023427 20220204111055 30015 se.
>   AAH/
>   
>   
>   
>   
>   
>   ADAxMA0GCWCGSAFlAwQCAQUABCDDlM45/p82
>   gs9EuWI0BODTVEgrkVM5ZrtG98oLVgefGQ== )
> 

Well, it is not what should be there, but *that* strange:

$ echo 'AAH/ADAxMA0GCWCGSAFlAwQCAQUABCDDlM45/p82gs9EuWI0BODTVEgrkVM5ZrtG98oLVgefGQ==' |
    openssl base64 -A -d |
    od -tx1
000 00 01 ff ff ff ff ff ff ff ff ff ff ff ff ff ff
020 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
*
300 ff ff ff ff ff ff ff ff ff ff ff ff 00 30 31 30
320 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20
340 c3 94 ce 39 fe 9f 36 82 cf 44 b9 62 34 04 e0 d3
360 54 48 2b 91 53 39 66 bb 46 f7 ca 0b 56 07 9f 19
400

What we see here is the PKCS#1 padded *input* to the RSA signature
operation, rather than its signed output.  Somehow the RSA private
key operation never happened.  An HSM glitch?  A software error?

-- 
Viktor.


[dns-operations] [outa...@outages.org: [outages] DNSSEC issues .se]

2022-02-04 Thread Stephane Bortzmeyer
Indeed, DNSviz seems to confirm the problem:

https://dnsviz.net/d/sportbladet.se/Yf1XbQ/dnssec/

The signature of the NSEC record looks strange to me:

% dig @a.ns.se. +dnssec A sportbladet.se

; <<>> DiG 9.16.1-Ubuntu <<>> @a.ns.se. +dnssec A sportbladet.se
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60924
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 0048c3eb59d11c2b010061fd58dcdecd7e08e6619bd5 (good)
;; QUESTION SECTION:
;sportbladet.se.                IN      A

;; AUTHORITY SECTION:
sportbladet.se. 86400 IN NS dns02.ports.se.
sportbladet.se. 86400 IN NS dns03.ports.se.
sportbladet.se. 86400 IN NS dns04.ports.net.
sportbladet.se. 86400 IN NS dns01.dipcon.com.
sportbladet.se. 7200 IN NSEC sportbladet-tv.se. NS RRSIG NSEC
sportbladet.se. 7200 IN RRSIG NSEC 8 2 7200 (
20220217023427 20220204111055 30015 se.
AAH/





ADAxMA0GCWCGSAFlAwQCAQUABCDDlM45/p82
gs9EuWI0BODTVEgrkVM5ZrtG98oLVgefGQ== )

;; ADDITIONAL SECTION:
dns03.ports.se. 86400 IN AAAA 2a04:3540:1000:310:287e:f6ff:fe1d:4789
dns02.ports.se. 86400 IN AAAA 2001:19f0:5001:2a:5400:ff:fe38:1e6f
dns03.ports.se. 86400 IN A 94.237.33.102
dns02.ports.se. 86400 IN A 45.63.42.179

;; Query time: 39 msec
;; SERVER: 2a01:3f0:0:301::53#53(2a01:3f0:0:301::53)
;; WHEN: ven. févr. 04 17:48:28 CET 2022
;; MSG SIZE  rcvd: 595
--- Begin Message ---
Anyone else seeing DNSSEC issues on unsigned .se domains?
Apparently, if an unsigned domain is followed by a signed domain in the .se zone - the domain won't resolve due to NSEC errors.

Example:
Sportbladet.se
Kgkfastigheter.se
Deltacity.se

Med vänlig hälsning / Best Regards
Jonathan Sélea
Linux Technician
+46 70 726 00 50
jonathan.se...@portsgroup.com
Göteborg, Kungsgatan 42

___
Outages mailing list
outa...@outages.org
https://puck.nether.net/mailman/listinfo/outages
--- End Message ---