Re: DNSSEC validation failures for www.hrsa.gov
In message , Jay Ford writes: > On Sat, 25 Jun 2016, Mark Andrews wrote: > > The servers for webfarm.dr.hrsa.gov are not EDNS and DNSSEC compliant. > > They are returning FORMERR to queries with EDNS options. Unknown > > EDNS options are supposed to be ignored (RFC 6891). > > > > You can workaround this with a server clause to disable sending the > > cookie option with a server clause. > > > > server { request-sit no; }; // 9.10.x > > server { send-cookie no; }; // 9.11.x > > That did it, at least for now. > > > Now one could argue that FORMERR is legal under RFC 2671 (the initial > > EDNS specification) as no options were defined and to use a option > > you need to bump the EDNS version but the servers don't do EDNS > > version negotiation either as they return FORMERR to a EDNS version 1 > > query rather than BADVERS. They also incorrectly copy back unknown > > EDNS flags. > > > Whether this is the cause of your issue I don't know but it won't be > > helping. > > The HRSA folks claim that their "site is fine". In hopes of disabusing them > of that notion I'll have our folks who have to try to use the HRSA site pass > along the trouble report. Just because it appears to work for some clients does not mean that it works for all clients. This is yet another IT department putting their fingers in their ears and saying "nah nah nah". If they were compentent they would look at the RFC's listed in the original report and check that their servers work correctly and fix the issues found. EDNS was designed to allow clients and servers to upgrade independently but that requires that both clients and servers follow the protocol. That they handle new/unknown stuff correctly which these servers do not. They can check their servers at https://ednscomp.isc.org/ Mark > Thanks for the diagnosis & work-around. Excellent as always & crazy fast, > too! > > > Jay Ford, Network Engineering Group, Information Technology Services > University of Iowa, Iowa City, IA 52242 > email: jay-f...@uiowa.edu, phone: 319-335- -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Re: DNSSEC validation failures for www.hrsa.gov
On 24-Jun-16 22:13, Jay Ford wrote: > On Sat, 25 Jun 2016, Mark Andrews wrote: >> The servers for webfarm.dr.hrsa.gov are not EDNS and DNSSEC compliant. >> They are returning FORMERR to queries with EDNS options. Unknown >> EDNS options are supposed to be ignored (RFC 6891). >> >> You can workaround this with a server clause to disable sending the >> cookie option with a server clause. >> >> server { request-sit no; };// 9.10.x >> server { send-cookie no; };// 9.11.x > > That did it, at least for now. > >> Now one could argue that FORMERR is legal under RFC 2671 (the initial >> EDNS specification) as no options were defined and to use a option >> you need to bump the EDNS version but the servers don't do EDNS >> version negotiation either as they return FORMERR to a EDNS version 1 >> query rather than BADVERS. They also incorrectly copy back unknown >> EDNS flags. > >> Whether this is the cause of your issue I don't know but it won't be >> helping. > > The HRSA folks claim that their "site is fine". In hopes of > disabusing them of that notion I'll have our folks who have to try to > use the HRSA site pass along the trouble report. > > Thanks for the diagnosis & work-around. Excellent as always & crazy > fast, too! > > > Jay Ford, Network Engineering Group, Information Technology Services > University of Iowa, Iowa City, IA 52242 > email: jay-f...@uiowa.edu, phone: 319-335- > FWIW, dnsfp identifies the DNS servers as: fingerprint (162.99.248.222, 162.99.248.222): Unlogic Eagle DNS 1.0 -- 1.0.1 [New Rules] If this is correct, the project website for Eagle DNS would appear to be: http://www.unlogic.se/projects/eagledns It seems a rather odd choice for a .gov (US Health and Human Services) owned domain...though one never knows what IT outsourcing will produce :-) Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. smime.p7s Description: S/MIME Cryptographic Signature ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC validation failures for www.hrsa.gov
On Sat, 25 Jun 2016, Mark Andrews wrote: The servers for webfarm.dr.hrsa.gov are not EDNS and DNSSEC compliant. They are returning FORMERR to queries with EDNS options. Unknown EDNS options are supposed to be ignored (RFC 6891). You can workaround this with a server clause to disable sending the cookie option with a server clause. server { request-sit no; }; // 9.10.x server { send-cookie no; }; // 9.11.x That did it, at least for now. Now one could argue that FORMERR is legal under RFC 2671 (the initial EDNS specification) as no options were defined and to use a option you need to bump the EDNS version but the servers don't do EDNS version negotiation either as they return FORMERR to a EDNS version 1 query rather than BADVERS. They also incorrectly copy back unknown EDNS flags. Whether this is the cause of your issue I don't know but it won't be helping. The HRSA folks claim that their "site is fine". In hopes of disabusing them of that notion I'll have our folks who have to try to use the HRSA site pass along the trouble report. Thanks for the diagnosis & work-around. Excellent as always & crazy fast, too! Jay Ford, Network Engineering Group, Information Technology Services University of Iowa, Iowa City, IA 52242 email: jay-f...@uiowa.edu, phone: 319-335- ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC validation failures for www.hrsa.gov
The servers for webfarm.dr.hrsa.gov are not EDNS and DNSSEC compliant. They are returning FORMERR to queries with EDNS options. Unknown EDNS options are supposed to be ignored (RFC 6891). You can workaround this with a server clause to disable sending the cookie option with a server clause. server { request-sit no; }; // 9.10.x server { send-cookie no; }; // 9.11.x Now one could argue that FORMERR is legal under RFC 2671 (the initial EDNS specification) as no options were defined and to use a option you need to bump the EDNS version but the servers don't do EDNS version negotiation either as they return FORMERR to a EDNS version 1 query rather than BADVERS. They also incorrectly copy back unknown EDNS flags. ; <<>> DiG 9.11.0a3 <<>> webfarm.dr.hrsa.gov @ns2.hrsa.gov +edns=1 +noednsneg +nocookie +noad +norec +qr ;; global options: +cmd ;; Sending: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59618 ;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 1, flags:; udp: 4096 ;; QUESTION SECTION: ;webfarm.dr.hrsa.gov. IN A ;; QUERY SIZE: 48 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 59618 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 1, flags:; udp: 4096 ;; QUESTION SECTION: ;webfarm.dr.hrsa.gov. IN A ;; Query time: 313 msec ;; SERVER: 162.99.248.222#53(162.99.248.222) ;; WHEN: Sat Jun 25 11:18:55 EST 2016 ;; MSG SIZE rcvd: 48 Whether this is the cause of your issue I don't know but it won't be helping. Mark In message , Jay For d writes: > I'm getting DNSSEC validation failures by BIND 9.10.4-P1 for www.hrsa.gov. > > The pertinent log messages are things like: > > lame-servers: info: no valid RRSIG resolving 'webfarm.dr.hrsa.gov/DS/IN': > 165.112.137.222#53 > lame-servers: info: no valid RRSIG resolving 'webfarm.dr.hrsa.gov/DS/IN': > 162.99.248.222#53 > lame-servers: info: no valid DS resolving 'webfarm.dr.hrsa.gov/A/IN': 162 > .99.248.222#53 > lame-servers: info: broken trust chain resolving 'webfarm.dr.hrsa.gov/A/I > N': 165.112.137.222#53 > lame-servers: info: insecurity proof failed resolving 'dr.hrsa.gov/SOA/IN > ': 162.99.248.222#53 > lame-servers: info: insecurity proof failed resolving 'dr.hrsa.gov/SOA/IN > ': 165.112.137.222#53 > > The dig output is: > > $ dig www.hrsa.gov @dns-spare.uiowa.edu > > ; <<>> DiG 9.10.3-P4-Debian <<>> www.hrsa.gov @dns-spare.uiowa.edu > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42947 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags:; udp: 4096 > ;; QUESTION SECTION: > ;www.hrsa.gov. IN A > > ;; Query time: 103 msec > ;; SERVER: fd9a:2c75:7d0c:5::2#53(fd9a:2c75:7d0c:5::2) > ;; WHEN: Fri Jun 24 18:49:06 CDT 2016 > ;; MSG SIZE rcvd: 41 > > It doesn't fail with a similar config on 9.10.3-P4, but there are admittedly > config differences. > > Other DNSSEC-signed things validate fine at both versions, so things are > mostly OK. > > My guess is that BIND 9.10.4-P1 is checking something more stringently than > previous versions did, & that something is broken with the DNS for > www.hrsa.gov, but I can't spot what it is. There are some very short TTLs (5 > seconds) in the data tree in question, including for SOAs, which seems like a > really bad idea but I'm not sure it definitely breaks things. There are also > some answers with both "AA" & "AD" set, which seems odd, but again, not > definitely broken. > > dnsviz.net reports a couple of warnings, including a non-AA answer from > authoritative servers, but it doesn't say it's bogus. > > If anybody can spot something broken for www.hrsa.gov, I'd be very glad to > hear about it. > > > Jay Ford, Network Engineering Group, Information Technology Services > University of Iowa, Iowa City, IA 52242 > email: jay-f...@uiowa.edu, phone: 319-335- > ___ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users