Re: [dns-operations] is anybody awake at 5.0.1.0.0.2.ip6.arpa? (comcast and/or arin)

2020-10-06 Thread Mark Andrews


> On 6 Oct 2020, at 23:14, Shumon Huque  wrote:
> 
> On Mon, Oct 5, 2020 at 11:22 PM Mark Andrews  wrote:
> > On 6 Oct 2020, at 13:18, Paul Vixie  wrote:
> > 
> > ssh gets hinky when i connect from a server whose PTR is "servfail" (dnssec 
> > "bogus")
> > 
> >   • 5.0.1.0.0.2.ip6.arpa to 9.5.5.0.1.0.0.2.ip6.arpa: No valid RRSIGs 
> > made by a key corresponding to a DS RR were found covering the DNSKEY 
> > RRset, resulting in no secure entry point (SEP) into the zone. 
> > (68.87.68.244, 68.87.72.244, 68.87.76.228, 68.87.85.132, 69.252.250.103, 
> > 2001:558:1004:7:68:87:85:132, 2001:558:100a:5:68:87:68:244, 
> > 2001:558:100e:5:68:87:72:244, 2001:558:1014:c:68:87:76:228, 
> > 2001:558:fe23:8:69:252:250:103, UDP_-_EDNS0_4096_D_K)
> 
> I have no idea why DNSVIZ is reporting this NSEC record (?) given there is a 
> DS RRset.  The covering NSEC record for 9.5.5.0.1.0.0.2.ip6.arpa that would 
> prove the non-existence of the DS RRset if it didn’t exist is 
> 9.5.5.0.1.0.0.2.ip6.arpa.  I suspect a DNSVIZ bug here.
> 
> Sorry Mark - where do you see dnsviz complaining about an NSEC record?

If it was a DS record I would expect the message to say 
9.5.5.0.1.0.0.2.ip6.arpa (not 5.0.1.0.0.2.ip6.arpa to 9.5.5.0.1.0.0.2.ip6.arpa), 
which feels more like an NSEC than a DS.  It’s not actually clear what RRset it 
is referring to.

> This error message says that no "valid" DNSKEY RRSIGs made by a key matching 
> the DS RRset were found -- which is a correct diagnosis. No NSEC records are 
> involved in that determination.
> 
> As you've already pointed out, DNSKEY with keytag 47242 has an expired 
> signature on the DNSKEY RRset. Key 30705 has a valid unexpired signature but 
> that does not match the DS set (it also doesn't have the advisory SEP flag, 
> so was likely not intended to be used as a secure entry point).
> 
> Shumon.
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org


___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations


Re: [dns-operations] is anybody awake at 5.0.1.0.0.2.ip6.arpa? (comcast and/or arin)

2020-10-06 Thread Shumon Huque
On Mon, Oct 5, 2020 at 11:22 PM Mark Andrews  wrote:

> > On 6 Oct 2020, at 13:18, Paul Vixie  wrote:
> >
> > ssh gets hinky when i connect from a server whose PTR is "servfail"
> (dnssec "bogus")
> >
> >   • 5.0.1.0.0.2.ip6.arpa to 9.5.5.0.1.0.0.2.ip6.arpa: No valid
> RRSIGs made by a key corresponding to a DS RR were found covering the
> DNSKEY RRset, resulting in no secure entry point (SEP) into the zone.
> (68.87.68.244, 68.87.72.244, 68.87.76.228, 68.87.85.132, 69.252.250.103,
> 2001:558:1004:7:68:87:85:132, 2001:558:100a:5:68:87:68:244,
> 2001:558:100e:5:68:87:72:244, 2001:558:1014:c:68:87:76:228,
> 2001:558:fe23:8:69:252:250:103, UDP_-_EDNS0_4096_D_K)
>
> I have no idea why DNSVIZ is reporting this NSEC record (?) given there is
> a DS RRset.  The covering NSEC record for 9.5.5.0.1.0.0.2.ip6.arpa that
> would prove the non-existence of the DS RRset if it didn’t exist is
> 9.5.5.0.1.0.0.2.ip6.arpa.  I suspect a DNSVIZ bug here.
>

Sorry Mark - where do you see dnsviz complaining about an NSEC record?

This error message says that no "valid" DNSKEY RRSIGs made by a key
matching the DS RRset were found -- which is a correct diagnosis. No NSEC
records are involved in that determination.

As you've already pointed out, DNSKEY with keytag 47242 has an expired
signature on the DNSKEY RRset. Key 30705 has a valid unexpired signature
but that does not match the DS set (it also doesn't have the advisory SEP
flag, so was likely not intended to be used as a secure entry point).

Shumon.


Re: [dns-operations] is anybody awake at 5.0.1.0.0.2.ip6.arpa? (comcast and/or arin)

2020-10-05 Thread Paul Vixie
On Monday, October 5, 2020 8:24:09 PM PDT Robert Edmonds wrote:
> Paul Vixie wrote:
> > ssh gets hinky when i connect from a server whose PTR is "servfail"
> > (dnssec
> > "bogus")
> 
> Unless you're using host-based authentication or the from= option with a
> hostname pattern in an authorized_keys file, you can set "UseDNS no" in
> the sshd config file, or upgrade to OpenSSH 6.8p1 or later where "UseDNS
> no" is the default.

it's this way on purpose, not only a default. port knockers need PTRs here.

-- 
Vixie @FSI


Re: [dns-operations] is anybody awake at 5.0.1.0.0.2.ip6.arpa? (comcast and/or arin)

2020-10-05 Thread Paul Vixie
On Monday, October 5, 2020 8:18:54 PM PDT Mark Andrews wrote:
> Why are you complaining to ARIN (5.0.1.0.0.2.ip6.arpa) when this is 
> Comcast's (9.5.5.0.1.0.0.2.ip6.arpa) fault?
> 
> ...
> 
> Now ARIN should be badgering Comcast to fix this as they should be 
> checking that the delegation is correct.  RFC 1034 required this sort of 
> checking for NS records and DS records should be similar.

you have asked and answered your own question. very efficient.

-- 
Vixie @FSI


Re: [dns-operations] is anybody awake at 5.0.1.0.0.2.ip6.arpa? (comcast and/or arin)

2020-10-05 Thread Mark Andrews
Why are you complaining to ARIN (5.0.1.0.0.2.ip6.arpa) when this is  Comcast's 
(9.5.5.0.1.0.0.2.ip6.arpa) fault?

If Comcast don’t re-sign their zone properly things break.  Note the signature 
for DNSKEY(47242) is out of date.

9.5.5.0.1.0.0.2.ip6.arpa. 3579  IN  DNSKEY  257 3 5 
AwEAAcaqTpoScNc8eSX3L0Khdntzs5+PG+740QK2IWleEl5rd6O7NXLE 
8kIpNdP7Vj+251B3CWZdtwjRJghdJhNiRIJMotI6D/XZQ29i0gg2cYT6 
SPeXiwe7qp2+Gi9L5WnFdPsKspWW8AXNdIRTaZtEEs6IRP2LeN+dwc4V 
cehqe+I54Ypg3/z8a7pRN0E5E/1g5UAnLZEeTyj6oksSTytUHZ7GenKY 
kFJZjXR1eheMCl49ck9UX2lQaJf3m5GuXvmPETfv7OdQU2OfT7AukbHj 
4+QjDxsnf/q4AE/o8sIWm0k8AedlnG2gUex7rAWYsyZmpPi6UEbctyjf eMAoBrCoUNU=  ; KSK; alg = RSASHA1 ; key id = 47242
9.5.5.0.1.0.0.2.ip6.arpa. 3579  IN  DNSKEY  256 3 5 
AwEAAd2YrNVKQSCOywdo+x+2YW2oTtCKCh4XArHGADnWu9gXcnjPEIxl 
J0dM3+aPAU/x8FtVB0WQasF7+7kHsuvRAuMqGnEg6jxnWRcbnMGd8Tob 
phl7bsY4wIIGX99SAGCoSdY4eszvvpfcppxT8AFi8NbqQgWNpnMcHCPp SRv2j359  ; ZSK; alg = RSASHA1 ; key id = 30705
9.5.5.0.1.0.0.2.ip6.arpa. 3579  IN  RRSIG   DNSKEY 5 10 3600 20200509174432 20200110134432 47242 9.5.5.0.1.0.0.2.ip6.arpa. 
YVnmkYciYb1i8v7jkAzPFC5ue1+jRHdyMCuosFGf7n+6Su0yW9bTDXH5 
W7xSZ3Ndike4DDRWO1+Ba8HjxBSD/r7eeXz4jui3FAuUXpT46a1rDa/P 
/LwnfKi5x6I/cNn4bBBqDwVyOzE6136zw3r59mcChSOGAsZAF9hsJzz2 
yOZpYiSbgDWO/HM/anD5miCTqljPtMPtgRJiPI+nzBpra8mKJTk0Eg9J 
dmMwG6zuOhRJj5ImSXNPHonMJCKclVAfRZCocVtApzcAeQF0IrEa8yXR 
wdNt+zvhvVTd/fjWcgpj7oV64VHBuDAL51zjU2l5jC0qeG1fxrIrBTB5 2djygw==
9.5.5.0.1.0.0.2.ip6.arpa. 3579  IN  RRSIG   DNSKEY 5 10 3600 20201009204432 20201002173932 30705 9.5.5.0.1.0.0.2.ip6.arpa. 
wqJEB/SLUKDwlMuNZ9huG9809BCHMFcEh0USglWs0ErIJ6NEt2NFIVhP 
m3uYEWGm2e6t7LaMsuDO4i7gZstO7ONgVoqDSXKBwXwJH+UocASK1JpW 
f9ndqTnF2zdcnC2MjT5wbD1qZa/AhKq1TRztc4oXmF9sLIfSIdkZ94m9 1YU=

ARIN has the correct DS records.  Note the key id matched that of the KSK 
DNSKEY and the contents of the DS algorithms I checked are correct.

9.5.5.0.1.0.0.2.ip6.arpa. 1581  IN  DS  47242 5 4 
478AED83E09ED912C1B7098BFE30EBB26F4E42F7641ED74CC9FF0A68 
B70F7BECFD6FD635600FA66A3D69F424AFF0F865
9.5.5.0.1.0.0.2.ip6.arpa. 1581  IN  DS  47242 5 2 
51AF515ACB12A7FC94BCEB3E061363ED6F917B6798F88A88697B5D72 4DC131AA
9.5.5.0.1.0.0.2.ip6.arpa. 1581  IN  DS  47242 5 1 
F172A2C39A98C115B1ED8A14D09FE30C97B95D57

Now ARIN should be badgering Comcast to fix this as they should be checking 
that the delegation is correct.  RFC 1034 required this sort of checking for NS 
records and DS records should be similar.

> On 6 Oct 2020, at 13:18, Paul Vixie  wrote:
> 
> ssh gets hinky when i connect from a server whose PTR is "servfail" (dnssec 
> "bogus")
> 
>   • 5.0.1.0.0.2.ip6.arpa to 9.5.5.0.1.0.0.2.ip6.arpa: No valid RRSIGs 
> made by a key corresponding to a DS RR were found covering the DNSKEY RRset, 
> resulting in no secure entry point (SEP) into the zone. (68.87.68.244, 
> 68.87.72.244, 68.87.76.228, 68.87.85.132, 69.252.250.103, 
> 2001:558:1004:7:68:87:85:132, 2001:558:100a:5:68:87:68:244, 
> 2001:558:100e:5:68:87:72:244, 2001:558:1014:c:68:87:76:228, 
> 2001:558:fe23:8:69:252:250:103, UDP_-_EDNS0_4096_D_K)

I have no idea why DNSVIZ is reporting this NSEC record (?) given there is a DS 
RRset.  The covering NSEC record for 9.5.5.0.1.0.0.2.ip6.arpa that would prove 
the non-existence of the DS RRset if it didn’t exist is 
9.5.5.0.1.0.0.2.ip6.arpa.  I suspect a DNSVIZ bug here.

>   • RRSIG 9.5.5.0.1.0.0.2.ip6.arpa/DNSKEY alg 5, id 47242: The Signature 
> Expiration field of the RRSIG RR (2020-05-09 17:44:32+00:00) is 149 days in 
> the past.
>   • RRSIG 9.5.5.0.1.0.0.2.ip6.arpa/DNSKEY alg 5, id 47242: The Signature 
> Expiration field of the RRSIG RR (2020-05-09 17:44:32+00:00) is 149 days in 
> the past.
> 
> https://dnsviz.net/d/5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.c.0.0.0.0.0.8.9.5.5.0.1.0.0.2.ip6.arpa/dnssec/
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org


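The check Shumon describes (a DNSKEY is a usable secure entry point only if an in-window RRSIG over the DNSKEY RRset was made by a key that matches a DS at the parent) and the dig output Mark posted above, turned into a script. This is an added example written for this thread, not code from any of the posters, from dnsviz or from ISC. The key-tag arithmetic is RFC 4034 Appendix B and the DS digest is H(owner name in wire form || DNSKEY RDATA) from RFC 4034 section 5.1.4 (SHA-256 and SHA-384 digest types from RFC 4509 and RFC 6605); the DNSKEY, RRSIG and DS values are copied from Mark's message; the validation timestamp is an assumption (roughly when Paul ran dnsviz, 2020-10-05 20:18 PDT). The one step a real validator does that this script skips is checking the RSA signature bytes themselves; everything before that step, which is where this zone already fails, is done.

```python
"""Secure-entry-point check for a DNSKEY RRset (RFC 4034 App. B key tags,
RFC 4034 s.5.1.4 DS digests, RRSIG validity windows).  The RSA signature
bytes are NOT verified; every check a validator makes before that is."""
import base64
import hashlib
import struct
from datetime import datetime, timezone

DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: 'example.' -> b'\\x07example\\x00'."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form; the base64 may be split over lines as dig prints it."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode("".join(pubkey_b64.split()))


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the form used for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """Upper-case hex DS digest = H(owner name in wire form || DNSKEY RDATA)."""
    return DS_DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def rrsig_time(s: str) -> datetime:
    """RRSIG Signature Expiration/Inception as dig prints it: YYYYMMDDHHmmSS, UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def secure_entry_point(owner, dnskeys, rrsigs, ds_set, now):
    """Return (key tag of a usable SEP or None, reasons each rejected RRSIG failed).
    dnskeys: (flags, protocol, algorithm, base64); rrsigs: (algorithm, key tag,
    expiration, inception); ds_set: (key tag, algorithm, digest type, hex digest).
    The SEP flag bit is deliberately ignored: RFC 4034 makes it advisory only."""
    keys = {}
    for flags, proto, alg, b64 in dnskeys:
        rd = dnskey_rdata(flags, proto, alg, b64)
        keys[(key_tag(rd), alg)] = rd          # tag computed, not trusted from text
    reasons = []
    for alg, tag, expiration, inception in rrsigs:
        exp, inc = rrsig_time(expiration), rrsig_time(inception)
        if now > exp:
            reasons.append(f"RRSIG by {tag}: expired {(now - exp).days} days ago")
            continue
        if now < inc:
            reasons.append(f"RRSIG by {tag}: inception is in the future")
            continue
        rd = keys.get((tag, alg))
        if rd is None:
            reasons.append(f"RRSIG by {tag}: no DNSKEY in the RRset has that tag/algorithm")
            continue
        if any(t == tag and a == alg and d.upper() == ds_digest(owner, rd, dt)
               for t, a, dt, d in ds_set):
            return tag, reasons
        reasons.append(f"RRSIG by {tag}: in window, but no DS at the parent matches this key")
    return None, reasons


# The records Mark Andrews posted in this thread (dig output, 2020-10-05).
ZONE = "9.5.5.0.1.0.0.2.ip6.arpa."
KSK_47242 = """AwEAAcaqTpoScNc8eSX3L0Khdntzs5+PG+740QK2IWleEl5rd6O7NXLE
8kIpNdP7Vj+251B3CWZdtwjRJghdJhNiRIJMotI6D/XZQ29i0gg2cYT6
SPeXiwe7qp2+Gi9L5WnFdPsKspWW8AXNdIRTaZtEEs6IRP2LeN+dwc4V
cehqe+I54Ypg3/z8a7pRN0E5E/1g5UAnLZEeTyj6oksSTytUHZ7GenKY
kFJZjXR1eheMCl49ck9UX2lQaJf3m5GuXvmPETfv7OdQU2OfT7AukbHj
4+QjDxsnf/q4AE/o8sIWm0k8AedlnG2gUex7rAWYsyZmpPi6UEbctyjf eMAoBrCoUNU="""
ZSK_30705 = """AwEAAd2YrNVKQSCOywdo+x+2YW2oTtCKCh4XArHGADnWu9gXcnjPEIxl
J0dM3+aPAU/x8FtVB0WQasF7+7kHsuvRAuMqGnEg6jxnWRcbnMGd8Tob
phl7bsY4wIIGX99SAGCoSdY4eszvvpfcppxT8AFi8NbqQgWNpnMcHCPp SRv2j359"""
DNSKEYS = [(257, 3, 5, KSK_47242), (256, 3, 5, ZSK_30705)]
RRSIGS = [(5, 47242, "20200509174432", "20200110134432"),   # KSK signature, expired
          (5, 30705, "20201009204432", "20201002173932")]   # ZSK signature, current
DS_SET = [(47242, 5, 4, "478AED83E09ED912C1B7098BFE30EBB26F4E42F7641ED74CC9FF0A68"
                        "B70F7BECFD6FD635600FA66A3D69F424AFF0F865"),
          (47242, 5, 2, "51AF515ACB12A7FC94BCEB3E061363ED6F917B6798F88A88697B5D724DC131AA"),
          (47242, 5, 1, "F172A2C39A98C115B1ED8A14D09FE30C97B95D57")]
# Assumed validation time: about when Paul ran dnsviz (2020-10-05 20:18 PDT).
NOW = datetime(2020, 10, 6, 3, 18, tzinfo=timezone.utc)

if __name__ == "__main__":
    sep, why = secure_entry_point(ZONE, DNSKEYS, RRSIGS, DS_SET, NOW)
    print("secure entry point:", sep)      # None: resolvers treat the zone as bogus
    for r in why:
        print(" -", r)
```

Run against the posted data it reports no secure entry point: the RRSIG by 47242 is 149 days past expiration, so the only key the parent's DS records vouch for cannot be used, and the in-window RRSIG by 30705 names a key with no DS. The same functions can be pointed at any zone by pasting in `dig +multiline DNSKEY` and `dig DS` output; only the inception/expiration comparison depends on the assumed `NOW`.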


Re: [dns-operations] is anybody awake at 5.0.1.0.0.2.ip6.arpa? (comcast and/or arin)

2020-10-05 Thread Robert Edmonds
Paul Vixie wrote:
> ssh gets hinky when i connect from a server whose PTR is "servfail" (dnssec
> "bogus")

Unless you're using host-based authentication or the from= option with a
hostname pattern in an authorized_keys file, you can set "UseDNS no" in
the sshd config file, or upgrade to OpenSSH 6.8p1 or later where "UseDNS
no" is the default.

-- 
Robert Edmonds


[dns-operations] is anybody awake at 5.0.1.0.0.2.ip6.arpa? (comcast and/or arin)

2020-10-05 Thread Paul Vixie
ssh gets hinky when i connect from a server whose PTR is "servfail"
(dnssec "bogus")

  * 5.0.1.0.0.2.ip6.arpa to 9.5.5.0.1.0.0.2.ip6.arpa: No valid RRSIGs
made by a key corresponding to a DS RR were found covering the
DNSKEY RRset, resulting in no secure entry point (SEP) into the
zone. (68.87.68.244, 68.87.72.244, 68.87.76.228, 68.87.85.132,
69.252.250.103, 2001:558:1004:7:68:87:85:132,
2001:558:100a:5:68:87:68:244, 2001:558:100e:5:68:87:72:244,
2001:558:1014:c:68:87:76:228, 2001:558:fe23:8:69:252:250:103,
UDP_-_EDNS0_4096_D_K)
  * RRSIG 9.5.5.0.1.0.0.2.ip6.arpa/DNSKEY alg 5, id 47242: The Signature
Expiration field of the RRSIG RR (2020-05-09 17:44:32+00:00) is 149
days in the past.
  * RRSIG 9.5.5.0.1.0.0.2.ip6.arpa/DNSKEY alg 5, id 47242: The Signature
Expiration field of the RRSIG RR (2020-05-09 17:44:32+00:00) is 149
days in the past.

https://dnsviz.net/d/5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.c.0.0.0.0.0.8.9.5.5.0.1.0.0.2.ip6.arpa/dnssec/
