
invalid DNSSEC signature regarded as valid

Open mark-kubacki opened this issue 10 years ago • 6 comments

This DANE test site intentionally has an invalid DNSSEC signature:

bad-sig.dane.verisignlabs.com - Valid TLSA record but the DNSSEC signature is invalid.

… yet the output is:

$ ./q -dnssec=true -check=true bad-sig.dane.verisignlabs.com
;+ Secure signature, bad-sig.dane.verisignlabs.com. RRSIG(A) validates (DNSKEY bad-sig.dane.verisignlabs.com./5647/net)

See also:

  • http://www.internetsociety.org/deploy360/resources/dane-test-sites/
  • http://dane.verisignlabs.com/

mark-kubacki avatar Aug 08 '14 14:08 mark-kubacki

New versions print:

% ./q -dnssec -check=true @m2.nstld.net bad-sig.dane.verisignlabs.com TLSA
;+ Secure signature, bad-sig.dane.verisignlabs.com. RRSIG(DS) validates (DNSKEY verisignlabs.com./63023/net) (expired)
;+ Secure signature, ns1.verisignlabs.net. RRSIG(A) validates (DNSKEY verisignlabs.net./31097/net) (expired)

;; opcode: QUERY, status: NOERROR, id: 24024
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;bad-sig.dane.verisignlabs.com. IN   TLSA

;; AUTHORITY SECTION:
bad-sig.dane.verisignlabs.com.  60  IN  NS  ns1.verisignlabs.net.
bad-sig.dane.verisignlabs.com.  60  IN  DS  5647 8 2 9999999999999999999999999999999999999999999999999999999999999999
bad-sig.dane.verisignlabs.com.  60  IN  RRSIG   DS 8 4 60 20140822130903 20140808130903 63023 verisignlabs.com. UMSra1TPz9x+OKy4LFl9bZMyIfWrSrYoPorhbFmPkuYeYcYQ/rRpWE+NFnxD7NVZa7IvClgVtRd4Wm0zJkWg7wwkUNXABkVgR+S1IIXncWH6Az21y0xWi6yFg/1sXmpFqwEATDkgL0udK59iTGvAd/V+ONNh9Yk8T0QWCARcbwA=

;; ADDITIONAL SECTION:
ns1.verisignlabs.net.   3600    IN  A   72.13.58.64
ns1.verisignlabs.net.   3600    IN  RRSIG   A 8 3 3600 20140821200900 20140807200900 31097 verisignlabs.net. ERAI3YojMqmeu3Mkj0d+sTCAlo/VKsJWADUQJT+Rvm0mxaMlcrhPLd+OW1E6aJ4xWkvkfrJ7RTJT454pyddRoPfaQ0IxgVz5V5QM5ioQvYlXVJoPTqqkptlUGOcZHvDJecUctKBXZ5B3ebYslstpgmeMDEYLRUz6rCjVP/ZRNqM=

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 4096

;; query time: 123869 µs, server: m2.nstld.net.:53(udp), size: 638 bytes

miekg avatar Aug 08 '14 15:08 miekg

Thanks!

We seem to be using different versions, though I don't know of what. Please note the different expired and *EXPIRED* (which is in my and the latest copy of q.go#L419 on github).

I did update all packages just a minute ago and still get

  • … without an expiration notice
  • … without an "invalid" due to: DS=5647/SHA256 does not verify DNSKEY=5647/SEP

this:

$  ./q -dnssec -check=true @m2.nstld.net bad-sig.dane.verisignlabs.com TLSA
;+ Secure signature, bad-sig.dane.verisignlabs.com. RRSIG(DS) validates (DNSKEY verisignlabs.com./63023/net)
;+ Secure signature, ns1.verisignlabs.net. RRSIG(A) validates (DNSKEY verisignlabs.net./31097/net)

;; opcode: QUERY, status: NOERROR, id: 57120
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;bad-sig.dane.verisignlabs.com. IN       TLSA

;; AUTHORITY SECTION:
[… stripped, identical; Mark]

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 4096

;; query time: 373990 µs, server: m2.nstld.net.:53(udp), size: 638 bytes

See also http://dnssec-debugger.verisignlabs.com/bad-sig.dane.verisignlabs.com

mark-kubacki avatar Aug 08 '14 15:08 mark-kubacki

[ Quoting [email protected] in "Re: [exdns] invalid DNSSEC signatur..." ]

Thanks!

We seem to be using different versions, though I don't know of what. Please note the different expired and *EXPIRED* (which is in my and the latest copy of q.go on github).

I did update all packages just a minute ago and still get:

  • … without an expiration notice
  • … without an "invalid" because: DS=5647/SHA256 does not verify DNSKEY=5647/SEP

Note: the -check CHECKS the signature - nothing else! It's all on the packet level.

Might need to make that more clear.

I'll also look into this some more.

miekg avatar Aug 08 '14 16:08 miekg

The capital EXPIRE is definitely in the repo: https://github.com/miekg/exdns/blob/master/q/q.go#L419

Cut and pasting from http://dnssec-debugger.verisignlabs.com/bad-sig.dane.verisignlabs.com

Found 1 DS records for bad-sig.dane.verisignlabs.com in the verisignlabs.com zone
Found 1 RRSIGs over DS RRset
RRSIG=63023 and DNSKEY=63023 verifies the DS RRset

Found 1 DNSKEY records for bad-sig.dane.verisignlabs.com
DS=5647/SHA256 does not verify DNSKEY=5647/SEP 
None of the 1 DNSKEY records could be validated by any of the 1 DS records
Found 1 RRSIGs over DNSKEY RRset
RRSIG=5647 is expired
None of the 1 RRSIG and 1 DNSKEY records validate the DNSKEY RRset
The DNSKEY RRset was not signed by any keys in the chain-of-trust
bad-sig.dane.verisignlabs.com A RR has value 72.13.58.38
Found 1 RRSIGs over A RRset * q says the same * 
RRSIG=5647 is expired * q says the same* 
None of the 1 RRSIG and 1 DNSKEY records validate the A RRset

The RRSIG(DS) seems not to be checked according to the list above, but happens in the step above this one.

miekg avatar Aug 08 '14 19:08 miekg

Thanks again. Your first output has a lower case "expired", 504a12e on Github an upper case one. 504a12e does not reply with "expired", yours does (as does miekg/unbound). Hence my suspicion that we're using two versions of a package.

$ sha256sum $GOPATH/src/github.com/miekg/exdns/q/q.go
9390dfe56ce1cf882eb16862f5d346cc3335beb4c8d133faab0c1459944c6d3e …

$ cd $GOPATH/src/github.com/miekg/exdns/; and git rev-parse --short HEAD
504a12e

$ cd $GOPATH/src/github.com/miekg/dns/; and git rev-parse --short HEAD
9b0cfb5

According to http://dnscheck.pingdom.com/troubleshooting.php?domain=bad-sig.dane.verisignlabs.com it is:

Parent DS(DS(bad-sig.dane.verisignlabs.com/8/2/5647)) refers to invalid key at child: DNSKEY(bad-sig.dane.verisignlabs.com/8/5647)
The zone bad-sig.dane.verisignlabs.com has published DS records, but none of them work.

I am sorry if this is out of the scope of this ticket and hope you don't mind me asking. How would I check for that mismatch?

mark-kubacki avatar Aug 08 '14 23:08 mark-kubacki

  1. I think I've seen this weird git/GitHub behaviour before. I just deleted my repo for exdns (dns' repo does not matter here).
  2. There is definitely a bug in my 'when is a sig expired' code (that lives in the dns repo).
  3. For an actual cmd line tool that checks DNSSEC chains you'll want 'drill' from ldns or 'delve' from bind9.

miekg avatar Aug 09 '14 06:08 miekg
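Two things in this thread are worth seeing in code: Mark's question of how to check for the DS-to-DNSKEY mismatch the debugger reports ("DS=5647/SHA256 does not verify DNSKEY=5647/SEP"), and the "when is a sig expired" check miekg says is buggy. The following is an added example written for this page using only the Go standard library; it is not exdns or miekg/dns code. `SampleKey` is a constructed DNSKEY with fake key bytes, not the real key of bad-sig.dane.verisignlabs.com (which the thread never shows), so its key tag and DS digest are illustrative only. The DS check implements digest type 2 (SHA-256) only, and the key-tag routine skips the obsolete RSA/MD5 special case. The RRSIG window check uses RFC 1982 serial arithmetic as RFC 4034 section 3.1.5 requires, which is the detail a naive `uint32` comparison gets wrong.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// DNSKEY is the RDATA of a DNSKEY record (RFC 4034 section 2.1).
type DNSKEY struct {
	Flags               uint16
	Protocol, Algorithm uint8
	PublicKey           []byte // the base64 presentation field, decoded
}

// wireName: uncompressed, lower-cased wire format, the canonical form (RFC 4034 s6.2) the DS digest hashes.
func wireName(name string) []byte {
	var out []byte
	if name = strings.ToLower(strings.TrimSuffix(name, ".")); name != "" {
		for _, label := range strings.Split(name, ".") {
			out = append(append(out, byte(len(label))), label...)
		}
	}
	return append(out, 0) // terminating root label
}

// rdata serialises the DNSKEY RDATA exactly as it travels on the wire.
func (k DNSKEY) rdata() []byte {
	buf := make([]byte, 4, 4+len(k.PublicKey))
	binary.BigEndian.PutUint16(buf, k.Flags)
	buf[2], buf[3] = k.Protocol, k.Algorithm
	return append(buf, k.PublicKey...)
}

// KeyTag is the RFC 4034 Appendix B key tag (the 5647/63023 numbers in the thread); RSA/MD5 (alg 1) not handled.
func (k DNSKEY) KeyTag() uint16 {
	var ac uint32
	for i, b := range k.rdata() { // even bytes are the high octet of a 16-bit word
		ac += uint32(b) << (8 * uint((i+1)%2))
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// DSDigestSHA256 is the digest-type-2 DS digest (RFC 4509): SHA-256(canonical owner name || DNSKEY RDATA).
func (k DNSKEY) DSDigestSHA256(owner string) []byte {
	h := sha256.New()
	h.Write(wireName(owner))
	h.Write(k.rdata())
	return h.Sum(nil)
}

// DSMatches reports whether a parent-side DS (digest type 2: key tag, algorithm, hex digest) authenticates
// child DNSKEY k for owner. false is the debugger's "DS does not verify DNSKEY": the chain of trust ends here.
func DSMatches(owner string, k DNSKEY, dsKeyTag uint16, dsAlg uint8, dsDigestHex string) bool {
	if dsKeyTag != k.KeyTag() || dsAlg != k.Algorithm {
		return false // RFC 4035 s5.2: key tag and algorithm must match before the digest is compared
	}
	return strings.EqualFold(hex.EncodeToString(k.DSDigestSHA256(owner)), dsDigestHex)
}

// ParseRRSIGTime turns the YYYYMMDDHHmmSS (UTC) presentation form of RRSIG times into the 32-bit wire value.
func ParseRRSIGTime(s string) (uint32, error) {
	t, err := time.Parse("20060102150405", s)
	if err != nil {
		return 0, err
	}
	return uint32(t.Unix()), nil
}

// serialLE reports a <= b in RFC 1982 serial number arithmetic (SERIAL_BITS 32).
func serialLE(a, b uint32) bool { return a == b || int32(b-a) > 0 }

// RRSIGTimeValid reports whether now lies in [inception, expiration] using the serial arithmetic
// RFC 4034 section 3.1.5 mandates; a plain uint32 comparison breaks once the fields wrap in 2106.
func RRSIGTimeValid(inception, expiration uint32, now time.Time) bool {
	n := uint32(now.Unix())
	return serialLE(inception, n) && serialLE(n, expiration)
}

// SampleKey is a constructed DNSKEY (SEP flag, algorithm 8, fake key bytes); NOT the zone's real key.
func SampleKey() DNSKEY {
	raw, _ := base64.StdEncoding.DecodeString("MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY=")
	return DNSKEY{Flags: 257, Protocol: 3, Algorithm: 8, PublicKey: raw}
}

func main() {
	owner, key := "bad-sig.dane.verisignlabs.com.", SampleKey()
	// The DS in the thread's output: key tag 5647, algorithm 8, digest type 2, all nines.
	ok := DSMatches(owner, key, 5647, 8, strings.Repeat("9", 64))
	fmt.Printf("key tag %d; DS 5647/SHA256 verifies it: %v\n", key.KeyTag(), ok)
	fmt.Printf("DS the parent would need: %s IN DS %d 8 2 %s\n", owner, key.KeyTag(), hex.EncodeToString(key.DSDigestSHA256(owner)))
	inc, _ := ParseRRSIGTime("20140808130903") // RRSIG(DS) window from the thread's output
	exp, _ := ParseRRSIGTime("20140822130903")
	fmt.Printf("RRSIG(DS) inside its validity window now: %v\n", RRSIGTimeValid(inc, exp, time.Now()))
}
```

To run this against a real zone, replace `SampleKey` with the flags, protocol, algorithm and base64 key from a `dig +dnssec DNSKEY` answer and the DS fields from the parent's DS RRset; a mismatch in `DSMatches` is exactly the condition the pingdom output describes as "Parent DS ... refers to invalid key at child". Both checks are packet-level, like q's `-check`: they say nothing about whether the RRSIG cryptographically verifies, which is the separate step drill or delve perform.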