zonemaster-engine
DNSSEC and NS mismatches between delegation and zone
The EXTRA_NAME_CHILD and EXTRA_NAME_PARENT tests should both by default be flagged as an error under DNSSEC.
If the zone is using DNSSEC, then validation of NS records will fail in most resolvers if there is a mismatch between the delegation glue and the zone contents, due to the NS records being fetched from the delegating zone and the RRSIG being fetched from the child zone.
Thank you for lifting this up. Today, the default value of EXTRA_NAME_CHILD is NOTICE (https://github.com/zonemaster/zonemaster/blob/master/docs/specifications/tests/SeverityLevelDefinitions.md#notice) whereas EXTRA_NAME_PARENT is ERROR (https://github.com/zonemaster/zonemaster/blob/master/docs/specifications/tests/SeverityLevelDefinitions.md#error).
I would not expect an extra name server to be a validation problem. I expect the RRSIG to be fetched with the RRset from the child zone. The RRSIG is created on the RRset in the child zone with the TTL of the NS RRset in the child zone.
- Can you point at some name server software with that behavior?
- Or an open resolver with that behavior and including some domain that gives the issue?
- Have you seen any statement in the DNSSEC standards that requires the set in the zone to be identical to the set in the parent?
When adding, removing or changing name servers you will get a mismatch from the time the child zone is updated to the time when the delegation in the parent zone is updated. It would not be reasonable that such an update would create a validation problem.
Noticed it on domains when there was a mismatch between the delegation and the zone contents. Validation of the domain as such works, presumably because the NS records of the delegation are never validated. But an explicit lookup of the NS record fails. Mismatches between NS records at the delegation point have always been a sore point in DNS, with varying results.
Tried with a number of different resolvers. But I will try to reproduce this in a more controlled manner. The zones where this was seen are already corrected with an update in the delegation to remove a duplicate entry (different name for the same server).
Note: The TTL in the RRSIG is not part of the validation from what I can tell. Seems it is just informal.
Original TTL of RRSIG and the RRset it signs is part of the RRSIG signature.
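The point made in this comment (the Original TTL carried in the RRSIG, not the TTL the RRset happens to have when fetched, is what the signature covers) and the earlier question of whether an extra NS name at the delegation breaks validation, shown in code. This is an added example, not Zonemaster's code and not anything posted in the thread; the zone name, NS names, TTLs and RRSIG fields are constructed sample values, and `delegation_mismatch` is a hypothetical stand-in for Zonemaster's parent/child NS comparison, not its implementation.

```python
"""Added example (not Zonemaster code): which octets an NS RRSIG actually signs.

RFC 4034 s3.1.8.1: signature = sign(RRSIG_RDATA | RR(1) | RR(2) | ...), where
RRSIG_RDATA is the RRSIG's RDATA without the Signature field and each RR(i) is
one RR of the RRset in canonical form with its TTL replaced by the RRSIG's
Original TTL. All names, TTLs and RRSIG fields below are constructed sample data.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

TYPE_NS = 2
CLASS_IN = 1


def wire_name(name: str) -> bytes:
    """Uncompressed wire-format name, lowercased (canonical form, RFC 4034 s6.2)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if not label:            # the root name "." contributes no labels
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


@dataclass(frozen=True)
class RRSIGFields:
    """RRSIG RDATA fields other than the Signature itself (RFC 4034 s3.1)."""
    type_covered: int
    algorithm: int
    labels: int
    original_ttl: int
    expiration: int
    inception: int
    key_tag: int
    signer: str

    def wire(self) -> bytes:
        """RRSIG RDATA with the Signature field left out, signer name canonical."""
        return struct.pack("!HBBIIIH", self.type_covered, self.algorithm,
                           self.labels, self.original_ttl, self.expiration,
                           self.inception, self.key_tag) + wire_name(self.signer)


@dataclass(frozen=True)
class NSRRset:
    owner: str
    ttl: int                 # TTL as observed on the wire; a cache may have counted it down
    names: tuple[str, ...]   # NS target names, in whatever order and case they arrived


def signed_data(rrset: NSRRset, sig: RRSIGFields) -> bytes:
    """Octets a validator hashes and checks against the zone's DNSKEY.

    Each RR is emitted in canonical form (owner and RDATA lowercased, RRs sorted
    by RDATA) and its TTL is replaced by sig.original_ttl, so rrset.ttl is
    deliberately never used here.
    """
    rdatas = sorted(wire_name(n) for n in rrset.names)
    fixed = struct.pack("!HHI", TYPE_NS, CLASS_IN, sig.original_ttl)
    rrs = b"".join(wire_name(rrset.owner) + fixed + struct.pack("!H", len(rd)) + rd
                   for rd in rdatas)
    return sig.wire() + rrs


# Constructed sample data: the child zone's signed NS RRset ...
SIG = RRSIGFields(TYPE_NS, 13, 2, 3600, 1700000000, 1698000000, 4242, "example.com.")
CHILD_NS = NSRRset("example.com.", 3600, ("ns1.example.net.", "ns2.example.net."))
# ... the same RRset as a resolver might hold it: TTL counted down, names reordered, mixed case ...
CACHED_NS = NSRRset("EXAMPLE.COM.", 17, ("NS2.example.net.", "ns1.Example.NET."))
# ... and the parent's delegation NS set with one extra name for an existing server.
PARENT_NS = NSRRset("example.com.", 172800,
                    ("ns1.example.net.", "ns2.example.net.", "ns2-alias.example.net."))


def same_signed_data(a: NSRRset, b: NSRRset) -> bool:
    """True if a signature over `a` would verify over `b` (same signed octets)."""
    return signed_data(a, SIG) == signed_data(b, SIG)


def delegation_mismatch(parent: NSRRset, child: NSRRset) -> dict[str, list[str]]:
    """Hypothetical stand-in for a Zonemaster-style parent/child NS comparison."""
    p = {n.lower().rstrip(".") for n in parent.names}
    c = {n.lower().rstrip(".") for n in child.names}
    return {"extra_name_parent": sorted(p - c), "extra_name_child": sorted(c - p)}


if __name__ == "__main__":
    print("cached copy verifies with child RRSIG:", same_signed_data(CHILD_NS, CACHED_NS))
    print("parent NS set verifies with child RRSIG:", same_signed_data(CHILD_NS, PARENT_NS))
    print("delegation mismatch:", delegation_mismatch(PARENT_NS, CHILD_NS))
```

Running it shows that the child's NS RRset and its cached copy (TTL 17, names reordered and upper-cased) produce identical signed octets, while the parent's set with the extra name does not. A validator that paired the parent's unsigned NS RRset with the child's RRSIG would compute different bytes and reject the signature; a validator that takes both the RRset and the RRSIG from the child, as the comment above expects, is unaffected by the delegation mismatch even though a Zonemaster-style comparison still reports the extra name.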
I cannot reproduce the resolver error today when there is a mismatch between the delegation authority and the child zone. Maybe I missed something in the lab setup. It looked clear at the time, but now I am not so sure.
@hno, thank you for investigating. This helps us and Zonemaster.
@hno Long overdue, but I am now closing this issue. From my understanding it wasn't a problem with Zonemaster, but feel free to comment otherwise.