Maintained by: NLnet Labs

[Unbound-users] faa.gov is not resolvable using DNSSEC resolver.

W.C.A. Wijngaards
Tue Oct 11 10:00:49 CEST 2011



Hi,

On 10/10/2011 11:55 PM, Hauke Lampe wrote:
> On 10.10.2011 21:06, Chris Gotstein wrote:
>> I do not see any other MTU or fragment issues on our network, yet we
>> cannot resolve faa.gov.

The MTU is not the only problem, indeed, it is in an algorithm rollover
from 7 to 8 (8 prepublished KSK), but the rollover is botched.

> I think this might be a case of Unbound still being too strict on the
> algorithm selection. OTOH, it really looks like a downgrade attack:

This is correct.  An algorithm rollover has failed (presumably).
Hosts that allow SHA256 but deny SHA1 fail to validate the zone.
The exact downgrade from SHA256 to SHA1 happens here.

> The KSK signature also looks a bit odd. You'll see it if you query the
> servers with different case. The KSK RRSIG is returned in all-lowercase:

The case issue is not a problem (not even for unbound's 0x20 - because
the first one is fine).  I guess they have an offline signer or
something like that (excellent!).

It is one in a string of failed algorithm rollovers in .gov.

> BIND however resolves the query and sets "AD" in the answer.

It accepts the algorithm downgrade from the RSASHA256 advertised in the
DS record to RSASHA1 in the zone.

Best regards,
   Wouter
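The strict-versus-lenient decision discussed in this thread, as an added example that is not code from the thread, from Unbound or from BIND: a simplified model of a validator checking whether every algorithm advertised in the parent's DS RRset actually signs the child's DNSKEY RRset. The DS, DNSKEY and RRSIG records are reduced to key tag and algorithm number, and the key tags and record set are constructed to resemble the described faa.gov state (rollover from 7 to 8, algorithm 8 KSK prepublished, DNSKEY RRset signed only with algorithm 7), not copied from the live zone.

```python
from dataclasses import dataclass

RSASHA1, RSASHA256 = 7, 8

@dataclass(frozen=True)
class DS:            # one DS record at the parent for the child zone
    key_tag: int
    algorithm: int

@dataclass(frozen=True)
class DNSKEY:        # one key in the child's apex DNSKEY RRset
    key_tag: int
    algorithm: int

@dataclass(frozen=True)
class RRSIG:         # one signature over the child's DNSKEY RRset
    key_tag: int
    algorithm: int

def chained_algorithms(ds_set, dnskeys, dnskey_rrsigs):
    """DS algorithms with a complete chain: DS -> DNSKEY with the same tag and
    algorithm -> RRSIG over the DNSKEY RRset produced by that key."""
    keys = {(k.key_tag, k.algorithm) for k in dnskeys}
    sigs = {(s.key_tag, s.algorithm) for s in dnskey_rrsigs}
    return {d.algorithm for d in ds_set
            if (d.key_tag, d.algorithm) in keys and (d.key_tag, d.algorithm) in sigs}

def validate_dnskey(ds_set, dnskeys, dnskey_rrsigs, strict=True):
    """Return (secure, missing). strict=True requires a chain for every
    algorithm in the DS RRset (the behaviour the thread attributes to Unbound);
    strict=False accepts any single working chain (the lenient path the thread
    attributes to BIND). 'missing' holds advertised algorithms with no chain,
    i.e. the downgrade from RSASHA256 to RSASHA1 described in the thread."""
    advertised = {d.algorithm for d in ds_set}
    working = chained_algorithms(ds_set, dnskeys, dnskey_rrsigs)
    missing = advertised - working
    secure = bool(working) and (not strict or not missing)
    return secure, missing

# Constructed data modelled on the thread: DS set carries both the old
# RSASHA1 KSK and the prepublished RSASHA256 KSK, but the DNSKEY RRset is
# still signed only by the RSASHA1 KSK. Key tags are invented.
DS_SET = [DS(key_tag=11111, algorithm=RSASHA1), DS(key_tag=22222, algorithm=RSASHA256)]
DNSKEYS = [DNSKEY(11111, RSASHA1), DNSKEY(22222, RSASHA256), DNSKEY(33333, RSASHA1)]
DNSKEY_RRSIGS = [RRSIG(11111, RSASHA1)]   # no signature by the algorithm 8 KSK

if __name__ == "__main__":
    for strict in (True, False):
        secure, missing = validate_dnskey(DS_SET, DNSKEYS, DNSKEY_RRSIGS, strict)
        print(f"strict={strict}: secure={secure}, unsigned DS algorithms={sorted(missing)}")
```

With the constructed data the strict check reports algorithm 8 as advertised but unsigned and refuses the zone, while the lenient check accepts it on the algorithm 7 chain alone; adding an RRSIG from the algorithm 8 KSK over the DNSKEY RRset makes both agree.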