Maintained by: NLnet Labs

[Unbound-users] dfas.mil DNSSEC Failure

W.C.A. Wijngaards
Fri Jun 28 16:18:40 CEST 2013



Hi Ehren,

On 06/28/2013 03:47 PM, Ehren Hawks wrote:
> Yesterday a customer of ours reported they couldn’t get to
> *mypay.dfas.mil*. Upon looking into it I see both of my Unbound
> servers are returning SERVFAIL. Given the type of site this is I
> suspected this to be a possible DNSSEC issue. I verified there’s an
> issue here:

Unbound checks that the chain of trust uses the correct algorithm, as
advertised by the DS record.  The DS record advertises algorithm 7
(only).  The DNSKEY record set has keys for 7 and 8.  The MX record is
signed with only 8.

Unbound is strict here, the DS record states that this chain of trust
must be present (MUST in the RFC).  It is not, bogus.

Bind is more lenient here, and a signature whose algorithm was not
advertised is fine.

Best regards,
   Wouter

> http://dnsviz.net/d/dfas.mil/dnssec/
> 
> • dfas.mil/DNSKEY: This RRset is not covered by any RRSIG.
> 
> • dfas.mil/MX: DNSKEYs exist for algorithm(s) 8, 7 in the dfas.mil
> zone, but the dfas.mil/MX RRset was not signed by any DNSKEY with
> algorithm(s) 7.
> 
> • dfas.mil/SOA: DNSKEYs exist for algorithm(s) 8, 7 in the dfas.mil
> zone, but the dfas.mil/SOA RRset was not signed by any DNSKEY with
> algorithm(s) 7.
> 
> • dfas.mil/TXT: DNSKEYs exist for algorithm(s) 8, 7 in the dfas.mil
> zone, but the dfas.mil/TXT RRset was not signed by any DNSKEY with
> algorithm(s) 7.
> 
> I tested resolution against both DNS-OARC’s BIND and Unbound
> DNSSEC public servers:
> 
> BIND 9   149.20.64.20    2001:4f8:3:2bc:1::64:20
> 
> Unbound   149.20.64.21   2001:4f8:3:2bc:1::64:21
> 
> Their Unbound server fails just as mine do, but their BIND server 
> returns the A record. I’m reluctant to disable DNSSEC validation
> over this one domain, considering there appears to be an actual
> problem. Considering BIND as well as Google’s public DNS are
> validating this site OK I figured it was worth bringing up.
> 
> Any feedback is appreciated!
> 
> /ehren

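The algorithm-coverage rule Wouter describes, modelled as an added example (this is not Unbound's or BIND's code, and the key tags are constructed): the strict mode requires every algorithm advertised by the DS RRset, and present in the DNSKEY RRset, to have a valid signature over the RRset; the lenient mode accepts any signature made by a key in the zone. The sample data mirrors the dnsviz report quoted below (DS algorithm 7, DNSKEYs 7 and 8, MX/SOA/TXT signed only with 8).

```python
"""Model of the DNSSEC algorithm-coverage check (constructed example, not resolver code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    algorithm: int


@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    algorithm: int
    key_tag: int


def advertised_algorithms(ds_set, dnskeys):
    """Algorithms the DS RRset advertises for which the zone actually publishes a DNSKEY."""
    ds_algs = {ds.algorithm for ds in ds_set}
    return {k.algorithm for k in dnskeys if k.algorithm in ds_algs}


def check_rrset(rrtype, ds_set, dnskeys, rrsigs, strict=True):
    """Return (ok, missing_algorithms) for one RRset.

    strict=True  : every advertised algorithm must sign the RRset (the rule Unbound applies).
    strict=False : any signature by a key in the DNSKEY RRset is enough (the lenient behaviour).
    """
    zone_keys = {(k.key_tag, k.algorithm) for k in dnskeys}
    signing_algs = {s.algorithm for s in rrsigs
                    if s.type_covered == rrtype and (s.key_tag, s.algorithm) in zone_keys}
    if strict:
        missing = advertised_algorithms(ds_set, dnskeys) - signing_algs
        return (not missing, sorted(missing))
    return (bool(signing_algs), [])


# Constructed sample data; key tags 11111 and 22222 are invented, not dfas.mil's real ones.
SAMPLE_DS = {DS(key_tag=11111, algorithm=7)}
SAMPLE_DNSKEYS = {DNSKEY(key_tag=11111, algorithm=7), DNSKEY(key_tag=22222, algorithm=8)}
SAMPLE_RRSIGS = {RRSIG("MX", 8, 22222), RRSIG("SOA", 8, 22222), RRSIG("TXT", 8, 22222)}


def report(rrtypes=("MX", "SOA", "TXT")):
    """Per-RRset verdict under the strict and the lenient rule."""
    return {t: {"strict": check_rrset(t, SAMPLE_DS, SAMPLE_DNSKEYS, SAMPLE_RRSIGS, True)[0],
                "lenient": check_rrset(t, SAMPLE_DS, SAMPLE_DNSKEYS, SAMPLE_RRSIGS, False)[0]}
            for t in rrtypes}
```

Adding an RRSIG of algorithm 7 over each RRset (or dropping algorithm 7 from the DS) makes the strict check pass, which is the fix the zone operator would need to apply.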