Maintained by: NLnet Labs

DNSSEC validation fail for _25._tcp.eldinhadzic.com

W.C.A. Wijngaards
Fri Jul 15 10:50:15 CEST 2016

Hi Andreas,

You have enabled qname-minimisation.  And the server does not support
queries for _tcp.eldinhadzic.com.

The answer for _tcp.eldinhadzic.com. is NXDOMAIN.  And the DNSSEC
proof for it is broken.  For _25._tcp TLSA there is a TLSA answer,
DNSSEC valid; this is what people without qname minimisation get.

The server says it is
    version.bind.		5	CH	TXT	"Rage4 DNS - https://rage4.com"
and the SOA record also talks about rage4:
    eldinhadzic.com.        3600    IN      SOA     ns1.r4ns.com. postmaster.eldinhadzic.com. 1468246877 10800 3600 604800 3600
I guess they have their own implementation.

But it gives NXDOMAIN for empty nonterminals.  And the proof for that
NXDOMAIN is then broken.

The proof has the nsec3 for the zone apex, as the closest encloser.
For the next closer, _tcp, there is no covering nsec3.

The other nsec3s in the packet are the covering nsec3s that prove that
the names _25._tcp and *._25._tcp do not exist. That would prove an
NXDOMAIN for _25._tcp, but these nsec3s are pointless here.

What with doing TLSA for their mail, perhaps the domain owners want
working DNSSEC too? :-)

Best regards, Wouter

On 15/07/16 10:13, A. Schulze via Unbound-users wrote:
> 
> Hello,
> 
> with unbound-1.5.9, we hit $subject. The domain is signed using
> algorithm 14 (http://dnsviz.net/d/_25._tcp.eldinhadzic.com/dnssec/).
> 
> # posttls-finger eldinhadzic.com
> posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.eldinhadzic.com type=TLSA: Host not found, try again
> posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.eldinhadzic.com type=TLSA: Host not found, try again
> posttls-finger: Failed to establish session to eldinhadzic.com via eldinhadzic.com: TLSA lookup error for eldinhadzic.com:25
> 
> unbound logs:
> [1468570247] unbound[31749:0] notice: init module 0: validator
> [1468570247] unbound[31749:0] notice: init module 1: iterator
> [1468570247] unbound[31749:0] info: start of service (unbound 1.5.9).
> [1468570251] unbound[31749:0] info: ::1 eldinhadzic.com. MX IN
> [1468570251] unbound[31749:0] info: ::1 eldinhadzic.com. A IN
> [1468570251] unbound[31749:0] info: ::1 eldinhadzic.com. AAAA IN
> [1468570251] unbound[31749:0] info: ::1 _25._tcp.eldinhadzic.com. TLSA IN
> [1468570252] unbound[31749:0] info: validation failure <_25._tcp.eldinhadzic.com. TLSA IN>: nameerror proof failed from 176.124.112.100
> [1468570252] unbound[31749:0] info: ::1 _25._tcp.eldinhadzic.com. TLSA IN
> [1468570252] unbound[31749:0] info: validation failure <_25._tcp.eldinhadzic.com. TLSA IN>: nameerror proof failed from 176.124.112.100
> [1468570252] unbound[31749:0] info: ::1 _25._tcp.eldinhadzic.com. TLSA IN
> [1468570252] unbound[31749:0] info: validation failure <_25._tcp.eldinhadzic.com. TLSA IN>: nameerror proof failed from 176.124.113.200
> [1468570252] unbound[31749:0] info: ::1 _25._tcp.eldinhadzic.com. TLSA IN
> [1468570252] unbound[31749:0] info: validation failure <_25._tcp.eldinhadzic.com. TLSA IN>: nameerror proof failed from 176.124.113.200
> [1468570252] unbound[31749:0] info: ::1 _25._tcp.eldinhadzic.com. TLSA IN
> [1468570252] unbound[31749:0] info: validation failure <_25._tcp.eldinhadzic.com. TLSA IN>: nameerror proof failed from 2a05:b0c1::200
> [1468570252] unbound[31749:0] info: ::1 _25._tcp.eldinhadzic.com. TLSA IN
> [1468570253] unbound[31749:0] info: validation failure <_25._tcp.eldinhadzic.com. TLSA IN>: nameerror proof failed from 2a05:b0c0::100
> [1468570253] unbound[31749:0] info: ::1 _25._tcp.eldinhadzic.com. TLSA IN
> [1468570253] unbound[31749:0] info: validation failure <_25._tcp.eldinhadzic.com. TLSA IN>: nameerror proof failed from 176.124.112.100
> [1468570253] unbound[31749:0] info: ::1 _25._tcp.eldinhadzic.com. TLSA IN
> [1468570253] unbound[31749:0] info: validation failure <_25._tcp.eldinhadzic.com. TLSA IN>: nameerror proof failed from 2a05:b0c1::200
> 
> DNSViz says it's valid:
> http://dnsviz.net/d/_25._tcp.eldinhadzic.com/dnssec/
> How can I check whether my unbound could validate such data at all?
> 
> 
> # unbound -h
> ...
> Version 1.5.9
> linked libs: libevent 2.0.21-stable (it uses epoll), OpenSSL 1.0.1t  3 May 2016
> linked modules: dns64 validator iterator
> ...
> 
> I also have ldns-keygen, which at least 'knows' about that
> algorithm:
> 
> # ldns-keygen -a list
> Possible algorithms:
> RSAMD5 RSASHA1 RSASHA1-NSEC3-SHA1 RSASHA256 RSASHA512 ECDSAP256SHA256
> ECDSAP384SHA384 DSA DSA-NSEC3-SHA1 hmac-md5.sig-alg.reg.int
> hmac-sha1 hmac-sha256
> 
> Andreas
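
As an added example, not code from this thread or from Unbound: a Python sketch of the RFC 5155 name-error (NXDOMAIN) proof check Wouter walks through, run over a constructed toy NSEC3 chain for eldinhadzic.com in which _tcp exists as a signed empty non-terminal. The zone contents and the NSEC3 parameters are assumptions, not the real zone's data.

```python
import hashlib, base64

# Constructed toy zone (not the real eldinhadzic.com data): the apex, the empty
# non-terminal _tcp and the TLSA owner. NSEC3 parameters follow the RFC 5155 Appendix A zone.
ZONE_NAMES = ["eldinhadzic.com", "_tcp.eldinhadzic.com", "_25._tcp.eldinhadzic.com"]
ITERATIONS, SALT = 12, bytes.fromhex("aabbccdd")
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire(name):
    """Canonical wire form of a name: lowercase, length-prefixed labels, root byte."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def nsec3_hash(name, iterations=ITERATIONS, salt=SALT):
    """RFC 5155 section 5: SHA-1(x || salt), re-hashed `iterations` more times, base32hex."""
    h = hashlib.sha1(wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode().translate(B32HEX).lower()

def nsec3_chain(names):
    """(owner_hash, next_hash) pairs of a complete chain; the last record wraps to the first."""
    hashes = sorted(nsec3_hash(n) for n in names)
    return [(hashes[i], hashes[(i + 1) % len(hashes)]) for i in range(len(hashes))]

def covers(record, h):
    """True if h lies strictly between owner and next (wrap-around for the last record)."""
    owner, nxt = record
    return owner < h < nxt if owner < nxt else (h > owner or h < nxt)
def matches(records, name):
    return any(owner == nsec3_hash(name) for owner, _ in records)

def check_nxdomain_proof(qname, records):
    """RFC 5155 section 8.4: need the NSEC3 matching the closest encloser plus NSEC3s
    covering the next closer name and the wildcard at the closest encloser."""
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):              # walk up to the first existing ancestor
        closest = ".".join(labels[i:])
        if matches(records, closest):
            next_closer = ".".join(labels[i - 1:])
            break
    else:
        return "no closest encloser NSEC3"
    if matches(records, next_closer):            # an empty non-terminal has its own NSEC3
        return "next closer %s exists: NXDOMAIN is wrong" % next_closer
    if not any(covers(r, nsec3_hash(next_closer)) for r in records):
        return "no covering NSEC3 for next closer " + next_closer
    if not any(covers(r, nsec3_hash("*." + closest)) for r in records):
        return "no covering NSEC3 for wildcard *." + closest
    return "ok"
```

With a correctly signed chain, the hash of _tcp matches an NSEC3 owner, so no record can cover it and an NXDOMAIN for the empty non-terminal can never be proven; the valid answer for it is NODATA.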
