Re: [dane] DNSSEC debug advice (TLSA lookup problem).
Rene Bartsch <ietf@bartschnet.de> Fri, 05 September 2014 09:30 UTC
Return-Path: <ietf@bartschnet.de>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F05D1A05D1 for <dane@ietfa.amsl.com>; Fri, 5 Sep 2014 02:30:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.551
X-Spam-Level:
X-Spam-Status: No, score=-1.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OdqaUY0_Fm98 for <dane@ietfa.amsl.com>; Fri, 5 Sep 2014 02:30:13 -0700 (PDT)
Received: from triangulum.uberspace.de (triangulum.uberspace.de [95.143.172.227]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE8801A00E7 for <dane@ietf.org>; Fri, 5 Sep 2014 02:30:12 -0700 (PDT)
Received: (qmail 30253 invoked from network); 5 Sep 2014 09:30:09 -0000
Received: from localhost (HELO www.bartschnet.de) (127.0.0.1) by triangulum.uberspace.de with SMTP; 5 Sep 2014 09:30:09 -0000
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Content-Transfer-Encoding: 7bit
Date: Fri, 05 Sep 2014 11:30:06 +0200
From: Rene Bartsch <ietf@bartschnet.de>
To: IETF DANE Mailinglist <dane@ietf.org>
In-Reply-To: <20140904230533.ED33E1E6D2FC@rock.dv.isc.org>
References: <20140904202137.GD26920@mournblade.imrryr.org> <20140904210017.09E4D1E6A231@rock.dv.isc.org> <20140904213730.GE26920@mournblade.imrryr.org> <20140904230533.ED33E1E6D2FC@rock.dv.isc.org>
Message-ID: <a979d408271bbb644e5234f4cbfcaaf4@triangulum.uberspace.de>
X-Sender: ietf@bartschnet.de
User-Agent: Roundcube Webmail/1.0.1
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/VFfRrToGdLCyj_v5h0_rM1g81B4
Subject: Re: [dane] DNSSEC debug advice (TLSA lookup problem).
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Sep 2014 09:30:15 -0000
When testing avoid to use Google Public DNS resolvers as they have a bug in wildcard resolution (https://groups.google.com/forum/#!topic/public-dns-discuss/M982l7Lz9uA). Am 2014-09-05 01:05, schrieb Mark Andrews: > In message <20140904213730.GE26920@mournblade.imrryr.org>, Viktor > Dukhovni writ > es: >> On Fri, Sep 05, 2014 at 07:00:16AM +1000, Mark Andrews wrote: >> >> > Just go and read how the DNS works first. This will tell you what >> > rules DNSSEC has to prove were met for each answer. >> >> Yes, in fact between posting and reading your answer, I went off >> and did some reading. The problem as I now understand it seems to >> be that: >> >> 1. *.clarion-hotels.cz IN CNAME exists. >> 2. mail2.clarion-hotels.cz exists. >> 3. _tcp.mail2.clarion-hotels.cz does not exist. >> >> and finally, the nameservers for clarion-hotels.cz incorrectly >> apply the wildcard CNAME to a child of an existing sibling node >> (mail2). This is detected as an error by various validating >> resolvers. >> >> Is this right? > > Yes. > >> > The RRSIG for _25._tcp.mail2.clarion-hotels.cz says it was generated >> > from a wildcard record which the validator proved by retaining the >> > correct number of labels to form the suffix of the wildcard record >> > and adding a '*' label. This gives the name of the record that was >> > signed. The number of labels is also part of the data that is >> > hashed to form the RRSIG. >> >> Right, so along with this there needs to be a non-existence proof >> for the labels replaced with the wildcard, but there is no such >> proof, because "mail2" exists. >> >> > Now can we please stop second guessing whether DNSSEC actually >> > works. It does. >> >> Sorry, I was just surprised by the RRSIG values being the same for >> multiple qnames, but did not know about the RRSIG label count field. >> So my guess was way off, but it was a guess, and I did ask for >> advice from folks who actually know how this works. > > Ok. Sorry if I came on a bit strong. > >> So now I need to figure out what manner of broken name servers are: >> >> ns.forpsi.cz >> ns.forpsi.it >> ns.forpsi.net >> >> -- >> Viktor. >> >> _______________________________________________ >> dane mailing list >> dane@ietf.org >> https://www.ietf.org/mailman/listinfo/dane -- Best regards, Rene Bartsch, B. Sc. Informatics
- [dane] DNSSEC debug advice (TLSA lookup problem). Viktor Dukhovni
- Re: [dane] DNSSEC debug advice (TLSA lookup probl… Mark Andrews
- Re: [dane] DNSSEC debug advice (TLSA lookup probl… Viktor Dukhovni
- Re: [dane] DNSSEC debug advice (TLSA lookup probl… Mark Andrews
- Re: [dane] DNSSEC debug advice (TLSA lookup probl… Rene Bartsch
- Re: [dane] DNSSEC debug advice (TLSA lookup probl… Viktor Dukhovni
- Re: [dane] DNSSEC debug advice (TLSA lookup probl… Viktor Dukhovni
- Re: [dane] DNSSEC debug advice (TLSA lookup probl… Viktor Dukhovni
- Re: [dane] DNSSEC debug advice (TLSA lookup probl… Mark Andrews
- Re: [dane] DNSSEC debug advice (TLSA lookup probl… Viktor Dukhovni
- Re: [dane] DNSSEC debug advice (TLSA lookup probl… Viktor Dukhovni