[dane] DNSSEC debug advice (TLSA lookup problem).

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 04 September 2014 20:21 UTC

Date: Thu, 04 Sep 2014 20:21:37 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140904202137.GD26920@mournblade.imrryr.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/ZXTyZEqiVrhdSakC0fN5IdCyN4E
Subject: [dane] DNSSEC debug advice (TLSA lookup problem).

Postfix with DANE enabled is unable to deliver mail to mailboxes
in the "clarion-hotels.cz" domain (validating recursive resolvers
SERVFAIL TLSA lookups).  The domain is DNSSEC signed:

    $ dig +ad +noall +comment +ans -t mx clarion-hotels.cz
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25470
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

    ;; ANSWER SECTION:
    clarion-hotels.cz.      1799    IN      MX      10 mail.clarion-hotels.cz.
    clarion-hotels.cz.      1799    IN      MX      20 mail2.clarion-hotels.cz.

However, it also sports a wildcard CNAME:

    $ dig +cd +norecur +dnssec +vc -t CNAME "*.clarion-hotels.cz." @ns.forpsi.cz
    ; <<>> DiG 9.8.0rc1 <<>> +cd +norecur +dnssec +vc -t CNAME *.clarion-hotels.cz. @ns.forpsi.cz
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17866
    ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 8

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;*.clarion-hotels.cz.		IN	CNAME

    ;; ANSWER SECTION:
    *.clarion-hotels.cz.	1800	IN	CNAME	clarion-hotels.cz.
    *.clarion-hotels.cz.	1800	IN	RRSIG	CNAME 5 2 1800 20140924121306 20140825121306 13077 clarion-hotels.cz. M8OQ5fcnOYPX2XXvV9Cgefkjv2AHYFLAMeDfUpBuSk1PBFG6s/4tMSLb C/0r72TOjZupOHe5vizyzamAcE6m7dA4tlXGlWkTapf95lKFRokqjQow eRESgmZSS/b43jgxLv/+FRsu3rYnz77j3cC413qBn0PDDKLbepk0YEZC yTk=

    ;; AUTHORITY SECTION:
    clarion-hotels.cz.	3600	IN	NS	ns.forpsi.net.
    clarion-hotels.cz.	3600	IN	NS	ns.forpsi.it.
    clarion-hotels.cz.	3600	IN	NS	ns.forpsi.cz.
    clarion-hotels.cz.	3600	IN	RRSIG	NS 5 2 3600 20140924121306 20140825121306 13077 clarion-hotels.cz. E+Cj1pVvA9v/VP0b2AaOZpENNYiHScIVbXt+h5bpkkl6/iivoTxtORS3 xFCM+mcqkmgQf3xxo9eB0AwbKdf1Mjk4MB4GMn0m2XicWmdRPzHld57Y qr3vorVvOx1OKigLz3LHhYNzp4nC4qIZ1xqhTstgovnlr8I8QB6fhhnu wB4=
    *.clarion-hotels.cz.	3600	IN	NSEC	mail.clarion-hotels.cz. CNAME RRSIG NSEC
    *.clarion-hotels.cz.	3600	IN	RRSIG	NSEC 5 2 3600 20140924121306 20140825121306 13077 clarion-hotels.cz. jlZzNSRlMVDZ2YFPwJJLy7ba37h4w35+C3ge7iikVx03zIQWiBweU3hJ agqn/eCW8LnKGoDBvTUakvEenPnf9P4PUdOCL3/2trHLyLMv4NCafLaT n3d8OSbj6VWCKR1LWNSIcp3es3FbAsdWJtmcXe4oAKSP4i2dBmSEPq/F nS8=

    ;; ADDITIONAL SECTION:
    ns.forpsi.net.		1800	IN	A	81.2.194.130
    ns.forpsi.net.		1800	IN	AAAA	2001:15e8:101:1::c282
    ns.forpsi.it.		1800	IN	A	62.149.230.87
    ns.forpsi.cz.		1800	IN	A	81.2.209.185
    ns.forpsi.cz.		1800	IN	RRSIG	A 5 3 1800 20141004100806 20140904100806 27135 forpsi.cz. Nzo4Ma5iB8QFY6IERC3KLLRPkxsSQgBJgFMQHLl8AGuhaNwEeDLUaYz/ ZPjfiH2Rqchc5VV+nWV63gYhVGa4UB2fFLoFFn3L8Y6uTcBe3c7m3AaP ltUcrI2Wi7lR6Pf8DkncvtLLaumkRQ6FNkpYjyC/jkbVOMyP1r87TYXZ L78=
    ns.forpsi.cz.		1800	IN	AAAA	2001:15e8:201:1::d1b9
    ns.forpsi.cz.		1800	IN	RRSIG	AAAA 5 3 1800 20141004100806 20140904100806 27135 forpsi.cz. TF1AWJD3Wcun92QwS1+ZBy29Zi2qIkBWlYqUeFHGxyQhSlcSAWEt+oOr aTyqk79M38mH7TkFzrCBof+TAc6nM9JSOjm9RfmFQ0FVyM1cpmDxD79W coBeQcGStVofuvdKeuhZG2oiMyBKrbyUFZw1mgI0bupVs1daIy+zzdcQ 43c=

    ;; Query time: 104 msec
    ;; SERVER: 2001:15e8:201:1::d1b9#53(2001:15e8:201:1::d1b9)
    ;; WHEN: Thu Sep  4 19:57:58 2014
    ;; MSG SIZE  rcvd: 1156

I think the DNS servers in question don't correctly handle CNAMEs
and DNSSEC, and this impacts TLSA queries for non-existent records
(SERVFAIL with many validating resolvers).  The response does not
include the "*.clarion-hotels.cz" RR and RRSIG.  Instead we have
just the requested query name with an RRSIG as below:

    _25._tcp.mail.clarion-hotels.cz. 1800 IN RRSIG	CNAME 5 2 1800 \
	20140924121306 20140825121306 13077 clarion-hotels.cz. \
	M8OQ5fcnOYPX2XXvV9Cgefkjv2AHYFLAMeDfUpBuSk1PBFG6s/4tMSLb \
	C/0r72TOjZupOHe5vizyzamAcE6m7dA4tlXGlWkTapf95lKFRokqjQow \
	eRESgmZSS/b43jgxLv/+FRsu3rYnz77j3cC413qBn0PDDKLbepk0YEZC yTk=

    _25._tcp.mail2.clarion-hotels.cz. 1800 IN RRSIG	CNAME 5 2 1800 \
	20140924121306 20140825121306 13077 clarion-hotels.cz. \
	M8OQ5fcnOYPX2XXvV9Cgefkjv2AHYFLAMeDfUpBuSk1PBFG6s/4tMSLb \
	C/0r72TOjZupOHe5vizyzamAcE6m7dA4tlXGlWkTapf95lKFRokqjQow \
	eRESgmZSS/b43jgxLv/+FRsu3rYnz77j3cC413qBn0PDDKLbepk0YEZC yTk=

The surprising thing is that for two different qnames the RRSIG is
the same, and in fact the same as for the wildcard qname!  If RRSIGs
depended only on the RDATA and not on the qname, surely there'd be
serious integrity issues with DNSSEC.  So I think that the
authoritative servers for this domain are busted, is that correct?

More complete server responses below (left out the authority and
additional sections to avoid needless clutter):

    $ dig +cd +norecur +dnssec +vc -t tlsa "_25._tcp.mail.clarion-hotels.cz." @ns.forpsi.cz
    ; <<>> DiG 9.8.0rc1 <<>> +cd +norecur +dnssec +vc -t tlsa _25._tcp.mail.clarion-hotels.cz. @ns.forpsi.cz
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33941
    ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;_25._tcp.mail.clarion-hotels.cz. IN	TLSA

    ;; ANSWER SECTION:
    _25._tcp.mail.clarion-hotels.cz. 1800 IN CNAME	clarion-hotels.cz.
    _25._tcp.mail.clarion-hotels.cz. 1800 IN RRSIG	CNAME 5 2 1800 20140924121306 20140825121306 13077 clarion-hotels.cz. M8OQ5fcnOYPX2XXvV9Cgefkjv2AHYFLAMeDfUpBuSk1PBFG6s/4tMSLb C/0r72TOjZupOHe5vizyzamAcE6m7dA4tlXGlWkTapf95lKFRokqjQow eRESgmZSS/b43jgxLv/+FRsu3rYnz77j3cC413qBn0PDDKLbepk0YEZC yTk=


    $ dig +cd +norecur +dnssec +vc -t tlsa "_25._tcp.mail2.clarion-hotels.cz." @ns.forpsi.cz
    ; <<>> DiG 9.8.0rc1 <<>> +cd +norecur +dnssec +vc -t tlsa _25._tcp.mail2.clarion-hotels.cz. @ns.forpsi.cz
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44567
    ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;_25._tcp.mail2.clarion-hotels.cz. IN	TLSA

    ;; ANSWER SECTION:
    _25._tcp.mail2.clarion-hotels.cz. 1800 IN CNAME	clarion-hotels.cz.
    _25._tcp.mail2.clarion-hotels.cz. 1800 IN RRSIG	CNAME 5 2 1800 20140924121306 20140825121306 13077 clarion-hotels.cz. M8OQ5fcnOYPX2XXvV9Cgefkjv2AHYFLAMeDfUpBuSk1PBFG6s/4tMSLb C/0r72TOjZupOHe5vizyzamAcE6m7dA4tlXGlWkTapf95lKFRokqjQow eRESgmZSS/b43jgxLv/+FRsu3rYnz77j3cC413qBn0PDDKLbepk0YEZC yTk=

-- 
	Viktor.
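Editor's added example (not code from the post or from any of the servers or resolvers it discusses): a minimal model of the wildcard checks a DNSSEC validator applies to the records quoted above. Two facts from the RFCs matter here. First, the RRSIG Labels field (the "2" after the algorithm number in every RRSIG above) records how many labels the signed owner name had, so one signature computed over "*.clarion-hotels.cz" legitimately covers every wildcard expansion; that is why the same RRSIG appears for both qnames (RFC 4034 s3.1.3, RFC 4035 s5.3.1). Second, a validator that sees Labels smaller than the qname's label count must also find an NSEC proving that no closer name exists (RFC 4035 s5.3.4, RFC 4592). The NSEC returned for the wildcard itself has "mail.clarion-hotels.cz" as its next owner, which proves that name exists, so the wildcard cannot match anything under it. The code parses the RRSIG line from the post, derives the wildcard and the "next closer name", and runs the NSEC check with RFC 4034 s6.1 canonical ordering; it also runs a hypothetical "foo.clarion-hotels.cz" (a name I made up) to show a case where the same NSEC would make the expansion acceptable. The NSEC pair and the truncated RRSIG line are constructed from the dig output above; signature verification is out of scope.

```python
# Added example, not from the original post: a minimal model of the
# wildcard checks a DNSSEC validator applies (RFC 4034 s3.1.3 Labels
# field and s6.1 canonical ordering, RFC 4035 s5.3.4, RFC 4592).
# Signature verification itself is out of scope.

def labels(name):
    """Labels of an absolute name, root excluded, left to right."""
    return [l for l in name.rstrip(".").split(".") if l]

def canonical_key(name):
    """Sort key for RFC 4034 s6.1 canonical order: labels are compared from
    the root end as lowercase octet strings; a missing label sorts first."""
    return tuple(l.lower().encode() for l in reversed(labels(name)))

def rrsig_labels_field(rrsig_line):
    """Labels field of an RRSIG in presentation format:
    owner TTL IN RRSIG type-covered algorithm LABELS orig-ttl ..."""
    fields = rrsig_line.split()
    if len(fields) < 7 or fields[3] != "RRSIG":
        raise ValueError("not an RRSIG record in presentation format")
    return int(fields[6])

def wildcard_from_rrsig(qname, labels_field):
    """RFC 4035 s5.3.1: if the owner name (ignoring a leading '*') has more
    labels than the Labels field, the RRset was synthesized from a wildcard
    made of '*' plus the rightmost Labels-field labels.  None otherwise."""
    own = labels(qname)
    if own and own[0] == "*":
        own = own[1:]
    if labels_field >= len(own):
        return None
    return "*." + ".".join(own[len(own) - labels_field:]) + "."

def next_closer_name(qname, wildcard):
    """The name one label below the wildcard's parent on the path to qname.
    The wildcard may only match qname if this name does NOT exist."""
    parent = labels(wildcard)[1:]           # drop the '*' label
    own = labels(qname)
    return ".".join(own[len(own) - len(parent) - 1:]) + "."

def nsec_covers(owner, next_name, name):
    """True if the NSEC span owner -> next_name proves that name does not
    exist.  The zone's last NSEC wraps around to the apex."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(name)
    if o < n:
        return o < q < n
    return q > o or q < n

def validate_wildcard_answer(qname, labels_field, nsecs):
    """Apply RFC 4035 s5.3.4 to a signed answer.  nsecs are (owner, next)
    pairs taken from the authority section.  Returns (status, explanation)."""
    wildcard = wildcard_from_rrsig(qname, labels_field)
    if wildcard is None:
        return "direct", "Labels field matches owner name; no wildcard expansion"
    ncn = next_closer_name(qname, wildcard)
    for owner, nxt in nsecs:
        # An NSEC whose owner or next name IS the next closer name proves
        # that name exists, so the wildcard cannot match qname at all.
        if canonical_key(ncn) in (canonical_key(owner), canonical_key(nxt)):
            return "bogus", (f"NSEC {owner} -> {nxt} shows {ncn} exists, "
                             f"so {wildcard} cannot match {qname}")
        if nsec_covers(owner, nxt, ncn):
            return "wildcard-ok", f"NSEC {owner} -> {nxt} proves {ncn} absent"
    return "bogus", f"no NSEC proves that {ncn} does not exist"

# Constructed input copied from the dig output in the post: the RRSIG from
# the TLSA answer (signature data truncated; only the header fields matter
# here) and the NSEC the server returned for the wildcard name itself.
RRSIG_LINE = ("_25._tcp.mail.clarion-hotels.cz. 1800 IN RRSIG CNAME 5 2 1800 "
              "20140924121306 20140825121306 13077 clarion-hotels.cz. M8OQ5f")
NSECS = [("*.clarion-hotels.cz.", "mail.clarion-hotels.cz.")]

if __name__ == "__main__":
    n = rrsig_labels_field(RRSIG_LINE)
    # foo.clarion-hotels.cz is a hypothetical name, not one from the post.
    for q in ("_25._tcp.mail.clarion-hotels.cz.", "foo.clarion-hotels.cz."):
        print(q, "->", validate_wildcard_answer(q, n, NSECS))
```

Run as-is: the TLSA qname comes back "bogus" because the NSEC proves mail.clarion-hotels.cz exists, while the hypothetical foo.clarion-hotels.cz comes back "wildcard-ok" because it sorts between "*" and "mail" in canonical order. The same check on _25._tcp.mail2.clarion-hotels.cz needs an NSEC covering mail2.clarion-hotels.cz, which the server's authority section would have to supply.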