Re: [dane] Fwd: New Version Notification for draft-york-dane-deployment-observations-00.txt

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 10 November 2014 21:39 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E4451A6F01 for <dane@ietfa.amsl.com>; Mon, 10 Nov 2014 13:39:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.7
X-Spam-Level:
X-Spam-Status: No, score=-0.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_65=0.6, J_CHICKENPOX_72=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IgcgkC3Q8-2Y for <dane@ietfa.amsl.com>; Mon, 10 Nov 2014 13:39:34 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E58571A6F0A for <dane@ietf.org>; Mon, 10 Nov 2014 13:39:33 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 078412AB2F4; Mon, 10 Nov 2014 21:39:32 +0000 (UTC)
Date: Mon, 10 Nov 2014 21:39:31 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20141110213931.GJ161@mournblade.imrryr.org>
References: <20141027225310.29285.24437.idtracker@ietfa.amsl.com> <F0C0FC32-FAA7-4D07-A230-59A538754BCD@isoc.org> <20141027233223.GL19158@mournblade.imrryr.org> <20141110164617.GZ161@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20141110164617.GZ161@mournblade.imrryr.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/i8ik9yD-H5du5EMveijEUBXyCCc
Subject: Re: [dane] Fwd: New Version Notification for draft-york-dane-deployment-observations-00.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Nov 2014 21:39:36 -0000

On Mon, Nov 10, 2014 at 04:46:17PM +0000, Viktor Dukhovni wrote:

> Speaking of testing, the Deploy360 site's list of test servers is
> in need of ongoing maintenance.  A noticeable fraction behave
> differently than advertised.

> ;; Passed(depth 1, hostname fedoraproject.org): fedoraproject.org. IN TLSA 0 0 1 19400BE5B7A31FB733917700789D2F0A2471C0C9D506C0E504C06C16D7CB17C0
> ;; Passed(depth 0): www.freebsd.org. IN TLSA 3 0 1 3F86A1FA85F6E5169CB27BF25C863805EBFD3225A16AADB75587804680992096
> ;; Passed(depth 0): torproject.org. IN TLSA 3 1 1 578582E6B4569A4627AEF5DFE876EEC0539388E605DB170217838B10D2A58DA5
> ;; Passed(depth 0): good.dane.verisignlabs.com. IN TLSA 3 0 1 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC6933C808D3
> ;; Passed(depth 0): nohats.ca. IN TLSA 3 1 1 462573195C86E861ABAB8ECCFBC7F0486958EFDFF9449AC10729B3A0F906F388
> ;; Passed(depth 0): www.nlnetlabs.nl. IN TLSA 3 1 1 F7DB964ED80ED0773F82A21997B2DCBAE434AE821AB1E3E337AD0CCFBFE2359F
> ;; Passed(depth 0): www.huque.com. IN TLSA 3 0 1 0013BEF11B875A58F3B0B1D7A0D439A608277F58433BBB12245B2A28B398C281

As advertised.  Mind you there should perhaps be a distinction in
the classification of test sites between sites whose TLSA RRs
actually leverage the CA they're signed by "usage 0, 1 or 2" vs.
sites with a valid CA cert, but DANE-EE TLSA records.  This would
separate fedora and freebsd into separate categories.

> ;; Passed(depth 3, hostname jhcloos.com): jhcloos.com. IN TLSA 1 1 1 597CC279D90F0FB950B540921C4A76916590A2B7DEDDDDBC353C65337160E1A8
> ;; Passed(depth 0): jhcloos.com. IN TLSA 3 1 1 597CC279D90F0FB950B540921C4A76916590A2B7DEDDDDBC353C65337160E1A8
> ;; Passed(depth 4, hostname *.kumari.net): www.kumari.net. IN TLSA 1 0 1 8D930A464843E08660E3FD1DDCE8ED4269CC0CD9CD53A8A306BCE8ABCF47AEF5
> ;; Passed(depth 3, hostname dougbarton.us): dougbarton.us. IN TLSA 1 0 2 F994F42839BE5C864F143A037D4E96BB0F559AD7284C57EA09BF6A69D37C1D8359E57C604BB42A9A56586DB21E700404C38B8152365C03543BBF210A4FE30E08

The jhcloos site is however, in both camps.  Above, my code is
misreporting the match depth for usage PKIX-EE(1) reporting the
depth of the cert chain, not the match, I'll fix that shortly.

> ;; Failed: rogue.nohats.ca. IN TLSA 3 0 1 0000000000000000000000000000000000000000000000000000000000000000: unable to get local issuer certificate: (20)
> ;; Failed: bad-hash.dane.verisignlabs.com. IN TLSA 3 0 1 9999999999999999999999999999999999999999999999999999999999999999: certificate not trusted: (27)
> ;; Failed: bad-params.dane.verisignlabs.com. IN TLSA 3 119 1 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC6933C808D3: error processing TLSA RR
> ;; Failed: bad-params.dane.verisignlabs.com. IN TLSA 51 0 1 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC6933C808D3: error processing TLSA RR
> ;; Failed: bad-params.dane.verisignlabs.com. IN TLSA 3 0 17 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC6933C808D3: error processing TLSA RR
> DNS Lookup failed: bad-sig.dane.verisignlabs.com IN A ?: SERVFAIL

As advertised.

=== The 5 out of date sites below ===

> ;; Failed: www.statdns.net. IN TLSA 3 0 1 C1D6431EAB897824E3A767A3CBE3B200D9160B20B0B5684C851C47782787D286: certificate not trusted: (27)

This site's TLSA RR asserts a certificate digest that does not
actually match the presented certificate:

    $ (sleep 1) |
	    openssl s_client -connect www.statdns.net:443 2>&1 |
	    openssl x509 -subject -issuer -dates -sha256 -fingerprint -noout
    subject= /C=PL/CN=www.statdns.net/emailAddress=domains@statdns.com
    issuer= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
    notBefore=Oct 31 00:37:02 2014 GMT
    notAfter=Nov  1 08:02:33 2015 GMT
    SHA256 Fingerprint=B8:00:50:18:A6:E7:75:FD:88:76:4B:5B:1D:3D:51:9F:89:1C:01:C7:FE:77:7E:74:A2:CF:22:37:B8:4A:43:B2

Recent key rotation, no corresponding TLSA RR update.

> --- Testing hacklab.to...
> Address records insecure

The hacklab.to zone is unsigned, or if it is signed uses the ISC
DLV, which my tests don't consult.  I don't expect DNSSEC resolvers
to generally support the ISC DLV service.

> ;; Failed: www.vulcano.cl. IN TLSA 3 0 1 5F301AD10923161E74EC4951C052C97963FEBCCB093019618964D69CAF7B5B34: unable to get local issuer certificate: (20)

    $ (sleep 1) |
	openssl s_client -connect www.vulcano.cl:443 2>&1 |
	openssl x509 -subject -issuer -dates -sha256 -fingerprint -noout
    subject= /CN=www.vulcano.cl
    issuer= /O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
    notBefore=Oct 16 13:09:01 2014 GMT
    notAfter=Oct 15 13:09:01 2016 GMT
    SHA256 Fingerprint=2A:84:22:B0:BE:D6:96:07:AA:EB:7C:1A:75:2A:97:8E:22:EB:3E:C6:12:2E:A0:17:C8:67:89:48:67:36:A8:B0

Recent key rotation, no corresponding TLSA RR update.

> --- Testing dane.nox.su...
> DNS Lookup failed: dane.nox.su IN A ?: SERVFAIL

    $ perl ssldane.pl dane.nox.su 443
    DNS Lookup failed: dane.nox.su IN A ?: SERVFAIL

Validating "unbound" resolver fails for this domain, a DNSSEC issue.
However, the A record exists, and is visible to non-validating
resolver report:

    $ (sleep 1) |
	openssl s_client -connect dane.nox.su:443 2>&1 |
	openssl x509 -subject -issuer -dates -sha256 -fingerprint -noout
    subject= /C=RU/L=Moscow/O=NOX.SU/OU=Supervisors group 7/CN=dane.nox.su
    issuer= /C=RU/L=Moscow/O=NOX.SU/OU=Supervisors group 7/CN=dane.nox.su
    notBefore=Jul  2 12:19:19 2014 GMT
    notAfter=Jul  1 12:19:19 2016 GMT
    SHA256 Fingerprint=23:58:E8:10:27:F4:9C:39:47:92:49:93:51:80:30:B3:7F:4B:D6:19:1B:09:7D:44:4E:AF:07:29:FD:61:22:B5

Which matches the published TLSA RR, if one is willing to ignore
the signature problem.

    $ dig +noall +ans -t TLSA _443._tcp.dane.nox.su
    _443._tcp.dane.nox.su. IN TLSA 3 0 1 2358E81027F49C3947924993518030B37F4BD6191B097D444EAF0729FD6122B5

> ;; Failed: rover.secure64.com. IN TLSA 3 0 1 D7D680E82EDA59B910D4CF37EC8398432251650A176A20E08ABE45DA728266EF: self signed certificate: (18)

    $ (sleep 1) |
	openssl s_client -connect rover.secure64.com:443 2>&1 |
	openssl x509 -subject -issuer -dates -sha256 -fingerprint -noout
    subject= /CN=ubuntu
    issuer= /CN=ubuntu
    notBefore=May 29 21:18:25 2012 GMT
    notAfter=May 27 21:18:25 2022 GMT
    SHA256 Fingerprint=5D:D8:53:6B:3F:6C:0D:FB:7D:CC:14:B0:AA:18:0A:13:D1:80:05:ED:CB:45:26:18:D5:4A:01:BB:69:AC:ED:9A

Certificate unrelated to TLSA RR.

-- 
	Viktor.