IETF Logo Mail Archive

Re: [dane] DNSSEC debug advice (TLSA lookup problem).

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 05 September 2014 15:11 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D55A91A06F6 for <dane@ietfa.amsl.com>; Fri, 5 Sep 2014 08:11:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_40=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qJqBvnE-DK2K for <dane@ietfa.amsl.com>; Fri, 5 Sep 2014 08:11:56 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 195391A02FC for <dane@ietf.org>; Fri, 5 Sep 2014 08:11:56 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 1748E2AB2C0; Fri, 5 Sep 2014 15:11:49 +0000 (UTC)
Date: Fri, 05 Sep 2014 15:11:49 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140905151149.GO26920@mournblade.imrryr.org>
References: <20140904202137.GD26920@mournblade.imrryr.org> <20140904210017.09E4D1E6A231@rock.dv.isc.org> <20140904213730.GE26920@mournblade.imrryr.org> <20140904230533.ED33E1E6D2FC@rock.dv.isc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20140904230533.ED33E1E6D2FC@rock.dv.isc.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/tX2lAi1k8PAjHTxgCbJTPmwMNqY
Subject: Re: [dane] DNSSEC debug advice (TLSA lookup problem).
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Sep 2014 15:11:58 -0000

On Fri, Sep 05, 2014 at 09:05:33AM +1000, Mark Andrews wrote:

> > Yes, in fact between posting and reading your answer, I went off
> > and did some reading.  The problem as I now understand it seems to
> > be that:
> > 
> > 	1.   *.clarion-hotels.cz IN CNAME 	exists.
> > 	2.   mail2.clarion-hotels.cz		exists.
> > 	3.   _tcp.mail2.clarion-hotels.cz	does not exist.
> > 
> > and finally, the nameservers for clarion-hotels.cz incorrectly
> > apply the wildcard CNAME to a child of an existing sibling node
> > (mail2).  This is detected as an error by various validating
> > resolvers.
> >
> > Is this right?
> 
> Yes.

Thanks.  I wrote to the operators of the DNS servers, and they are
planning to fix the bug, but implemented a short-term work-around,
where the wildcard CNAME was replaced by wildcard A record.  However
the work-around is not working to the satisfaction of my resolver,
any idea why?

    $ dig +dnssec +norecur -t tlsa _25._tcp.mail2.clarion-hotels.cz @ns.forpsi.net
    ; <<>> DiG 9.8.3-P1 <<>> +dnssec +norecur -t tlsa _25._tcp.mail2.clarion-hotels.cz @ns.forpsi.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31810
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;_25._tcp.mail2.clarion-hotels.cz. IN   TLSA

    ;; AUTHORITY SECTION:
    clarion-hotels.cz.      3600    IN      SOA     ns.forpsi.net. admin.forpsi.com. 2014090502 3600 1800 2592000 3600
    clarion-hotels.cz.      3600    IN      RRSIG   SOA 5 2 3600 20141005113302 20140905113302 13077 clarion-hotels.cz. Y4JCzy6U/fMI2tz+pLfQ1mFD2h1jxRMJ7nUwXS0cxlE9xcN8QFibwC75 BBivVbf3Xb2oPXJTRTvkkUAXR1wziOCy/qvK4LyNFX2ENn2aKGn3i93H LrHM/5u1IoeG4niXbS22Tue3FEgYKcSX7UA5PDDQAQs2o+jX9IbwYawC teM=
    *.clarion-hotels.cz.    3600    IN      NSEC    mail.clarion-hotels.cz. A RRSIG NSEC
    *.clarion-hotels.cz.    3600    IN      RRSIG   NSEC 5 2 3600 20141005113302 20140905113302 13077 clarion-hotels.cz. lSf+ySQxo+sXxtuEZEIy7YghFeQnFlDd7vkZA8XO/ahgAzgxHZkAsQXk RjoJVCLd3E3FgX55Pu0RA6IQVn1ynZFYp3l1P24bC93+l3vszNsnMKnD qqjNIIzeYanNfkI34kdPpj5C1HhtrC1ZUhRwryphsKXX9KYFB/B4i+47 U2E=
    mail2.clarion-hotels.cz. 3600   IN      NSEC    clarion-hotels.cz. A RRSIG NSEC
    mail2.clarion-hotels.cz. 3600   IN      RRSIG   NSEC 5 3 3600 20141005113302 20140905113302 13077 clarion-hotels.cz. lX8m4n9dL8/055WYsv5LW/D9L7257lzOv9QAynpBlJiShQkYRFsAc9rT ZFdrCeahWXg01/jGVrUNoxwJUUxUobt8GFcTiXHvI/w5ej6rsc80tUVT BCnW9WsJBNiz7hDN8Ac3V8gKE77Td2TZxJpPtRdAOTW4mc6E04XsLIL7 XmQ=

    ;; Query time: 130 msec
    ;; SERVER: 81.2.194.130#53(81.2.194.130)
    ;; WHEN: Fri Sep  5 11:04:38 2014
    ;; MSG SIZE  rcvd: 742

This time there is no erroneous wildcard CNAME response, just
ANSWER:0, and some NSEC records in the authority section.  In
particular there is an NSEC record that should prove absense of
anything after "mail2", thus denying "_tcp.mail2"...

What's wrong now?  Oddly enough when I ask for "mail3.<etc> IN TLSA
?" the resolver is happy with a "NODATA" response, containing
exactly the same records.  So these records constitute proof that
"mail3" does not exist, but somehow fail to prove that "_tcp.mail2"
does not?

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email