Re: [dnsext] duplicate RRs and resulting RRSIG
Mohan Parthasarathy <suruti94@gmail.com> Wed, 04 January 2012 20:39 UTC
Return-Path: <suruti94@gmail.com>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E04A11E809F for <dnsext@ietfa.amsl.com>; Wed, 4 Jan 2012 12:39:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FNrTybLJ73Uu for <dnsext@ietfa.amsl.com>; Wed, 4 Jan 2012 12:39:06 -0800 (PST)
Received: from mail-qw0-f44.google.com (mail-qw0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id CB70C11E80A6 for <dnsext@ietf.org>; Wed, 4 Jan 2012 12:39:06 -0800 (PST)
Received: by qadb15 with SMTP id b15so10466199qad.10 for <dnsext@ietf.org>; Wed, 04 Jan 2012 12:39:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=WXvQ1GKixOyNjPpkWr8SQk2sOeMFBtP3OdlU13DaU84=; b=SFMiJmmqMtBPUb9ziWf0HGTuYu6hXIcXdPAVC8+WjVDuWvI01RoQ1SjnAvnFhwiG+0 TKtvQigx6qkJFCeA6SJEker2y/ZDegoDM4XecwfxZTIc4qQrtamCpgF5pqWVyCvFd6MD 9CRWyZnsA+RCL/Q2L3a7EnFt8ttr1egvcwHJA=
MIME-Version: 1.0
Received: by 10.224.202.130 with SMTP id fe2mr14143052qab.16.1325709544924; Wed, 04 Jan 2012 12:39:04 -0800 (PST)
Received: by 10.229.212.4 with HTTP; Wed, 4 Jan 2012 12:39:04 -0800 (PST)
In-Reply-To: <CA+wr5LX8DbiGZnxEtQxRMsiW3Y+RnVHMZsBnuge=783BTL5PiQ@mail.gmail.com>
References: <CA+wr5LX8DbiGZnxEtQxRMsiW3Y+RnVHMZsBnuge=783BTL5PiQ@mail.gmail.com>
Date: Wed, 04 Jan 2012 12:39:04 -0800
Message-ID: <CACU5sDm8UZMqkL_jp-jrz5P6S_mOi8mYdi9xNUp7J=5k85d8zA@mail.gmail.com>
From: Mohan Parthasarathy <suruti94@gmail.com>
To: bert hubert <bert.hubert@netherlabs.nl>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "dnsext@ietf.org" <dnsext@ietf.org>
Subject: Re: [dnsext] duplicate RRs and resulting RRSIG
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jan 2012 20:39:07 -0000
On Wed, Jan 4, 2012 at 12:26 PM, bert hubert <bert.hubert@netherlabs.nl> wrote: > Hi everybody, > > As part of a recent very big PowerDNS deployment as a DNSSEC signer, > we've encountered an interesting issue. I'm sharing this here in hopes > of hearing your wisdom, plus possibly to warn you about this happening > in your code or deployments too. > > In a zone there are three MX RRs for a name, of which 2 are identical. > PowerDNS signs all three records in canonical order when the zone is > transferred to BIND (at least I think it is BIND). > > That server subsequently drops one of the two identical records, and > serves only two MX RRs to the world, BUT with the RRSIG that was > calculated from all three records. Bad data ensues, and bounced > emails, since this is in the country that actually validates. > > Now, there are at least 3 places where we might call 'bug': 1) the > process that put duplicate RRs in the database 2) PowerDNS for signing > the 3 RRs or 3) the 'outer' server for silently dropping one of the > RRs, in the assumption that the RRSIG will survice this process. > > RFC 2181, section 5, says that servers should (lower case) 'suppress' > duplicate RRSIGs, which would argue that at least PowerDNS is > partially to blame, and should've dropped the duplicate record. > However, the outer server I think should also not feel free to drop > records on an DNSSEC signed zone. > Section 6.3 of RFC 4034 states: 6.3. Canonical RR Ordering within an RRset For the purposes of DNS security, RRs with the same owner name, class, and type are sorted by treating the RDATA portion of the canonical form of each RR as a left-justified unsigned octet sequence in which the absence of an octet sorts before a zero octet. [RFC2181] specifies that an RRset is not allowed to contain duplicate records (multiple RRs with the same owner name, class, type, and RDATA). Therefore, if an implementation detects duplicate RRs when putting the RRset in canonical form, it MUST treat this as a protocol error. If the implementation chooses to handle this protocol error in the spirit of the robustness principle (being liberal in what it accepts), it MUST remove all but one of the duplicate RR(s) for the purposes of calculating the canonical form of the RRset. Going by this, PowerDNS should have removed the duplicate RRs before signing. -mohan > > What do you think? > > Bert > _______________________________________________ > dnsext mailing list > dnsext@ietf.org > https://www.ietf.org/mailman/listinfo/dnsext
- [dnsext] duplicate RRs and resulting RRSIG bert hubert
- Re: [dnsext] duplicate RRs and resulting RRSIG Mohan Parthasarathy
- Re: [dnsext] duplicate RRs and resulting RRSIG bmanning
- Re: [dnsext] duplicate RRs and resulting RRSIG bert hubert
- Re: [dnsext] duplicate RRs and resulting RRSIG Doug Barton
- Re: [dnsext] duplicate RRs and resulting RRSIG SM
- Re: [dnsext] duplicate RRs and resulting RRSIG Marco Davids (SIDN)
- Re: [dnsext] duplicate RRs and resulting RRSIG Tony Finch
- Re: [dnsext] duplicate RRs and resulting RRSIG Tony Finch