[dnsext] duplicate RRs and resulting RRSIG
bert hubert <bert.hubert@netherlabs.nl> Wed, 04 January 2012 20:27 UTC
From: bert hubert <bert.hubert@netherlabs.nl>
Date: Wed, 04 Jan 2012 21:26:44 +0100
Message-ID: <CA+wr5LX8DbiGZnxEtQxRMsiW3Y+RnVHMZsBnuge=783BTL5PiQ@mail.gmail.com>
To: "dnsext@ietf.org" <dnsext@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Hi everybody,

As part of a recent very big PowerDNS deployment as a DNSSEC signer, we've encountered an interesting issue. I'm sharing this here in hopes of hearing your wisdom, plus possibly to warn you about this happening in your code or deployments too.

In a zone there are three MX RRs for a name, of which 2 are identical. PowerDNS signs all three records in canonical order when the zone is transferred to BIND (at least I think it is BIND). That server subsequently drops one of the two identical records, and serves only two MX RRs to the world, BUT with the RRSIG that was calculated from all three records. Bad data ensues, and bounced emails, since this is in the country that actually validates.

Now, there are at least 3 places where we might call 'bug':
1) the process that put duplicate RRs in the database
2) PowerDNS for signing the 3 RRs or
3) the 'outer' server for silently dropping one of the RRs, in the assumption that the RRSIG will survive this process.

RFC 2181, section 5, says that servers should (lower case) 'suppress' duplicate RRSIGs, which would argue that at least PowerDNS is partially to blame, and should've dropped the duplicate record. However, the outer server I think should also not feel free to drop records on a DNSSEC signed zone.

What do you think?

Bert