Re: [DNSOP] Debugging DNSSEC SERVFAILs on resolver side
Petr Spacek <pspacek@redhat.com> Tue, 16 June 2015 09:10 UTC
Return-Path: <pspacek@redhat.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63B421A1BA5 for <dnsop@ietfa.amsl.com>; Tue, 16 Jun 2015 02:10:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.013
X-Spam-Level:
X-Spam-Status: No, score=-5.013 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UgcQWB38EC8l for <dnsop@ietfa.amsl.com>; Tue, 16 Jun 2015 02:10:45 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17D591A1B7F for <dnsop@ietf.org>; Tue, 16 Jun 2015 02:10:45 -0700 (PDT)
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (Postfix) with ESMTPS id 958A733767D for <dnsop@ietf.org>; Tue, 16 Jun 2015 09:10:44 +0000 (UTC)
Received: from pspacek.brq.redhat.com (pspacek.brq.redhat.com [10.34.128.7]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t5G9AhD6028226 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO) for <dnsop@ietf.org>; Tue, 16 Jun 2015 05:10:44 -0400
Message-ID: <557FE812.1000804@redhat.com>
Date: Tue, 16 Jun 2015 11:10:42 +0200
From: Petr Spacek <pspacek@redhat.com>
Organization: Red Hat
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: IETF DNSOP WG <dnsop@ietf.org>
References: <54DB64BC.2020102@redhat.com> <debf337e31e1202620df1368dc4a2c97@pierky.com> <20150211160813.GB53392@isc.org> <556EA150.9070408@redhat.com> <20150603150034.GA71330@isc.org> <55706B14.50400@redhat.com> <5570CF34.8020905@gmail.com> <20150604232823.GA90619@isc.org>
In-Reply-To: <20150604232823.GA90619@isc.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/3Zf3IqLXONm6kvvk93_NSbO4uOE>
Subject: Re: [DNSOP] Debugging DNSSEC SERVFAILs on resolver side
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jun 2015 09:10:46 -0000
Hello, (re-sending to list) I would like to find a solution which covers other possible failure modes than SERVFAIL, too. Looking at BIND 9.9, it sometimes can return NXDOMAIN or even NOERROR when validation fails for some obscure reasons. E.g. an attempt to invent private TLD like 'mycompany' without proper trust anchor configuration / negative trust anchor can yield NXDOMAIN answer and one line in log, but not a SERVFAIL. Similarly, an attempt to 'shadow'/'hijack' an existing domain which has DS records in the parent might result in returning NOERROR with data from the real parent while ignoring 'spoofed' data. I agree that this behavior makes sense from security stand point but it would be tremendously handy to get information that something like that happened. Maybe https://tools.ietf.org/html/draft-hunt-dns-server-diagnostics-00#section-2.2 could be relaxed to allow the server to send ESD option even in non-SERVFAIL responses? Maybe there will be other use-cases for ESD option too. E.g. GSS-TSIG errors could be accompanied with detailed error codes and/or human-readable error messages from GSS libraries and so on. GSS-TSIG is sometimes quite hard to debug so this extension could be a tremendous help! (Yes, all this may require some configurable policy to specify clients who can use ESD option.) I will be in Prague so I'm more than happy to discuss it there if there is enough interest. -- Petr Spacek @ Red Hat
- [DNSOP] Debugging DNSSEC SERVFAILs on resolver si… Petr Spacek
- Re: [DNSOP] Debugging DNSSEC SERVFAILs on resolve… Pier Carlo Chiodi
- Re: [DNSOP] Debugging DNSSEC SERVFAILs on resolve… Olafur Gudmundsson
- Re: [DNSOP] Debugging DNSSEC SERVFAILs on resolve… Evan Hunt
- Re: [DNSOP] Debugging DNSSEC SERVFAILs on resolve… Petr Spacek
- Re: [DNSOP] Debugging DNSSEC SERVFAILs on resolve… Evan Hunt
- Re: [DNSOP] Debugging DNSSEC SERVFAILs on resolve… Petr Spacek
- Re: [DNSOP] Debugging DNSSEC SERVFAILs on resolve… Evan Hunt
- Re: [DNSOP] Debugging DNSSEC SERVFAILs on resolve… Petr Spacek
- Re: [DNSOP] Debugging DNSSEC SERVFAILs on resolve… Petr Spacek