Re: [DNSOP] How Slack didn't turn on DNSSEC
Tim Wicinski <tjw.ietf@gmail.com> Wed, 01 December 2021 11:08 UTC
References: <m1msK9b-0000HrC@stereo.hq.phicoh.net> <C3D5AC3A-CA5A-4F33-8BDA-DDFADD23649C@isc.org> <m1msN8S-0000HPC@stereo.hq.phicoh.net>
In-Reply-To: <m1msN8S-0000HPC@stereo.hq.phicoh.net>
From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Wed, 01 Dec 2021 06:07:47 -0500
Message-ID: <CADyWQ+FsS57YkN-fpqRdBSLMJGsCWyE4wdrENTUQw-ZFw+HXbA@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/4XHOQrvhN-PAfiAhoPAjiS-EFBU>
Subject: Re: [DNSOP] How Slack didn't turn on DNSSEC
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
What I noticed in reading this nice write-up was the warning image they missed in the Route53 console because of the automation they use. But most folks use automation/tooling/etc. in their workflow, and catching those warnings via automation is a bit tricky.

Right after this happened, several different teams looking to sign their zones got a little nervous. This write-up helps to show people how things can break, but also, there is a great set of testing methods to assist others.

Mark's comments about adding tests in DNSVIZ would be pretty great.

tim

On Wed, Dec 1, 2021 at 5:47 AM Philip Homburg <pch-dnsop-4@u-1.phicoh.com> wrote:

> > Also stop hiding this breakage. Knot and unbound ignore the NSEC
> > records which trigger this when synthesising. All it does is push
> > the problem down the road and makes it harder for others to do
> > proper synthesis based on the records returned.
>
> I'm confused what this means. In the report from Slack about the incident
> I found that the problem started with a bad NSEC record, shown in their
> debug output as:
>
> qqq.slackexperts.com. 2370 IN NSEC \000.qqq.slackexperts.com. RRSIG NSEC
>
> This is returned in response to a AAAA query. The intent was that the NSEC
> record should have the 'A' bit as well.
>
> What exactly do Knot and Unbound ignore in this case?
>
> Is it that they should have special processing for an NSEC that has only
> RRSIG and NSEC and nothing more?
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
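The two halves of the problem discussed above, the signer-side NSEC bitmap that omits a type that really exists, and the resolver-side aggressive NSEC use (RFC 8198) that turns that omission into a cached NODATA for the missing type, can both be made concrete in code. The following is an added example, not code from Slack, Route53, Knot, Unbound or anyone in the thread: it encodes and decodes the RFC 4034 type bitmap, runs the kind of pre-publication check that catches an NSEC whose bitmap disagrees with the zone (the sort of automated test the message asks for), and models the NODATA synthesis that made the name "disappear" for A queries. The zone content is constructed, shaped after the qqq.slackexperts.com record quoted in the thread; the `distrust_empty_bitmap` switch is an assumption that roughly models the resolver behaviour the quoted message describes, not a description of what either resolver actually does.

```python
"""Check NSEC type bitmaps against the RRsets actually present at the owner,
and show how a resolver doing aggressive NSEC use (RFC 8198) turns a wrong
bitmap into a synthesized NODATA answer.  Added example; the zone data is
constructed, modelled on the qqq.slackexperts.com NSEC quoted in the thread."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set

# RR type codes used here (RFC 1035, RFC 3596, RFC 4034).
TYPE_CODES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16,
              "AAAA": 28, "RRSIG": 46, "NSEC": 47, "DNSKEY": 48}
CODE_TYPES = {v: k for k, v in TYPE_CODES.items()}


def encode_type_bitmap(types: Iterable[str]) -> bytes:
    """RFC 4034 section 4.1.2 wire format: one (window, length, bitmap) block
    per 256-type window, trailing zero octets of each bitmap omitted."""
    windows: Dict[int, bytearray] = {}
    for t in types:
        win, low = divmod(TYPE_CODES[t], 256)
        windows.setdefault(win, bytearray(32))[low // 8] |= 0x80 >> (low % 8)
    out = bytearray()
    for win in sorted(windows):
        bm = windows[win]
        while len(bm) > 1 and bm[-1] == 0:
            bm.pop()
        out += bytes([win, len(bm)]) + bm
    return bytes(out)


def decode_type_bitmap(data: bytes) -> FrozenSet[int]:
    """Inverse of encode_type_bitmap; returns numeric type codes."""
    codes: Set[int] = set()
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        win, length = data[i], data[i + 1]
        if not 1 <= length <= 32:
            raise ValueError(f"bitmap length {length} outside 1..32")
        bm = data[i + 2:i + 2 + length]
        if len(bm) != length:
            raise ValueError("truncated bitmap")
        for octet_index, octet in enumerate(bm):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    codes.add(win * 256 + octet_index * 8 + bit)
        i += 2 + length
    return frozenset(codes)


@dataclass(frozen=True)
class NSEC:
    owner: str        # owner name, fully qualified
    next_name: str    # next owner name in canonical order
    bitmap: bytes     # wire-format type bitmap


def type_names(codes: Iterable[int]) -> FrozenSet[str]:
    return frozenset(CODE_TYPES.get(c, f"TYPE{c}") for c in codes)


def audit_nsec_bitmaps(zone: Dict[str, Set[str]], nsecs: Dict[str, NSEC]) -> List[str]:
    """Zone-level check a signing pipeline can run before publishing: every
    NSEC bitmap must list exactly the types present at its owner, plus the
    RRSIG and NSEC the signer itself adds.  Returns human-readable findings."""
    findings = []
    for owner, nsec in nsecs.items():
        expected = frozenset(zone.get(owner, set())) | {"RRSIG", "NSEC"}
        listed = type_names(decode_type_bitmap(nsec.bitmap))
        missing, bogus = expected - listed, listed - expected
        if missing:
            findings.append(f"{owner}: NSEC bitmap omits {sorted(missing)}")
        if bogus:
            findings.append(f"{owner}: NSEC bitmap lists absent {sorted(bogus)}")
    return findings


def synthesize_nodata(cached: NSEC, qname: str, qtype: str,
                      distrust_empty_bitmap: bool = False) -> Optional[str]:
    """RFC 8198 section 5.1, NODATA case only: if a cached, validated NSEC is
    owned by qname and its bitmap lacks qtype, the resolver may answer NODATA
    from cache without asking the authoritative server.  (The NXDOMAIN and
    wildcard cases of RFC 8198 are not modelled.)  distrust_empty_bitmap is an
    assumption: it skips synthesis from an NSEC listing nothing but RRSIG and
    NSEC, which hides this class of signer bug instead of exposing it."""
    if cached.owner.lower() != qname.lower():
        return None                      # not the owner: not a NODATA proof
    listed = decode_type_bitmap(cached.bitmap)
    if distrust_empty_bitmap and listed <= {TYPE_CODES["RRSIG"], TYPE_CODES["NSEC"]}:
        return None                      # fall through to a real query
    if TYPE_CODES[qtype] in listed:
        return None                      # type exists; must fetch it
    return "NODATA"


# Constructed sample: the zone really has an A record at qqq, but the signer
# produced an NSEC listing only RRSIG and NSEC, the shape quoted in the thread.
ZONE = {"qqq.slackexperts.com.": {"A"}}
BAD_NSEC = NSEC("qqq.slackexperts.com.", "\\000.qqq.slackexperts.com.",
                encode_type_bitmap({"RRSIG", "NSEC"}))
GOOD_NSEC = NSEC("qqq.slackexperts.com.", "\\000.qqq.slackexperts.com.",
                 encode_type_bitmap({"A", "RRSIG", "NSEC"}))

if __name__ == "__main__":
    print(audit_nsec_bitmaps(ZONE, {BAD_NSEC.owner: BAD_NSEC}))
    # A resolver that cached BAD_NSEC from an AAAA lookup now answers A queries
    # with NODATA from cache: the name "disappears" for A even though it exists.
    print(synthesize_nodata(BAD_NSEC, "qqq.slackexperts.com.", "A"))
    print(synthesize_nodata(GOOD_NSEC, "qqq.slackexperts.com.", "A"))
```

The audit is the piece worth wiring into a signing or deployment pipeline: it needs only the unsigned zone and the NSEC chain the signer emitted, so it can run before the DS is published and fail the deploy on the first mismatch. The resolver side shows why such a check matters: once a validating resolver has cached the bad NSEC for an AAAA lookup, nothing in the A query path ever reaches the authoritative server until the NSEC's TTL expires.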
- [DNSOP] How Slack didn't turn on DNSSEC John Levine
- Re: [DNSOP] How Slack didn't turn on DNSSEC Viktor Dukhovni
- Re: [DNSOP] How Slack didn't turn on DNSSEC Philip Homburg
- Re: [DNSOP] How Slack didn't turn on DNSSEC Mark Andrews
- Re: [DNSOP] How Slack didn't turn on DNSSEC Mark Andrews
- Re: [DNSOP] How Slack didn't turn on DNSSEC Vladimír Čunát
- Re: [DNSOP] How Slack didn't turn on DNSSEC Philip Homburg
- Re: [DNSOP] How Slack didn't turn on DNSSEC libor.peltan
- Re: [DNSOP] How Slack didn't turn on DNSSEC Tim Wicinski
- Re: [DNSOP] How Slack didn't turn on DNSSEC Mark Andrews
- Re: [DNSOP] How Slack didn't turn on DNSSEC Vladimír Čunát
- Re: [DNSOP] How Slack didn't turn on DNSSEC Mark Andrews
- Re: [DNSOP] How Slack didn't turn on DNSSEC Vladimír Čunát
- Re: [DNSOP] How Slack didn't turn on DNSSEC Mark Andrews
- Re: [DNSOP] How Slack didn't turn on DNSSEC Paul Vixie
- Re: [DNSOP] How Slack didn't turn on DNSSEC Andrew Sullivan
- Re: [DNSOP] How Slack didn't turn on DNSSEC Jim Reid
- Re: [DNSOP] How Slack didn't turn on DNSSEC Viktor Dukhovni
- Re: [DNSOP] How Slack didn't turn on DNSSEC Paul Vixie
- Re: [DNSOP] How Slack didn't turn on DNSSEC Viktor Dukhovni
- Re: [DNSOP] How Slack didn't turn on DNSSEC John Levine
- Re: [DNSOP] How Slack didn't turn on DNSSEC Petr Špaček
- Re: [DNSOP] How Slack didn't turn on DNSSEC - is … Petr Špaček
- Re: [DNSOP] How Slack didn't turn on DNSSEC Philip Homburg
- Re: [DNSOP] How Slack didn't turn on DNSSEC Mark Andrews