[DNSOP] DNSSEC validates even if expired?

Bob Harold <rharolde@umich.edu> Thu, 14 May 2020 14:03 UTC

From: Bob Harold <rharolde@umich.edu>
Date: Thu, 14 May 2020 10:02:45 -0400
Message-ID: <CA+nkc8B6N8_CTJF570tfUYH0svcjCqR+1+o4zKJpRavuuqWyUA@mail.gmail.com>
To: IETF DNSOP WG <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7gJ26eKt0wOoSGU7Sm6dtFcj7p8>
Subject: [DNSOP] DNSSEC validates even if expired?

I am preparing to enable DNSSEC validation, so I am working on alerts for
failed validations, to let me see whether they are user errors (which might
need negative trust anchors or other exceptions) or actual attacks.

I stumbled on "mff.cuni.cz" which has RRSIG records that expired 3 months
ago, but my validating server still gives an answer and says that it is
valid.
Is that expected?

BIND 9.11.4-P2-RedHat-9.11.4-9.P2.el7 (Extended Support Version)
<id:7107deb>

[hostmast@ns-umd-nsbs-1 named]$ delv mff.cuni.cz   @127.0.0.1
;; validating mff.cuni.cz/DNSKEY: verify failed due to bad signature
(keyid=47500): RRSIG has expired
; fully validated
mff.cuni.cz.            28546   IN      A       195.113.27.221
mff.cuni.cz.            28546   IN      RRSIG   A 13 3 28800 20200611045052
20200512043705 47500 mff.cuni.cz.
ZbW+RXOvA24E+Fb0Z/M3OfMJdFD9vdRKD8nhylZSfB0fkq236lohWHGu
4A54HrqasAPkUHJd/LcoN1+k6bkAqw==

[hostmast@ns-umd-nsbs-1 named]$ dig mff.cuni.cz @127.0.0.1 +adflag

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> mff.cuni.cz @127.0.0.1
+adflag
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17300
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mff.cuni.cz.                   IN      A

;; ANSWER SECTION:
mff.cuni.cz.            28784   IN      A       195.113.27.221

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 14 09:51:53 EDT 2020
;; MSG SIZE  rcvd: 56

-- 
Bob Harold
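The checks behind the question above, as an added example that is not part of Bob Harold's post and not BIND or delv code: it parses RRSIG records in presentation format (joining the line wrapping the mail client introduced), evaluates the inception/expiration window the way RFC 4035 section 5.3.1 describes, using the RFC 1982 serial-number comparison that RFC 4034 section 3.1.5 requires for those 32-bit timestamps, treats an RRset as covered as soon as one of its RRSIGs is within its window (which is why one stale signature beside a fresh one does not by itself make an answer bogus), lists the stale signatures an operator would still want to alert on, and reads the `flags:` line of a dig answer to report whether the AD bit was set. The first RRSIG is copied from the post; the second RRSIG and the validator clock are constructed values for the demonstration.

```python
"""Added example, not from the post or from BIND: RRSIG validity-window
and dig AD-flag checks for a DNSSEC validation alerting script."""
import re
from datetime import datetime, timezone

TWO32 = 1 << 32


def rrsig_time_to_unix(ts: str) -> int:
    """RRSIG presentation format YYYYMMDDHHmmSS (UTC) -> seconds since epoch."""
    return int(datetime.strptime(ts, "%Y%m%d%H%M%S")
               .replace(tzinfo=timezone.utc).timestamp())


def serial_lt(i1: int, i2: int) -> bool:
    """RFC 1982 'i1 < i2' on 32-bit serial numbers, so a clock or timestamp
    that has wrapped past 2^32 still compares the way RFC 4034 3.1.5 says."""
    d = (i2 - i1) % TWO32
    return 0 < d < (1 << 31)


def parse_rrsig(text: str) -> dict:
    """Parse one RRSIG RR in presentation format; wrapped lines are joined
    by splitting on any whitespace (the post's record arrived over four lines)."""
    f = text.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % text)
    return {
        "owner": f[0], "ttl": int(f[1]), "type_covered": f[4],
        "algorithm": int(f[5]), "labels": int(f[6]), "original_ttl": int(f[7]),
        "expiration": rrsig_time_to_unix(f[8]),
        "inception": rrsig_time_to_unix(f[9]),
        "key_tag": int(f[10]), "signer": f[11],
        "signature": "".join(f[12:]),  # base64, possibly wrapped
    }


def rrsig_status(rrsig: dict, now: int) -> str:
    """RFC 4035 5.3.1: now must be <= expiration and >= inception."""
    if serial_lt(rrsig["expiration"], now):
        return "expired"
    if serial_lt(now, rrsig["inception"]):
        return "not-yet-valid"
    return "valid"


def rrset_has_valid_rrsig(rrsigs, now: int) -> bool:
    """An RRset is usable once any one RRSIG over it is within its window;
    a validator only needs one signature it can verify."""
    return any(rrsig_status(r, now) == "valid" for r in rrsigs)


def stale_rrsig_alerts(rrsigs, now: int) -> list:
    """What an alerting script would report: signatures outside their window,
    even when a sibling RRSIG still covers the RRset (a sign the zone's
    re-signing is lagging, not an attack on its own)."""
    return ["%s/%s keyid=%d: %s" % (r["owner"], r["type_covered"],
                                     r["key_tag"], rrsig_status(r, now))
            for r in rrsigs if rrsig_status(r, now) != "valid"]


def dig_flags(flags_line: str) -> set:
    """Flags from a dig ';; flags: ...;' line; 'ad' means the resolver
    asserted the answer as authenticated data."""
    m = re.search(r"flags:\s*([^;]*);", flags_line)
    return set(m.group(1).split()) if m else set()


# RRSIG copied from the post (the mail client wrapped it over four lines).
POST_RRSIG = ("mff.cuni.cz.            28546   IN      RRSIG   A 13 3 28800 "
              "20200611045052\n20200512043705 47500 mff.cuni.cz.\n"
              "ZbW+RXOvA24E+Fb0Z/M3OfMJdFD9vdRKD8nhylZSfB0fkq236lohWHGu\n"
              "4A54HrqasAPkUHJd/LcoN1+k6bkAqw==")
# Constructed: a signature whose window closed three months before the post.
STALE_RRSIG = ("mff.cuni.cz. 28546 IN RRSIG A 13 3 28800 20200214000000 "
               "20200115000000 47500 mff.cuni.cz. AAAA")
# Constructed validator clock: the post's own timestamp, 14 May 2020 14:03:02 UTC.
NOW = int(datetime(2020, 5, 14, 14, 3, 2, tzinfo=timezone.utc).timestamp())
DIG_FLAGS_LINE = ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"

if __name__ == "__main__":
    sigs = [parse_rrsig(STALE_RRSIG), parse_rrsig(POST_RRSIG)]
    for s in sigs:
        print("keyid=%d %s" % (s["key_tag"], rrsig_status(s, NOW)))
    print("RRset covered by a valid RRSIG:", rrset_has_valid_rrsig(sigs, NOW))
    print("alerts:", stale_rrsig_alerts(sigs, NOW))
    print("AD set:", "ad" in dig_flags(DIG_FLAGS_LINE))
```

Run stand-alone it reports the copied RRSIG as valid at the post's time, the constructed one as expired, the RRset as still covered, one alert line, and the AD bit as set. Feeding it the RRSIGs from a `delv` or `dig +dnssec` answer together with the resolver's flags line separates "one signature is stale but another still verifies" from "the AD bit is missing", which is the distinction the alerting described in the post needs.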