Re: [DNSOP] DNSSEC validates even if expired?

Bob Harold <rharolde@umich.edu> Thu, 14 May 2020 14:39 UTC

References: <CA+nkc8B6N8_CTJF570tfUYH0svcjCqR+1+o4zKJpRavuuqWyUA@mail.gmail.com> <20200514142450.GA36078@jurassic.vpn.mukund.org>
In-Reply-To: <20200514142450.GA36078@jurassic.vpn.mukund.org>
From: Bob Harold <rharolde@umich.edu>
Date: Thu, 14 May 2020 10:39:26 -0400
Message-ID: <CA+nkc8B-rbkSbiL3wpU9Q6F2fS56FvzQT5ahDZ4SeT=wUanOmw@mail.gmail.com>
To: Mukund Sivaraman <muks@mukund.org>
Cc: IETF DNSOP WG <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/a7EIrd22lsSKEX4VR6BEqB5_Dqo>
Subject: Re: [DNSOP] DNSSEC validates even if expired?
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>

On Thu, May 14, 2020 at 10:25 AM Mukund Sivaraman <muks@mukund.org> wrote:

> Hi Bob
>
> On Thu, May 14, 2020 at 10:02:45AM -0400, Bob Harold wrote:
> > I am preparing to enable DNSSEC validation, so I am working on alerts for
> > failed validations, so I can see whether they are user errors (that might
> > need negative trust anchors or other exceptions) or actual attacks.
> >
> > I stumbled on "mff.cuni.cz" which has RRSIG records that expired 3 months
> > ago, but my validating server still gives an answer and says that it is
> > valid.
> > Is that expected?
> >
> > BIND 9.11.4-P2-RedHat-9.11.4-9.P2.el7 (Extended Support Version) <id:7107deb>
> >
> > [hostmast@ns-umd-nsbs-1 named]$ delv mff.cuni.cz   @127.0.0.1
> > ;; validating mff.cuni.cz/DNSKEY: verify failed due to bad signature
> > (keyid=47500): RRSIG has expired
> > ; fully validated
> > mff.cuni.cz.            28546   IN      A       195.113.27.221
> > mff.cuni.cz.            28546   IN      RRSIG   A 13 3 28800 20200611045052 20200512043705 47500 mff.cuni.cz. ZbW+RXOvA24E+Fb0Z/M3OfMJdFD9vdRKD8nhylZSfB0fkq236lohWHGu 4A54HrqasAPkUHJd/LcoN1+k6bkAqw==
>
> delv is complaining a signature for the DNSKEY set has expired. There is
> a signature that has not expired though:
>
> [muks@jurassic ~]$ dig +rrcomments +dnssec mff.cuni.cz dnskey
>
> ; <<>> DiG 1.1.1.20200413085522.7eb91c6988 <<>> +rrcomments +dnssec mff.cuni.cz dnskey
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55595
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;mff.cuni.cz.                   IN      DNSKEY
>
> ;; ANSWER SECTION:
> mff.cuni.cz.            28291   IN      DNSKEY  257 3 13 1PMTgkDSUJEO8PbtFEtJ6sqtBUwlqv5yWMAQpedPoJtvJ9Oxoen3OJoF xEnZCFBCouNsR58PYdzYDowWEQAJVw==  ; KSK; alg = ECDSAP256SHA256 ; key id = 47500
> mff.cuni.cz.            28291   IN      RRSIG   DNSKEY 13 3 28800 20200206004306 20200107001237 47500 mff.cuni.cz. j9FdwbEIhxtLXPnTWNhTIuRDXEeF/1NDLoCT6obI+2LbjAEea9cfu3kr 1LKRJZRKmNlJIh4siJ+jQPXj7p+Kcw==
> mff.cuni.cz.            28291   IN      RRSIG   DNSKEY 13 3 28800 20200611043903 20200512034907 47500 mff.cuni.cz. +aAX+S8d8GpGLzytpqCAH0vLui8P2Pij9Y9TyiDIA4SsN1s02xSDz0ON iK6g8fwegqdiFv2yUqr/7XUZD0XSUw==
>
> ;; Query time: 1 msec
> ;; SERVER: 10.98.0.1#53(10.98.0.1)
> ;; WHEN: Thu May 14 19:53:56 IST 2020
> ;; MSG SIZE  rcvd: 334
>
> The second signature in the set above has not expired and is a valid
> path in the trust chain.
>
>                 Mukund
>

Thanks for explaining!  That was not clear, even when looking at places
like:
https://dnssec-analyzer.verisignlabs.com/mff.cuni.cz
https://dnsviz.net/d/mff.cuni.cz/dnssec/

-- 
Bob Harold
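The point of the exchange above, worked through as an added example (not code from the thread or from BIND): a validator authenticates an RRset when at least one RRSIG over it verifies (RFC 4035 section 5.3.1), so an expired RRSIG sitting beside an unexpired one does not make the RRset bogus, and delv's "RRSIG has expired" line refers to the one signature it tried first, while "fully validated" refers to the set. The code below parses the RRSIG records quoted in the thread (rejoined onto single lines) and applies only the inception/expiration check, using the serial-number comparison RFC 4034 section 3.1.5 requires; it does no signature cryptography and assumes the presentation-format times are UTC, as they are. The timestamp used for "now" is the time of Mukund's dig run converted to UTC; the other two probe times are constructed to show the windows opening and closing.

```python
"""Time-window check for the RRSIGs of one RRset, as a DNSSEC validator does it.

Added example for the thread above, not code from the original message or
from BIND.  Only the inception/expiration part of RFC 4035 section 5.3.1
validation is done here; there is no signature cryptography.
"""
from datetime import datetime, timezone

# RRSIG records from the dig and delv output quoted in the thread, rejoined
# onto single lines (RFC 4034 section 3.2 presentation format).  The space
# inside the base64 is how dig printed it and is allowed by the format.
RRSIG_LINES = [
    "mff.cuni.cz. 28291 IN RRSIG DNSKEY 13 3 28800 20200206004306 20200107001237 47500 mff.cuni.cz. "
    "j9FdwbEIhxtLXPnTWNhTIuRDXEeF/1NDLoCT6obI+2LbjAEea9cfu3kr 1LKRJZRKmNlJIh4siJ+jQPXj7p+Kcw==",
    "mff.cuni.cz. 28291 IN RRSIG DNSKEY 13 3 28800 20200611043903 20200512034907 47500 mff.cuni.cz. "
    "+aAX+S8d8GpGLzytpqCAH0vLui8P2Pij9Y9TyiDIA4SsN1s02xSDz0ON iK6g8fwegqdiFv2yUqr/7XUZD0XSUw==",
    "mff.cuni.cz. 28546 IN RRSIG A 13 3 28800 20200611045052 20200512043705 47500 mff.cuni.cz. "
    "ZbW+RXOvA24E+Fb0Z/M3OfMJdFD9vdRKD8nhylZSfB0fkq236lohWHGu 4A54HrqasAPkUHJd/LcoN1+k6bkAqw==",
]

TWO32 = 1 << 32


def rrsig_time(s):
    """YYYYMMDDHHmmSS in UTC -> seconds since the epoch as a 32-bit value."""
    dt = datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % TWO32


def parse_rrsig(line):
    """Split one presentation-format RRSIG into its named RDATA fields."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "owner": f[0],
        "type_covered": f[4],
        "algorithm": int(f[5]),
        "labels": int(f[6]),
        "original_ttl": int(f[7]),
        "expiration": rrsig_time(f[8]),
        "inception": rrsig_time(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
        "signature": "".join(f[12:]),  # base64 may be split by dig or the MUA
    }


def serial_le(a, b):
    """a <= b in RFC 1982 serial arithmetic, as RFC 4034 section 3.1.5 requires."""
    return a == b or (b - a) % TWO32 < TWO32 // 2


def sig_time_status(sig, now):
    """'valid', 'expired' or 'not yet valid' for a single RRSIG at time now."""
    if not serial_le(sig["inception"], now):
        return "not yet valid"
    if not serial_le(now, sig["expiration"]):
        return "expired"
    return "valid"


def rrset_time_valid(lines, type_covered, now):
    """Return (any_valid, [(key_tag, status), ...]) for the RRSIGs over one type.

    any_valid is the validator rule from RFC 4035 section 5.3.1: the RRset
    passes the time check as soon as one of its RRSIGs is inside its window,
    however many others have expired.
    """
    sigs = [s for s in map(parse_rrsig, lines) if s["type_covered"] == type_covered]
    statuses = [(s["key_tag"], sig_time_status(s, now)) for s in sigs]
    return any(st == "valid" for _, st in statuses), statuses


if __name__ == "__main__":
    # The moment Mukund ran dig: Thu May 14 19:53:56 IST 2020 = 14:23:56 UTC.
    now = rrsig_time("20200514142356")
    for rtype in ("DNSKEY", "A"):
        ok, statuses = rrset_time_valid(RRSIG_LINES, rtype, now)
        print(rtype, "RRset:", "passes time check" if ok else "bogus", statuses)
```

For alerting on a validating resolver this is the distinction that matters: a per-signature "RRSIG has expired" message is expected whenever a zone keeps an old signature in the RRset alongside a fresh one, so an alert should key on the final validation outcome for the RRset (SERVFAIL or a bogus result), not on the first expired signature a tool happens to report.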