Re: [DNSOP] DNSSEC validates even if expired?
Mukund Sivaraman <muks@mukund.org> Thu, 14 May 2020 14:25 UTC
Date: Thu, 14 May 2020 19:54:50 +0530
From: Mukund Sivaraman <muks@mukund.org>
To: Bob Harold <rharolde@umich.edu>
Cc: IETF DNSOP WG <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tjtAvORJF-gmijO5kN39J09t6Zc>
Hi Bob

On Thu, May 14, 2020 at 10:02:45AM -0400, Bob Harold wrote:
> I am preparing to enable DNSSEC validation, so I am working on alerts for
> failed validations, so I can see whether they are user errors (that might
> need negative trust anchors or other exceptions) or actual attacks.
>
> I stumbled on "mff.cuni.cz" which has RRSIG records that expired 3 months
> ago, but my validating server still gives an answer and says that it is
> valid.
> Is that expected?
>
> BIND 9.11.4-P2-RedHat-9.11.4-9.P2.el7 (Extended Support Version)
> <id:7107deb>
>
> [hostmast@ns-umd-nsbs-1 named]$ delv mff.cuni.cz @127.0.0.1
> ;; validating mff.cuni.cz/DNSKEY: verify failed due to bad signature
> (keyid=47500): RRSIG has expired
> ; fully validated
> mff.cuni.cz. 28546 IN A 195.113.27.221
> mff.cuni.cz. 28546 IN RRSIG A 13 3 28800 20200611045052
> 20200512043705 47500 mff.cuni.cz.
> ZbW+RXOvA24E+Fb0Z/M3OfMJdFD9vdRKD8nhylZSfB0fkq236lohWHGu
> 4A54HrqasAPkUHJd/LcoN1+k6bkAqw==

delv is complaining a signature for the DNSKEY set has expired. There is a
signature that has not expired though:

[muks@jurassic ~]$ dig +rrcomments +dnssec mff.cuni.cz dnskey

; <<>> DiG 1.1.1.20200413085522.7eb91c6988 <<>> +rrcomments +dnssec mff.cuni.cz dnskey
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55595
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mff.cuni.cz.                   IN      DNSKEY

;; ANSWER SECTION:
mff.cuni.cz.            28291   IN      DNSKEY  257 3 13 1PMTgkDSUJEO8PbtFEtJ6sqtBUwlqv5yWMAQpedPoJtvJ9Oxoen3OJoF xEnZCFBCouNsR58PYdzYDowWEQAJVw==  ; KSK; alg = ECDSAP256SHA256 ; key id = 47500
mff.cuni.cz.            28291   IN      RRSIG   DNSKEY 13 3 28800 20200206004306 20200107001237 47500 mff.cuni.cz. j9FdwbEIhxtLXPnTWNhTIuRDXEeF/1NDLoCT6obI+2LbjAEea9cfu3kr 1LKRJZRKmNlJIh4siJ+jQPXj7p+Kcw==
mff.cuni.cz.            28291   IN      RRSIG   DNSKEY 13 3 28800 20200611043903 20200512034907 47500 mff.cuni.cz. +aAX+S8d8GpGLzytpqCAH0vLui8P2Pij9Y9TyiDIA4SsN1s02xSDz0ON iK6g8fwegqdiFv2yUqr/7XUZD0XSUw==

;; Query time: 1 msec
;; SERVER: 10.98.0.1#53(10.98.0.1)
;; WHEN: Thu May 14 19:53:56 IST 2020
;; MSG SIZE  rcvd: 334

The second signature in the set above has not expired and is a valid path
in the trust chain.

                Mukund
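As an added example (not code from the thread), the check behind the alerting Bob describes: given the RRSIGs over the mff.cuni.cz DNSKEY RRset from the dig output above, report the temporal state of each signature and raise an alert only when no signature in the set is within its validity window, since a validator needs just one verifying RRSIG per RRset. It assumes a validator clock near the thread's posting time and does not perform the cryptographic verification itself.

```python
from datetime import datetime, timezone

# Constructed sample input: the two RRSIGs over the mff.cuni.cz DNSKEY RRset
# as printed by dig in the thread (base64 wrapped with a space, as dig shows it).
DNSKEY_RRSIGS = [
    "mff.cuni.cz. 28291 IN RRSIG DNSKEY 13 3 28800 20200206004306 20200107001237 "
    "47500 mff.cuni.cz. j9FdwbEIhxtLXPnTWNhTIuRDXEeF/1NDLoCT6obI+2LbjAEea9cfu3kr "
    "1LKRJZRKmNlJIh4siJ+jQPXj7p+Kcw==",
    "mff.cuni.cz. 28291 IN RRSIG DNSKEY 13 3 28800 20200611043903 20200512034907 "
    "47500 mff.cuni.cz. +aAX+S8d8GpGLzytpqCAH0vLui8P2Pij9Y9TyiDIA4SsN1s02xSDz0ON "
    "iK6g8fwegqdiFv2yUqr/7XUZD0XSUw==",
]

def rrsig_time(field):
    # RRSIG presentation format gives expiration/inception as YYYYMMDDHHmmSS in UTC (RFC 4034 s3.2).
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    # Fields: owner ttl class RRSIG type_covered alg labels orig_ttl expiration inception keytag signer sig...
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {"type_covered": f[4], "algorithm": int(f[5]),
            "expiration": rrsig_time(f[8]), "inception": rrsig_time(f[9]),
            "keytag": int(f[10]), "signer": f[11], "signature": "".join(f[12:])}

def temporal_state(sig, now):
    # RFC 4035 s5.3.1: the validator's current time must lie within [inception, expiration].
    if now < sig["inception"]:
        return "not-yet-valid"
    if now > sig["expiration"]:
        return "expired"
    return "valid"

def classify_rrset_signatures(lines, now):
    """Return (verdict, [(expiration, keytag, state), ...]) for one RRset's RRSIGs.

    An RRset is authenticated if ANY of its RRSIGs verifies (RFC 4035 s5.3.3), so an
    alert is only warranted when no signature is inside its validity window. An
    expired RRSIG beside a valid one, as in the thread, is noise, not a failure.
    """
    states = []
    for line in lines:
        sig = parse_rrsig(line)
        states.append((sig["expiration"].strftime("%Y%m%d%H%M%S"), sig["keytag"],
                       temporal_state(sig, now)))
    verdict = "ok" if any(state == "valid" for _, _, state in states) else "alert"
    return verdict, states

if __name__ == "__main__":
    # Roughly when the thread was posted (14 May 2020, 14:24 UTC).
    print(classify_rrset_signatures(DNSKEY_RRSIGS, rrsig_time("20200514142400")))
```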