Re: [dnsext] duplicate RRs and resulting RRSIG
Mohan Parthasarathy <suruti94@gmail.com> Wed, 04 January 2012 20:39 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B4B511E80A6; Wed, 4 Jan 2012 12:39:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1325709549; bh=3WsqSTrngKl/5nhlpnLQ267EtmlAxPlhJcXCDpuw4aQ=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:From:To:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Content-Transfer-Encoding:Sender; b=MFUXbH8JASZVGbTBoH82jy4ca+iO/BMewmsUbhaXFQzz95JQq1vqH2ZGqVan5fS0n 06xYaj4QKAlj3wgiL1O8t157NXhivkBFTfmj53bKwZHhEWxS60yMwNN1Y3stb+s2Ty 50J+tpnpIcdXGz0KgoyyfghJL+SGYVwSMOQpUkSY=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E04A11E809F for <dnsext@ietfa.amsl.com>; Wed, 4 Jan 2012 12:39:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FNrTybLJ73Uu for <dnsext@ietfa.amsl.com>; Wed, 4 Jan 2012 12:39:06 -0800 (PST)
Received: from mail-qw0-f44.google.com (mail-qw0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id CB70C11E80A6 for <dnsext@ietf.org>; Wed, 4 Jan 2012 12:39:06 -0800 (PST)
Received: by qadb15 with SMTP id b15so10466199qad.10 for <dnsext@ietf.org>; Wed, 04 Jan 2012 12:39:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=WXvQ1GKixOyNjPpkWr8SQk2sOeMFBtP3OdlU13DaU84=; b=SFMiJmmqMtBPUb9ziWf0HGTuYu6hXIcXdPAVC8+WjVDuWvI01RoQ1SjnAvnFhwiG+0 TKtvQigx6qkJFCeA6SJEker2y/ZDegoDM4XecwfxZTIc4qQrtamCpgF5pqWVyCvFd6MD 9CRWyZnsA+RCL/Q2L3a7EnFt8ttr1egvcwHJA=
MIME-Version: 1.0
Received: by 10.224.202.130 with SMTP id fe2mr14143052qab.16.1325709544924; Wed, 04 Jan 2012 12:39:04 -0800 (PST)
Received: by 10.229.212.4 with HTTP; Wed, 4 Jan 2012 12:39:04 -0800 (PST)
In-Reply-To: <CA+wr5LX8DbiGZnxEtQxRMsiW3Y+RnVHMZsBnuge=783BTL5PiQ@mail.gmail.com>
References: <CA+wr5LX8DbiGZnxEtQxRMsiW3Y+RnVHMZsBnuge=783BTL5PiQ@mail.gmail.com>
Date: Wed, 04 Jan 2012 12:39:04 -0800
Message-ID: <CACU5sDm8UZMqkL_jp-jrz5P6S_mOi8mYdi9xNUp7J=5k85d8zA@mail.gmail.com>
From: Mohan Parthasarathy <suruti94@gmail.com>
To: bert hubert <bert.hubert@netherlabs.nl>
Cc: "dnsext@ietf.org" <dnsext@ietf.org>
Subject: Re: [dnsext] duplicate RRs and resulting RRSIG
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
On Wed, Jan 4, 2012 at 12:26 PM, bert hubert <bert.hubert@netherlabs.nl> wrote: > Hi everybody, > > As part of a recent very big PowerDNS deployment as a DNSSEC signer, > we've encountered an interesting issue. I'm sharing this here in hopes > of hearing your wisdom, plus possibly to warn you about this happening > in your code or deployments too. > > In a zone there are three MX RRs for a name, of which 2 are identical. > PowerDNS signs all three records in canonical order when the zone is > transferred to BIND (at least I think it is BIND). > > That server subsequently drops one of the two identical records, and > serves only two MX RRs to the world, BUT with the RRSIG that was > calculated from all three records. Bad data ensues, and bounced > emails, since this is in the country that actually validates. > > Now, there are at least 3 places where we might call 'bug': 1) the > process that put duplicate RRs in the database 2) PowerDNS for signing > the 3 RRs or 3) the 'outer' server for silently dropping one of the > RRs, in the assumption that the RRSIG will survice this process. > > RFC 2181, section 5, says that servers should (lower case) 'suppress' > duplicate RRSIGs, which would argue that at least PowerDNS is > partially to blame, and should've dropped the duplicate record. > However, the outer server I think should also not feel free to drop > records on an DNSSEC signed zone. > Section 6.3 of RFC 4034 states: 6.3. Canonical RR Ordering within an RRset For the purposes of DNS security, RRs with the same owner name, class, and type are sorted by treating the RDATA portion of the canonical form of each RR as a left-justified unsigned octet sequence in which the absence of an octet sorts before a zero octet. [RFC2181] specifies that an RRset is not allowed to contain duplicate records (multiple RRs with the same owner name, class, type, and RDATA). Therefore, if an implementation detects duplicate RRs when putting the RRset in canonical form, it MUST treat this as a protocol error. If the implementation chooses to handle this protocol error in the spirit of the robustness principle (being liberal in what it accepts), it MUST remove all but one of the duplicate RR(s) for the purposes of calculating the canonical form of the RRset. Going by this, PowerDNS should have removed the duplicate RRs before signing. -mohan > > What do you think? > > Bert > _______________________________________________ > dnsext mailing list > dnsext@ietf.org > https://www.ietf.org/mailman/listinfo/dnsext _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- [dnsext] duplicate RRs and resulting RRSIG bert hubert
- Re: [dnsext] duplicate RRs and resulting RRSIG Mohan Parthasarathy
- Re: [dnsext] duplicate RRs and resulting RRSIG bmanning
- Re: [dnsext] duplicate RRs and resulting RRSIG bert hubert
- Re: [dnsext] duplicate RRs and resulting RRSIG Doug Barton
- Re: [dnsext] duplicate RRs and resulting RRSIG SM
- Re: [dnsext] duplicate RRs and resulting RRSIG Marco Davids (SIDN)
- Re: [dnsext] duplicate RRs and resulting RRSIG Tony Finch
- Re: [dnsext] duplicate RRs and resulting RRSIG Tony Finch