Re: [dnsext] duplicate RRs and resulting RRSIG

bmanning@vacation.karoshi.com Wed, 04 January 2012 20:54 UTC

Date: Wed, 04 Jan 2012 20:54:14 +0000
From: bmanning@vacation.karoshi.com
To: bert hubert <bert.hubert@netherlabs.nl>
Message-ID: <20120104205414.GB3917@vacation.karoshi.com.>
References: <CA+wr5LX8DbiGZnxEtQxRMsiW3Y+RnVHMZsBnuge=783BTL5PiQ@mail.gmail.com>
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <CA+wr5LX8DbiGZnxEtQxRMsiW3Y+RnVHMZsBnuge=783BTL5PiQ@mail.gmail.com>
User-Agent: Mutt/1.4.1i
Cc: "dnsext@ietf.org" <dnsext@ietf.org>
Subject: Re: [dnsext] duplicate RRs and resulting RRSIG

On Wed, Jan 04, 2012 at 09:26:44PM +0100, bert hubert wrote:
> Hi everybody,
> 
> As part of a recent very big PowerDNS deployment as a DNSSEC signer,
> we've encountered an interesting issue. I'm sharing this here in hopes
> of hearing your wisdom, plus possibly to warn you about this happening
> in your code or deployments too.
> 
> In a zone there are three MX RRs for a name, of which 2 are identical.
> PowerDNS signs all three records in canonical order when the zone is
> transferred to BIND (at least I think it is BIND).
> 
> That server subsequently drops one of the two identical records, and
> serves only two MX RRs to the world, BUT with the RRSIG that was
> calculated from all three records. Bad data ensues, and bounced
> emails, since this is in the country that actually validates.
> 
> Now, there are at least 3 places where we might call 'bug': 1) the
> process that put duplicate RRs in the database 2) PowerDNS for signing
> the 3 RRs or 3) the 'outer' server for silently dropping one of the
> RRs, in the assumption that the RRSIG will survive this process.
> 
> RFC 2181, section 5, says that servers should (lower case) 'suppress'
> duplicate RRSIGs, which would argue that at least PowerDNS is
> partially to blame, and should've dropped the duplicate record.
> However, the outer server I think should also not feel free to drop
> records on a DNSSEC-signed zone.
> 
> What do you think?
> 
>     Bert


RFC 2181 is DNSSEC oblivious.

What you are asserting is that prior to signing, you have two -identical- RRs... 
which according to RFC 2181, would be two identical RRsets (of a single RR each).
Once signed however, the RRsets are no longer identical, the NSEC RRs don't match,
so you have three unique RRsets.  (this may require a more careful reading of the
definition of an RRset....)

So the bug might be in PowerDNS allowing for identical RRsets when one should be
suppressed.  Once signed however, the RRsets are different and the external DNS
server is ignoring the RRset and extracting just some of the RRs and doing the 
evaluation...

/bill
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext
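The following is an added example, not code from this thread, PowerDNS or BIND. It builds the canonical MX RRset wire form of RFC 4034 (section 6.2 for names, section 6.3 for ordering) over a constructed zone in which one MX record is duplicated, and hashes the data an RRSIG actually covers (RRSIG RDATA minus the signature field, followed by the canonical RRs) in three ways: with the duplicate kept, with the duplicate suppressed, and over the two records the outer server ends up serving. The owner name, exchanges, TTL, RRSIG fields and key tag are all constructed placeholders.

```python
import hashlib
import struct

MX_TYPE = 15
IN_CLASS = 1


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name (RFC 4034 section 6.2):
    lowercase, uncompressed, terminated by the zero-length root label."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def mx_rdata(preference: int, exchange: str) -> bytes:
    """MX RDATA in canonical form: 16-bit preference + lowercase exchange name."""
    return struct.pack("!H", preference) + name_to_wire(exchange)


def canonical_rr(owner: str, rrtype: int, rrclass: int, ttl: int, rdata: bytes) -> bytes:
    """One RR as it enters the signature computation (RFC 4034 section 3.1.8.1):
    owner | type | class | TTL | RDLENGTH | RDATA."""
    return (name_to_wire(owner)
            + struct.pack("!HHIH", rrtype, rrclass, ttl, len(rdata))
            + rdata)


def canonical_rrset(owner, rrtype, rrclass, ttl, rdatas, suppress_duplicates):
    """Sort RRs by RDATA as unsigned octet strings (RFC 4034 section 6.3).
    A conforming implementation removes duplicates before signing or
    validating; the non-conforming path hashes every copy it was given."""
    ordered = sorted(set(rdatas)) if suppress_duplicates else sorted(rdatas)
    return b"".join(canonical_rr(owner, rrtype, rrclass, ttl, rd) for rd in ordered)


def rrsig_rdata_prefix(type_covered, algorithm, labels, original_ttl,
                       expiration, inception, key_tag, signer):
    """RRSIG RDATA fields up to and including the signer's name
    (RFC 4034 section 3.1); the signature field itself is excluded."""
    return (struct.pack("!HBBIIIH", type_covered, algorithm, labels,
                        original_ttl, expiration, inception, key_tag)
            + name_to_wire(signer))


def signed_data_digest(rrsig_prefix: bytes, rrset_wire: bytes) -> str:
    """SHA-256 of the octets the signature is taken over. Two inputs with
    different digests can never share a valid RRSIG."""
    return hashlib.sha256(rrsig_prefix + rrset_wire).hexdigest()


def demonstrate() -> dict:
    """Digests for the three situations described in the thread."""
    owner, ttl = "example.com", 3600          # constructed owner and TTL
    # Constructed database rows: three MX RRs, two of them identical.
    db_rows = [
        mx_rdata(10, "mx1.example.com"),
        mx_rdata(20, "mx2.example.com"),
        mx_rdata(10, "mx1.example.com"),      # exact duplicate of the first row
    ]
    # Constructed RRSIG fields: algorithm 8 (RSA/SHA-256), 2 labels in the
    # owner name, placeholder validity window and key tag.
    prefix = rrsig_rdata_prefix(MX_TYPE, 8, 2, ttl, 1327000000, 1325000000,
                                12345, owner)
    # The outer server silently dropped the duplicate and serves two RRs.
    served_rows = [db_rows[0], db_rows[1]]
    return {
        "signer_kept_duplicate": signed_data_digest(
            prefix, canonical_rrset(owner, MX_TYPE, IN_CLASS, ttl, db_rows, False)),
        "signer_suppressed_duplicate": signed_data_digest(
            prefix, canonical_rrset(owner, MX_TYPE, IN_CLASS, ttl, db_rows, True)),
        "outer_server_serves": signed_data_digest(
            prefix, canonical_rrset(owner, MX_TYPE, IN_CLASS, ttl, served_rows, True)),
    }


if __name__ == "__main__":
    for label, digest in demonstrate().items():
        print(f"{label:30} {digest}")
```

The two digests that agree are the ones a validator can reconcile: RFC 4034 section 6.3 requires an implementation that finds duplicate RRs while canonicalizing to keep only one copy, so a validator that follows it computes exactly the "suppressed duplicate" data whether it received two RRs or three. The signature a signer produced over the three-copy data therefore fails at such a validator even if the outer server had forwarded all three records, which is why the duplicate is best caught and rejected at the point where the RRset is built, before anything is signed.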