Possible issue with CNAME on DNSSEC test #1370

Open
fkyanai opened this issue Mar 28, 2024 · 4 comments

Comments

@fkyanai

fkyanai commented Mar 28, 2024

Hi!

Recently I faced the following situation on top.nic.br and Internet.nl:

[image: screenshot of the test result]

But checking the DNSSEC servers, all of them are signed:

https://dnssec-analyzer.verisignlabs.com/www.iana.org

[image: DNSSEC Debugger result for www.iana.org]

https://dnsviz.net/d/www.iana.org/dnssec/

[image: DNSViz result for www.iana.org]

This problem happens only with the CNAME record (www); with the A record no issues are verified.

Any suggestions? Is it related to issue #188?

Best Regards
Flavio

@bwbroersma
Collaborator

bwbroersma commented Mar 29, 2024

The DNSSEC test does a SOA check on the domain, in this case www.iana.org, to check it is delegated. This sometimes results in an invalid signature of NSEC or some other weird DNS behavior that results in this correct detection of a DNSSEC failure, which is not perfectly explained.
I'm not sure what I see here: https://dnsviz.net/d/www.iana.org/dnssec/?rr=6&a=all&ds=all&ta=.&tk= Update: probably a dnsviz 🐛

Thanks to @mdavids:

$ unbound-host -d -v -f /usr/share/dns/root.key -t SOA www.iana.org
...
www.iana.org is an alias for ianawww.vip.icann.org. (insecure)
ianawww.vip.icann.org has no SOA record (insecure)

@mdavids

mdavids commented Mar 29, 2024

Have to delve deeper, but weird things are happening here:

dig +dnssec @9.9.9.9 -t SOA ianawww.vip.icann.org has no AD bit.
dig +dnssec @8.8.8.8 -t SOA ianawww.vip.icann.org has one.

Unbound indeed has no AD bit either. Neither does BIND9.

@gthess
Collaborator

gthess commented Mar 29, 2024

From a quick look at the domain and Unbound's code:
The NSEC3 record we get back is:

<hash>.vip.icann.org. 60 IN NSEC3 1 0 1 <salt> <next-hash> A NS MX TXT AAAA RRSIG DNSKEY NSEC3PARAM

The owner of the record after hash computation is ianawww.vip.icann.org.
The actual hash and salt values are not important because they are autogenerated on the fly (online signing).

The NSEC3 record has an NS bit but no SOA bit. This means a delegation. Because there is no DS, this means an insecure delegation. Thus the final insecure status. If a DS was there, that would have been bogus.

I believe this is because there is no SOA record at ianawww.vip.icann.org as it should from what I see at least.
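To make the reasoning in the comment above concrete, here is a small added example (not Unbound's code and not part of this issue) that does the two steps a validator performs with an NSEC3 answer like the one quoted: hash the queried name with the record's salt and iteration count (RFC 5155 §5) to confirm the NSEC3 owner matches it, then read the type bitmap and apply the rule "NS set, SOA clear, DS clear means insecure delegation". The sample record is constructed here: the salt `abcd`, the single iteration and the next-hash label are made up, and the owner hash is computed by the same function so that the record matches `ianawww.vip.icann.org.`, because the real zone signs online and its hash values change.

```python
"""NSEC3 owner hashing and type-bitmap interpretation (illustrative example).

Hashing follows RFC 5155 section 5 (SHA-1, iterations, salt, base32hex);
the bitmap rule follows RFC 5155 section 8.9 / RFC 4035 section 5.
"""
import base64
import hashlib

# base32hex (RFC 4648 section 7) uses a different alphabet than base32.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, root byte 0x00."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """H(name) = SHA1(wire(name) || salt), then `iterations` times SHA1(h || salt)."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def parse_nsec3(rr: str) -> dict:
    """Parse one NSEC3 RR in presentation format into its fields."""
    f = rr.split()
    if len(f) < 9 or f[3] != "NSEC3":
        raise ValueError("not an NSEC3 record in presentation format")
    owner = f[0].lower()
    return {
        "owner": owner,
        "zone": owner.split(".", 1)[1],        # strip the hashed label
        "hash_alg": int(f[4]),
        "flags": int(f[5]),                    # bit 0 = Opt-Out
        "iterations": int(f[6]),
        "salt": f[7],
        "next": f[8].lower(),
        "types": frozenset(f[9:]),
    }


def classify_types(types) -> str:
    """Interpret the type bitmap of an NSEC3 that matches the queried name."""
    ns, soa, ds = "NS" in types, "SOA" in types, "DS" in types
    if soa:
        return "apex"                  # NS+SOA: the zone's own apex, not a delegation
    if ns and ds:
        return "secure delegation"     # a DS exists, so it must validate or the answer is bogus
    if ns:
        return "insecure delegation"   # NS without DS: unsigned child, proven by this NSEC3
    return "ordinary name"


def verdict_for_query(rr: str, qname: str) -> str:
    """Check that the NSEC3 owner is the hash of qname, then classify the bitmap."""
    rec = parse_nsec3(rr)
    if rec["hash_alg"] != 1:
        raise ValueError("unknown NSEC3 hash algorithm %d" % rec["hash_alg"])
    expected_owner = nsec3_hash(qname, rec["salt"], rec["iterations"]) + "." + rec["zone"]
    if expected_owner != rec["owner"]:
        return "no match"              # would need closest-encloser / Opt-Out logic instead
    return classify_types(rec["types"])


# Constructed sample: salt, iterations and next-hash are assumptions; the
# owner label is computed so that the record matches the queried name.
SAMPLE_QNAME = "ianawww.vip.icann.org."
SAMPLE_SALT, SAMPLE_ITER = "abcd", 1
SAMPLE_NSEC3 = (
    nsec3_hash(SAMPLE_QNAME, SAMPLE_SALT, SAMPLE_ITER) + ".vip.icann.org. 60 IN NSEC3 1 0 "
    + str(SAMPLE_ITER) + " " + SAMPLE_SALT + " "
    + nsec3_hash("zzz.vip.icann.org.", SAMPLE_SALT, SAMPLE_ITER)
    + " A NS MX TXT AAAA RRSIG DNSKEY NSEC3PARAM"
)

if __name__ == "__main__":
    print(SAMPLE_NSEC3)
    print(SAMPLE_QNAME, "->", verdict_for_query(SAMPLE_NSEC3, SAMPLE_QNAME))
```

Running it prints `insecure delegation` for the sample, which is exactly the verdict Unbound reports for ianawww.vip.icann.org. To cross-check the hashing against a published vector, RFC 5155 Appendix A hashes the apex `example.` with salt `aabbccdd` and 12 iterations to `0p9mhaveqvm6t7vbl5lop2u3t2rp3tom`. Note that a real validator also has to handle the case where no NSEC3 matches the name (closest encloser plus an Opt-Out covering record); this example only covers the direct-match case seen in this issue.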

@mdavids

mdavids commented Mar 29, 2024

Also; PowerDNS/pdns#7143
