Re: dnssec validation issue

2017-08-30 Thread dhungyel

Hi Mukund

> Are you able to reproduce the bug with the latest stock version of BIND 
> 9.9?  9.9.4 is very old and that branch has had numerous bugfixes since. 

> I'm not able to reproduce such a validation failure with 9.9.11: 

At the moment the latest patched version of BIND available for CentOS 7 is
9.9.4-50. The policy has been to stick with the patches / versions
distributed by the distro rather than getting the latest. So, I will have to
try the new version and see if the problem persists.

I have looked around a bit more and this is where it starts getting
interesting. For hosts that are not mapped to a CNAME, this works perfectly
fine. See below for host ns.icann.org:

# dig @localhost ns.icann.org A +dnssec

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> @localhost ns.icann.org A +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31866
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ns.icann.org.          IN  A

;; ANSWER SECTION:
ns.icann.org.       3600    IN  A       199.4.138.53
ns.icann.org.       3600    IN  RRSIG   A 7 3 3600 20170914022301 20170824010741 56445 icann.org. DFfGY0h65bDzMHNSkf9cmM8vHbIeOyupdw5HeagBiWzQMAbzvtc4w5et N+1P2zeOPvCvYiBcUsHi+JGqyB0q6gpyZMcXFbMGRPnp931B+F6MUnZL H2+2PDhkBrZ1EtyVaS8s8IyZ9XOuzJKNwOQBt4mNdFhpvrpWmXMc1zTQ OYX1Kqg=

;; AUTHORITY SECTION:
icann.org.          86393   IN  NS      a.iana-servers.net.
icann.org.          86393   IN  NS      ns.icann.org.
icann.org.          86393   IN  NS      c.iana-servers.net.
icann.org.          86393   IN  NS      b.iana-servers.net.
icann.org.          86393   IN  RRSIG   NS 7 2 86400 20170915091737 20170825024031 56445 icann.org. P7offNJTV/zX8mZVC7x6uwvhZrdLzLNM/r1tsp4g7yaprD6LY//TLbNc tIdbFjZdml7CYYZxZSecmb5Uzo8O7sHS+1xdandh6KxPfo47mO+Ge6JI JmspnEaOxOlK7Vp3RGCqdeUasxIpwjHlNa+4rZ30ImmKxsAGC9oq01ey d/JE8j8=

;; ADDITIONAL SECTION:
a.iana-servers.net. 172793  IN  A       199.43.135.53
a.iana-servers.net. 172793  IN      2001:500:8f::53
b.iana-servers.net. 172793  IN  A       199.43.133.53
b.iana-servers.net. 172793  IN      2001:500:8d::53
c.iana-servers.net. 172793  IN  A       199.43.134.53
c.iana-servers.net. 172793  IN      2001:500:8e::53
ns.icann.org.       86393   IN      2001:500:89::53
ns.icann.org.       3600    IN  RRSIG    7 3 3600 20170913162548 20170824010741 56445 icann.org. cSpl1KEIPeFTzXBhjn9CMA+Y4iVG92++kdzxoTzRhgEMsH2Xud/s8Mg1 DBEc07xMgou5OqyGvlbOxP1F2c/dOFrQBMBuojBmG4ltIj663GYshyFy 3sxqNJGATHDDJ7Sk8eiYFazct09Z2wQ73UdwKGXuzM4bD9LrXUYP0rnJ l0xEen8=

However, when I try the same thing for www.icann.org, I get a SERVFAIL like
below:

# dig @localhost www.icann.org A +dnssec

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> @localhost www.icann.org A +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30814
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.icann.org. IN  A

;; Query time: 4237 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Aug 31 10:06:23 +06 2017
;; MSG SIZE  rcvd: 42

So, I am beginning to wonder if there is an issue between DNSSEC and CNAME in
the 9.9.4-50 version of BIND. With checking disabled (as suggested by Tony), it
resolves correctly:

# dig @localhost www.icann.org A +cd

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> @localhost www.icann.org A +cd
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53618
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.icann.org. IN  A

;; ANSWER SECTION:
www.icann.org.      3386    IN  CNAME   www.vip.icann.org.
www.vip.icann.org.  30      IN  A       192.0.32.7

;; AUTHORITY SECTION:
vip.icann.org.      3382    IN  NS      gtm1.dc.icann.org.
vip.icann.org.      3382    IN  NS      gtm1.mdr.icann.org.
vip.icann.org.      3382    IN  NS      gtm1.lax.icann.org.

With +cd and +sigchase, the resolver is able to find the RRSIG data fine, but
once checking is enabled, it just fails:

# dig @localhost www.icann.org A +cd +sigchase
;; RRset to chase:
www.icann.org.      3039    IN  CNAME   www.vip.icann.org.


;; RRSIG of the RRset to chase:
www.icann.org.      3039    IN  RRSIG   CNAME 7 3 3600 20170914195717 20170824110741 56445 icann.org. GoSDthX9s2BsyaT/AYyfNKixR8UMVF/fx3zz5U9XPIVJUkpp3g9xyuZy wxO7aTVgiPaESUOttGGn4xs9KMzZ4BcI6bmOAehYubS6AaAb6YdbweR4 S6O3qiNMT5Sai4BrfmvITGjigyNXSb3vc8fsSeUPJVdR8gmObfzbJbdn
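
The transcripts above show that the RRSIG data itself is retrievable with +cd but
validation still fails. One thing worth ruling out on the validator side before
going deeper is the signature validity window against the resolver's own clock,
plus the other per-RRSIG sanity checks a validator performs before it ever gets
to the crypto (labels field vs. owner name, RRset TTL vs. original TTL). The
script below is an added example of mine, not code from this thread or from
BIND: it parses RRSIG records and the ";; WHEN:" line out of a dig transcript
(re-joining the line wrapping that mail clients introduce) and reports any of
those checks that fail. The sample input is constructed from the dig output
quoted above; the function and field names are my own.

```python
"""Sanity-check RRSIG records found in dig output against the query time.

Added example, not code from the bind-users thread or from BIND. The sample
input is constructed from the RRSIG lines and the ';; WHEN:' line quoted in
the thread, with the mail client's line wrapping left in on purpose so the
parser has to re-join continuation lines.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: RRSIG lines and the query timestamp from the thread's dig output.
SAMPLE_DIG_OUTPUT = """\
ns.icann.org.   3600 IN  A   199.4.138.53
ns.icann.org.   3600 IN  RRSIG   A 7 3 3600 20170914022301
20170824010741 56445
icann.org. DFfGY0h65bDzMHNSkf9cmM8vHbIeOyupdw5HeagBiWzQMAbzvtc4w5et
N+1P2zeOPvCvYiBcUsHi+JGqyB0q6gpyZMcXFbMGRPnp931B+F6MUnZL
H2+2PDhkBrZ1EtyVaS8s8IyZ9XOuzJKNwOQBt4mNdFhpvrpWmXMc1zTQ OYX1Kqg=

www.icann.org.  3039 IN  RRSIG   CNAME 7 3 3600 20170914195717
20170824110741
56445 icann.org. GoSDthX9s2BsyaT/AYyfNKixR8UMVF/fx3zz5U9XPIVJUkpp3g9xyuZy

;; WHEN: Thu Aug 31 10:06:23 +06 2017
"""


@dataclass
class Rrsig:
    """RRSIG RDATA fields in presentation-format order (RFC 4034 section 3)."""
    owner: str
    ttl: int
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str
    signature: str  # base64, with dig's 56-character chunks concatenated


# A record line in presentation format: owner, TTL, class IN, type, RDATA.
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s*(.*)$")
# dig's timestamp line, e.g. ';; WHEN: Thu Aug 31 10:06:23 +06 2017' (offset may be +HH or +HHMM).
WHEN_RE = re.compile(r"^;; WHEN: \w{3} (\w{3})\s+(\d+) (\d\d:\d\d:\d\d) ([+-]\d\d):?(\d\d)? (\d{4})$", re.M)


def parse_sigtime(s):
    """RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_records(text):
    """Return (owner, ttl, type, rdata) tuples; lines that do not start a record
    are treated as wrapped continuations of the previous one."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and dig's comment/section lines
        m = RECORD_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append([owner, int(ttl), rtype, rdata])
        elif records:
            records[-1][3] += " " + line
    return [tuple(r) for r in records]


def parse_rrsigs(text):
    out = []
    for owner, ttl, rtype, rdata in parse_records(text):
        if rtype != "RRSIG":
            continue
        f = rdata.split()
        out.append(Rrsig(owner, ttl, f[0], int(f[1]), int(f[2]), int(f[3]),
                         parse_sigtime(f[4]), parse_sigtime(f[5]), int(f[6]),
                         f[7], "".join(f[8:])))
    return out


def parse_query_time(text):
    """Convert dig's local-time ';; WHEN:' line to an aware UTC datetime."""
    m = WHEN_RE.search(text)
    if not m:
        raise ValueError("no parseable ';; WHEN:' line in transcript")
    mon, day, hms, tz_h, tz_m, year = m.groups()
    local = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    sign = -1 if tz_h.startswith("-") else 1
    offset = sign * timedelta(hours=abs(int(tz_h)), minutes=int(tz_m or 0))
    return (local - offset).replace(tzinfo=timezone.utc)


def owner_label_count(name):
    return len([lbl for lbl in name.rstrip(".").split(".") if lbl and lbl != "*"])


def is_wildcard_expansion(sig):
    """labels < owner label count means the RRset was synthesized from a wildcard."""
    return sig.labels < owner_label_count(sig.owner)


def check_rrsig(sig, now):
    """Problems a validator would report before signature verification; [] if none."""
    problems = []
    if now < sig.inception:
        problems.append("not yet valid: inception is in the future (resolver clock behind?)")
    if now > sig.expiration:
        problems.append("expired: zone not re-signed, or resolver clock ahead")
    if sig.labels > owner_label_count(sig.owner):
        problems.append("labels field exceeds owner name label count (bogus RRSIG)")
    if sig.ttl > sig.original_ttl:
        problems.append("RRset TTL exceeds RRSIG original TTL")
    return problems


def report(text):
    """Check every RRSIG in a transcript against that transcript's own query time."""
    now = parse_query_time(text)
    return {(s.owner, s.type_covered): check_rrsig(s, now) for s in parse_rrsigs(text)}


if __name__ == "__main__":
    for key, problems in report(SAMPLE_DIG_OUTPUT).items():
        print(key, "OK" if not problems else "; ".join(problems))
```

Both RRSIGs from the thread pass these checks at the quoted query time (the
window runs from 24 Aug to 14 Sep 2017), so in this case the clock is not the
explanation; the script is meant as the first cheap thing to run on any
"validates with +cd, SERVFAILs without it" report, since an expired signature
or a skewed resolver clock produces exactly that symptom.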

dnssec validation issue

2017-08-23 Thread Ganga R. Dhungyel
DS: NSEC3 proves name exists (owner) data=0
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: nonexistence proof(s) found
23-Aug-2017 16:17:57.872 dnssec: debug 3: validator @0x7f3ffc96f160: dns_validator_destroy
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: in dsfetched2: ncache nxrrset
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: resuming proveunsecure
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: insecurity proof failed


With dnssec-validation turned on, resolving sites like www.icann.org fails.
The alternative is to remove validation, which of course is not the desired
solution.

Any help would be appreciated.

Thanks.

—
Dhungyel
