[Cerowrt-devel] Had to disable dnssec today
Just too many sites aren't working correctly with dnsmasq and using Google's DNS servers. - Bank of America (sso-fi.bankofamerica.com) - Weather Underground (cdnjs.cloudflare.com) - Akamai (e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net) And I'm not getting any traction with reporting the errors to those sites, so it's frustrating in getting it properly fixed. While Akamai and cloudflare appear to be issues with their entries in google dns, or with dnsmasq's validation of them being insecure domains, the BofA issue appears to be an outright bad key. And BofA isn't being helpful (just a continual we use ssl sort of quasi-automated response). So I'm disabling it for now, or rather, falling back to using my ISP's dns servers, which don't support DNSSEC at this time. I'll be periodically turning it back on, but too much is broken (mainly due to the cdns) to be able to rely on it at this time. -Aaron ___ Cerowrt-devel mailing list Cerowrt-devel@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/cerowrt-devel
Re: [Cerowrt-devel] Had to disable dnssec today
Is this just a dnsmasq issue or is the DNSSEC mechanism broken at these sites? If it is the latter, I can get attention from executives at some of these companies (Heartbleed has sensitized all kinds of companies to the need to strengthen security infrastructure). If the former, the change process is going to be more tricky, because dnsmasq is easily dismissed as too small a proportion of the market to care. (wish it were not so). On Saturday, April 26, 2014 7:38am, Aaron Wood wood...@gmail.com said: Just too many sites aren't working correctly with dnsmasq and using Google's DNS servers. - Bank of America ([http://sso-fi.bankofamerica.com] sso-fi.bankofamerica.com) - Weather Underground ([http://cdnjs.cloudflare.com] cdnjs.cloudflare.com) - Akamai ([http://e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net] e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net) And I'm not getting any traction with reporting the errors to those sites, so it's frustrating in getting it properly fixed. While Akamai and cloudflare appear to be issues with their entries in google dns, or with dnsmasq's validation of them being insecure domains, the BofA issue appears to be an outright bad key. And BofA isn't being helpful (just a continual we use ssl sort of quasi-automated response). So I'm disabling it for now, or rather, falling back to using my ISP's dns servers, which don't support DNSSEC at this time. I'll be periodically turning it back on, but too much is broken (mainly due to the cdns) to be able to rely on it at this time. -Aaron___ Cerowrt-devel mailing list Cerowrt-devel@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/cerowrt-devel
Re: [Cerowrt-devel] Had to disable dnssec today
David, With two of them (akamai and cloudflare), I _think_ it's a dnsmasq issue with the DS records for proving insecure domains are insecure. But Simon Kelley would know that better than I. With BofA, I'm nearly certain it's them, or an issue with one of their partners (since the domain that fails isn't BofA, but something else): (with dnssec turned off): ;; QUESTION SECTION: ;sso-fi.bankofamerica.com. IN A ;; ANSWER SECTION: sso-fi.bankofamerica.com. 3599 IN CNAME saml-bac.onefiserv.com. saml-bac.onefiserv.com. 299 IN CNAME saml-bac.gslb.onefiserv.com. saml-bac.gslb.onefiserv.com. 119 IN A 208.235.248.157 And it's the saml-bac.gslb.onefiserv.com host that's failing (see here for debug info): http://dnssec-debugger.verisignlabs.com/sso-fi.bankofamerica.com -Aaron On Sat, Apr 26, 2014 at 6:00 PM, dpr...@reed.com wrote: Is this just a dnsmasq issue or is the DNSSEC mechanism broken at these sites? If it is the latter, I can get attention from executives at some of these companies (Heartbleed has sensitized all kinds of companies to the need to strengthen security infrastructure). If the former, the change process is going to be more tricky, because dnsmasq is easily dismissed as too small a proportion of the market to care. (wish it were not so). On Saturday, April 26, 2014 7:38am, Aaron Wood wood...@gmail.com said: Just too many sites aren't working correctly with dnsmasq and using Google's DNS servers. - Bank of America (sso-fi.bankofamerica.com) - Weather Underground (cdnjs.cloudflare.com) - Akamai (e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net) And I'm not getting any traction with reporting the errors to those sites, so it's frustrating in getting it properly fixed. While Akamai and cloudflare appear to be issues with their entries in google dns, or with dnsmasq's validation of them being insecure domains, the BofA issue appears to be an outright bad key. And BofA isn't being helpful (just a continual we use ssl sort of quasi-automated response). So I'm disabling it for now, or rather, falling back to using my ISP's dns servers, which don't support DNSSEC at this time. I'll be periodically turning it back on, but too much is broken (mainly due to the cdns) to be able to rely on it at this time. -Aaron ___ Cerowrt-devel mailing list Cerowrt-devel@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/cerowrt-devel
Re: [Cerowrt-devel] [Dnsmasq-discuss] Had to disable dnssec today
On 26/04/14 17:20, Aaron Wood wrote: David, With two of them (akamai and cloudflare), I _think_ it's a dnsmasq issue with the DS records for proving insecure domains are insecure. But Simon Kelley would know that better than I. The result of the analysis of the akamai domain was that there's a problem with the domain (ie it's an akamai problem) See the post in the Cerowrt list by Evan Hunt for the origin of this conclusion. There's a dnsmasq issue to the extent that dnsmasq uses a different strategy for proving that a name should not be signed than other nameservers (dnsmasq works bottom-up, the others can work top-down, since they are recursive servers, not forwarders.) This means that dnsmasq sees the akamai problem, whilst eg unbound happens not to. I plan to see if dnsmasq can be modified to improve this. I'm not sure of cloudflare has been looked at in detail, but my impression was that it's the same as akamai. With BofA, I'm nearly certain it's them, or an issue with one of their partners (since the domain that fails isn't BofA, but something else): (with dnssec turned off): ;; QUESTION SECTION: ;sso-fi.bankofamerica.com. IN A ;; ANSWER SECTION: sso-fi.bankofamerica.com. 3599 IN CNAME saml-bac.onefiserv.com. saml-bac.onefiserv.com. 299 IN CNAME saml-bac.gslb.onefiserv.com. saml-bac.gslb.onefiserv.com. 119 IN A 208.235.248.157 And it's the saml-bac.gslb.onefiserv.com host that's failing (see here for debug info): http://dnssec-debugger.verisignlabs.com/sso-fi.bankofamerica.com -Aaron On Sat, Apr 26, 2014 at 6:00 PM, dpr...@reed.com wrote: Is this just a dnsmasq issue or is the DNSSEC mechanism broken at these sites? If it is the latter, I can get attention from executives at some of these companies (Heartbleed has sensitized all kinds of companies to the need to strengthen security infrastructure). If the former, the change process is going to be more tricky, because dnsmasq is easily dismissed as too small a proportion of the market to care. (wish it were not so). Given it's less than a month since the first DNSSEC-capable dnsmasq release, anything other than small market share would be fairly miraculous! Cheers, Simon. ___ Cerowrt-devel mailing list Cerowrt-devel@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/cerowrt-devel
Re: [Cerowrt-devel] [Dnsmasq-discuss] Had to disable dnssec today
On 26/04/14 20:44, Simon Kelley wrote: I plan to see if dnsmasq can be modified to improve this. In the git repo now, the change allows the akamai domain to resolve successfully. Simon. ___ Cerowrt-devel mailing list Cerowrt-devel@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/cerowrt-devel
Re: [Cerowrt-devel] [Dnsmasq-discuss] Had to disable dnssec today
On Sat, Apr 26, 2014 at 12:44 PM, Simon Kelley si...@thekelleys.org.uk wrote: On 26/04/14 17:20, Aaron Wood wrote: David, With two of them (akamai and cloudflare), I _think_ it's a dnsmasq issue with the DS records for proving insecure domains are insecure. But Simon Kelley would know that better than I. The result of the analysis of the akamai domain was that there's a problem with the domain (ie it's an akamai problem) See the post in the Cerowrt list by Evan Hunt for the origin of this conclusion. There's a dnsmasq issue to the extent that dnsmasq uses a different strategy for proving that a name should not be signed than other nameservers (dnsmasq works bottom-up, the others can work top-down, since they are recursive servers, not forwarders.) This means that dnsmasq sees the akamai problem, whilst eg unbound happens not to. I plan to see if dnsmasq can be modified to improve this. If it's not a violation of the specification, the bottom-up method might be good to add to a dnssec validation tool. I'm not sure of cloudflare has been looked at in detail, but my impression was that it's the same as akamai. With BofA, I'm nearly certain it's them, or an issue with one of their partners (since the domain that fails isn't BofA, but something else): (with dnssec turned off): ;; QUESTION SECTION: ;sso-fi.bankofamerica.com. IN A ;; ANSWER SECTION: sso-fi.bankofamerica.com. 3599 IN CNAME saml-bac.onefiserv.com. saml-bac.onefiserv.com. 299 IN CNAME saml-bac.gslb.onefiserv.com. saml-bac.gslb.onefiserv.com. 119 IN A 208.235.248.157 And it's the saml-bac.gslb.onefiserv.com host that's failing (see here for debug info): http://dnssec-debugger.verisignlabs.com/sso-fi.bankofamerica.com -Aaron On Sat, Apr 26, 2014 at 6:00 PM, dpr...@reed.com wrote: Is this just a dnsmasq issue or is the DNSSEC mechanism broken at these sites? If it is the latter, I can get attention from executives at some of these companies (Heartbleed has sensitized all kinds of companies to the need to strengthen security infrastructure). If the former, the change process is going to be more tricky, because dnsmasq is easily dismissed as too small a proportion of the market to care. (wish it were not so). Given it's less than a month since the first DNSSEC-capable dnsmasq release, anything other than small market share would be fairly miraculous! Cheers, Simon. ___ Cerowrt-devel mailing list Cerowrt-devel@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/cerowrt-devel -- Dave Täht NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article ___ Cerowrt-devel mailing list Cerowrt-devel@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/cerowrt-devel
[Cerowrt-devel] looks like dhcpv4 has sprouted dhcp v4 support
And it's not configured right. (This may be an artifact of me trying hnetd out.) Anyone else seen this? # logread Sun Apr 27 00:03:22 2014 daemon.warn odhcpd[22321]: DHCPv4 range out of assigned network Sun Apr 27 00:03:25 2014 daemon.warn odhcpd[22321]: DHCPv4 range out of assigned network Sun Apr 27 00:03:28 2014 daemon.warn odhcpd[22321]: DHCPv4 range out of assigned network -- Dave Täht NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article ___ Cerowrt-devel mailing list Cerowrt-devel@lists.bufferbloat.net https://lists.bufferbloat.net/listinfo/cerowrt-devel
