Re: wildcard dnssec test fails

2017-12-15 Thread Sebastian Schmidt via Unbound-users 

Hi,

Thanks so much for finding the problem. I've recompiled unbound with GNU gcc 
for now. It seamed like the simplest solution. 
I never would have thought that the access to a internet service (to the end 
user) could be broken because of a compiler optimisation. Still so many things 
have to go "wrong" for this to happen. 

Will this be reported to the clang developers?

Regards,
Sebastian


On 15 December 2017 at 8:50:14 pm, W.C.A. Wijngaards via Unbound-users 
(unbound-users@unbound.net) wrote:
> Hi,
>  
> Wait, no, just CFLAGS=-g ./configure disables -O2, but you also need the
> code change. So that won't work as a workaround.
>  
> Best regards, Wouter
>  
> On 15/12/17 11:40, W.C.A. Wijngaards via Unbound-users wrote:
> > Hi Sebastian
> >
> > On 15/12/17 10:19, Sebastian Schmidt via Unbound-users wrote:
> >> On 15 December 2017 at 6:09:19 pm, W.C.A. Wijngaards via Unbound-users
> >> (unbound-users@unbound.net ) wrote:
> >>> When I run unbound-host, I get no errors,
> >>> ./unbound-host www.wilda.nsec.0skar.czwww.wilda.nsec.0skar.cz
> >>> -f
> >>> root.key -v -t A
> >>> www.wilda.nsec.0skar.czwww.wilda.nsec.0skar.cz
> >>> has address
> >>> 85.239.227.179 (secure)
> >>>
> >>> Unbound performs serial arithmatic on the timestamps in the rrsig,
> >>> according to RFC.
> >>>
> >>> (What does that mean? The timestamps are 32bit in the RRSIG, but the
> >>> value is interpreted relative to the current date. And what you cannot
> >>> do is express something like a point more than some number of years
> >>> future or past.)
> >>>
> >>> Best regards, Wouter
> >>
> >>
> >> Hello Wouter,
> >>
> >>
> >> Thanks for the insight. Maybe this has something to with the platform?
> >
> > Yes it is the compiler. Clang fails, gcc succeeds. I can make clang
> > succeed with a small code change together with the removal of -O2
> > (disabling clang's optimizer).
> >
> > The code change is instead of if(incep - expi > 0) ..fail.. it now has
> > var=incep-expi; if(var > 0) ..fail..
> >
> > Clangs optimizer seems to take the wrong branch in the if statement. If
> > I printout the value calculated, I get the correct output. Something
> > like if(!((incep-expi)&0x8000)) ..fail.. does not trick the
> > optimizer into taking the right branch.
> >
> > The code change is in the code repository.
> > CFLAGS=-g ./configure
> > This disables -O2 as well, with the current version of unbound.
> >
> > Or as a workaround, maybe ignore this, perhaps with domain-insecure,
> > because it seems to only happen for the int32_t values of (1391084010 -
> > -823674496 > 0). And 2080 is uncommon in RRSIG timestamps.
> >
> > Best regards, Wouter
> >
> >>
> >> CentOS 6.9:
> >>
> >> $ unbound-host -v -f /etc/unbound/root.key -t A www.wilda.nsec.0skar.cz
> >>
> >> www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (secure)
> >>
> >> flexi.oskarcz.net has address 85.239.227.179 (secure)
> >>
> >>
> >> MacOS 10.13.2 (High Sierra):
> >>
> >> $ unbound-host -v -t A -f /usr/local/etc/unbound/root.key
> >> www.wilda.nsec.0skar.cz
> >>
> >> www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (BOGUS
> >> (security failure))
> >>
> >> flexi.oskarcz.net has address 85.239.227.179 (BOGUS (security failure))
> >>
> >> validation failure : signature
> >> inception after expiration from 85.239.227.179 for key nsec.0skar.cz.
> >> while building chain of trust
> >>
> >>
> >> FreeBSD 11.1:
> >>
> >> $ unbound-host -v -f /usr/local/etc/unbound/root.key -t A
> >> www.wilda.nsec.0skar.cz
> >>
> >> www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (BOGUS
> >> (security failure))
> >>
> >> flexi.oskarcz.net has address 85.239.227.179 (BOGUS (security failure))
> >>
> >> validation failure : signature
> >> inception after expiration from 2001:1528:132:70::1 for key
> >> nsec.0skar.cz. while building chain of trust
> >>
> >>
> >> Kind Regards
> >>
> >> Sebastian
> >>
> >
> >
>  
>  
>

Re: wildcard dnssec test fails

2017-12-15 Thread W.C.A. Wijngaards via Unbound-users 
Hi,

Wait, no, just CFLAGS=-g ./configure disables -O2, but you also need the
code change.  So that won't work as a workaround.

Best regards, Wouter

On 15/12/17 11:40, W.C.A. Wijngaards via Unbound-users wrote:
> Hi Sebastian
> 
> On 15/12/17 10:19, Sebastian Schmidt via Unbound-users wrote:
>> On 15 December 2017 at 6:09:19 pm, W.C.A. Wijngaards via Unbound-users
>> (unbound-users@unbound.net ) wrote:
>>> When I run unbound-host, I get no errors, 
>>> ./unbound-host  www.wilda.nsec.0skar.czwww.wilda.nsec.0skar.cz
>>>  -f 
>>> root.key -v -t A 
>>> www.wilda.nsec.0skar.czwww.wilda.nsec.0skar.cz
>>>  has address 
>>> 85.239.227.179 (secure) 
>>>
>>> Unbound performs serial arithmatic on the timestamps in the rrsig, 
>>> according to RFC. 
>>>
>>> (What does that mean? The timestamps are 32bit in the RRSIG, but the 
>>> value is interpreted relative to the current date. And what you cannot 
>>> do is express something like a point more than some number of years 
>>> future or past.) 
>>>
>>> Best regards, Wouter 
>>
>>
>> Hello Wouter,
>>
>>
>> Thanks for the insight. Maybe this has something to with the platform?
> 
> Yes it is the compiler.  Clang fails, gcc succeeds.  I can make clang
> succeed with a small code change together with the removal of -O2
> (disabling clang's optimizer).
> 
> The code change is instead of if(incep - expi > 0) ..fail..  it now has
> var=incep-expi; if(var > 0) ..fail..
> 
> Clangs optimizer seems to take the wrong branch in the if statement.  If
> I printout the value calculated, I get the correct output.  Something
> like if(!((incep-expi)&0x8000)) ..fail.. does not trick the
> optimizer into taking the right branch.
> 
> The code change is in the code repository.
> CFLAGS=-g ./configure
> This disables -O2 as well, with the current version of unbound.
> 
> Or as a workaround, maybe ignore this, perhaps with domain-insecure,
> because it seems to only happen for the int32_t values of (1391084010 -
> -823674496 > 0).  And 2080 is uncommon in RRSIG timestamps.
> 
> Best regards, Wouter
> 
>>
>>  CentOS 6.9:
>>
>>   $ unbound-host -v -f /etc/unbound/root.key -t A www.wilda.nsec.0skar.cz
>>
>>   www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (secure)
>>
>>   flexi.oskarcz.net has address 85.239.227.179 (secure)
>>
>>
>> MacOS 10.13.2 (High Sierra):
>>
>>   $ unbound-host -v -t A -f /usr/local/etc/unbound/root.key
>> www.wilda.nsec.0skar.cz
>>
>>   www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (BOGUS
>> (security failure))
>>
>>   flexi.oskarcz.net has address 85.239.227.179 (BOGUS (security failure))
>>
>>   validation failure : signature
>> inception after expiration from 85.239.227.179 for key nsec.0skar.cz.
>> while building chain of trust
>>
>>
>> FreeBSD 11.1:
>>
>>   $ unbound-host -v -f /usr/local/etc/unbound/root.key -t A
>> www.wilda.nsec.0skar.cz
>>
>>   www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (BOGUS
>> (security failure))
>>
>>   flexi.oskarcz.net has address 85.239.227.179 (BOGUS (security failure))
>>
>>   validation failure : signature
>> inception after expiration from 2001:1528:132:70::1 for key
>> nsec.0skar.cz. while building chain of trust
>>
>>
>> Kind Regards
>>
>> Sebastian
>>
> 
> 




signature.asc
Description: OpenPGP digital signature

Re: wildcard dnssec test fails

2017-12-15 Thread W.C.A. Wijngaards via Unbound-users 
Hi Sebastian

On 15/12/17 10:19, Sebastian Schmidt via Unbound-users wrote:
> On 15 December 2017 at 6:09:19 pm, W.C.A. Wijngaards via Unbound-users
> (unbound-users@unbound.net ) wrote:
>> When I run unbound-host, I get no errors, 
>> ./unbound-host  www.wilda.nsec.0skar.czwww.wilda.nsec.0skar.cz
>>  -f 
>> root.key -v -t A 
>> www.wilda.nsec.0skar.czwww.wilda.nsec.0skar.cz
>>  has address 
>> 85.239.227.179 (secure) 
>>
>> Unbound performs serial arithmatic on the timestamps in the rrsig, 
>> according to RFC. 
>>
>> (What does that mean? The timestamps are 32bit in the RRSIG, but the 
>> value is interpreted relative to the current date. And what you cannot 
>> do is express something like a point more than some number of years 
>> future or past.) 
>>
>> Best regards, Wouter 
> 
> 
> Hello Wouter,
> 
> 
> Thanks for the insight. Maybe this has something to with the platform?

Yes it is the compiler.  Clang fails, gcc succeeds.  I can make clang
succeed with a small code change together with the removal of -O2
(disabling clang's optimizer).

The code change is instead of if(incep - expi > 0) ..fail..  it now has
var=incep-expi; if(var > 0) ..fail..

Clangs optimizer seems to take the wrong branch in the if statement.  If
I printout the value calculated, I get the correct output.  Something
like if(!((incep-expi)&0x8000)) ..fail.. does not trick the
optimizer into taking the right branch.

The code change is in the code repository.
CFLAGS=-g ./configure
This disables -O2 as well, with the current version of unbound.

Or as a workaround, maybe ignore this, perhaps with domain-insecure,
because it seems to only happen for the int32_t values of (1391084010 -
-823674496 > 0).  And 2080 is uncommon in RRSIG timestamps.

Best regards, Wouter

> 
>  CentOS 6.9:
> 
>   $ unbound-host -v -f /etc/unbound/root.key -t A www.wilda.nsec.0skar.cz
> 
>   www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (secure)
> 
>   flexi.oskarcz.net has address 85.239.227.179 (secure)
> 
> 
> MacOS 10.13.2 (High Sierra):
> 
>   $ unbound-host -v -t A -f /usr/local/etc/unbound/root.key
> www.wilda.nsec.0skar.cz
> 
>   www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (BOGUS
> (security failure))
> 
>   flexi.oskarcz.net has address 85.239.227.179 (BOGUS (security failure))
> 
>   validation failure : signature
> inception after expiration from 85.239.227.179 for key nsec.0skar.cz.
> while building chain of trust
> 
> 
> FreeBSD 11.1:
> 
>   $ unbound-host -v -f /usr/local/etc/unbound/root.key -t A
> www.wilda.nsec.0skar.cz
> 
>   www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (BOGUS
> (security failure))
> 
>   flexi.oskarcz.net has address 85.239.227.179 (BOGUS (security failure))
> 
>   validation failure : signature
> inception after expiration from 2001:1528:132:70::1 for key
> nsec.0skar.cz. while building chain of trust
> 
> 
> Kind Regards
> 
> Sebastian
> 




signature.asc
Description: OpenPGP digital signature

Re: wildcard dnssec test fails

2017-12-15 Thread Sebastian Schmidt via Unbound-users 
On 15 December 2017 at 6:09:19 pm, W.C.A. Wijngaards via Unbound-users 
(unbound-users@unbound.net) wrote:
When I run unbound-host, I get no errors, 
./unbound-host  www.wilda.nsec.0skar.czwww.wilda.nsec.0skar.cz -f 
root.key -v -t A 
www.wilda.nsec.0skar.czwww.wilda.nsec.0skar.cz has address 
85.239.227.179 (secure) 

Unbound performs serial arithmatic on the timestamps in the rrsig, 
according to RFC. 

(What does that mean? The timestamps are 32bit in the RRSIG, but the 
value is interpreted relative to the current date. And what you cannot 
do is express something like a point more than some number of years 
future or past.) 

Best regards, Wouter 


Hello Wouter,



Thanks for the insight. Maybe this has something to with the platform?

 CentOS 6.9:

  $ unbound-host -v -f /etc/unbound/root.key -t A www.wilda.nsec.0skar.cz

  www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (secure)

  flexi.oskarcz.net has address 85.239.227.179 (secure)



MacOS 10.13.2 (High Sierra):

  $ unbound-host -v -t A -f /usr/local/etc/unbound/root.key 
www.wilda.nsec.0skar.cz

  www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (BOGUS (security 
failure))

  flexi.oskarcz.net has address 85.239.227.179 (BOGUS (security failure))

  validation failure : signature inception after 
expiration from 85.239.227.179 for key nsec.0skar.cz. while building chain of 
trust



FreeBSD 11.1:

  $ unbound-host -v -f /usr/local/etc/unbound/root.key -t A 
www.wilda.nsec.0skar.cz

  www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (BOGUS (security 
failure))

  flexi.oskarcz.net has address 85.239.227.179 (BOGUS (security failure))

  validation failure : signature inception after 
expiration from 2001:1528:132:70::1 for key nsec.0skar.cz. while building chain 
of trust


Kind Regards

Sebastian

Re: wildcard dnssec test fails

2017-12-15 Thread W.C.A. Wijngaards via Unbound-users 
Hi Sebastian, Viktor,

On 15/12/17 01:26, Viktor Dukhovni via Unbound-users wrote:
> On Thu, Dec 14, 2017 at 02:21:15PM +1000, Sebastian Schmidt wrote:
> 
>> I�ve unbound setup on FreeBSD 11.1 and I can�t figure out why "drill
>> www.wilda.nsec.0skar.cz" gives SERVFAIL. The domain is from this
>> (http://0skar.cz/dns/en) test site where it reports three failures (2a,
>> 2b and 4). Any help would be appreciated.
> 
> The zone's signatures are weird:
> 
> $ unbound-host -f /usr/local/etc/unbound/root.key -v 
> www.wilda.nsec.0skar.cz

When I run unbound-host, I get no errors,
./unbound-host  www.wilda.nsec.0skar.czwww.wilda.nsec.0skar.cz -f
root.key -v -t A
www.wilda.nsec.0skar.czwww.wilda.nsec.0skar.cz has address
85.239.227.179 (secure)

Unbound performs serial arithmatic on the timestamps in the rrsig,
according to RFC.

(What does that mean?  The timestamps are 32bit in the RRSIG, but the
value is interpreted relative to the current date.  And what you cannot
do is express something like a point more than some number of years
future or past.)

Best regards, Wouter

> ...
> validation failure : signature inception 
> after expiration from 2001:1528:132:70::1 for key nsec.0skar.cz. while 
> building chain of trust
> ...
> 
> $ dig +noall +ans +nocl +nottl +nosplit +cd +dnssec -t a 
> www.wilda.nsec.0skar.cz
> www.wilda.nsec.0skar.cz. CNAME  flexi.oskarcz.net.
> www.wilda.nsec.0skar.cz. RRSIG  CNAME 10 5 300 2080010100 
> 20140130121330 28887 nsec.0skar.cz. ...
> flexi.oskarcz.net.  A   85.239.227.179
> flexi.oskarcz.net.  RRSIG   A 10 3 3600 20180108024403 20171209024403 
> 31880 oskarcz.net. ...
> 
> Note the RRSIG dates for the CNAME:
> 
> Inception:  20140130121330
> Expiration: 2080010100
> 
> Perhaps unbound is comparing these as 32-bit timestamps.  Just
> under 66 years is an impressive validity range, if intentional.
> 




signature.asc
Description: OpenPGP digital signature