DNSSEC, whitehouse, isc, and troubleshooting...

Marc Lampo marc.lampo at eurid.eu
Tue Apr 19 12:46:07 UTC 2011 

What should be clear to all (DNSSEC) administrators is that it is useless
to sign *your* zone(s) if they refer to other, non-signed, zones
themselves !

The danger is that the attacker will not try to cache poison your CNAME,
but the final destination A record !
Cache poisoning - Dan Kaminsky style - attacks glue (A) records anyway
(not CNAME's).

Recommendation :
If you need to refer to other zones (webhosting, "email-in-the-cloud"),
*insist* that they as well implement DNSSEC for their zones !

Kind regards,

Marc Lampo
Security Officer for EURid vzw/asbl



-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: 18 April 2011 08:35 PM
To: John Williams
Cc: bind-users at isc.org
Subject: Re: DNSSEC, whitehouse, isc, and troubleshooting...

On Mon, 18 Apr 2011, John Williams wrote:

> Subject: DNSSEC, whitehouse, isc, and troubleshooting...
> 
>> From my signed domain when I query www.isc.org (w/ +dnssec) I get the
ad flag as expected.  I don't see that flag when I query whitehouse.gov
(w/ +dnssec) and I know that zone is signed.
>
> Is anyone else seeing this behavior?  Also, is there a link that
addresses troubleshooting or diagnosing DNSSEC based queries?

works for me:

[paul at bofh ~]$ dig +dnssec whitehouse.gov

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> +dnssec whitehouse.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14133
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;whitehouse.gov.			IN	A

;; ANSWER SECTION:
whitehouse.gov.		20	IN	A	59.151.148.110
whitehouse.gov.		20	IN	RRSIG	A 7 2 20 20110420224012
20110417214012 43676 whitehouse.gov.
M3z/ZHkI07JM+CC25GFf3NZnO9nVddZ+qnGtqnx2pVUtV0AFRa+VX+TX
G8qgWL49xNEQzce4vrf0CocEGoqgDf/x0R+qntMy2GmK7go06KrvNoLG
pJW0grr9ZLx0k6uN8xRcSDlI/H9/SJyfCWPJq1pHJpDCsHTeiSXtEb0J gnU=

Note that www.whitehouse.gov is a CNAME into akamai that's unsigned, so
you
don't get the AD bit when querying that, unless you specifically ask for
the CNAME:

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> +dnssec -t cname
www.whitehouse.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29148
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.whitehouse.gov.		IN	CNAME

;; ANSWER SECTION:
www.whitehouse.gov.	3527	IN	CNAME
www.whitehouse.gov.edgesuite.net.
www.whitehouse.gov.	3527	IN	RRSIG	CNAME 7 3 3600
20110420224012 20110417214012 43676 whitehouse.gov.
n+pU7FVUMC3VvJ3yUQs7HrKCj6fQs4xTL9H35YvaSnKxc42GnoqfrbwM
X1dRndkE9qBlD9PnEiu2mJDUgsz/8GDbZQ61/Bphdl/M+2533QwiAB9w
dEj0AFRUTmkJFNZrUqM12YS84yvbArIv38OPvCxSGYSO21F4naxcla50 n5U=

Paul

More information about the bind-users mailing list