DNSSEC, whitehouse, isc, and troubleshooting...
Marc Lampo
marc.lampo at eurid.eu
Tue Apr 19 12:46:07 UTC 2011
What should be clear to all (DNSSEC) administrators is that it is useless
to sign *your* zone(s) if they refer to other, non-signed, zones
themselves!

The danger is that the attacker will not try to cache poison your CNAME,
but the final destination A record!
Cache poisoning - Dan Kaminsky style - attacks glue (A) records anyway
(not CNAMEs).

Recommendation:
If you need to refer to other zones (webhosting, "email-in-the-cloud"),
*insist* that they as well implement DNSSEC for their zones!
Kind regards,
Marc Lampo
Security Officer for EURid vzw/asbl
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: 18 April 2011 08:35 PM
To: John Williams
Cc: bind-users at isc.org
Subject: Re: DNSSEC, whitehouse, isc, and troubleshooting...
On Mon, 18 Apr 2011, John Williams wrote:
> Subject: DNSSEC, whitehouse, isc, and troubleshooting...
>
>> From my signed domain when I query www.isc.org (w/ +dnssec) I get the
>> ad flag as expected. I don't see that flag when I query whitehouse.gov
>> (w/ +dnssec) and I know that zone is signed.
>
> Is anyone else seeing this behavior? Also, is there a link that
> addresses troubleshooting or diagnosing DNSSEC based queries?
works for me:
[paul at bofh ~]$ dig +dnssec whitehouse.gov
; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> +dnssec whitehouse.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14133
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;whitehouse.gov. IN A
;; ANSWER SECTION:
whitehouse.gov. 20 IN A 59.151.148.110
whitehouse.gov. 20 IN RRSIG A 7 2 20 20110420224012
20110417214012 43676 whitehouse.gov.
M3z/ZHkI07JM+CC25GFf3NZnO9nVddZ+qnGtqnx2pVUtV0AFRa+VX+TX
G8qgWL49xNEQzce4vrf0CocEGoqgDf/x0R+qntMy2GmK7go06KrvNoLG
pJW0grr9ZLx0k6uN8xRcSDlI/H9/SJyfCWPJq1pHJpDCsHTeiSXtEb0J gnU=
Note that www.whitehouse.gov is a CNAME into akamai that's unsigned, so you
don't get the AD bit when querying that, unless you specifically ask for
the CNAME:

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> +dnssec -t cname www.whitehouse.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29148
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.whitehouse.gov. IN CNAME
;; ANSWER SECTION:
www.whitehouse.gov. 3527 IN CNAME www.whitehouse.gov.edgesuite.net.
www.whitehouse.gov. 3527 IN RRSIG CNAME 7 3 3600
20110420224012 20110417214012 43676 whitehouse.gov.
n+pU7FVUMC3VvJ3yUQs7HrKCj6fQs4xTL9H35YvaSnKxc42GnoqfrbwM
X1dRndkE9qBlD9PnEiu2mJDUgsz/8GDbZQ61/Bphdl/M+2533QwiAB9w
dEj0AFRUTmkJFNZrUqM12YS84yvbArIv38OPvCxSGYSO21F4naxcla50 n5U=
Paul
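The behaviour both posts describe (AD set on the signed whitehouse.gov A answer and on the signed CNAME, but not on the final A record reached through the unsigned akamai zone) can be checked mechanically from `dig +dnssec` output. The script below is an added example, not code from the thread or from ISC: it parses the header flags and the ANSWER section, pairs every RRset with its covering RRSIG, and reports any hop in the answer that came back without a signature. The first two sample inputs are trimmed from Paul's outputs above (signatures truncated); the third, `CHAIN_A`, is a constructed illustration of the `www.whitehouse.gov` A query he describes, with a single unsigned `edgesuite.net` hop and a documentation-range address, not a real capture.

```python
"""Find unsigned hops in a dig +dnssec answer (added example, not from the thread).

A validating resolver only sets AD when every RRset in the answer validates.
A signed CNAME that points into an unsigned zone therefore yields a final A
record with no RRSIG, and AD is cleared, which is exactly Marc's concern:
the attacker poisons the unsigned destination, not the signed CNAME.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s*(.*)$")
FLAGS_RE = re.compile(r"^;; flags:\s*([^;]*);")


@dataclass
class RRset:
    owner: str
    rtype: str
    rdata: List[str]
    signer: Optional[str] = None  # signer name from the covering RRSIG, if any

    @property
    def signed(self) -> bool:
        return self.signer is not None


@dataclass
class Audit:
    ad: bool                                  # AD flag present in the header
    rrsets: List[RRset] = field(default_factory=list)


def parse_dig(text: str) -> Audit:
    """Parse dig output: header AD flag plus the ANSWER-section RRsets."""
    ad = False
    in_answer = False
    records: List[Tuple[str, str, List[str]]] = []
    for line in text.splitlines():
        line = line.rstrip()
        m = FLAGS_RE.match(line)
        if m:
            ad = "ad" in m.group(1).split()
            continue
        if line.startswith(";;"):                 # section header
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        if not in_answer or not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            owner, _ttl, rtype, rest = m.groups()
            records.append((owner, rtype, rest.split()))
        elif records:
            # dig wraps long rdata (RRSIG signatures) onto continuation lines
            records[-1][2].extend(line.split())
    # RRSIG rdata: type-covered alg labels orig-ttl expiry inception keytag signer sig...
    sigs: Dict[Tuple[str, str], str] = {}
    for owner, rtype, rdata in records:
        if rtype == "RRSIG" and len(rdata) >= 8:
            sigs[(owner, rdata[0])] = rdata[7]
    audit = Audit(ad=ad)
    for owner, rtype, rdata in records:
        if rtype != "RRSIG":
            audit.rrsets.append(RRset(owner, rtype, rdata, sigs.get((owner, rtype))))
    return audit


def unsigned_rrsets(audit: Audit) -> List[Tuple[str, str]]:
    """(owner, type) of every answer RRset that came back without an RRSIG."""
    return [(r.owner, r.rtype) for r in audit.rrsets if not r.signed]


def report(audit: Audit) -> str:
    bad = unsigned_rrsets(audit)
    if not bad:
        return f"all answer RRsets signed; AD={audit.ad}"
    return "AD not expected: unsigned " + ", ".join(f"{o} {t}" for o, t in bad)


# Trimmed from the post above (signature data truncated).
SIGNED_A = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;whitehouse.gov. IN A
;; ANSWER SECTION:
whitehouse.gov. 20 IN A 59.151.148.110
whitehouse.gov. 20 IN RRSIG A 7 2 20 20110420224012
20110417214012 43676 whitehouse.gov.
M3z/ZHkI07JM+CC25GFf3NZnO9nVddZ+qnGtqnx2pVUtV0AFRa+VX+TX
"""

CNAME_ONLY = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;www.whitehouse.gov. IN CNAME
;; ANSWER SECTION:
www.whitehouse.gov. 3527 IN CNAME
www.whitehouse.gov.edgesuite.net.
www.whitehouse.gov. 3527 IN RRSIG CNAME 7 3 3600
20110420224012 20110417214012 43676 whitehouse.gov.
n+pU7FVUMC3VvJ3yUQs7HrKCj6fQs4xTL9H35YvaSnKxc42GnoqfrbwM
"""

# Constructed: the A query for www.whitehouse.gov as Paul describes it, with one
# unsigned hop and a documentation (TEST-NET) address; not a real capture.
CHAIN_A = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;www.whitehouse.gov. IN A
;; ANSWER SECTION:
www.whitehouse.gov. 3527 IN CNAME www.whitehouse.gov.edgesuite.net.
www.whitehouse.gov. 3527 IN RRSIG CNAME 7 3 3600 20110420224012 20110417214012 43676 whitehouse.gov. n+pU7FVUMC3VvJ3yUQs7HrKCj6fQs4xTL9H35YvaSnKxc42GnoqfrbwM
www.whitehouse.gov.edgesuite.net. 60 IN A 192.0.2.10
"""

if __name__ == "__main__":
    for label, text in (("A", SIGNED_A), ("CNAME", CNAME_ONLY), ("A via CNAME", CHAIN_A)):
        print(f"{label}: {report(parse_dig(text))}")
```

Run against a real capture (`dig +dnssec name > out.txt`, then `parse_dig(open("out.txt").read())`), the unsigned list tells you which zone in the chain Marc's recommendation applies to.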