Validation succeeds when keys with multiple algorithms present, but not RRSIGs for both
Mark Andrews
marka at isc.org
Fri Aug 2 12:25:46 UTC 2013
In message <51FB9C18.23133.401EA34 at tmorizot.sd.is.irs.gov>, "Scott Morizot" wri
tes:
> Hello all,
>
> I ran into an interesting situation resolving dfas.mil. It appears that
> they have attempted to roll their ZSKs to algorithm 8 while leaving their
> KSKs on algorithm 7. Unfortunately, RFC 4035 specifies that if DNSKEYs
> for multiple algorithms exist in the apex DNSKEY RRset, then an RRSIG for
> each record set in the zone MUST include at least one RRSIG for each
> algorithm. (The distinction between KSK and ZSK is an operational
> convenience and not part of the standard, per se.) The relevant excerpt
> from Section 2.2 of RFC 4035:
>
> There MUST be an RRSIG for each RRset using at least one DNSKEY of
> each algorithm in the zone apex DNSKEY RRset. The apex DNSKEY RRset
> itself MUST be signed by each algorithm appearing in the DS RRset
> located at the delegating parent (if any).
>
> DNSViz and Verisign's DNSSEC debugger correctly report the error.
>
> http://dnssec-debugger.verisignlabs.com/dfas.mil
>
> http://dnsviz.net/d/dfas.mil/dnssec/
>
> However, I discovered when I checked against DNS-OARC ODVR (and my own
> personal validating recursive nameserver at home) that BIND 9 apparently
> doesn't correctly enforce that requirement.
Because the requirement is *only* on the signer. You will note
that the validator is NOT required to check for this as part of the
list of things it is supposed to check for and that is a deliberate
design decision. If the signer follows this and the timing rules
the zone will not be treated as bogus. The unbound developers
didn't realise this initially and added unspecified checks to their
validator.
As the zone currently stands a validator that only support alg 8
will treat it as insecure as there is no DS record from alg 8. A
validator that only supports alg 7 will treat it as secure. A
validator that supports alg 7 and alg 8 will treat it as secure.
Remember when you introduce a new algorithm you will have cached
records that only have old signature on them which are being returned
to down stream validators and their is no syncronisation of record
expiry. You may have a old DNSKEY set and new signatures on other
records in the zone or you may have the new DNSKEY set and old
signatures on other records in the zone. The validator has to work
under both circumstances.
The only RRset that it is possible to perform this consistancy check
on is the DNSKEY RRset itself and both algorithms exist in the RRSIGs.
; <<>> DiG 9.10.0pre-alpha <<>> +dnssec dfas.mil dnskey +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51859
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dfas.mil. IN DNSKEY
;; ANSWER SECTION:
dfas.mil. 25300 IN DNSKEY 257 3 7 (
AwEAAXLZgixJU1KVrdcv+evwuKlDFDmUQR7FsC2zghPU
mERiPR9wwgpuKdkQ6BQizeObACqfUwepXuBp1b3t0480
Oyn7OlCaaV+M/O1hH5pkCaRV69iVuWRqPAXfCu6XvHUz
xL2ugzwr+uYeGrRLfDNsZ1VN/b1zc33c2qdepPbcMDv7
8ZzXlgy1DJ6DjylOQx7Jm/5uKQiA6sA+W9ViZTHZ9BX9
9mQcaRqFzY4eVCGid7sgrD71hTxSOnK3b1B1gQEv8CCP
eZwFsCOG2/9ToTXRxRP1dvIHoWkEEGHy2czb2FbGrfiW
sRF1uVwoMJRX28D4QndyFy1yWLOMKh0DNyjyePc=
) ; KSK; alg = NSEC3RSASHA1; key id = 4069
dfas.mil. 25300 IN DNSKEY 256 3 8 (
AwEAAeIV8hHiYnEiREniwiz5NkAP2yuklG9b0iEBCij0
F/1Z//Yps0Kk3ss9DprQXqs5MlyCwVJZ1JOIlTe3dlhW
+fiTBGnSlo/VeBJIfflMAdbzQh7ls9mesdr2kOyjgZzg
iO8snht0kGYYlr3Qa+4zvSi4p7uJ7oMYEVc7OD13P2PN
2pM+lwGgB78m9BXLcibw6GBiqVL2M7sY3j0BV1Zbzjd6
/lEWN1QVktueetc1PfTco9RiJ7vnkw9VpI/FtaKQLDIp
YWCRPOUoUxLk/ji5r3jez8zQbbe8VxjuH+hyMvb69GMd
k6Y88vskrCotECqbG/TijhPnDjhfJ0IWY5Kj8Mk=
) ; ZSK; alg = RSASHA256; key id = 8389
dfas.mil. 25300 IN DNSKEY 256 3 8 (
AwEAAXzmgOtId7xGSjccxMfW8WlEEJKH7GTnzD58VqhF
2CJBN0eiyKFxQVwmSdrr9TG/mCVTbAH7RGAP/R3pYxhB
fBybZp+WwlryBSQIeWpgLFwwv4oLlKxopcpsFcG23Oh5
BxTuBPW/NCWSu6deGpkA4WQP275Q0gRwjlBKZtD3b8wD
PsRhL9TsxsYNzLELIW2dnE82YcZB22XVyV0NVbNE1Ks0
S6oZznxXCp3d2lVw8ImgVm2hCD0c9EZUi7pYf6NedMVH
mxI5t/JGC22z0Z1/zmQu3z76ZsEhl/uetzSqK9VczmZ3
JPNNbOtyQHf23lne33mxnZaAuTn81sGLyaVLS6s=
) ; ZSK; alg = RSASHA256; key id = 1213
dfas.mil. 25300 IN DNSKEY 257 3 7 (
AwEAAenwNSQi4dIwyzW8Sk27HDklyrQM/2n/TuPRR03k
ql1Ln4W05Hel9tBiPQ/bmZP5ce11JojB/hekKbKljHA4
snytiS9Wyd0YHLm7N+kIdDjt95k+aySuJ72YXqgSbexr
fAOWDtiatyJmd1S/cKvC3S71QIQEUVNS+UsYqAUj6pJ9
X5kF3L7KS+PoPw0DXBLK6+9KcF4k4RC9siJADVvZy9ay
fhLq8MxjHW6Qid8nTYn3IGd7nGWfpgrNbugi/BBoYWh1
+kwtShZcEFx17IkUlUjwuN5nDdvCY6ALofWY9x/sxQdM
IZi2bprJM71V/UOrsRvRYhwcx+qqYIRLeVa0K08=
) ; KSK; alg = NSEC3RSASHA1; key id = 32598
dfas.mil. 25300 IN RRSIG DNSKEY 7 2 86400 (
20130808070034 20130801060034 4069 dfas.mil.
A2oCGrAHQ+3hlMHqKb5Cst90JyQsJgcWxrbcg4r+rul5
J2Kg++rIOzMneVI1XDbrke/qZkgkM6+FwGGl8eDpqb5O
VZdDLtZx4llXeyCKjWKon9gTJu1gdHal3nKZDJsJhfL3
tqEbPp29XNEyFxb3m+0V6ubYXXh6n/iCSHQfAIVBmWHL
A0Wp5I9jldzibLK5fqgNq65JTw6/a8WHkOWI/PZMV7g0
eej3WzUz0C2GC5k6ULgHmSS/wAHHzHz4z0IDGV3vGkJe
xqHj4FhsgYDNP1cVqw7b4mJyGjKa/samugq3sUnRw0C+
KRP8o0J0nZos65DmMpJtb5yA9EHwMVLMFg== )
dfas.mil. 25300 IN RRSIG DNSKEY 8 2 86400 (
20130808070034 20130801060034 8389 dfas.mil.
EEpPNXelw1QusMw8awFwf7ScAkRNZOEj9RCDk/V9BsTl
XXvP65lCPD/QEiInJ3I9rglNllzKZxXAWRDjcemwSgkO
bZdUy/8rsyWm7/KDx7DtzpmS5TS4spdNgmiutH6386YE
tBf7hjxPR3qE1SqyY+NN4R4QQ3o0M9LGaU4tg+i2laFx
Gl2K6H4svUbgR8yekVOLqwD9plKGxIpYslMBOK+JW/Zs
Cae4yY+qwpK6iBZYRdHcvdulEz1ODeRbMsjuec0EOuvw
DCSY23ltsUR1Hz/D/By/QsL922DUQ3NO2ZD0HcJa1aPp
lGS/s+q/4yHHd8xT2t7bOse/Ro3CyQkZ5g== )
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Aug 02 22:18:34 EST 2013
;; MSG SIZE rcvd: 1733
> https://www.dns-oarc.net/oarc/services/odvr
>
> The BIND 9 resolver returns an answer with the AD bit set. Unbound
> returns SERVFAIL. Secure64 Caches also return SERVFAIL. Those are the
> only three nameservers I've tested.
Version 1.4.8 onwards should validate the zone. Earlier versions were
broken. http://www.unbound.net/documentation/info_algo.html
> It looks like a validation bug in BIND to me, but I thought I would see
> what others thought. It's probably a pretty rare situation, since I can't
> imagine most people who choose to use separate KSKs and ZSKs would try to
> migrate only their ZSKs to a new algorithm while leaving their KSKs at
> the old algorithm.
It is not a bug. Named is working as expected.
> Thanks,
>
> Scott
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list