Insecurity proof failed resolving newsletter.postbank.de - but why?

Mark Andrews marka at isc.org
Tue Jan 21 03:32:49 UTC 2014


In message <alpine.LSU.2.00.1401201234190.13417 at hermes-2.csi.cam.ac.uk>, Tony Finch writes:
> Graham Clinch <g.clinch at lancaster.ac.uk> wrote:
> >
> > I'm seeing a dnssec validation error that I can't pin down, for the domain:
> > newsletter.postbank.de.
> 
> Looks like a bug in BIND to me. It works out that there is no DS in the
> parent then gets muddled. I note that postbank.de is in the middle of a
> double-signature ZSK rollover. Dunno if that is relevant, but it is a bit
> unusual.

It looks like a missing NS bit in the NSEC3 record, which causes the
isdelegation check to fail.  DNSSEC proves delegations exist, or
don't exist, as the case may be, unless the delegation is in an opt-out
range.

; <<>> DiG 9.10.0a1 <<>> newsletter.postbank.de +dnssec ds
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28762
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;newsletter.postbank.de.		IN	DS

;; AUTHORITY SECTION:
postbank.de.		8981	IN	SOA	ns1.postbank.de. webmaster.postbank.de. 2010022883 86400 7200 604800 86400
postbank.de.		8981	IN	RRSIG	SOA 7 2 86400 20140125074615 20140118074615 55913 postbank.de. MAyl9jCfxylOItqAJc/Pyb55D/KI8reTVkxLYJ2oecBzhNoKTiaYw7o9 ceU7CSXRjIwWLe6DL2SKbHKrwe8G3lYHgoYOwmV62k+TgpM9Cvr8gyV/ LdheakhaDuWYmnehF5+Q1gDWQpNwoqpBLsZxQYC9B9Lg+Q2EYJflVRKf /8o=
postbank.de.		8981	IN	RRSIG	SOA 7 2 86400 20140126152235 20140119152235 32699 postbank.de. KWYHjij78NobHPVWt4SpPQUWCR/uxTjQ9ZlAplju25xazg4aPcN5g5Qw wQDPXNLVSMRhb6YZdfffN877a7CBlWPlRC5s488wwqT94kUHyOdIT+Oi UqNACz6i5Tmv9bf6ViS97sjF3JoAg2Uc3nDHFojVojzC6C6MG8tqmy49 0Pg=
393dv6p4d1fhr0kisru6alkuv0vq5th0.postbank.de. 8981 IN RRSIG NSEC3 7 3 86400 20140128024505 20140121024505 55913 postbank.de. fsi6k+JrX3ohDihsO0XG9Upl7UOs7ceMLAv3UBqgf/u7KCJiA/rp6kMO o9nqk0dJVPhcIKnB01aV+2/+MKsX0Df346CCVF11y2+mztL2Cem5K0dj vEnziZCYam34IhbKE+LuWTfPQFq4sUaMYDyXAsZi8anoMgwYtQTUdpRg Ego=
393dv6p4d1fhr0kisru6alkuv0vq5th0.postbank.de. 8981 IN RRSIG NSEC3 7 3 86400 20140128024505 20140121024505 32699 postbank.de. cCDLXMaENZIu31d1Qb4CStZAKxwtRScfyBAGoJ5LQ4mlAjNnnlhqyxNv ig+dnMWa24qL9TLoeBMr25cpcXrHi/+SkSJkQvpuzMf5lVFWekVPPOx1 ZcCPui+etUdrIRcB49a1ksT71STTQUI0noXKH6gZ/k5AisRoN/I/Z+TB ku4=
393dv6p4d1fhr0kisru6alkuv0vq5th0.postbank.de. 8981 IN NSEC3 1 0 1 D252CA1843C35103 393DV6P4D1FHR0KISRU6ALKUV0VQ5TH1 

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 21 14:20:11 EST 2014
;; MSG SIZE  rcvd: 864

 
> 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x8071e8300: newsletter.postbank.de DS: in authvalidated
> 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x8071e8300: newsletter.postbank.de DS: resuming nsecvalidate
> 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x8071e8300: newsletter.postbank.de DS: looking for relevant NSEC3
> 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x8071e8300: newsletter.postbank.de DS: looking for relevant NSEC3
> 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x8071e8300: newsletter.postbank.de DS: NSEC3 proves name exists (owner) data=0
> 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x8071e8300: newsletter.postbank.de DS: nonexistence proof(s) found
> 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): received validation completion event
> 20-Jan-2014 12:18:51.415 dnssec: debug 3: validator @0x8071e8300: dns_validator_destroy
> 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): nonexistence validation OK
> 
> ... right ...
> 
> 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): clone_results
> 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): done
> 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): stopeverything
> 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): cancelqueries
> 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): sendevents
> 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80ac04000(postbank.de/DNSKEY): doshutdown
> 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80ac04000(postbank.de/DNSKEY): stopeverything
> 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80ac04000(postbank.de/DNSKEY): cancelqueries
> 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80ac04000(postbank.de/DNSKEY): unlink
> 20-Jan-2014 12:18:51.415 resolver: debug 3: fctx 0x80ac04000(postbank.de/DNSKEY): destroy
> 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x80bb74500: newsletter.postbank.de A: in dsfetched2: ncache nxrrset
> 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x80bb74500: newsletter.postbank.de A: resuming proveunsecure
> 20-Jan-2014 12:18:51.415 dnssec: debug 3: validating @0x80bb74500: newsletter.postbank.de A: insecurity proof failed
> 
> ... what? ...
> 
> 20-Jan-2014 12:18:51.416 resolver: debug 3: fetch 0x801859ff0 (fctx 0x80b044860(newsletter.postbank.de/DS)): destroyfetch
> 20-Jan-2014 12:18:51.416 resolver: debug 3: fctx 0x80b044860(newsletter.postbank.de/DS): shutdown
> 20-Jan-2014 12:18:51.416 resolver: debug 3: fctx 0x80b044430(newsletter.postbank.de/A): received validation completion event
> 20-Jan-2014 12:18:51.416 dnssec: debug 3: validator @0x80bb74500: dns_validator_destroy
> 20-Jan-2014 12:18:51.416 resolver: debug 3: fctx 0x80b044430(newsletter.postbank.de/A): validation failed
> 20-Jan-2014 12:18:51.416 resolver: debug 3: fctx 0x80b044430(newsletter.postbank.de/A): add_bad
> 20-Jan-2014 12:18:51.416 lame-servers: info: error (insecurity proof failed) resolving 'newsletter.postbank.de/A/IN': 195.140.184.21#53
> 
> Tony.
> -- 
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
> Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
> occasionally poor at first.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
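Added example, not from the post and not BIND's code: a Python replay of the
validator's insecure-delegation decision against the NSEC3 quoted above. It
hashes newsletter.postbank.de with the record's salt and iteration count
(RFC 5155 section 5), checks whether the result matches the record's owner
name, and then applies the RFC 5155 section 8.9 / RFC 6840 section 4.4 rules:
a matching NSEC3 proves an insecure delegation only if its type bitmap has NS
set and DS (and SOA) clear, and an NSEC3 that merely covers the hash proves it
only when the Opt-Out flag is set. The record fields are transcribed from the
dig output; the function names, the verdict labels and the FIXED variant with
an NS bit are assumptions of the example.

```python
import base64
import hashlib

# Transcribed from the dig output quoted in the post:
#   393dv6p4d1fhr0kisru6alkuv0vq5th0.postbank.de. NSEC3 1 0 1 D252CA1843C35103 393DV6P4D1FHR0KISRU6ALKUV0VQ5TH1
QNAME = "newsletter.postbank.de."
RECORD = {
    "owner_hash": "393dv6p4d1fhr0kisru6alkuv0vq5th0",
    "hash_alg": 1,                      # 1 = SHA-1, the only NSEC3 hash defined
    "flags": 0,                         # bit 0 is Opt-Out; clear here
    "iterations": 1,
    "salt": bytes.fromhex("D252CA1843C35103"),
    "next_hash": "393dv6p4d1fhr0kisru6alkuv0vq5th1",
    "types": frozenset(),               # empty type bitmap: no NS, no DS
}
# Constructed variant (not something postbank.de published): the same record
# with the NS bit set, i.e. what an insecure-delegation proof needs.
FIXED = dict(RECORD, types=frozenset({"NS"}))

OPT_OUT = 0x01

# RFC 4648 base32 alphabet -> base32hex (RFC 5155 owners are base32hex,
# shown lower case in presentation format)
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789abcdefghijklmnopqrstuv")


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lower-cased
    length-prefixed labels followed by the root label."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def nsec3_hash(name, salt, iterations, hash_alg=1):
    """RFC 5155 section 5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt).
    Returns the 32-character base32hex digest used as the NSEC3 owner label."""
    if hash_alg != 1:
        raise ValueError("unknown NSEC3 hash algorithm %d" % hash_alg)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX)


def covers(owner_hash, next_hash, h):
    """True when h lies strictly between owner and next in the hash chain;
    the last record in the chain wraps around to the first."""
    o, n = owner_hash.lower(), next_hash.lower()
    if o < n:
        return o < h < n
    return h > o or h < n


def classify_ds_nodata(qname, rec):
    """Decide what one NSEC3 from a NOERROR/NODATA answer to <qname> DS proves.
    Verdicts (labels are this example's own):
      'insecure'      - matching NSEC3 with NS set and DS/SOA clear, or an
                        Opt-Out NSEC3 covering the hash: an unsigned child is OK
      'no-delegation' - matching NSEC3 without NS: the name exists in the parent
                        but is not a delegation, so there is no insecure subzone
                        and data under it must still validate
      'no-proof'      - the record neither matches nor covers the name, or its
                        bitmap claims a DS exists and contradicts the NODATA
    """
    h = nsec3_hash(qname, rec["salt"], rec["iterations"], rec["hash_alg"])
    if h == rec["owner_hash"].lower():
        t = rec["types"]
        if "DS" in t:
            return "no-proof"
        if "NS" in t and "SOA" not in t:
            return "insecure"
        return "no-delegation"
    if rec["flags"] & OPT_OUT and covers(rec["owner_hash"], rec["next_hash"], h):
        return "insecure"
    return "no-proof"


def replay(qname=QNAME, rec=RECORD):
    """Return (computed hash, whether it matches the record owner, verdict)."""
    h = nsec3_hash(qname, rec["salt"], rec["iterations"], rec["hash_alg"])
    return h, h == rec["owner_hash"].lower(), classify_ds_nodata(qname, rec)


if __name__ == "__main__":
    for label, rec in (("as published", RECORD), ("with NS bit", FIXED)):
        h, match, verdict = replay(QNAME, rec)
        print("%-13s hash=%s match=%s verdict=%s" % (label, h, match, verdict))
```

With the empty bitmap the published record yields 'no-delegation', which is
the situation behind BIND's "insecurity proof failed": the DS NODATA itself
is validly proven, but nothing proves that newsletter.postbank.de is a
delegation, so the unsigned A answer from the child cannot be accepted as
insecure. The same record with the NS bit set (the FIXED variant) turns the
same answer into a valid insecure-delegation proof.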

