Issue with dns resolution for www.ssa.gov

Mark Andrews marka at isc.org
Fri Sep 2 00:33:49 UTC 2022


Just because a broken configuration “works” some of the time for some
people, that doesn’t mean that it is not broken.

RFC 1034 says:

"The domain system provides such a feature using the canonical name
(CNAME) RR.  A CNAME RR identifies its owner name as an alias, and
specifies the corresponding canonical name in the RDATA section of the
RR.  If a CNAME RR is present at a node, no other data should be
present; this ensures that the data for a canonical name and its aliases
cannot be different.  This rule also insures that a cached CNAME can be
used without checking with an authoritative server for other RR types."

Now www.ssa.gov has (or should have) NS and SOA records besides the CNAME
as it is (supposedly) a delegated zone.  The nameservers hosting this zone
should be rejecting it according to RFC 1034.

On top of this the parent zone is signed and validating clients need to be
able to retrieve the non-existence proof for the DS RRset from the parent
zone.  If you are validating through a server then when you ask for
www.ssa.gov DS and it finds a CNAME record at www.ssa.gov then that should
be a valid reply because CNAMEs are not supposed to have other records at
the same name.  There is an exception for KEY to allow SIG(0) signed messages
using the private part of that key to update the CNAME record and for NSEC
to prove the non-existence of KEY and names in the zone’s namespace after the
CNAME record.

No RFC says “If the query type is DS and you find a CNAME, ignore that CNAME
and perform a lookup for the DS”.  This text doesn’t exist because RFC 1034
says this is an illegal (broken) configuration.  There is no exception for
DS like there is for KEY and NSEC.

If you investigate further the “servers” for www.ssa.gov are DNSSEC aware
as they don’t return CNAME for a KEY lookup.  What they do return is a
non-existence response using a SOA record with the owner name of ssa.gov
which means the “delegation” is pointing into the middle of a different
instance of “ssa.gov” which has a CNAME rather than NS records at www.ssa.gov
so there isn’t even a proper delegation.  This also means that any sanity
checking in the server for CNAME and other data is defeated by the broken
delegation. 

% dig key www.ssa.gov @gtmu2.ssa.gov

; <<>> DiG 9.19.5-dev <<>> key www.ssa.gov @gtmu2.ssa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47786
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ssa.gov.			IN	KEY

;; AUTHORITY SECTION:
ssa.gov.		60	IN	SOA	gtmu1.ssa.gov. 1G. 2022082605 10800 3600 604800 60

;; Query time: 273 msec
;; SERVER: 137.200.43.17#53(gtmu2.ssa.gov) (UDP)
;; WHEN: Fri Sep 02 10:18:46 AEST 2022
;; MSG SIZE  rcvd: 93

%

Mark

> On 2 Sep 2022, at 08:16, Bhangui, Sandeep - BLS CTR via bind-users <bind-users at lists.isc.org> wrote:
> 
> 
> If I go to my personal computer or my personal phone (not on VPN connected to BLS network or using BLS resources) I can get to the site www.ssa.gov, which would lead me to believe that it is able to resolve www.ssa.gov.
> 
> Does that mean the dns resolution for www.ssa.gov is not broken globally as explained below?
> 
> Or maybe personal computer & my personal phone are querying different DNS servers over the internet which are able to resolve www.ssa.gov correctly and get to the website?
> 
> Thanks
> Sandeep
> 
> 
> 
> -----Original Message-----
> From: bind-users <bind-users-bounces at lists.isc.org> On Behalf Of Bjørn Mork
> Sent: Thursday, September 1, 2022 5:26 PM
> To: BIND users <bind-users at lists.isc.org>
> Subject: Re: Issue with dns resolution for www.ssa.gov
> 
> CAUTION: This email originated from outside of BLS. DO NOT click links or open attachments unless you recognize the sender and know the content is safe. Please send suspicious emails as an attachment to SECURE at BLS.GOV.
> 
> www.ssa.gov is a separate zone according to the ssa.gov NS:
> 
> bjorn at idefix:~$ dig ns www.ssa.gov @dns1.ssa.gov
> 
> ; <<>> DiG 9.16.27-Debian <<>> ns www.ssa.gov @dns1.ssa.gov
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56002
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 3419fe2b41b19e86fd0d2330631122fd3a26a591e846d4b1 (good)
> ;; QUESTION SECTION:
> ;www.ssa.gov.                   IN      NS
> 
> ;; AUTHORITY SECTION:
> www.ssa.gov.            60      IN      NS      gtms2.ssa.gov.
> www.ssa.gov.            60      IN      NS      gtms1.ssa.gov.
> www.ssa.gov.            60      IN      NS      gtmu1.ssa.gov.
> www.ssa.gov.            60      IN      NS      gtmu2.ssa.gov.
> 
> ;; ADDITIONAL SECTION:
> GTMS1.ssa.gov.          36000   IN      AAAA    2001:1930:e03::13
> GTMS2.ssa.gov.          36000   IN      AAAA    2001:1930:e03::14
> GTMU1.ssa.gov.          36000   IN      AAAA    2001:1930:d07:1::10
> GTMU2.ssa.gov.          36000   IN      AAAA    2001:1930:d07:1::11
> GTMS1.ssa.gov.          36000   IN      A       137.200.4.203
> GTMS2.ssa.gov.          36000   IN      A       137.200.4.204
> GTMU1.ssa.gov.          36000   IN      A       137.200.43.16
> GTMU2.ssa.gov.          36000   IN      A       137.200.43.17
> 
> ;; Query time: 107 msec
> ;; SERVER: 2001:1930:d07:1::8#53(2001:1930:d07:1::8)
> ;; WHEN: Thu Sep 01 23:24:13 CEST 2022
> ;; MSG SIZE  rcvd: 348
> 
> 
> 
> But it's a CNAME according to the www.ssa.gov NS:
> 
> 
> bjorn at idefix:~$ dig a www.ssa.gov @gtms1.ssa.gov
> 
> ; <<>> DiG 9.16.27-Debian <<>> a www.ssa.gov @gtms1.ssa.gov
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43620
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;www.ssa.gov.                   IN      A
> 
> ;; ANSWER SECTION:
> www.ssa.gov.            300     IN      CNAME   www.ssa.gov.edgekey.net.
> 
> ;; Query time: 127 msec
> ;; SERVER: 2001:1930:e03::13#53(2001:1930:e03::13)
> ;; WHEN: Thu Sep 01 23:25:01 CEST 2022
> ;; MSG SIZE  rcvd: 77
> 
> 
> 
> CDNs playing tricks. This won't fly.
> 
> 
> 
> Bjørn
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
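The checks Mark walks through by hand above (a CNAME may not share its owner name with other data, RFC 1034 section 3.6.2 with the DNSSEC exceptions of RFC 2181 section 10.1 and RFC 4035 section 2.5; and a server that really hosts a delegated zone proves non-existence with that zone's SOA, not an ancestor's) can be expressed as a small offline diagnostic. This is an added example, not code from the thread, from ISC or from BIND. The responses and the `diagnose`, `cname_conflicts` and `is_strict_ancestor` helpers are constructed here; the record data is copied from the dig output quoted in the thread, and no queries are sent.

```python
"""Offline sanity checks for a delegation whose child servers answer with a CNAME.

Added example (not ISC/BIND code). Models the RFC 1034 s3.6.2 CNAME rule with
the DNSSEC exceptions from RFC 2181 s10.1 and RFC 4035 s2.5, plus the
negative-answer SOA check reasoned through in the thread. All responses are
constructed from the dig output quoted in the thread; nothing goes on the wire.
"""
from collections import namedtuple
from dataclasses import dataclass, field

RR = namedtuple("RR", "owner ttl rtype rdata")

# Types that may share an owner name with a CNAME: SIG, NXT, KEY (RFC 2181
# s10.1, pre-RFC-4035 DNSSEC) and RRSIG, NSEC (RFC 4035 s2.5). Nothing else.
CNAME_COEXIST_OK = {"SIG", "NXT", "KEY", "RRSIG", "NSEC"}


@dataclass
class Response:
    """Minimal model of an authoritative reply: question, AA flag, two sections."""
    qname: str
    qtype: str
    aa: bool
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)


def canon(name):
    """Lower-case and add the trailing dot so owner names compare reliably."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def is_strict_ancestor(ancestor, name):
    """True if ancestor is a proper parent of name (ssa.gov. of www.ssa.gov.)."""
    a, n = canon(ancestor), canon(name)
    return a != n and (a == "." or n.endswith("." + a))


def cname_conflicts(rrs):
    """RFC 1034 s3.6.2: owner names holding a CNAME plus non-permitted data."""
    by_owner = {}
    for rr in rrs:
        by_owner.setdefault(canon(rr.owner), set()).add(rr.rtype.upper())
    conflicts = {}
    for owner, types in by_owner.items():
        extra = types - {"CNAME"} - CNAME_COEXIST_OK
        if "CNAME" in types and extra:
            conflicts[owner] = sorted(extra)
    return conflicts


def diagnose(delegated_zone, responses):
    """(code, detail) findings for a child delegated delegated_zone by its parent."""
    zone = canon(delegated_zone)
    findings = []
    for resp in responses:
        qname = canon(resp.qname)
        answer_types = {rr.rtype.upper() for rr in resp.answer if canon(rr.owner) == qname}
        if resp.aa and qname == zone and "CNAME" in answer_types:
            # The parent says this name is a zone apex, so it must also carry
            # SOA and NS; RFC 1034 forbids those next to a CNAME.
            findings.append(("CNAME_AT_APEX",
                             f"{qname} is delegated yet answers {resp.qtype} with a CNAME"))
        if not resp.answer:
            for soa in (rr for rr in resp.authority if rr.rtype.upper() == "SOA"):
                if is_strict_ancestor(soa.owner, zone):
                    # A server hosting the delegated zone would prove non-existence
                    # with that zone's SOA; an ancestor's SOA means it does not host it.
                    findings.append(("NEGATIVE_SOA_ABOVE_ZONE",
                                     f"{resp.qtype} {qname}: SOA owner {canon(soa.owner)} "
                                     f"is above the delegated zone {zone}"))
    # Coexistence rule over every authoritative record observed.
    seen = [rr for resp in responses if resp.aa for rr in resp.answer + resp.authority]
    for owner, types in cname_conflicts(seen).items():
        findings.append(("CNAME_WITH_OTHER_DATA", f"{owner} has CNAME alongside {', '.join(types)}"))
    return findings


# Constructed from the dig output quoted in the thread (TTLs and rdata as shown).
PARENT_NS = [RR("www.ssa.gov.", 60, "NS", n) for n in
             ("gtms2.ssa.gov.", "gtms1.ssa.gov.", "gtmu1.ssa.gov.", "gtmu2.ssa.gov.")]
CHILD_A = Response("www.ssa.gov.", "A", aa=True,
                   answer=[RR("www.ssa.gov.", 300, "CNAME", "www.ssa.gov.edgekey.net.")])
CHILD_KEY = Response("www.ssa.gov.", "KEY", aa=True,
                     authority=[RR("ssa.gov.", 60, "SOA",
                                   "gtmu1.ssa.gov. 1G. 2022082605 10800 3600 604800 60")])

# Constructed: what a server that truly hosted a zone at www.ssa.gov would have
# to load. SOA and NS at the apex collide with the CNAME; the NSEC is permitted.
APEX_WITH_CNAME = [
    RR("www.ssa.gov.", 60, "SOA", "gtmu1.ssa.gov. hostmaster.ssa.gov. 1 3600 600 604800 60"),
    RR("www.ssa.gov.", 60, "NS", "gtmu1.ssa.gov."),
    RR("www.ssa.gov.", 300, "CNAME", "www.ssa.gov.edgekey.net."),
    RR("www.ssa.gov.", 300, "NSEC", "www.ssa.gov. CNAME RRSIG NSEC"),
]


def thread_findings():
    """Run the checks against the responses quoted in the thread."""
    return diagnose(PARENT_NS[0].owner, [CHILD_A, CHILD_KEY])


if __name__ == "__main__":
    for code, detail in thread_findings():
        print(f"{code}: {detail}")
    print("zone-file coexistence check:", cname_conflicts(APEX_WITH_CNAME))
```

`thread_findings()` reports `CNAME_AT_APEX` for the A answer and `NEGATIVE_SOA_ABOVE_ZONE` for the KEY answer, but no `CNAME_WITH_OTHER_DATA`: because the servers never return a zone at www.ssa.gov, the coexistence rule has nothing to catch, which is the point about the broken delegation defeating the server's own sanity checks. Running `cname_conflicts` over `APEX_WITH_CNAME` shows what a correctly delegated zone would have tripped over at load time.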
