Sparklight and DNSSEC

Philip Prindeville philipp_subx at redfish-solutions.com
Fri Sep 23 16:54:28 UTC 2022


Hi all,

I was seeing a lot of noise about RRSIGs using the Sparklight name servers dns1.cableonet.net and c1dns.cableone.net, like this:

Sep 23 10:44:24 OpenWrt3 named[28113]:   validating net/SOA: got insecure response; parent indicates it should be secure
Sep 23 10:44:24 OpenWrt3 named[28113]: no valid RRSIG resolving 'azurefd.net/DS/IN': 24.116.0.53#53
Sep 23 10:44:24 OpenWrt3 named[28113]:   validating net/SOA: got insecure response; parent indicates it should be secure
Sep 23 10:44:24 OpenWrt3 named[28113]: no valid RRSIG resolving 'azurefd.net/DS/IN': 24.116.2.50#53

So I asked on #bind (I'm philipp64 on IRC) and it was suggested that I do some debugging with dig (always a good idea) and I was seeing:

philipp at macbook3 netgear % dig +dnssec ns . @24.116.2.50

; <<>> DiG 9.10.6 <<>> +dnssec ns . @24.116.2.50
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56814
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:
.			352343	IN	NS	b.root-servers.net.
.			352343	IN	NS	m.root-servers.net.
.			352343	IN	NS	f.root-servers.net.
.			352343	IN	NS	a.root-servers.net.
.			352343	IN	NS	i.root-servers.net.
.			352343	IN	NS	j.root-servers.net.
.			352343	IN	NS	e.root-servers.net.
.			352343	IN	NS	c.root-servers.net.
.			352343	IN	NS	l.root-servers.net.
.			352343	IN	NS	g.root-servers.net.
.			352343	IN	NS	d.root-servers.net.
.			352343	IN	NS	k.root-servers.net.
.			352343	IN	NS	h.root-servers.net.

;; Query time: 199 msec
;; SERVER: 24.116.2.50#53(24.116.2.50)
;; WHEN: Fri Sep 23 10:47:06 MDT 2022
;; MSG SIZE  rcvd: 239

philipp at macbook3 netgear % 
philipp at macbook3 netgear % dig +dnssec ns . @24.116.0.53

; <<>> DiG 9.10.6 <<>> +dnssec ns . @24.116.0.53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32668
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:
.			352318	IN	NS	e.root-servers.net.
.			352318	IN	NS	h.root-servers.net.
.			352318	IN	NS	i.root-servers.net.
.			352318	IN	NS	l.root-servers.net.
.			352318	IN	NS	g.root-servers.net.
.			352318	IN	NS	a.root-servers.net.
.			352318	IN	NS	f.root-servers.net.
.			352318	IN	NS	c.root-servers.net.
.			352318	IN	NS	k.root-servers.net.
.			352318	IN	NS	b.root-servers.net.
.			352318	IN	NS	d.root-servers.net.
.			352318	IN	NS	j.root-servers.net.
.			352318	IN	NS	m.root-servers.net.

;; Query time: 148 msec
;; SERVER: 24.116.0.53#53(24.116.0.53)
;; WHEN: Fri Sep 23 10:47:31 MDT 2022
;; MSG SIZE  rcvd: 239

philipp at macbook3 netgear % 


But when I query a root-server directly I get:


philipp at macbook3 netgear % dig @192.112.36.4 . NS +dnssec

; <<>> DiG 9.10.6 <<>> @192.112.36.4 . NS +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14311
;; flags: qr aa rd; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:
.			518400	IN	NS	c.root-servers.net.
.			518400	IN	NS	e.root-servers.net.
.			518400	IN	NS	b.root-servers.net.
.			518400	IN	NS	i.root-servers.net.
.			518400	IN	NS	a.root-servers.net.
.			518400	IN	NS	m.root-servers.net.
.			518400	IN	NS	l.root-servers.net.
.			518400	IN	NS	k.root-servers.net.
.			518400	IN	NS	d.root-servers.net.
.			518400	IN	NS	f.root-servers.net.
.			518400	IN	NS	h.root-servers.net.
.			518400	IN	NS	j.root-servers.net.
.			518400	IN	NS	g.root-servers.net.
.			518400	IN	RRSIG	NS 8 0 518400 20221006040000 20220923030000 20826 . kdM5bBa8kWQGO+VHvUEfhK0dtAkquKtvUXP8SOTpVL2LUL1dI16scZQq O47f0N44+a0UiemadNcobEA3DacAjRLBfv7kA8h1520w2KL59ds66hZq ZumTiKgEUiU5nuX7cnOUYJwN1A/UZuvlSJ1fUHtokDBi2hRq6U/wKJw9 e0mt0j9B1jgi67yJuRQ/XTAh12B2pbABQCJs74cUHn+TMU7LYwdMAt56 Zznnk14gYcXvwpR5IBwM9FQ8ROxFLKG8i9lua6+bxenkBl1E6xGiPvnA g7RicBqdwzQ2JdvfoMyTiqh9xfWmaatqiivzEwiHl9Zjiw87y8T29F3n J9lWwQ==

;; ADDITIONAL SECTION:
m.root-servers.net.	518400	IN	A	202.12.27.33
l.root-servers.net.	518400	IN	A	199.7.83.42
k.root-servers.net.	518400	IN	A	193.0.14.129
j.root-servers.net.	518400	IN	A	192.58.128.30
i.root-servers.net.	518400	IN	A	192.36.148.17
h.root-servers.net.	518400	IN	A	198.97.190.53
g.root-servers.net.	518400	IN	A	192.112.36.4
f.root-servers.net.	518400	IN	A	192.5.5.241
e.root-servers.net.	518400	IN	A	192.203.230.10
d.root-servers.net.	518400	IN	A	199.7.91.13
c.root-servers.net.	518400	IN	A	192.33.4.12
b.root-servers.net.	518400	IN	A	199.9.14.201
a.root-servers.net.	518400	IN	A	198.41.0.4
m.root-servers.net.	518400	IN	AAAA	2001:dc3::35
l.root-servers.net.	518400	IN	AAAA	2001:500:9f::42
k.root-servers.net.	518400	IN	AAAA	2001:7fd::1
j.root-servers.net.	518400	IN	AAAA	2001:503:c27::2:30
i.root-servers.net.	518400	IN	AAAA	2001:7fe::53
h.root-servers.net.	518400	IN	AAAA	2001:500:1::53
g.root-servers.net.	518400	IN	AAAA	2001:500:12::d0d
f.root-servers.net.	518400	IN	AAAA	2001:500:2f::f
e.root-servers.net.	518400	IN	AAAA	2001:500:a8::e
d.root-servers.net.	518400	IN	AAAA	2001:500:2d::d
c.root-servers.net.	518400	IN	AAAA	2001:500:2::c
b.root-servers.net.	518400	IN	AAAA	2001:500:200::b
a.root-servers.net.	518400	IN	AAAA	2001:503:ba3e::2:30

;; Query time: 186 msec
;; SERVER: 192.112.36.4#53(192.112.36.4)
;; WHEN: Fri Sep 23 10:48:35 MDT 2022
;; MSG SIZE  rcvd: 1109

philipp at macbook3 netgear % 


Ah, there it is.  So I asked Sparklight directly (via my sales rep) and he said:

> DNSSEC is intentionally disabled on the Sparklight recursive DNS servers. We did enable this as a test in late 2019 and disabled it in January 2020. The reason for the disable was there were and are many major service providers, at the time Netflix was one of them, that had DNSSEC incorrectly or incompletely set up on their side. With DNSSEC enabled on our recursive servers this caused a complete outage to many of these services for our customers and greatly impacted the call centers with calls regarding these services, at the time it even had the visibility of our CEO. To enable DNSSEC on our recursive servers a project would need to be created for testing of services through our recursive services to ensure the enablement of DNSSEC does not negatively impact our subscribers.


Which I don't get, because Netflix figured that one out a while ago.  I get that Sparklight is a cable MSP and as such, sees the world through streaming-tinted glasses, but still.

Anyway, I suggested that they stand up a second pair of DNS servers, this time with DNSSEC enabled, and let their customers decide if streaming is more important than security.  Waiting to hear back...

How many ISPs squelch DNSSEC like that?  I hope it's not a common practice!

-Philip
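As an added example (not part of the original post or of BIND), a small Python parser that makes the check the dig runs above were used for: does the reply echo the EDNS DO flag, does the ANSWER section carry RRSIGs, and is the AD bit set? The two embedded inputs are trimmed excerpts of the replies quoted in the post (Sparklight's recursive server and g.root-servers.net); the verdict strings are my own wording.

```python
import re

# Trimmed excerpts of two replies quoted in the post: Sparklight's resolver and g.root-servers.net.
SPARKLIGHT = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
;; ANSWER SECTION:
.\t352343\tIN\tNS\tb.root-servers.net.
"""
ROOT = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; ANSWER SECTION:
.\t518400\tIN\tNS\tc.root-servers.net.
.\t518400\tIN\tRRSIG\tNS 8 0 518400 20221006040000 20220923030000 20826 . kdM5...
"""

def analyze_dig(text):
    """Pull the DNSSEC-relevant bits out of a dig response."""
    hdr = re.search(r"^;; flags: ([^;]*);", text, re.M)
    header_flags = set(hdr.group(1).split()) if hdr else set()
    edns = re.search(r"^; EDNS: version: \d+, flags:([^;]*);", text, re.M)
    edns_flags = set(edns.group(1).split()) if edns else set()
    rrsigs, in_answer = 0, False
    for line in text.splitlines():
        if line.startswith(";;"):  # any section header starts or ends ANSWER
            in_answer = line.startswith(";; ANSWER SECTION:")
            continue
        fields = line.split()
        if in_answer and len(fields) > 3 and fields[3] == "RRSIG":
            rrsigs += 1
    return {"do": "do" in edns_flags, "ad": "ad" in header_flags,
            "aa": "aa" in header_flags, "rrsigs": rrsigs}

def verdict(summary):
    if not summary["do"]:
        return "no DO flag in reply: server did not echo +dnssec, so no RRSIGs"
    if summary["rrsigs"] == 0:
        return "DO set but no RRSIG in answer: zone is probably unsigned"
    if summary["aa"]:
        return "authoritative signed answer (an authoritative server does not set AD)"
    if summary["ad"]:
        return "signed and validated by the recursive server (AD set)"
    return "signed but AD clear: the recursive server does not validate"

for name, reply in (("Sparklight", SPARKLIGHT), ("g.root", ROOT)):
    print(name, "->", verdict(analyze_dig(reply)))
```

Feed it the full output of `dig +dnssec` against any resolver to see which of the three states (DO ignored, signed but unvalidated, validated) it is in.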
