[Unbound-users] faa.gov is not resolvable using DNSSEC resolver.

Hauke Lampe lampe at hauke-lampe.de
Mon Oct 10 21:55:24 UTC 2011


On 10.10.2011 21:06, Chris Gotstein wrote:

> I do not see any other MTU or fragment issues on our network, yet we
> cannot resolve faa.gov.

My unbound resolver (svn rev. 2502) servfails faa.gov, too, and so does
DNS-OARC's:

dig +dnssec faa.gov dnskey @149.20.64.21
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45179

I think this might be a case of Unbound still being too strict on the
algorithm selection. OTOH, it really looks like a downgrade attack:

The DS records chain faa.gov to KSKs 28521 (NSEC3RSASHA1) and 4837
(RSASHA256). The DNSKEY RRSet is signed only by the "weaker" KSK 28521
(and ZSK 26230), not KSK 4837.

So, Unbound doesn't accept the DNSKEY RRSet:

| info: Did not match a DS to a DNSKEY, thus bogus.
| info: Could not establish a chain of trust to keys for faa.gov. DNSKEY IN
| info: validation failure <faa.gov. DNSKEY IN>: signature missing from
162.58.35.104 for key faa.gov. while building chain of trust

The KSK signature also looks a bit odd. You'll see it if you query the
servers with different case. The KSK RRSIG is returned in all-lowercase:

dig +dnssec +norec FaA.GOV dnskey @204.108.10.2
[...]
| FaA.GOV. DNSKEY 256 3 7 ; ZSK; alg = NSEC3RSASHA1; key id = 26230
| FaA.GOV. DNSKEY 257 3 8 ; KSK; alg = RSASHA256; key id = 4837
| FaA.GOV. DNSKEY 257 3 7 ; KSK; alg = NSEC3RSASHA1; key id = 28521
| FaA.GOV. RRSIG DNSKEY 7 2 600 20120105145312 20111007145312 26230
| faa.gov. RRSIG DNSKEY 7 2 600 20120105145312 20111007145312 28521

Detailed unbound-host log here:
https://www.hauke-lampe.de/temp/unbound-faa-debuglog.txt

BIND however resolves the query and sets "AD" in the answer.


Hauke.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20111010/a967a9dd/attachment.bin>


More information about the Unbound-users mailing list