Closed ralfhauser closed 5 years ago
dig +dnssec +trace mx sgkb.ch
shows more on the NSEC3 level...
Can you please add the output of dig with the +trace flag? I probably won't be able to work on it this week and things might change in the meantime. A full packet capture to add a unit test would also be helpful. Wrt dnsviz: it also shows a warning in the delegation from ch to sgkb, so something is off there (but not necessarily wrong).
Which version of dnssecjava are you using? And what is an Unbound resolver reporting if you install one on your Debian system?
Using the 2018 version
dig +dnssec +trace mx sgkb.ch
; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec +trace mx sgkb.ch
;; global options: +cmd
. 79887 IN NS f.root-servers.net.
. 79887 IN NS c.root-servers.net.
. 79887 IN NS h.root-servers.net.
. 79887 IN NS a.root-servers.net.
. 79887 IN NS l.root-servers.net.
. 79887 IN NS d.root-servers.net.
. 79887 IN NS j.root-servers.net.
. 79887 IN NS g.root-servers.net.
. 79887 IN NS e.root-servers.net.
. 79887 IN NS i.root-servers.net.
. 79887 IN NS m.root-servers.net.
. 79887 IN NS b.root-servers.net.
. 79887 IN NS k.root-servers.net.
. 79887 IN RRSIG NS 8 0 518400 20190825050000 20190812040000 59944 . Ha3yht/tkEGrtMotzp1gaiTMe0loSeFonH1Erceoszt+99Iu547pVMyC Vw65uPSZ6S3jSrv6RZq0nwA49fIsAg1uZxVacKEitiZESEdUdf/4pdVF PK07TVvDQbNYBAHUVSBa/P4/MhaPZliG9iVv3wbiMBStL0f9sHjp8UbR ZnVX2zdFOXRTcJgEbi5JBTFw48eQjmr9KJrJXP8ZpQqhaRr95Q7HewjU m04GDoZ0iys44sWrcjMFSlTLZNk085FlOl3lvmQg1sU7bacReMWkiCmD ZAZnw2MrpXrIt4/nv8ljHD37dXdVYd+bz4reXwn73GbHlLw2tTEYRS6O 5TZPOw==
;; Received 540 bytes from 212.25.1.1#53(212.25.1.1) in 1 ms
ch. 172800 IN NS a.nic.ch.
ch. 172800 IN NS b.nic.ch.
ch. 172800 IN NS c.nic.ch.
ch. 172800 IN NS d.nic.ch.
ch. 172800 IN NS e.nic.ch.
ch. 172800 IN NS f.nic.ch.
ch. 172800 IN NS g.nic.ch.
ch. 172800 IN NS h.nic.ch.
ch. 86400 IN DS 11896 13 2 24EE6537B1C452D3AEBF439DCF74024717054152DA7F206D5FCBA1A9 0F70711F
ch. 86400 IN RRSIG DS 8 1 86400 20190825050000 20190812040000 59944 . WlwT2ekGXTnVZQ8cu+D90pE9VjVV7xM8CvTVkrfOs/uuSHeOSpauyJcy h9vWvifxL+YaEHgzTSen1PNdsLC8+OKEPVfwFeZB0yXwh2Qe7iFzpUvr zr6KH2puhV/wupOIl+/0vvGiUOgJciq0hlCMSSb5Fw0UV7bDDlTrI7w4 SJpeOCBrBABeVcuy6rgXToUnkM8udUrRcv3Adq5Dr7+o3CvkOFMyYuq+ yV9d62EPXo6yRNtA4dK6ntaXTPpvaenQtI37+LzsYxSb/kPwKafEt4VA NUm6FCeS5bz6ucq6VFSHw+h9qPqf0YQCpbdnvhByuuOVbMyIr1m9U5nO 5vrlZg==
;; Received 855 bytes from 199.7.83.42#53(l.root-servers.net) in 4 ms
sgkb.ch. 3600 IN NS dns1.swisscom.com.
sgkb.ch. 3600 IN NS dns2.swisscom.com.
fvb2pvjai1gkqna53kcugpspc8ickt5u.ch. 900 IN NSEC3 1 1 2 10F114D4 FVBG88QTCHGNCF3NK6GTQKDSPVE2PPME NS SOA RRSIG DNSKEY NSEC3PARAM
fvb2pvjai1gkqna53kcugpspc8ickt5u.ch. 900 IN RRSIG NSEC3 13 2 900 20190901131652 20190802130123 61432 ch. dKo3bHUp2440DpbaZqG36Uc8+WmKKo5CIp7P8WsaVq8typLBXkQ78cCf lX16VcNe/KQRQtmimetwIQ48U04Ijw==
51kk3ii7rptu8ph8oa9tpn65ndhdh51c.ch. 900 IN NSEC3 1 1 2 10F114D4 51KU0VF08701R023AQDTT48T5NE5GNJK NS DS RRSIG
51kk3ii7rptu8ph8oa9tpn65ndhdh51c.ch. 900 IN RRSIG NSEC3 13 2 900 20190901143051 20190802140124 61432 ch. AAhHIew14F+xAfIELg1h1hzyrJNFO++V8GTb1Ry4KG2EES+z6rUwxwl/ xZNH8DZ4TPxySnuQcGfQXxHYlZaloA==
;; Received 465 bytes from 194.0.1.40#53(g.nic.ch) in 1 ms
sgkb.ch. 3600 IN MX 20 mail20.swisscom.com.
sgkb.ch. 3600 IN MX 20 mail10.swisscom.com.
sgkb.ch. 3600 IN MX 10 mail.swisscom.com.
sgkb.ch. 3600 IN NS dns1.swisscom.com.
sgkb.ch. 3600 IN NS dns3.swisscom.com.
sgkb.ch. 3600 IN NS dns2.swisscom.com.
;; Received 172 bytes from 138.190.34.196#53(dns1.swisscom.com) in 5 ms
And what is an Unbound resolver reporting if you install one on your Debian system?
As a non-expert here, what do you recommend to install?
https://packages.debian.org/buster/unbound
Then use localhost as your nameserver. I currently don't know which files/options need to be set to get debug output, please refer to the manual.
And please use dnssecjava 1.2.0. It contains fixes for some CVEs and there was also an issue with stub NS records that has been fixed. You might encounter just that.
Just got today's head from git and still get:
INFO [Thread-29] (DnsSecVerifier.java:172) - RRset failed to verify: all signatures were BOGUS
DEBUG [Thread-29] (ValUtils.java:382) - verifySRRset: rrset <51kk3ii7rptu8ph8oa9tpn65ndhdh51c.ch./NSEC3/IN> found to be BAD
DEBUG [Thread-29] (ValidatingResolver.java:952) - skipping bad nsec3
DEBUG [Thread-29] (NSEC3ValUtils.java:367) - Could not find proof that the closest encloser was the closest encloser
DEBUG [Thread-29] (KeyEntry.java:198) - failed.ds.nsec3
DEBUG [Thread-29] (ValidatingResolver.java:1058) - processKeyValidate: no signerName.
DEBUG [Thread-29] (SMessage.java:239) - validate.bogus:failed.ds.nsec3
DEBUG [Thread-29] (SMessage.java:239) - validate.bogus:failed.ds.nsec3
Seems that dnsjava-2.1.8.jar (Oct 2018) creates
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62043
;; flags: qr ; qd: 1 an: 0 au: 0 ad: 1
;; QUESTIONS:
;; sgkb.ch., type = MX, class = IN
;; ANSWERS:
;; AUTHORITY RECORDS:
;; ADDITIONAL RECORDS:
. 0 CLASS65280 TXT "validate.bogus:failed.ds.nsec3"
;; Message size: 67 bytes
while a more recent version from Feb 2019 creates
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7014
;; flags: qr rd ra cd ; qd: 1 an: 3 au: 0 ad: 2
;; QUESTIONS:
;; sgkb.ch., type = MX, class = IN
;; ANSWERS:
sgkb.ch. 221 IN MX 10 mail.swisscom.com.
sgkb.ch. 221 IN MX 20 mail10.swisscom.com.
sgkb.ch. 221 IN MX 20 mail20.swisscom.com.
;; AUTHORITY RECORDS:
;; ADDITIONAL RECORDS:
. 32768 CLASS1280 OPT ; payload 1280, xrcode 0, version 0, flags 32768
. 0 CLASS65280 TXT "insecure.ds.nsec3"
;; Message size: 144 bytes
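The log above fails on the NSEC3 proof for the sgkb.ch delegation ("Could not find proof that the closest encloser was the closest encloser"), after the NSEC3 RRset itself was marked BOGUS and skipped. The following is an added Python example (not dnssecjava's or dnsjava's code) of the structural part of that proof as RFC 5155 describes it: hash the name with the zone's NSEC3 parameters, look for an exact match, otherwise find the closest encloser and check that the next closer name is covered by an Opt-Out NSEC3. The two NSEC3 records and the parameters (algorithm 1, flags 1, 2 iterations, salt 10F114D4) are copied from the dig +trace output in this thread; the classification strings and the helper names are this example's own, and it assumes the RRSIG checks have already been done separately.

```python
"""Added example: the NSEC3 closest-encloser / Opt-Out check for a referral (RFC 5155 sections 5, 8.4, 8.6)."""
import base64
import hashlib

# base32hex (RFC 4648 section 7) via the standard base32 alphabet and a translation table;
# base64.b32hexencode only exists from Python 3.10 on.
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name):
    """Canonical (lower-case, uncompressed) wire form of an absolute domain name."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """H(x) = SHA-1(x || salt), re-applied `iterations` more times, as lower-case base32hex."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii").lower()


def covers(owner_hash, next_hash, target_hash):
    """True if target lies strictly between owner and next; the last record of the chain wraps."""
    o, n, t = owner_hash.lower(), next_hash.lower(), target_hash.lower()
    if o < n:
        return o < t < n
    return t > o or t < n


def parent_names(qname, zone):
    """Ancestors of qname up to and including zone, nearest first: sgkb.ch. -> ['ch.']."""
    labels = qname.lower().rstrip(".").split(".")
    zone = zone.lower().rstrip(".")
    ancestors = []
    for i in range(1, len(labels)):
        anc = ".".join(labels[i:])
        ancestors.append(anc + ".")
        if anc == zone:
            break
    return ancestors


def check_delegation(qname, zone, nsec3s, salt_hex, iterations):
    """Classify the NSEC3 proof carried in a referral for qname out of zone.

    nsec3s: list of (owner_hash_label, flags, next_hash, types) from the authority section.
    Signature verification is assumed to have happened already; this is only the proof a
    validator assembles once the NSEC3 RRsets have been accepted.
    """
    q_hash = nsec3_hash(qname, salt_hex, iterations)
    report = {"qname_hash": q_hash, "closest_encloser": None, "next_closer": None}

    # 1. An NSEC3 owned by H(qname) speaks directly about the delegation point.
    for owner, flags, nxt, types in nsec3s:
        if owner.lower() == q_hash:
            report["result"] = "match-ds-present" if "DS" in types else "match-no-ds"
            return report

    # 2. Closest encloser: the nearest ancestor whose hash owns an NSEC3 in the set.
    names = [qname.lower().rstrip(".") + "."] + parent_names(qname, zone)
    owners = {owner.lower() for owner, _, _, _ in nsec3s}
    for i in range(1, len(names)):
        if nsec3_hash(names[i], salt_hex, iterations) in owners:
            report["closest_encloser"] = names[i]
            report["next_closer"] = names[i - 1]
            nc_hash = nsec3_hash(names[i - 1], salt_hex, iterations)
            report["next_closer_hash"] = nc_hash
            # 3. The next closer name must be covered, and for a referral the covering
            #    record needs the Opt-Out flag (bit 0); without it the zone claims the
            #    name does not exist at all, which contradicts the referral.
            for owner, flags, nxt, types in nsec3s:
                if covers(owner, nxt, nc_hash):
                    report["result"] = "optout-insecure" if flags & 1 else "bogus-no-optout"
                    return report
            report["result"] = "bogus-next-closer-not-covered"
            return report
    report["result"] = "bogus-no-closest-encloser"  # the proof the log above could not build
    return report


# NSEC3 records from the ch. referral in the dig +trace output in this thread.
CH_SALT, CH_ITERATIONS = "10F114D4", 2
CH_REFERRAL_NSEC3 = [
    ("fvb2pvjai1gkqna53kcugpspc8ickt5u", 1, "FVBG88QTCHGNCF3NK6GTQKDSPVE2PPME",
     {"NS", "SOA", "RRSIG", "DNSKEY", "NSEC3PARAM"}),
    ("51kk3ii7rptu8ph8oa9tpn65ndhdh51c", 1, "51KU0VF08701R023AQDTT48T5NE5GNJK",
     {"NS", "DS", "RRSIG"}),
]

if __name__ == "__main__":
    for key, value in check_delegation("sgkb.ch.", "ch.", CH_REFERRAL_NSEC3,
                                       CH_SALT, CH_ITERATIONS).items():
        print(f"{key}: {value}")
```

Running it prints H(sgkb.ch) under the ch. parameters and which of the two records, if any, matches the zone apex and which covers the next closer name; comparing the printed hash against the owner names in the dig output shows whether the referral's proof is structurally complete before any signature question arises. A matching NSEC3 with DS in its type bitmap would mean the parent asserts a DS exists, so a referral carrying no DS RRset would then be bogus regardless of signatures.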
dnsjava 2.1.8 is also outdated, current version is 2.1.9 which fixes dnsjava/dnsjava#17 (among others).
dnssecjava 1.2.0 contains the fix for what you experienced (PR #18).
sgkb.ch's mail is operated (like many others such as tkb.ch) by Swisscom and all worked fine till Aug 2, 2019. Now we get
Any hint who made an/the error would be useful?