internetstandards / Internet.nl

Internet standards compliance test suite
https://internet.nl

Possible issue with CNAME on DNSSEC test #1370

Open fkyanai opened 6 months ago

fkyanai commented 6 months ago

Hi !

Recently I faced the following situation on top.nic.br and Internet.nl:


But checking the DNSSEC servers, all of them are signed:

https://dnssec-analyzer.verisignlabs.com/www.iana.org

[screenshot: DNSSEC Debugger result for www.iana.org]

https://dnsviz.net/d/www.iana.org/dnssec/

[screenshot: DNSViz result for www.iana.org]

This problem happens only with the CNAME record (www); with the A record no issues are verified.

Any suggestions? Is it related to issue #188?

Best Regards Flavio

bwbroersma commented 6 months ago

The DNSSEC test does a SOA check on the domain, in this case www.iana.org, to check it's delegated; this sometimes results in an invalid signature of NSEC or some other weird DNS behavior that results in this correct detection of a DNSSEC failure, which is not perfectly explained. ~~I'm not sure what I see here: https://dnsviz.net/d/www.iana.org/dnssec/?rr=6&a=all&ds=all&ta=.&tk=~~ Update: probably a dnsviz :bug:

Thanks to @mdavids:

$ unbound-host -d -v -f /usr/share/dns/root.key -t SOA www.iana.org
...
www.iana.org is an alias for ianawww.vip.icann.org. (insecure)
ianawww.vip.icann.org has no SOA record (insecure)

mdavids commented 6 months ago

Have to delve deeper, but weird things are happening here:

dig +dnssec @9.9.9.9 -t SOA ianawww.vip.icann.org has no AD-bit.
dig +dnssec @8.8.8.8 -t SOA ianawww.vip.icann.org has.

Unbound indeed has no AD-bit too. Neither has BIND9.

gthess commented 6 months ago

From a quick look at the domain and Unbound's code, the NSEC3 record we get back is:

<hash>.vip.icann.org. 60 IN NSEC3 1 0 1 <salt> <next-hash> A NS MX TXT AAAA RRSIG DNSKEY NSEC3PARAM

The owner of the record after hash computation is ianawww.vip.icann.org. The actual hash and salt values are not important because they are autogenerated on the fly (online signing).

The NSEC3 record has an NS bit but no SOA bit. This means a delegation. Because there is no DS, this means an insecure delegation. Thus the final insecure status. If DS was there that would have been bogus.

I believe this is because there is no SOA record at ianawww.vip.icann.org as it should from what I see at least.
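The reasoning in the comment above (hash the query name to find the matching NSEC3, then read the type bitmap: NS without SOA is a delegation, and no DS makes it an insecure one) as an added, self-contained example. This is not Internet.nl or Unbound code; it implements the RFC 5155 owner-name hash and the bitmap rules a validator applies to a NODATA answer for SOA. The sample record is constructed here with an empty salt, one iteration and an owner hash computed locally; only the type bitmap is copied from the comment, and the salt and hash values of the real vip.icann.org records are not known to this example.

```python
"""NSEC3 owner-name hashing and type-bitmap interpretation for a SOA NODATA proof.

Added example, not project code. Hash per RFC 5155 section 5 (SHA-1, base32hex);
classification per RFC 5155 section 8 / RFC 6840 section 4.4.
"""
import base64
import hashlib

# RFC 4648 base32 -> base32hex: a 20-byte SHA-1 digest becomes 32 chars, no padding.
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, root terminator."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt: str, iterations: int) -> str:
    """RFC 5155 s5: IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt); result is IH(iterations)."""
    salt_bytes = b"" if salt in ("", "-") else bytes.fromhex(salt)   # '-' is the empty salt
    digest = hashlib.sha1(name_to_wire(name) + salt_bytes).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt_bytes).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii").lower()


def parse_nsec3(rr: str) -> dict:
    """Parse presentation format: '<owner> <ttl> IN NSEC3 <alg> <flags> <iter> <salt> <next> [types...]'."""
    f = rr.split()
    i = f.index("NSEC3")
    owner = f[0].lower()
    hashed, zone = owner.split(".", 1)
    return {
        "owner": owner, "hashed": hashed, "zone": zone,
        "alg": int(f[i + 1]), "flags": int(f[i + 2]), "iterations": int(f[i + 3]),
        "salt": f[i + 4], "next": f[i + 5].lower(),
        "types": {t.upper() for t in f[i + 6:]},
    }


def nsec3_matches(name: str, rec: dict) -> bool:
    """True when the record's owner label is H(name) under the record's own salt/iterations."""
    if rec["alg"] != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    return rec["hashed"] == nsec3_hash(name, rec["salt"], rec["iterations"])


def classify_soa_nodata(types: set) -> str:
    """Validator view of an empty SOA answer proven by an NSEC3 that matches the query name."""
    if "SOA" in types:
        return "bogus"       # the proof says SOA exists, contradicting the empty answer
    if "NS" in types:
        # NS set, SOA clear: a delegation point. The DS bit decides whether the child is signed.
        return "bogus" if "DS" in types else "insecure"
    return "secure"          # ordinary in-zone name with no SOA: a secure NODATA proof


def analyze_soa_nodata(name: str, rr: str) -> dict:
    """Full check: does the NSEC3 match the query name, and what does its bitmap imply?"""
    rec = parse_nsec3(rr)
    if not nsec3_matches(name, rec):
        return {"status": "bogus", "reason": "NSEC3 owner does not hash-match the query name"}
    return {"status": classify_soa_nodata(rec["types"]), "types": sorted(rec["types"])}


# Constructed sample modelled on the record quoted in the comment: empty salt, 1 iteration,
# owner hash computed here, bitmap copied (NS set, SOA and DS clear). The next-hash field
# is only filled for shape; chain ordering is not checked by this example.
QNAME = "ianawww.vip.icann.org"
SAMPLE_RR = (f"{nsec3_hash(QNAME, '-', 1)}.vip.icann.org. 60 IN NSEC3 1 0 1 - "
             f"{nsec3_hash('other.vip.icann.org', '-', 1)} A NS MX TXT AAAA RRSIG DNSKEY NSEC3PARAM")

if __name__ == "__main__":
    print(analyze_soa_nodata(QNAME, SAMPLE_RR))    # status: insecure
    # Known-answer check from RFC 5155 Appendix A (zone 'example.', salt aabbccdd, 12 iterations)
    print(nsec3_hash("example.", "aabbccdd", 12))  # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
```

The RFC 5155 Appendix A value is the usual known-answer test for an NSEC3 hash implementation; the flag field of the record does not enter the hash, only the salt and iteration count do. Feeding the sample record through `analyze_soa_nodata` reproduces the comment's conclusion: the owner hash matches the query name, NS is set, SOA and DS are clear, so the resolver ends at "insecure" rather than "secure" or "bogus".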

mdavids commented 6 months ago

Also; https://github.com/PowerDNS/pdns/issues/7143