keybase / client

Keybase Go Library, Client, Service, OS X, iOS, Android, Electron
BSD 3-Clause "New" or "Revised" License

DNSSEC for api-0.core.keybaseapi.com failing #16219

Closed lmlsna closed 5 years ago

lmlsna commented 5 years ago

Regular DNSSEC validation is failing. This issue prevents those enforcing DNSSEC from logging into the app, and does not provide much insight into what the issue is. I have included the output of dig, as well as dnssec-analyzer, and dnsviz to confirm this issue is not just on my end.

I believe this issue started happening a few days ago. Turning off DNSSEC validation fixes the issue. While regular DNSSEC validation is failing due to missing RRSIG records, top-down validation appears to be working, for what that's worth.

dig . DNSKEY @8.8.8.8 | grep -Ev '^($|;)' | tee /tmp/root.keys

.           106294  IN  DNSKEY  256 3 8 AwEAAcH+axCdUOsTc9o+jmyVq5rsGTh1EcatSumPqEfsPBT+whyj0/Uh D7cWeixV9Wqzj/cnqs8iWELqhdzGX41ZtaNQUfWNfOriASnWmX2D9m/E unplHu8nMSlDnDcT7+llE9tjk5HI1Sr7d9N16ZTIrbVALf65VB2ABbBG 39dyAb7tz21PICJbSp2cd77UF7NFqEVkqohl/LkDw+7Apalmp0qAQT1M gwi2cVxZMKUiciA6EqS+KNajf0A6olO2oEhZnGGY6b1LTg34/YfHdiII ZQqAfqbieruCGHRiSscC2ZE7iNreL/76f4JyIEUNkt6bQA29JsegxorL zQkpF7NKqZc=
.           106294  IN  DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
.           106294  IN  DNSKEY  385 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=

dig +additional +besteffort +crypto +dnssec +nofail +identify +question +recurse +sigchase +trace +trusted-key=/tmp/root.keys api-0.core.keybaseapi.com @8.8.8.8

; <<>> DiG 9.11.5-P1-1ubuntu2-Ubuntu <<>> +additional +besteffort +crypto +dnssec +nofail +identify +question +recurse +sigchase +trace +trusted-key=/tmp/root.keys api-0.core.keybaseapi.com @8.8.8.8
;; global options: +cmd
.           13922   IN  NS  j.root-servers.net.
.           13922   IN  NS  k.root-servers.net.
.           13922   IN  NS  e.root-servers.net.
.           13922   IN  NS  b.root-servers.net.
.           13922   IN  NS  h.root-servers.net.
.           13922   IN  NS  l.root-servers.net.
.           13922   IN  NS  a.root-servers.net.
.           13922   IN  NS  d.root-servers.net.
.           13922   IN  NS  g.root-servers.net.
.           13922   IN  NS  i.root-servers.net.
.           13922   IN  NS  m.root-servers.net.
.           13922   IN  NS  c.root-servers.net.
.           13922   IN  NS  f.root-servers.net.
.           13922   IN  RRSIG   NS 8 0 518400 20190305180000 20190220170000 16749 . RO9vbRY1ba30qUOz1850rvUOaC3NulvHBMzSECXChjHihOXroPLt/IEm PmYLg7yDlyekwjNyE8UNFMEB+O9YcTtPPO+Pis/3Wt8xayZIj4o2otHw tt3o7SgiDxqK8aupRxJooImaBJqXz2r8WxjXT1uAOja7mp2vtyjZwqWU YgFU6Rn+Aca62RS41V+i4gSte2sAvVSwoU3u8evDC4uLjOdqc2HrvSGi DFv5J9pQnBljge9Gcutw74q3aPwjcRauFgZ5d/YZwmScbeVwfOwSibME nXVx0+jtmWfKE+XxdG3uQj7kvDZ/N74JAmDp0wAMFWCSwnlpTjuaizBj O0MZrQ==
com.            172800  IN  NS  b.gtld-servers.net.
com.            172800  IN  NS  m.gtld-servers.net.
com.            172800  IN  NS  e.gtld-servers.net.
com.            172800  IN  NS  j.gtld-servers.net.
com.            172800  IN  NS  g.gtld-servers.net.
com.            172800  IN  NS  a.gtld-servers.net.
com.            172800  IN  NS  l.gtld-servers.net.
com.            172800  IN  NS  i.gtld-servers.net.
com.            172800  IN  NS  d.gtld-servers.net.
com.            172800  IN  NS  h.gtld-servers.net.
com.            172800  IN  NS  k.gtld-servers.net.
com.            172800  IN  NS  c.gtld-servers.net.
com.            172800  IN  NS  f.gtld-servers.net.
com.            86400   IN  DS  30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.            86400   IN  RRSIG   DS 8 1 86400 20190308170000 20190223160000 16749 . JI1Ucc/thWUydXM16hX+xAH64173z8rYEcAkuie81u3O92eSiyDakmPD Fdn4va61rxgH54IsS0mMn7qdEyGLibDbLPDfPVp5lDl3PYyiZa6YoMLk ZOiY5hIZ4uqbf03ioMezL/qwQA9F1TXYYOxX11SfKZv03ZjhWrgHtJIu P71xz682JRixdSrCDvB9sFqmPjm67dVkvlhDxb4wgBJ5ka0hlFbJupS0 mMIke68dspu+ICcb3EAMJFeXeKgyLSCMyATc3UPhleNv5zIh8FxqCIu1 awmgSc8QhPBtdY52y5xHdgKr40WWrplL5xOD79Xh9f9lTNHmrcN9lhOO Ka/xvQ==
keybaseapi.com.     172800  IN  NS  ns-467.awsdns-58.com.
keybaseapi.com.     172800  IN  NS  ns-788.awsdns-34.net.
keybaseapi.com.     172800  IN  NS  ns-1197.awsdns-21.org.
keybaseapi.com.     172800  IN  NS  ns-1867.awsdns-41.co.uk.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20190228054417 20190221043417 16883 com. RiB0Vau40snx25D4+erUpcMrBRp1TPMc1So1NNWgaWdeGyw8I0E2+xFt jeDWy+HvxTbimSKBWem8KoY/sTtlsMRlYA0621UYqSCnNhuMNPRinFUo aBLeVZ0oitwZ+Y45mOE0UpOnG9IPuYGHJ3wQLPjOEhWt7/dqHdr+lCc2 t3s=
BNCLDMFMP5K1222TAN15G7DHV19RD26S.com. 86400 IN NSEC3 1 1 0 - BNCM9F8A7K6HTTCLG03JMTD2GEOL2IIV NS DS RRSIG
BNCLDMFMP5K1222TAN15G7DHV19RD26S.com. 86400 IN RRSIG NSEC3 8 2 86400 20190228060503 20190221045503 16883 com. QFUMaPHA+WmTrqnR1gvG/sKp6p5aNTZ5nO31ZwU1IW/6ceovRXxtLreo kCYbZ9T58+Yu1mG3oBKnYZOhOF1AGw8iUzOncGWv+/Cgskp5QofJG+pA dZ7zwzIccZy2Xs+1xbajClh1Rx0471Z+8ylWvTXD3H8uUcQHV1DjsNQj CsQ=
api-0.core.keybaseapi.com. 60   IN  A   52.201.110.180
api-0.core.keybaseapi.com. 60   IN  A   52.205.52.74
keybaseapi.com.     172800  IN  NS  ns-1197.awsdns-21.org.
keybaseapi.com.     172800  IN  NS  ns-1867.awsdns-41.co.uk.
keybaseapi.com.     172800  IN  NS  ns-467.awsdns-58.com.
keybaseapi.com.     172800  IN  NS  ns-788.awsdns-34.net.
;; RRset to chase:
api-0.core.keybaseapi.com. 60   IN  A   52.201.110.180
api-0.core.keybaseapi.com. 60   IN  A   52.205.52.74

Launch a query to find a RRset of type RRSIG for zone: api-0.core.keybaseapi.com.
api-0.core.keybaseapi.com. 60   IN  A   52.201.110.180
api-0.core.keybaseapi.com. 60   IN  A   52.205.52.74
keybaseapi.com.     172800  IN  NS  ns-1197.awsdns-21.org.
keybaseapi.com.     172800  IN  NS  ns-1867.awsdns-41.co.uk.
keybaseapi.com.     172800  IN  NS  ns-467.awsdns-58.com.
keybaseapi.com.     172800  IN  NS  ns-788.awsdns-34.net.

;; RRSIG is missing for continue validation: FAILED

Top-down validation is working, however:

dig +additional +besteffort +crypto +dnssec +nofail +identify +question +recurse +sigchase +trace +trusted-key=/tmp/root.keys +topdown api-0.core.keybaseapi.com @8.8.8.8

; <<>> DiG 9.11.5-P1-1ubuntu2-Ubuntu <<>> +additional +besteffort +crypto +dnssec +nofail +identify +question +recurse +sigchase +trace +trusted-key=/tmp/root.keys +topdown api-0.core.keybaseapi.com @8.8.8.8
;; global options: +cmd
.           209854  IN  NS  a.root-servers.net.
.           209854  IN  NS  b.root-servers.net.
.           209854  IN  NS  c.root-servers.net.
.           209854  IN  NS  d.root-servers.net.
.           209854  IN  NS  e.root-servers.net.
.           209854  IN  NS  f.root-servers.net.
.           209854  IN  NS  g.root-servers.net.
.           209854  IN  NS  h.root-servers.net.
.           209854  IN  NS  i.root-servers.net.
.           209854  IN  NS  j.root-servers.net.
.           209854  IN  NS  k.root-servers.net.
.           209854  IN  NS  l.root-servers.net.
.           209854  IN  NS  m.root-servers.net.
.           209854  IN  RRSIG   NS 8 0 518400 20190307200000 20190222190000 16749 . jTDXZpkqGjhKvf4L1D7Kh1KJ5jXC01Y7be9FyaLjL63OlYJyUylMCnoC zv4nXl7urnJeFRRZR4RpxoW2VEf5BiLufgzKPtyC862x5E+poYIFFnww x2Sc4/QNiiAVHJRxY3GDBFuoQ4+TG/LL9iG04AWpbLfF7jqVTq1XzMnm vFyOPYw/ygqO8dqNbPPXrEeg1lnKPcqYwxXKF5njcfqQfGKExUmnW4ZH i0QLAVIf/VTGoqCjn7sTOnQ9vPc3LjAQzFA9f41/EfA3gDNOKm9WHUKw XutA82F5UdNjycEJMg6v9KfXC/NJ9PvwaNU1SM2IjSJSUe2BYMYDOU3R TwxsYg==
.           518400  IN  NS  a.root-servers.net.
.           518400  IN  NS  b.root-servers.net.
.           518400  IN  NS  c.root-servers.net.
.           518400  IN  NS  d.root-servers.net.
.           518400  IN  NS  e.root-servers.net.
.           518400  IN  NS  f.root-servers.net.
.           518400  IN  NS  g.root-servers.net.
.           518400  IN  NS  h.root-servers.net.
.           518400  IN  NS  i.root-servers.net.
.           518400  IN  NS  j.root-servers.net.
.           518400  IN  NS  k.root-servers.net.
.           518400  IN  NS  l.root-servers.net.
.           518400  IN  NS  m.root-servers.net.
.           518400  IN  RRSIG   NS 8 0 518400 20190308170000 20190223160000 16749 . D1fW1mD8f+bOvNvXv1/MiFPH6H2M5ejRilQAdjZZDd/qKQXWqewplc17 hXHVVxhZRwddD5uM7RGq14nO71g24fklLM3vXQzDX3sHGhIVtM/tNc86 Eo5kJyPdEa/+mr3ho3SJ/Tz3+WeXJvEI3+H82GxHP8CnfsNarhY4r6kr bwa3WiQiqukSt1ZH7/tYXXqSc2zc6Hfw7qqQ5Wy6glNI2PtmIGbcVHKL cmmbMNopQhrB7f6J3LR8f0Hx41LgG6YETzZplMpNWggUWwURcoTtF0+Z 5Q0dpuRfmv+gJ6XNuDi2r4SuG8iZqa4L4ZSsH8O704t39pbzPMZVwo7+ WzfLwA==
ns name: 198.41.0.4
ns name: 199.9.14.201
ns name: 192.33.4.12
ns name: 199.7.91.13
ns name: 192.203.230.10
ns name: 192.5.5.241
ns name: 192.112.36.4
ns name: 198.97.190.53
ns name: 192.36.148.17
ns name: 192.58.128.30
ns name: 193.0.14.129
ns name: 199.7.83.42
ns name: 202.12.27.33

Launch a query to find a RRset of type NS for zone: . with nameservers:
.           209854  IN  NS  a.root-servers.net.
.           209854  IN  NS  b.root-servers.net.
.           209854  IN  NS  c.root-servers.net.
.           209854  IN  NS  d.root-servers.net.
.           209854  IN  NS  e.root-servers.net.
.           209854  IN  NS  f.root-servers.net.
.           209854  IN  NS  g.root-servers.net.
.           209854  IN  NS  h.root-servers.net.
.           209854  IN  NS  i.root-servers.net.
.           209854  IN  NS  j.root-servers.net.
.           209854  IN  NS  k.root-servers.net.
.           209854  IN  NS  l.root-servers.net.
.           209854  IN  NS  m.root-servers.net.

.           518400  IN  NS  e.root-servers.net.
.           518400  IN  NS  h.root-servers.net.
.           518400  IN  NS  l.root-servers.net.
.           518400  IN  NS  i.root-servers.net.
.           518400  IN  NS  a.root-servers.net.
.           518400  IN  NS  d.root-servers.net.
.           518400  IN  NS  c.root-servers.net.
.           518400  IN  NS  b.root-servers.net.
.           518400  IN  NS  j.root-servers.net.
.           518400  IN  NS  k.root-servers.net.
.           518400  IN  NS  g.root-servers.net.
.           518400  IN  NS  m.root-servers.net.
.           518400  IN  NS  f.root-servers.net.
.           518400  IN  RRSIG   NS 8 0 518400 20190308170000 20190223160000 16749 . D1fW1mD8f+bOvNvXv1/MiFPH6H2M5ejRilQAdjZZDd/qKQXWqewplc17 hXHVVxhZRwddD5uM7RGq14nO71g24fklLM3vXQzDX3sHGhIVtM/tNc86 Eo5kJyPdEa/+mr3ho3SJ/Tz3+WeXJvEI3+H82GxHP8CnfsNarhY4r6kr bwa3WiQiqukSt1ZH7/tYXXqSc2zc6Hfw7qqQ5Wy6glNI2PtmIGbcVHKL cmmbMNopQhrB7f6J3LR8f0Hx41LgG6YETzZplMpNWggUWwURcoTtF0+Z 5Q0dpuRfmv+gJ6XNuDi2r4SuG8iZqa4L4ZSsH8O704t39pbzPMZVwo7+ WzfLwA==
ns name: 198.41.0.4
ns name: 199.9.14.201
ns name: 192.33.4.12
ns name: 199.7.91.13
ns name: 192.203.230.10
ns name: 192.5.5.241
ns name: 192.112.36.4
ns name: 198.97.190.53
ns name: 192.36.148.17
ns name: 192.58.128.30
ns name: 193.0.14.129
ns name: 199.7.83.42
ns name: 202.12.27.33

Launch a query to find a RRset of type NS for zone: . with nameservers:
.           209854  IN  NS  a.root-servers.net.
.           209854  IN  NS  b.root-servers.net.
.           209854  IN  NS  c.root-servers.net.
.           209854  IN  NS  d.root-servers.net.
.           209854  IN  NS  e.root-servers.net.
.           209854  IN  NS  f.root-servers.net.
.           209854  IN  NS  g.root-servers.net.
.           209854  IN  NS  h.root-servers.net.
.           209854  IN  NS  i.root-servers.net.
.           209854  IN  NS  j.root-servers.net.
.           209854  IN  NS  k.root-servers.net.
.           209854  IN  NS  l.root-servers.net.
.           209854  IN  NS  m.root-servers.net.

.           518400  IN  NS  a.root-servers.net.
.           518400  IN  NS  b.root-servers.net.
.           518400  IN  NS  c.root-servers.net.
.           518400  IN  NS  d.root-servers.net.
.           518400  IN  NS  e.root-servers.net.
.           518400  IN  NS  f.root-servers.net.
.           518400  IN  NS  g.root-servers.net.
.           518400  IN  NS  h.root-servers.net.
.           518400  IN  NS  i.root-servers.net.
.           518400  IN  NS  j.root-servers.net.
.           518400  IN  NS  k.root-servers.net.
.           518400  IN  NS  l.root-servers.net.
.           518400  IN  NS  m.root-servers.net.
.           518400  IN  RRSIG   NS 8 0 518400 20190308170000 20190223160000 16749 . D1fW1mD8f+bOvNvXv1/MiFPH6H2M5ejRilQAdjZZDd/qKQXWqewplc17 hXHVVxhZRwddD5uM7RGq14nO71g24fklLM3vXQzDX3sHGhIVtM/tNc86 Eo5kJyPdEa/+mr3ho3SJ/Tz3+WeXJvEI3+H82GxHP8CnfsNarhY4r6kr bwa3WiQiqukSt1ZH7/tYXXqSc2zc6Hfw7qqQ5Wy6glNI2PtmIGbcVHKL cmmbMNopQhrB7f6J3LR8f0Hx41LgG6YETzZplMpNWggUWwURcoTtF0+Z 5Q0dpuRfmv+gJ6XNuDi2r4SuG8iZqa4L4ZSsH8O704t39pbzPMZVwo7+ WzfLwA==

Launch a query to find a RRset of type DNSKEY for zone: .
.           172800  IN  DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
.           172800  IN  DNSKEY  256 3 8 AwEAAcH+axCdUOsTc9o+jmyVq5rsGTh1EcatSumPqEfsPBT+whyj0/Uh D7cWeixV9Wqzj/cnqs8iWELqhdzGX41ZtaNQUfWNfOriASnWmX2D9m/E unplHu8nMSlDnDcT7+llE9tjk5HI1Sr7d9N16ZTIrbVALf65VB2ABbBG 39dyAb7tz21PICJbSp2cd77UF7NFqEVkqohl/LkDw+7Apalmp0qAQT1M gwi2cVxZMKUiciA6EqS+KNajf0A6olO2oEhZnGGY6b1LTg34/YfHdiII ZQqAfqbieruCGHRiSscC2ZE7iNreL/76f4JyIEUNkt6bQA29JsegxorL zQkpF7NKqZc=
.           172800  IN  DNSKEY  385 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
.           172800  IN  RRSIG   DNSKEY 8 0 172800 20190313000000 20190220000000 20326 . bKvs4iBtsS7x4UItBsNxJnGzKUowmON76AJt6DQlUjcDXdmNUGW0DNfw z91UCnfonlNeG09mCbRFzhfrgNiE2Niu0Qxh+EcygOjuy1uObcPgFBUs Kp201u0WFQwrUl4O0NQfPY5Fa01e44v1u+L/yj2WK4gW2BKfW+5d9GIJ hWRAPYWphOiG0+G1MUlWQ45cS07wu2X90+UDREw0prI0c4yJ9OiI6OnS vUvDhoyIgf5oHHYPieU7qu/aaiY8MdyJgfIelmFA65VzLDsTAHGoaagx JEolJehWSJl6AhY0mIs6lF2WXVCtEQbdLocsuCXln3w/n8jO2oJBotQ7 S6E4bQ==
.           172800  IN  RRSIG   DNSKEY 8 0 172800 20190313000000 20190220000000 19164 . eyvOQiC637051ggBwNwq0Kle0vatTO4HrfxgLlRcVDWGZeYVoDRGkqPi CyC1K1HvUrRQHB8vbXfdhrVfXJpjh9e1+Uf403++n6J94wMi2UlAmUkN wo6ROE9JcT4QFpQrUj1TPqY9DpdRrRUYgAPl/PNCvKwIvbwSt4I070PL GGPeumOIPCeZr7YMt8ewiCS3uwOUJB6bk8qUo4tQeL5pkPpmFgozw2v7 JT/8nTZfbu6T0+9GmqRDxvizFVZ8lQRKZZif+Ilyb+Lz7j2XHiI0JszL EQ5vQKLKEtBtyHwcL7ZPgbN/mpN9ik8h/Jx0H1hjhaS+jSCBBulq+hde 8GFH0A==

;; DNSKEYset:
.           172800  IN  DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
.           172800  IN  DNSKEY  256 3 8 AwEAAcH+axCdUOsTc9o+jmyVq5rsGTh1EcatSumPqEfsPBT+whyj0/Uh D7cWeixV9Wqzj/cnqs8iWELqhdzGX41ZtaNQUfWNfOriASnWmX2D9m/E unplHu8nMSlDnDcT7+llE9tjk5HI1Sr7d9N16ZTIrbVALf65VB2ABbBG 39dyAb7tz21PICJbSp2cd77UF7NFqEVkqohl/LkDw+7Apalmp0qAQT1M gwi2cVxZMKUiciA6EqS+KNajf0A6olO2oEhZnGGY6b1LTg34/YfHdiII ZQqAfqbieruCGHRiSscC2ZE7iNreL/76f4JyIEUNkt6bQA29JsegxorL zQkpF7NKqZc=
.           172800  IN  DNSKEY  385 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=

;; RRSIG of the DNSKEYset:
.           172800  IN  RRSIG   DNSKEY 8 0 172800 20190313000000 20190220000000 20326 . bKvs4iBtsS7x4UItBsNxJnGzKUowmON76AJt6DQlUjcDXdmNUGW0DNfw z91UCnfonlNeG09mCbRFzhfrgNiE2Niu0Qxh+EcygOjuy1uObcPgFBUs Kp201u0WFQwrUl4O0NQfPY5Fa01e44v1u+L/yj2WK4gW2BKfW+5d9GIJ hWRAPYWphOiG0+G1MUlWQ45cS07wu2X90+UDREw0prI0c4yJ9OiI6OnS vUvDhoyIgf5oHHYPieU7qu/aaiY8MdyJgfIelmFA65VzLDsTAHGoaagx JEolJehWSJl6AhY0mIs6lF2WXVCtEQbdLocsuCXln3w/n8jO2oJBotQ7 S6E4bQ==
.           172800  IN  RRSIG   DNSKEY 8 0 172800 20190313000000 20190220000000 19164 . eyvOQiC637051ggBwNwq0Kle0vatTO4HrfxgLlRcVDWGZeYVoDRGkqPi CyC1K1HvUrRQHB8vbXfdhrVfXJpjh9e1+Uf403++n6J94wMi2UlAmUkN wo6ROE9JcT4QFpQrUj1TPqY9DpdRrRUYgAPl/PNCvKwIvbwSt4I070PL GGPeumOIPCeZr7YMt8ewiCS3uwOUJB6bk8qUo4tQeL5pkPpmFgozw2v7 JT/8nTZfbu6T0+9GmqRDxvizFVZ8lQRKZZif+Ilyb+Lz7j2XHiI0JszL EQ5vQKLKEtBtyHwcL7ZPgbN/mpN9ik8h/Jx0H1hjhaS+jSCBBulq+hde 8GFH0A==

;; Ok, find a Trusted Key in the DNSKEY RRset: 20326
;; VERIFYING DNSKEY RRset for . with DNSKEY:20326: success
;; VERIFYING NS RRset for . with DNSKEY:16749: success

;; The Answer:
.           209854  IN  NS  a.root-servers.net.
.           209854  IN  NS  b.root-servers.net.
.           209854  IN  NS  c.root-servers.net.
.           209854  IN  NS  d.root-servers.net.
.           209854  IN  NS  e.root-servers.net.
.           209854  IN  NS  f.root-servers.net.
.           209854  IN  NS  g.root-servers.net.
.           209854  IN  NS  h.root-servers.net.
.           209854  IN  NS  i.root-servers.net.
.           209854  IN  NS  j.root-servers.net.
.           209854  IN  NS  k.root-servers.net.
.           209854  IN  NS  l.root-servers.net.
.           209854  IN  NS  m.root-servers.net.

;; FINISH : we have validate the DNSSEC chain of trust: SUCCESS

;; cleanandgo 

dnsviz:

api-0.core.keybaseapi.com/A: A query for api-0.core.keybaseapi.com results in a NOERROR response, while a query for its ancestor, core.keybaseapi.com, returns a name error (NXDOMAIN), which indicates that subdomains of core.keybaseapi.com, including api-0.core.keybaseapi.com, don't exist. (205.251.193.211, 205.251.195.20, 205.251.196.173, 205.251.199.75, 2600:9000:5301:d300::1, 2600:9000:5303:1400::1, 2600:9000:5304:ad00::1, 2600:9000:5307:4b00::1, UDP_-_EDNS0_4096_D_K)

dnssec-analyzer:

Checking DS between com and keybaseapi.com
No DS records found for keybaseapi.com in the com zone
No DNSKEY records found
keybaseapi.com is authoritative for api-0.core.keybaseapi.com
api-0.core.keybaseapi.com A RR has value 52.201.110.180
api-0.core.keybaseapi.com A RR has value 52.205.52.74
No RRSIGs found

systemd-resolve logs

Feb 22 22:04:02 server systemd-resolved[1754]: DNSSEC validation failed for question api-0.core.keybaseapi.com IN SOA: failed-auxiliary
-- Subject: DNSSEC validation failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- Documentation: man:systemd-resolved.service(8)
-- 
-- A DNS query or resource record set failed DNSSEC validation. This is usually
-- indication that the communication channel used was tampered with.
Feb 22 22:04:02 server systemd-resolved[1754]: DNSSEC validation failed for question api-0.core.keybaseapi.com IN AAAA: failed-auxiliary
-- Subject: DNSSEC validation failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- Documentation: man:systemd-resolved.service(8)
-- 
-- A DNS query or resource record set failed DNSSEC validation. This is usually
-- indication that the communication channel used was tampered with.
Feb 22 22:04:02 server systemd-resolved[1754]: DNSSEC validation failed for question api-0.core.keybaseapi.com IN A: failed-auxiliary
-- Subject: DNSSEC validation failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- Documentation: man:systemd-resolved.service(8)
-- 
-- A DNS query or resource record set failed DNSSEC validation. This is usually
-- indication that the communication channel used was tampered with.
Feb 22 22:04:02 server systemd-resolved[1754]: DNSSEC validation failed for question bserver-0.kbfs.keybaseapi.com IN A: failed-auxiliary
-- Subject: DNSSEC validation failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- Documentation: man:systemd-resolved.service(8)
-- 
-- A DNS query or resource record set failed DNSSEC validation. This is usually
-- indication that the communication channel used was tampered with.
Feb 22 22:04:02 server systemd-resolved[1754]: DNSSEC validation failed for question mdserver-1.kbfs.keybaseapi.com IN A: failed-auxiliary
-- Subject: DNSSEC validation failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- Documentation: man:systemd-resolved.service(8)
strib commented 5 years ago

@maxtaco know anything about our dnssec records?

pzduniak commented 5 years ago

Thank you for your report! Unfortunately we do not support DNSSEC on our domains due to our provider's restrictions (AWS Route53) - so if you're enforcing DNSSEC on all DNS requests coming out from your resolver, it will fail on all of our domains, just like it fails on amazon.com and other non-DNSSEC domains.

Effectively what DNSSEC protects from is DNS server hijacking (such as the MyEtherWallet hack), which given AWS' security is not that far away in its complexity from performing a BGP hijack on EC2 itself (which would hijack our IPs rather than the DNS servers).

Thankfully Keybase's security model protects the users from such attacks! The protocol is built in such a way that the app will know when the server is not being honest. You can read more about how that works here.

Avamander commented 5 years ago

@pzduniak It might be worth reading this output:

api-0.core.keybaseapi.com/A: A query for api-0.core.keybaseapi.com results in a NOERROR response, while a query for its ancestor, core.keybaseapi.com, returns a name error (NXDOMAIN), which indicates that subdomains of core.keybaseapi.com, including api-0.core.keybaseapi.com, don't exist. (205.251.193.211, 205.251.195.20, 205.251.196.173, 205.251.199.75, 2600:9000:5301:d300::1, 2600:9000:5303:1400::1, 2600:9000:5304:ad00::1, 2600:9000:5307:4b00::1, UDP_-_EDNS0_4096_D_K)

It's not a DNSSEC issue but rather a general DNS error, core.keybaseapi.com should not return NXDOMAIN.

lmlsna commented 5 years ago

FWIW, I have allow-downgrade set, so I can resolve domains that don't provide DNSSEC, but it's throwing an error because core.keybaseapi.com has no records pointing to where to resolve the next level up (*.core.keybaseapi.com), which is also why I think it validates when resolved from the top down, but not the bottom up.

I think adding the same Amazon NS records for the core subdomain would fix it (it being a minor usability, not security, issue).

pzduniak commented 5 years ago

Huh, that's weird, I haven't run into this before. Can you please check if you can resolve test.doesntexist.oakmail.io using your configuration? It's set up in such a way that test.doesntexist.oakmail.io and oakmail.io resolve, whereas doesntexist.oakmail.io doesn't.

lmlsna commented 5 years ago

@pzduniak I get NXDOMAIN responses for both, and as far as I can tell, there is no A/AAAA record for test.doesntexist.oakmail.io, so might not be a 1:1 comparison.

I get a SERVFAIL when trying to resolve either of the sub-sub-domains myself using recursion from the root nameservers (using the systemd resolver with the DNSSEC=allow-downgrade option set):


; <<>> DiG 9.11.5-P1-1ubuntu2-Ubuntu <<>> +recurse test.doesntexist.oakmail.io doesntexist.oakmail.io api-0.core.keybaseapi.com core.keybaseapi.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21690
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;test.doesntexist.oakmail.io.   IN  A

;; Query time: 135 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Mar 01 12:10:21 PST 2019
;; MSG SIZE  rcvd: 56

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 272
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;doesntexist.oakmail.io.        IN  A

;; Query time: 2 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Mar 01 12:10:21 PST 2019
;; MSG SIZE  rcvd: 51

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51061
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;api-0.core.keybaseapi.com. IN  A

;; Query time: 9 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Mar 01 12:10:21 PST 2019
;; MSG SIZE  rcvd: 54

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27484
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;core.keybaseapi.com.       IN  A

;; Query time: 1 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Mar 01 12:10:21 PST 2019
;; MSG SIZE  rcvd: 48

However, I get A records for api-0.core.keybaseapi.com and NXDOMAIN responses for the others if I disable DNSSEC completely and run a top-down query like most people probably do:


; <<>> DiG 9.11.5-P1-1ubuntu2-Ubuntu <<>> +topdown test.doesntexist.oakmail.io doesntexist.oakmail.io api-0.core.keybaseapi.com core.keybaseapi.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64933
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;test.doesntexist.oakmail.io.   IN  A

;; Query time: 1 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Mar 01 12:14:57 PST 2019
;; MSG SIZE  rcvd: 56

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8645
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;doesntexist.oakmail.io.        IN  A

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Mar 01 12:14:57 PST 2019
;; MSG SIZE  rcvd: 51

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30980
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;api-0.core.keybaseapi.com. IN  A

;; ANSWER SECTION:
api-0.core.keybaseapi.com. 43   IN  A   52.205.52.74
api-0.core.keybaseapi.com. 43   IN  A   52.201.110.180

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Mar 01 12:14:57 PST 2019
;; MSG SIZE  rcvd: 86

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3008
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;core.keybaseapi.com.       IN  A

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Mar 01 12:14:57 PST 2019
;; MSG SIZE  rcvd: 48

So this actually may be an implementation error (or unhelpful over-strictness) in the systemd resolver, but I don't see the same errors on dnsviz for the two examples:

¯\_(ツ)_/¯

lmlsna commented 5 years ago

Yeah, wow, looks like it's probably a systemd-resolve bug https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1650877. Occam's razor is not always helpful I guess. Apologies.

Avamander commented 5 years ago

@lmlsna If you look at the dnsviz output, it too complains about the non-standard response. It's just that systemd-resolved errors on it (because it's not actually valid). It would still be nice if that warning/error were fixed.

pzduniak commented 5 years ago

Ahh, I moved that domain I posted to Google DNS while the change was on Route 53, oops! I added the A record on my domain in gcloud and the error is not shown in dnsviz there, it looks like this is a Route 53 issue (or rather not adhering to some spec? haven't heard anything about such a restriction).

The warning is on a Route 53 domain, so feel free to report it to them. The error is, I think, dnsviz simply getting confused - I haven't seen anything in the spec that would disallow configuring domains without A records.

Avamander commented 5 years ago

it looks like this is a Route 53 issue (or rather not adhering to some spec? haven't heard anything about such a restriction).

The error is, I think, dnsviz simply getting confused - I haven't seen anything in the spec that would disallow configuring domains without A records.

@pzduniak core.keybaseapi.com is not Route 53's, is it? It would probably suffice just to create the zone without any records (except glue) to make it resolvable top-down.

Avamander commented 5 years ago

FYI it's also not just dnsviz, other tools online also fail to resolve it top-down: http://www.webdnstools.com/dnstools/domain_check And RIPE's tool: https://dnscheck.ripe.net/test/99738d5a22ccdfec

Avamander commented 5 years ago

This is how a domain should look at RIPE's DNS scanner: https://dnscheck.ripe.net/test/7a78e87f39df1096

pzduniak commented 5 years ago

The zone is keybaseapi.com, it's using Route 53. If the behaviour is not adhering to the spec, it's Amazon's fault. They should indeed return an empty NOERROR packet for core.keybaseapi.com rather than an NXDOMAIN, but my guess is this is an optimization of the lookup process.

Avamander commented 5 years ago

@pzduniak You are correct, Route53 seems to be non-standard: https://forums.aws.amazon.com/thread.jspa?threadID=260905

It seems that just adding a TXT record to core.keybaseapi.com would make it work according to the spec, could that be done to make RFC-enforcing resolvers work?
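The two comments above (the NXDOMAIN-vs-empty-NOERROR point and the proposed TXT-record fix) describe the empty non-terminal (ENT) problem in prose only. The following is an added example, not code from the Keybase project or from anyone in this thread. It models the situation with constructed zone data: a stub authoritative server that, like the Route 53 behaviour reported here, answers NXDOMAIN for core.keybaseapi.com although api-0.core.keybaseapi.com exists; a resolver that walks the name one label at a time the way RFC 7816 qname minimisation does and, per RFC 8020, treats an NXDOMAIN on an ancestor as proof that nothing exists below it; and a checker that flags such ancestors. The server/resolver functions and the `Zone` layout are hypothetical; only the names, addresses and the TXT record come from the thread's dig output.

```python
"""Model of the empty-non-terminal (ENT) problem: a name that exists only
because names exist below it must answer NOERROR/NODATA, not NXDOMAIN.
Added example with constructed data; not Keybase code."""
from typing import Callable, Dict, List, Tuple

NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"
Zone = Dict[str, Dict[str, List[str]]]            # owner -> {rrtype: rdata}
Lookup = Callable[[str, str], Tuple[str, List[str]]]

# Constructed zone data; NS, A and TXT values are those shown in the thread.
ZONE_BEFORE_FIX: Zone = {
    "keybaseapi.com.": {"NS": ["ns-467.awsdns-58.com.", "ns-788.awsdns-34.net.",
                               "ns-1197.awsdns-21.org.", "ns-1867.awsdns-41.co.uk."]},
    "api-0.core.keybaseapi.com.": {"A": ["52.201.110.180", "52.205.52.74"]},
}
# The fix applied in the thread: give the ENT a record of its own.
ZONE_AFTER_FIX: Zone = dict(ZONE_BEFORE_FIX)
ZONE_AFTER_FIX["core.keybaseapi.com."] = {"TXT": ['"keybase core services"']}


def make_server(zone: Zone, ent_aware: bool) -> Lookup:
    """Stub authoritative lookup over `zone`.

    ent_aware=True: RFC 8020 behaviour, a name with no records of its own but
    with names beneath it is an empty non-terminal and gets NOERROR/NODATA.
    ent_aware=False: what the thread observed, every name without its own
    records gets NXDOMAIN, ENT or not.
    """
    def lookup(qname: str, qtype: str) -> Tuple[str, List[str]]:
        if qname in zone:
            return NOERROR, list(zone[qname].get(qtype, []))
        if ent_aware and any(owner.endswith("." + qname) for owner in zone):
            return NOERROR, []
        return NXDOMAIN, []
    return lookup


def resolve_direct(lookup: Lookup, qname: str, qtype: str) -> Tuple[str, List[str]]:
    """What a resolver that sends the full qname straight away sees."""
    return lookup(qname, qtype)


def resolve_minimising(lookup: Lookup, qname: str, qtype: str, apex: str) -> Tuple[str, List[str], str]:
    """Probe each name from just below `apex` down to `qname`, as a
    qname-minimising resolver does.  An NXDOMAIN on an ancestor ends the walk
    (RFC 8020).  Returns (rcode, rdata, name that produced the rcode)."""
    labels = qname.rstrip(".").split(".")
    depth = len(labels) - len(apex.rstrip(".").split("."))
    for i in range(depth - 1, -1, -1):
        name = ".".join(labels[i:]) + "."
        probe_type = qtype if name == qname else "NS"   # minimised probes ask for NS
        rcode, rdata = lookup(name, probe_type)
        if rcode == NXDOMAIN or name == qname:
            return rcode, rdata, name
    return lookup(qname, qtype) + (qname,)              # qname is the apex itself


def ent_violations(lookup: Lookup, qname: str, apex: str) -> List[str]:
    """Ancestors of `qname` strictly below `apex` that answer NXDOMAIN even
    though `qname` itself resolves; these break RFC 8020 resolvers."""
    if lookup(qname, "A")[0] != NOERROR:
        return []
    labels = qname.rstrip(".").split(".")
    depth = len(labels) - len(apex.rstrip(".").split("."))
    return [".".join(labels[i:]) + "."
            for i in range(1, depth)
            if lookup(".".join(labels[i:]) + ".", "A")[0] == NXDOMAIN]


if __name__ == "__main__":
    q, apex = "api-0.core.keybaseapi.com.", "keybaseapi.com."
    for label, zone in (("before fix", ZONE_BEFORE_FIX), ("after TXT fix", ZONE_AFTER_FIX)):
        srv = make_server(zone, ent_aware=False)
        print(label, "direct:", resolve_direct(srv, q, "A"))
        print(label, "minimising:", resolve_minimising(srv, q, "A", apex))
        print(label, "ENT violations:", ent_violations(srv, q, apex))
```

Run as-is it shows the discrepancy the thread circles around: the direct query succeeds against both zones, while the minimising walk stops with NXDOMAIN at core.keybaseapi.com. before the fix and reaches the A records after it. `ent_violations` is the check to run (with a real lookup function) before deploying a host several labels below a Route 53 apex.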

pzduniak commented 5 years ago

(screenshot of the Route 53 record change attached)

Done.

Avamander commented 5 years ago

@lmlsna Can you test, does systemd-resolved now resolve it?

lmlsna commented 5 years ago

Confirmed! Working just fine now:

dig +dnssec api-0.core.keybaseapi.com core.keybaseapi.com -t any

; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> +dnssec api-0.core.keybaseapi.com core.keybaseapi.com -t any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58958
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;api-0.core.keybaseapi.com. IN  A

;; ANSWER SECTION:
api-0.core.keybaseapi.com. 24   IN  A   52.205.52.74
api-0.core.keybaseapi.com. 24   IN  A   52.201.110.180

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 05 20:36:04 PST 2019
;; MSG SIZE  rcvd: 86

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62023
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;core.keybaseapi.com.       IN  ANY

;; ANSWER SECTION:
core.keybaseapi.com.    299 IN  TXT "keybase core services"

;; Query time: 56 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 05 20:36:04 PST 2019
;; MSG SIZE  rcvd: 82

Much thanks.