miekg / exdns

Go DNS example programs
BSD 2-Clause "Simplified" License

invalid DNSSEC signature regarded as valid #1

Open mark-kubacki opened 10 years ago

mark-kubacki commented 10 years ago

This DANE test site has intentionally an invalid DNSSEC signature:

bad-sig.dane.verisignlabs.com - Valid TLSA record but the DNSSEC signature is invalid.

… yet the output is:

$ ./q -dnssec=true -check=true bad-sig.dane.verisignlabs.com
;+ Secure signature, bad-sig.dane.verisignlabs.com. RRSIG(A) validates (DNSKEY bad-sig.dane.verisignlabs.com./5647/net)

See also:

miekg commented 10 years ago

New versions print:

% ./q -dnssec -check=true @m2.nstld.net bad-sig.dane.verisignlabs.com TLSA
;+ Secure signature, bad-sig.dane.verisignlabs.com. RRSIG(DS) validates (DNSKEY verisignlabs.com./63023/net) (expired)
;+ Secure signature, ns1.verisignlabs.net. RRSIG(A) validates (DNSKEY verisignlabs.net./31097/net) (expired)

;; opcode: QUERY, status: NOERROR, id: 24024
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;bad-sig.dane.verisignlabs.com. IN   TLSA

;; AUTHORITY SECTION:
bad-sig.dane.verisignlabs.com.  60  IN  NS  ns1.verisignlabs.net.
bad-sig.dane.verisignlabs.com.  60  IN  DS  5647 8 2 9999999999999999999999999999999999999999999999999999999999999999
bad-sig.dane.verisignlabs.com.  60  IN  RRSIG   DS 8 4 60 20140822130903 20140808130903 63023 verisignlabs.com. UMSra1TPz9x+OKy4LFl9bZMyIfWrSrYoPorhbFmPkuYeYcYQ/rRpWE+NFnxD7NVZa7IvClgVtRd4Wm0zJkWg7wwkUNXABkVgR+S1IIXncWH6Az21y0xWi6yFg/1sXmpFqwEATDkgL0udK59iTGvAd/V+ONNh9Yk8T0QWCARcbwA=

;; ADDITIONAL SECTION:
ns1.verisignlabs.net.   3600    IN  A   72.13.58.64
ns1.verisignlabs.net.   3600    IN  RRSIG   A 8 3 3600 20140821200900 20140807200900 31097 verisignlabs.net. ERAI3YojMqmeu3Mkj0d+sTCAlo/VKsJWADUQJT+Rvm0mxaMlcrhPLd+OW1E6aJ4xWkvkfrJ7RTJT454pyddRoPfaQ0IxgVz5V5QM5ioQvYlXVJoPTqqkptlUGOcZHvDJecUctKBXZ5B3ebYslstpgmeMDEYLRUz6rCjVP/ZRNqM=

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 4096

;; query time: 123869 µs, server: m2.nstld.net.:53(udp), size: 638 bytes
mark-kubacki commented 10 years ago

Thanks!

We seem to be using different versions, though I don't know of what. Please note the different expired and *EXPIRED* (which is in my and the latest copy of q.go#L419 on github).

I did update all packages just a minute ago and still get

this:

$  ./q -dnssec -check=true @m2.nstld.net bad-sig.dane.verisignlabs.com TLSA
;+ Secure signature, bad-sig.dane.verisignlabs.com. RRSIG(DS) validates (DNSKEY verisignlabs.com./63023/net)
;+ Secure signature, ns1.verisignlabs.net. RRSIG(A) validates (DNSKEY verisignlabs.net./31097/net)

;; opcode: QUERY, status: NOERROR, id: 57120
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;bad-sig.dane.verisignlabs.com. IN       TLSA

;; AUTHORITY SECTION:
[… stripped, identical; Mark]

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 4096

;; query time: 373990 µs, server: m2.nstld.net.:53(udp), size: 638 bytes

See also http://dnssec-debugger.verisignlabs.com/bad-sig.dane.verisignlabs.com

miekg commented 10 years ago

[ Quoting notifications@github.com in "Re: [exdns] invalid DNSSEC signatur..." ]

Thanks!

We seem to be using different versions, though I don't know of what. Please note the different expired and *EXPIRED* (which is in my and the latest copy of q.go on github).

I did update all packages just a minute ago and still get:

  • … without an expiration notice
  • … without an "invalid" because: DS=5647/SHA256 does not verify DNSKEY=5647/SEP

Note that -check CHECKS the signature - nothing else! It's all on the packet level.

Might need to make that more clear.

I'll also look into this some more.

miekg commented 10 years ago

The capital EXPIRE is definitely in the repo: https://github.com/miekg/exdns/blob/master/q/q.go#L419

Cut and pasting from http://dnssec-debugger.verisignlabs.com/bad-sig.dane.verisignlabs.com

    Found 1 DS records for bad-sig.dane.verisignlabs.com in the verisignlabs.com zone
    Found 1 RRSIGs over DS RRset
    RRSIG=63023 and DNSKEY=63023 verifies the DS RRset
    Found 1 DNSKEY records for bad-sig.dane.verisignlabs.com
    DS=5647/SHA256 does not verify DNSKEY=5647/SEP
    None of the 1 DNSKEY records could be validated by any of the 1 DS records
    Found 1 RRSIGs over DNSKEY RRset
    RRSIG=5647 is expired
    None of the 1 RRSIG and 1 DNSKEY records validate the DNSKEY RRset
    The DNSKEY RRset was not signed by any keys in the chain-of-trust
    bad-sig.dane.verisignlabs.com A RR has value 72.13.58.38
    Found 1 RRSIGs over A RRset            * q says the same *
    RRSIG=5647 is expired                  * q says the same *
    None of the 1 RRSIG and 1 DNSKEY records validate the A RRset

The RRSIG(DS) seems not to be checked according to the list above, but happens in the step above this one.

mark-kubacki commented 10 years ago

Thanks again. Your first output has a lower case "expired", 504a12e on Github an upper case one. 504a12e does not reply with "expired", yours does (as does miekg/unbound). Hence my suspicion that we're using two versions of a package.

$ sha256sum $GOPATH/src/github.com/miekg/exdns/q/q.go
9390dfe56ce1cf882eb16862f5d346cc3335beb4c8d133faab0c1459944c6d3e …

$ cd $GOPATH/src/github.com/miekg/exdns/; and git rev-parse --short HEAD
504a12e

$ cd $GOPATH/src/github.com/miekg/dns/; and git rev-parse --short HEAD
9b0cfb5

According to http://dnscheck.pingdom.com/troubleshooting.php?domain=bad-sig.dane.verisignlabs.com it is:

Parent DS(DS(bad-sig.dane.verisignlabs.com/8/2/5647)) refers to invalid key at child: DNSKEY(bad-sig.dane.verisignlabs.com/8/5647)
The zone bad-sig.dane.verisignlabs.com has published DS records, but none of them work.

I am sorry if this is out of the scope of this ticket and hope you don't mind me asking. How would I check for that mismatch?

miekg commented 10 years ago

  1. I think I've seen this weird git/github behaviour before... I just deleted my repo for exdns (dns' repo does not matter here).
  2. There is definitely a bug in my 'when is a sig expired' code (that lives in the dns repo)
  3. For an actual cmd line tool that checks DNSSEC chains you'll want 'drill' from ldns or 'delve' from bind9
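The two checks this thread turns on, whether the parent's DS actually authenticates the child's DNSKEY (the debugger's "DS=5647/SHA256 does not verify DNSKEY=5647/SEP" line and Mark's question about how to detect that mismatch) and whether an RRSIG is still inside its inception/expiration window, as an added stand-alone Go example using only the standard library. This is not code from exdns or miekg/dns. The DNSKEY is constructed filler (not a real RSA key), the DS record and the RRSIG(DS) timestamps are the ones pasted in the thread above, and the names DSMatches, RRSIGValidAt, ParseRRSIGTime and SampleKey are chosen here for illustration.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"strings"
	"time"
)

type DNSKEY struct {
	Flags     uint16
	Protocol  uint8
	Algorithm uint8
	PublicKey []byte // raw (base64-decoded) key material
}

type DS struct {
	KeyTag     uint16
	Algorithm  uint8
	DigestType uint8
	Digest     []byte
}

// PageDS is the DS the parent served in the thread: "5647 8 2" + 64 hex nines = 32 bytes of 0x99.
var PageDS = DS{KeyTag: 5647, Algorithm: 8, DigestType: 2, Digest: bytes.Repeat([]byte{0x99}, 32)}

// SampleKey is a constructed DNSKEY (257 = SEP/KSK, protocol 3, alg 8); the key bytes are filler.
func SampleKey() DNSKEY {
	return DNSKEY{Flags: 257, Protocol: 3, Algorithm: 8, PublicKey: bytes.Repeat([]byte{0x42}, 64)}
}

// wireName returns the canonical (lower-cased, uncompressed) wire form of an owner name.
func wireName(name string) []byte {
	var out []byte
	if name = strings.ToLower(strings.TrimSuffix(name, ".")); name != "" {
		for _, label := range strings.Split(name, ".") {
			out = append(append(out, byte(len(label))), label...)
		}
	}
	return append(out, 0)
}

func (k DNSKEY) rdata() []byte {
	return append([]byte{byte(k.Flags >> 8), byte(k.Flags), k.Protocol, k.Algorithm}, k.PublicKey...)
}

// KeyTag implements RFC 4034 Appendix B (all algorithms except 1).
func (k DNSKEY) KeyTag() uint16 {
	var ac uint32
	for i, b := range k.rdata() {
		if i&1 == 0 {
			ac += uint32(b) << 8
		} else {
			ac += uint32(b)
		}
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// ToDS derives the SHA-256 DS: digest = SHA-256(owner wire form || DNSKEY RDATA), RFC 4034 5.1.4.
func (k DNSKEY) ToDS(owner string) DS {
	h := sha256.New()
	h.Write(wireName(owner))
	h.Write(k.rdata())
	return DS{KeyTag: k.KeyTag(), Algorithm: k.Algorithm, DigestType: 2, Digest: h.Sum(nil)}
}

// DSMatches is the check the debugger reports as "DS=... does not verify DNSKEY=...":
// the parent's DS must reproduce the child key's tag, algorithm and digest (SHA-256 only here).
func DSMatches(parent DS, owner string, k DNSKEY) bool {
	want := k.ToDS(owner)
	return parent.DigestType == 2 && parent.KeyTag == want.KeyTag &&
		parent.Algorithm == want.Algorithm && bytes.Equal(parent.Digest, want.Digest)
}

// ParseRRSIGTime converts the YYYYMMDDHHmmSS presentation form (UTC) to the 32-bit wire value.
func ParseRRSIGTime(s string) (uint32, error) {
	t, err := time.Parse("20060102150405", s)
	if err != nil {
		return 0, err
	}
	return uint32(t.Unix()), nil
}

// RRSIGValidAt: inception <= now <= expiration in RFC 1982 serial arithmetic (32-bit, wraps in 2106).
func RRSIGValidAt(inception, expiration uint32, now time.Time) bool {
	t := uint32(now.Unix())
	return int32(t-inception) >= 0 && int32(expiration-t) >= 0
}

func main() {
	k := SampleKey()
	fmt.Println("DS from the thread authenticates the constructed key:", DSMatches(PageDS, "bad-sig.dane.verisignlabs.com.", k))
	inc, _ := ParseRRSIGTime("20140808130903") // RRSIG(DS) inception / expiration from the thread
	exp, _ := ParseRRSIGTime("20140822130903")
	fmt.Println("RRSIG(DS) from the thread valid now:", RRSIGValidAt(inc, exp, time.Now()))
}
```

A validator does DSMatches on every key the parent's DS set points at before it trusts the child's DNSKEY RRset, and applies RRSIGValidAt to each RRSIG at the moment of validation; q's `-check` only does the cryptographic RRSIG-over-RRset step on the records in one packet, which is why it can report a signature as valid in a zone whose chain of trust is broken.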