minvws / nl-kat-coordination

European Union Public License 1.2

DNSSEC boefje shows finding while the DNSSEC chain is valid #2566

Closed underdarknl closed 3 months ago

stephanie0x00 commented 3 months ago

Can confirm this bug for the domain provided by the owner. What happens is:

;; Number of trusted keys: 1\n;; Chasing: <REDACTED>.net. A\n\n\nDNSSEC Trust tree:\<REDACTED>.net. (A)\nNo trusted keys found in tree: first error was: No DNSSEC public key(s)\n;; Chase failed.\n"

The DNS zone RAW file for this domain has the following output:

{"dns_records": "RESOLVER: 1.1.1.1\nid 8549\nopcode QUERY\nrcode NOERROR\nflags QR RD RA\nedns 0\npayload 1232\n;QUESTION\nREDACTED.net. IN SOA\n;ANSWER\nREDACTED.net. 3600 IN SOA 1-you.njalla.no. you.can-get-no.info. 2405071000 21600 7200 1814400 3600\n;AUTHORITY\n;ADDITIONAL\n\nRESOLVER: 1.1.1.1\nid 33276\nopcode QUERY\nrcode NOERROR\nflags QR RD RA\nedns 0\npayload 1232\n;QUESTION\nREDACTED.net. IN TXT\n;ANSWER\nREDACTED.net. 900 IN TXT \"v=spf1 include:_spf.protonmail.ch mx ~all\"\nREDACTED.net. 900 IN TXT \"have-i-been-pwned-verification=7b1750f1a92d621c19d61ca874e633ca\"\nREDACTED.net. 900 IN TXT \"have-i-been-pwned-verification=aa7a494f6a6509e136290b3aa7baf24c\"\nREDACTED.net. 900 IN TXT \"protonmail-verification=0238f35c2f8472d1963d728079b9eb85ee18f775\"\nREDACTED.net. 900 IN TXT \"google-site-verification=ARp-Dha6qo9hGsco0eAFEe1_MYVVHxYMZY98N1sJixM\"\n;AUTHORITY\n;ADDITIONAL\n\nRESOLVER: 1.1.1.1\nid 28204\nopcode QUERY\nrcode NOERROR\nflags QR RD RA\nedns 0\npayload 1232\n;QUESTION\nREDACTED.net. IN AAAA\n;ANSWER\nREDACTED.net. 10800 IN AAAA 2a01:4f8:13b:204b::\n;AUTHORITY\n;ADDITIONAL\n\nRESOLVER: 1.1.1.1\nid 43551\nopcode QUERY\nrcode NOERROR\nflags QR RD RA\nedns 0\npayload 1232\n;QUESTION\nREDACTED.net. IN SOA\n;ANSWER\nREDACTED.net. 3600 IN SOA 1-you.njalla.no. you.can-get-no.info. 2405071000 21600 7200 1814400 3600\n;AUTHORITY\n;ADDITIONAL\n\nRESOLVER: 1.1.1.1\nid 10346\nopcode QUERY\nrcode NOERROR\nflags QR RD RA\nedns 0\npayload 1232\n;QUESTION\nREDACTED.net. IN NS\n;ANSWER\nREDACTED.net. 36000 IN NS 1-you.njalla.no.\nREDACTED.net. 36000 IN NS 2-can.njalla.in.\nREDACTED.net. 36000 IN NS 3-get.njalla.fo.\n;AUTHORITY\n;ADDITIONAL\n\nRESOLVER: 1.1.1.1\nid 18670\nopcode QUERY\nrcode NOERROR\nflags QR RD RA\nedns 0\npayload 1232\n;QUESTION\nREDACTED.net. IN A\n;ANSWER\nREDACTED.net. 10800 IN A REDACTEDIP\n;AUTHORITY\n;ADDITIONAL\n\nRESOLVER: 1.1.1.1\nid 23994\nopcode QUERY\nrcode NOERROR\nflags QR RD RA\nedns 0\npayload 1232\n;QUESTION\nREDACTED.net. 
IN MX\n;ANSWER\nREDACTED.net. 10800 IN MX 10 mail.protonmail.ch.\nREDACTED.net. 10800 IN MX 20 mailsec.protonmail.ch.\n;AUTHORITY\n;ADDITIONAL", "dmarc_response": "id 58177\nopcode QUERY\nrcode NOERROR\nflags QR RD RA\nedns 0\npayload 1232\n;QUESTION\n_dmarc.REDACTED.net. IN TXT\n;ANSWER\n_dmarc.REDACTED.net. 900 IN TXT \"v=DMARC1; p=quarantine;\"\n;AUTHORITY\n;ADDITIONAL", "dkim_response": "id 64432\nopcode QUERY\nrcode NOERROR\nflags QR RD RA\nedns 0\npayload 1232\n;QUESTION\n_domainkey.REDACTED.net. IN TXT\n;ANSWER\n;AUTHORITY\nREDACTED.net. 3600 IN SOA 1-you.njalla.no. you.can-get-no.info. 2405071000 21600 7200 1814400 3600\n;ADDITIONAL"}

When manually checking the DNS:

$ dig REDACTED.net    

; <<>> DiG 9.18.24-1-Debian <<>> REDACTED.net  
;; global options: +cmd  
;; Got answer:  
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55908  
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1     <--- ad flag is present, thus the domain has DNSSEC (chain is not verified with this command).

;; OPT PSEUDOSECTION:  
; EDNS: version: 0, flags:; udp: 512  
;; QUESTION SECTION:  
REDACTED.net.                 IN      A  

;; ANSWER SECTION:  
REDACTED.net.          10684   IN      A      REDACTED  

;; Query time: 4 msec  
;; SERVER: 10.255.1.1#53(10.255.1.1) (UDP)  
;; WHEN: Thu May 16 13:05:51 CEST 2024  
;; MSG SIZE  rcvd: 58
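
The comment above shows the same drill chase failing at one resolver while dig reports the `ad` flag for the domain. As an added illustration, not code from the nl-kat-coordination project or from the commenter, the following Python parses the `drill -S` trust-tree output and the dig header flags, then aggregates chase results from several resolvers so that a checker can tell a resolver-dependent failure apart from a chain that fails everywhere. The sample outputs are constructed after the format shown in this issue (domain `example.net` stands in for the redacted one; keytags are illustrative except 20326, the root KSK-2017 trust anchor), and the `resolver-dependent` verdict is a policy choice assumed here for the example, not something the project defines.

```python
"""Parse drill chase output and dig flags; compare DNSSEC results across resolvers.

Added example (not project code). Input samples are constructed after the drill/dig
output format in the issue; the keytags other than the root KSK (20326) are illustrative.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

CHASE_OK = ";; Chase successful"
FIRST_ERROR_RE = re.compile(r"first error was: (?P<err>.+?)\s*$", re.M)
KEY_RE = re.compile(
    r"\|---(?P<owner>\S+) \(DNSKEY keytag: (?P<tag>\d+) alg: (?P<alg>\d+) flags: (?P<flags>\d+)\)"
)
DS_RE = re.compile(r"\|---(?P<owner>\S+) \(DS keytag: (?P<tag>\d+) digest type: (?P<dt>\d+)\)")
DIG_FLAGS_RE = re.compile(r"^;; flags: (?P<flags>[a-z ]*);", re.M)

ROOT_KSK_TAG = 20326  # root zone KSK-2017, the trust anchor drill chases up to


@dataclass(frozen=True)
class ChaseResult:
    resolver: str
    successful: bool
    error: Optional[str]
    ksk_tags: frozenset    # keytags of SEP keys (flags 257) present in the tree
    ds_tags: frozenset     # keytags referenced by DS records in the tree
    anchored_at_root: bool  # tree contains the root KSK, i.e. the chain is complete


def parse_chase(text: str, resolver: str) -> ChaseResult:
    """Turn one `drill -S -k root.key <name> @<resolver>` run into a ChaseResult."""
    lines = [line.rstrip() for line in text.splitlines()]
    successful = any(line.startswith(CHASE_OK) for line in lines)
    error = None
    if not successful:
        m = FIRST_ERROR_RE.search(text)
        error = m.group("err") if m else "unknown"
    ksk, ds, root = set(), set(), False
    for line in lines:
        k = KEY_RE.search(line)
        if k:
            if k.group("flags") == "257":
                ksk.add(int(k.group("tag")))
            if k.group("owner") == "." and int(k.group("tag")) == ROOT_KSK_TAG:
                root = True
            continue
        d = DS_RE.search(line)
        if d:
            ds.add(int(d.group("tag")))
    return ChaseResult(resolver, successful, error, frozenset(ksk), frozenset(ds), root)


def summarize(results: list[ChaseResult]) -> dict:
    """Aggregate per-resolver chases: a failure on one resolver alone is not a broken chain."""
    ok = [r.resolver for r in results if r.successful and r.anchored_at_root]
    bad = [r.resolver for r in results if r.resolver not in ok]
    if ok and bad:
        verdict = "resolver-dependent"  # assumed policy: investigate the resolver, not the zone
    elif ok:
        verdict = "valid"
    else:
        verdict = "failed"
    return {
        "verdict": verdict,
        "validated_by": ok,
        "failed_on": bad,
        "errors": {r.resolver: r.error for r in results if not r.successful},
    }


def dig_ad_flag(dig_text: str) -> bool:
    """True when the dig header carries `ad` (resolver claims authenticated data)."""
    m = DIG_FLAGS_RE.search(dig_text)
    return bool(m) and "ad" in m.group("flags").split()


# Constructed samples modelled on the drill/dig output shown in the issue.
SAMPLE_OK = """;; Number of trusted keys: 1
;; Chasing: example.net. A

DNSSEC Trust tree:
example.net. (A)
|---example.net. (DNSKEY keytag: 7788 alg: 8 flags: 256)
|   |---example.net. (DNSKEY keytag: 49379 alg: 8 flags: 257)
|   |---example.net. (DS keytag: 49379 digest type: 2)
|       |---net. (DNSKEY keytag: 51809 alg: 13 flags: 256)
|           |---net. (DNSKEY keytag: 37331 alg: 13 flags: 257)
|           |---net. (DS keytag: 37331 digest type: 2)
|               |---. (DNSKEY keytag: 5613 alg: 8 flags: 256)
|                   |---. (DNSKEY keytag: 20326 alg: 8 flags: 257)
;; Chase successful
"""
SAMPLE_FAIL = """;; Number of trusted keys: 1
;; Chasing: example.net. A

DNSSEC Trust tree:
example.net. (A)
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.
"""
SAMPLE_DIG = ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1\n;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1\n"

if __name__ == "__main__":
    runs = [parse_chase(SAMPLE_OK, "8.8.8.8"), parse_chase(SAMPLE_FAIL, "1.1.1.1")]
    print(summarize(runs))
    print("dig ad flag:", dig_ad_flag(SAMPLE_DIG))
```

Running it prints a `resolver-dependent` verdict for the two constructed chases, which is the situation the thread describes: one resolver's failed chase does not by itself justify a finding, while the dig `ad` flag only says that the resolver asserts validation, not that the checker verified the chain.
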

stephanie0x00 commented 3 months ago

I've verified that the same error message is shown "No trusted keys found in tree" before change https://github.com/minvws/nl-kat-coordination/pull/2917, so that PR is not the cause of the error.

Troubleshooting the issue shows the following:

$ drill -SD -k /usr/share/dns/root.key REDACTED.net @1.1.1.1  
;; Number of trusted keys: 1  
;; Chasing: REDACTED.net. A  

DNSSEC Trust tree:  
REDACTED.net. (A)  
No trusted keys found in tree: first error was: No DNSSEC public key(s)  
;; Chase failed.

When we remove the nameserver check at the end (@1.1.1.1), the chase works like a charm.

drill -SD -k /usr/share/dns/root.key REDACTED.net    
;; Number of trusted keys: 1  
;; Chasing: REDACTED.net. A  

DNSSEC Trust tree:  
REDACTED.net. (A)  
|---REDACTED.net. (DNSKEY keytag: 7788 alg: 8 flags: 256)  
|   |---REDACTED.net. (DNSKEY keytag: 49149 alg: 8 flags: 256)  
|   |---REDACTED.net. (DNSKEY keytag: 49379 alg: 8 flags: 257)  
|   |---REDACTED.net. (DS keytag: 49379 digest type: 2)  
|       |---net. (DNSKEY keytag: 51809 alg: 13 flags: 256)  
|           |---net. (DNSKEY keytag: 37331 alg: 13 flags: 257)  
|           |---net. (DS keytag: 37331 digest type: 2)  
|               |---. (DNSKEY keytag: 5613 alg: 8 flags: 256)  
|                   |---. (DNSKEY keytag: 20326 alg: 8 flags: 257)  
|---REDACTED.net. (DNSKEY keytag: 49149 alg: 8 flags: 256)  
   |---REDACTED.net. (DNSKEY keytag: 7788 alg: 8 flags: 256)  
   |---REDACTED.net. (DNSKEY keytag: 49379 alg: 8 flags: 257)  
   |---REDACTED.net. (DS keytag: 49379 digest type: 2)  
       |---net. (DNSKEY keytag: 51809 alg: 13 flags: 256)  
           |---net. (DNSKEY keytag: 37331 alg: 13 flags: 257)  
           |---net. (DS keytag: 37331 digest type: 2)  
               |---. (DNSKEY keytag: 5613 alg: 8 flags: 256)  
                   |---. (DNSKEY keytag: 20326 alg: 8 flags: 257)  
;; Chase successful

When trying the chase command against a domain without DNSSEC, it gives an error (as expected):

$ drill -SD -k /usr/share/dns/root.key badssl.com    
;; Number of trusted keys: 1  
;; Chasing: badssl.com. A  

DNSSEC Trust tree:  
<no data>  
No trusted keys found in tree: first error was: No DNSSEC public key(s)  
;; Chase failed.

When performing the query against the Google nameservers, the DNSSEC is valid:

$ drill -S -k /usr/share/dns/root.key REDACTED.net @8.8.8.8  
;; Number of trusted keys: 1  
;; Chasing: REDACTED.net. A  

DNSSEC Trust tree:  
REDACTED.net. (A)  
|---REDACTED.net. (DNSKEY keytag: 7788 alg: 8 flags: 256)  
|   |---REDACTED.net. (DNSKEY keytag: 49149 alg: 8 flags: 256)  
|   |---REDACTED.net. (DNSKEY keytag: 49379 alg: 8 flags: 257)  
|   |---REDACTED.net. (DS keytag: 49379 digest type: 2)  
|       |---net. (DNSKEY keytag: 51809 alg: 13 flags: 256)  
|           |---net. (DNSKEY keytag: 37331 alg: 13 flags: 257)  
|           |---net. (DS keytag: 37331 digest type: 2)  
|               |---. (DNSKEY keytag: 5613 alg: 8 flags: 256)  
|                   |---. (DNSKEY keytag: 20326 alg: 8 flags: 257)  
|---REDACTED.net. (DNSKEY keytag: 49149 alg: 8 flags: 256)  
   |---REDACTED.net. (DNSKEY keytag: 7788 alg: 8 flags: 256)  
   |---REDACTED.net. (DNSKEY keytag: 49379 alg: 8 flags: 257)  
   |---REDACTED.net. (DS keytag: 49379 digest type: 2)  
       |---net. (DNSKEY keytag: 51809 alg: 13 flags: 256)  
           |---net. (DNSKEY keytag: 37331 alg: 13 flags: 257)  
           |---net. (DS keytag: 37331 digest type: 2)  
               |---. (DNSKEY keytag: 5613 alg: 8 flags: 256)  
                   |---. (DNSKEY keytag: 20326 alg: 8 flags: 257)  
;; Chase successful

When performing the query against the Quad9 nameservers, it also gives an invalid DNSSEC result.

$ drill -S -k /usr/share/dns/root.key REDACTED.net @9.9.9.9  
;; Number of trusted keys: 1  
;; Chasing: REDACTED.net. A  

DNSSEC Trust tree:  
REDACTED.net. (A)  
No trusted keys found in tree: first error was: No DNSSEC public key(s)  
;; Chase failed.

There are two solutions: