What should be clear to all (DNSSEC) administrators is that it is useless to sign *your* zone(s) if they refer to other, non-signed, zones themselves!

The danger is that the attacker will not try to cache poison your CNAME, but the final destination A record! Cache poisoning - Dan Kaminsky style - attacks glue (A) records anyway (not CNAMEs).

Recommendation: If you need to refer to other zones (webhosting, "email-in-the-cloud"), *insist* that they as well implement DNSSEC for their zones!

Kind regards,

Marc Lampo
Security Officer for EURid vzw/asbl

-----Original Message-----
From: Paul Wouters [mailto:p...@xelerance.com]
Sent: 18 April 2011 08:35 PM
To: John Williams
Cc: bind-us...@isc.org
Subject: Re: DNSSEC, whitehouse, isc, and troubleshooting...

On Mon, 18 Apr 2011, John Williams wrote:

> Subject: DNSSEC, whitehouse, isc, and troubleshooting...
>
> From my signed domain when I query www.isc.org (w/ +dnssec) I get the ad flag as expected. I don't see that flag when I query whitehouse.gov (w/ +dnssec) and I know that zone is signed.
>
> Is anyone else seeing this behavior? Also, is there a link that addresses troubleshooting or diagnosing DNSSEC based queries?

works for me:

[paul@bofh ~]$ dig +dnssec whitehouse.gov

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> +dnssec whitehouse.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14133
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;whitehouse.gov.                IN      A

;; ANSWER SECTION:
whitehouse.gov.         20      IN      A       59.151.148.110
whitehouse.gov.         20      IN      RRSIG   A 7 2 20 20110420224012 20110417214012 43676 whitehouse.gov. M3z/ZHkI07JM+CC25GFf3NZnO9nVddZ+qnGtqnx2pVUtV0AFRa+VX+TX G8qgWL49xNEQzce4vrf0CocEGoqgDf/x0R+qntMy2GmK7go06KrvNoLG pJW0grr9ZLx0k6uN8xRcSDlI/H9/SJyfCWPJq1pHJpDCsHTeiSXtEb0J gnU=

Note that www.whitehouse.gov is a CNAME into akamai that's unsigned, so you don't get the AD bit when querying that, unless you specifically ask for the CNAME:

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> +dnssec -t cname www.whitehouse.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29148
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.whitehouse.gov.            IN      CNAME

;; ANSWER SECTION:
www.whitehouse.gov.     3527    IN      CNAME   www.whitehouse.gov.edgesuite.net.
www.whitehouse.gov.     3527    IN      RRSIG   CNAME 7 3 3600 20110420224012 20110417214012 43676 whitehouse.gov. n+pU7FVUMC3VvJ3yUQs7HrKCj6fQs4xTL9H35YvaSnKxc42GnoqfrbwM X1dRndkE9qBlD9PnEiu2mJDUgsz/8GDbZQ61/Bphdl/M+2533QwiAB9w dEj0AFRUTmkJFNZrUqM12YS84yvbArIv38OPvCxSGYSO21F4naxcla50 n5U=

Paul
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
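The check both messages describe, walking a CNAME chain hop by hop and looking at the AD bit at every hop, as an added example that is not part of either message above. It assumes BIND 9 dig on PATH and a validating resolver in /etc/resolv.conf; the function names, the 8-hop limit and the two sample outputs (trimmed from the dig output quoted in the thread) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bind-users thread: follow a CNAME chain
# with dig and report, per hop, whether the local resolver set the AD
# (authenticated data) bit. Assumes BIND 9 dig and a validating resolver
# in /etc/resolv.conf. With a non-validating resolver every hop reports
# ad=no, so confirm against a known signed name before drawing conclusions.

# Print "yes" if the ";; flags:" header line of dig output carries the AD
# bit, "no" otherwise (also "no" when no flags line is present at all).
ad_flag_set() {
    printf '%s\n' "$1" | awk '
        /^;; flags:/ {
            for (i = 3; i <= NF; i++) {
                f = $i; last = (f ~ /;$/); sub(/;$/, "", f)
                if (f == "ad") seen = 1
                if (last) break        # the flag list ends at the first ";"
            }
            exit
        }
        END { print (seen ? "yes" : "no") }'
}

# Print the target of the first CNAME record in the answer section, or
# nothing. The RRSIG covering the CNAME has "RRSIG" in field 4, so it is skipped.
cname_target() {
    printf '%s\n' "$1" | awk '$3 == "IN" && $4 == "CNAME" { print $5; exit }'
}

# Ask each owner name for its CNAME explicitly (as Paul did with -t cname) so
# the AD bit reflects that hop alone; at the end of the chain ask for the A
# record, which is what a cache-poisoning attacker actually goes after.
follow_chain() {
    name=$1
    hop=0
    while [ "$hop" -lt 8 ]; do
        out=$(dig +dnssec +noall +comments +answer -t CNAME "$name")
        target=$(cname_target "$out")
        if [ -z "$target" ]; then
            out=$(dig +dnssec +noall +comments +answer -t A "$name")
            printf '%-40s A      ad=%s\n' "$name" "$(ad_flag_set "$out")"
            return 0
        fi
        printf '%-40s CNAME  ad=%s -> %s\n' "$name" "$(ad_flag_set "$out")" "$target"
        name=$target
        hop=$((hop + 1))
    done
    echo "CNAME chain longer than 8 hops, giving up" >&2
    return 1
}

# Constructed samples (trimmed from the dig output in the thread; signature
# shortened) so the parsers can be exercised without network access.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29148
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
www.whitehouse.gov. 3527 IN CNAME www.whitehouse.gov.edgesuite.net.
www.whitehouse.gov. 3527 IN RRSIG CNAME 7 3 3600 20110420224012 20110417214012 43676 whitehouse.gov. n+pU7FVUMC3VvJ3yUQs7HrKCj6fQs4xTL9H35YvaSnKxc42GnoqfrbwM'
# The same answer as a non-validating resolver (or an unsigned hop) returns it.
SAMPLE_UNVALIDATED=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
www.whitehouse.gov. 3527 IN CNAME www.whitehouse.gov.edgesuite.net.'

# Usage: sh dnssec-chain.sh www.whitehouse.gov
if [ "$#" -gt 0 ]; then
    follow_chain "$1"
fi
```

A hop that reports ad=no after a hop that reported ad=yes is exactly the situation Marc warns about: your own zone validates, but the name the client ends up resolving lives in a zone nobody signed, and that final A record is the one a Kaminsky-style attack would target. Remember that AD is set by the validating resolver you are talking to, not by the authoritative server, so run the script against a resolver you know validates.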