Just because a broken configuration “works” some of the time for some people, that doesn’t mean that it is not broken.
RFC 1034 says: "The domain system provides such a feature using the canonical name (CNAME) RR. A CNAME RR identifies its owner name as an alias, and specifies the corresponding canonical name in the RDATA section of the RR. If a CNAME RR is present at a node, no other data should be present; this ensures that the data for a canonical name and its aliases cannot be different. This rule also insures that a cached CNAME can be used without checking with an authoritative server for other RR types."

Now www.ssa.gov has (or should have) NS and SOA records besides the CNAME as it is (supposedly) a delegated zone. The nameservers hosting this zone should be rejecting it according to RFC 1034.

On top of this the parent zone is signed and validating clients need to be able to retrieve the non-existence proof for the DS RRset from the parent zone. If you are validating through a server then when you ask for www.ssa.gov DS and it finds a CNAME record at www.ssa.gov then that should be a valid reply because CNAMEs are not supposed to have other records at the same name. There is an exception for KEY to allow SIG(0) signed messages using the private part of that key to update the CNAME record and for NSEC to prove the non-existence of KEY and names in the zone’s namespace after the CNAME record. No RFC says “If the query type is DS and you find a CNAME, ignore that CNAME and perform a lookup for the DS”. This text doesn’t exist because RFC 1034 says this is an illegal (broken) configuration. There is no exception for DS like there is for KEY and NSEC.

If you investigate further the “servers” for www.ssa.gov are DNSSEC aware as they don’t return CNAME for a KEY lookup. What they do return is a non-existence response using a SOA record with the owner name of ssa.gov which means the “delegation” is pointing into the middle of a different instance of “ssa.gov” which has a CNAME rather than NS records at www.ssa.gov so there isn’t even a proper delegation.
This also means that any sanity checking in the server for CNAME and other data is defeated by the broken delegation.

% dig key www.ssa.gov @gtmu2.ssa.gov

; <<>> DiG 9.19.5-dev <<>> key www.ssa.gov @gtmu2.ssa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47786
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ssa.gov.			IN	KEY

;; AUTHORITY SECTION:
ssa.gov.		60	IN	SOA	gtmu1.ssa.gov. 1G. 2022082605 10800 3600 604800 60

;; Query time: 273 msec
;; SERVER: 137.200.43.17#53(gtmu2.ssa.gov) (UDP)
;; WHEN: Fri Sep 02 10:18:46 AEST 2022
;; MSG SIZE  rcvd: 93

%

Mark

> On 2 Sep 2022, at 08:16, Bhangui, Sandeep - BLS CTR via bind-users <bind-users@lists.isc.org> wrote:
> 
> 
> If I go to my personal computer or my personal phone (not on VPN connected to BLS network or using BLS resources) I can get to the site www.ssa.gov, which leads me to believe that it is able to resolve www.ssa.gov.
> 
> Does that mean the dns resolution for www.ssa.gov is not broken globally as explained below?
> 
> Or maybe personal computer & my personal phone are querying different DNS servers over the internet which are able to resolve www.ssa.gov correctly and get to the website?
> 
> Thanks
> Sandeep
> 
> 
> 
> -----Original Message-----
> From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of Bjørn Mork
> Sent: Thursday, September 1, 2022 5:26 PM
> To: BIND users <bind-users@lists.isc.org>
> Subject: Re: Issue with dns resolution for www.ssa.gov
> 
> CAUTION: This email originated from outside of BLS. DO NOT click links or open attachments unless you recognize the sender and know the content is safe. Please send suspicious emails as an attachment to sec...@bls.gov.
> 
> www.ssa.gov is a separate zone according to the ssa.gov NS:
> 
> bjorn@idefix:~$ dig ns www.ssa.gov @dns1.ssa.gov
> 
> ; <<>> DiG 9.16.27-Debian <<>> ns www.ssa.gov @dns1.ssa.gov
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56002
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 3419fe2b41b19e86fd0d2330631122fd3a26a591e846d4b1 (good)
> ;; QUESTION SECTION:
> ;www.ssa.gov.			IN	NS
> 
> ;; AUTHORITY SECTION:
> www.ssa.gov.		60	IN	NS	gtms2.ssa.gov.
> www.ssa.gov.		60	IN	NS	gtms1.ssa.gov.
> www.ssa.gov.		60	IN	NS	gtmu1.ssa.gov.
> www.ssa.gov.		60	IN	NS	gtmu2.ssa.gov.
> 
> ;; ADDITIONAL SECTION:
> GTMS1.ssa.gov.		36000	IN	AAAA	2001:1930:e03::13
> GTMS2.ssa.gov.		36000	IN	AAAA	2001:1930:e03::14
> GTMU1.ssa.gov.		36000	IN	AAAA	2001:1930:d07:1::10
> GTMU2.ssa.gov.		36000	IN	AAAA	2001:1930:d07:1::11
> GTMS1.ssa.gov.		36000	IN	A	137.200.4.203
> GTMS2.ssa.gov.		36000	IN	A	137.200.4.204
> GTMU1.ssa.gov.		36000	IN	A	137.200.43.16
> GTMU2.ssa.gov.		36000	IN	A	137.200.43.17
> 
> ;; Query time: 107 msec
> ;; SERVER: 2001:1930:d07:1::8#53(2001:1930:d07:1::8)
> ;; WHEN: Thu Sep 01 23:24:13 CEST 2022
> ;; MSG SIZE  rcvd: 348
> 
> 
> 
> But it's a CNAME according to the www.ssa.gov NS:
> 
> 
> bjorn@idefix:~$ dig a www.ssa.gov @gtms1.ssa.gov
> 
> ; <<>> DiG 9.16.27-Debian <<>> a www.ssa.gov @gtms1.ssa.gov
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43620
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;www.ssa.gov.			IN	A
> 
> ;; ANSWER SECTION:
> www.ssa.gov.		300	IN	CNAME	www.ssa.gov.edgekey.net.
> 
> ;; Query time: 127 msec
> ;; SERVER: 2001:1930:e03::13#53(2001:1930:e03::13)
> ;; WHEN: Thu Sep 01 23:25:01 CEST 2022
> ;; MSG SIZE  rcvd: 77
> 
> 
> 
> CDNs playing tricks. This won't fly.
> 
> 
> 
> Bjørn
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
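As an added example, not code from the thread, from ISC or from BIND, the following offline Python checker encodes the two checks Mark applies above: the RFC 1034 rule that nothing except a CNAME may sit at a node (allowing the RRSIG and NSEC RRsets RFC 4035 section 2.5 requires beside a signed CNAME, and the KEY exception for SIG(0) updates that Mark cites), and the observation that a NODATA answer whose SOA is owned by the parent zone means the delegated name is not a zone apex on the child servers. The `THREAD_RESPONSES` data is transcribed from the dig output quoted in the thread; `SOUND_RESPONSES`, the 192.0.2.10 address and the hostmaster RNAME are constructed assumptions that show what a consistent delegation would look like.

```python
"""Offline checker for two delegation faults: RR types that may not share an
owner name with a CNAME (RFC 1034 section 3.6.2, minus the RRSIG/NSEC
exceptions of RFC 4035 section 2.5 and the KEY exception for SIG(0) updates),
and a delegation whose target servers answer NODATA with the parent's SOA,
i.e. they do not serve a zone whose apex is the delegated name."""
from dataclasses import dataclass, field

# RR types that may legitimately sit beside a CNAME at the same owner name.
CNAME_COMPATIBLE = frozenset({"RRSIG", "NSEC", "KEY"})


def cname_violations(node_types):
    """node_types: RR type mnemonics present at one owner name.
    Returns the types that must not coexist with a CNAME at that name."""
    if "CNAME" not in node_types:
        return set()
    return set(node_types) - {"CNAME"} - CNAME_COMPATIBLE


@dataclass
class Response:
    """The parts of an authoritative response the audit needs.
    answer/authority hold (owner, rrtype, rdata) tuples."""
    qname: str
    qtype: str
    aa: bool
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)


def negative_answer_zone(resp):
    """For a NODATA/NXDOMAIN answer, the SOA in the AUTHORITY section names the
    zone the server answered from (RFC 2308 section 2). None if no SOA."""
    for owner, rtype, _ in resp.authority:
        if rtype == "SOA":
            return owner
    return None


def audit_delegation(name, parent_ns, child_responses):
    """name: delegated owner name (absolute, with trailing dot).
    parent_ns: NS target names the parent zone publishes for `name`.
    child_responses: Responses from those servers to queries at `name`.
    Returns a list of findings; an empty list means the delegation is sound."""
    findings = []
    # The parent's NS RRset is owned by `name`, so the child apex holds NS by
    # definition; add whatever the child servers answer with at `name`.
    types_at_name = {"NS"} if parent_ns else set()
    for r in child_responses:
        if not r.aa:
            findings.append(f"{r.qtype} query: server is not authoritative (aa=0)")
        for owner, rtype, _ in r.answer:
            if owner == name:
                types_at_name.add(rtype)
        if not r.answer:
            zone = negative_answer_zone(r)
            if zone is None:
                findings.append(f"{r.qtype} query: NODATA with no SOA in AUTHORITY")
            elif zone != name:
                findings.append(
                    f"{r.qtype} query: NODATA SOA is owned by {zone}, not {name}; "
                    f"the servers do not serve a zone with apex {name}")
    bad = cname_violations(types_at_name)
    if bad:
        findings.append(
            f"CNAME at {name} coexists with {sorted(bad)} (RFC 1034 section 3.6.2)")
    return findings


# Transcribed from the dig answers quoted in the thread (not live data).
NAME = "www.ssa.gov."
PARENT_NS = ["gtms1.ssa.gov.", "gtms2.ssa.gov.", "gtmu1.ssa.gov.", "gtmu2.ssa.gov."]
THREAD_RESPONSES = [
    # dig a www.ssa.gov @gtms1.ssa.gov
    Response(NAME, "A", aa=True,
             answer=[(NAME, "CNAME", "www.ssa.gov.edgekey.net.")]),
    # dig key www.ssa.gov @gtmu2.ssa.gov
    Response(NAME, "KEY", aa=True,
             authority=[("ssa.gov.", "SOA",
                         "gtmu1.ssa.gov. 1G. 2022082605 10800 3600 604800 60")]),
]

# Constructed, hypothetical answers from a correctly delegated child zone.
SOUND_RESPONSES = [
    Response(NAME, "A", aa=True, answer=[(NAME, "A", "192.0.2.10")]),
    Response(NAME, "KEY", aa=True,
             authority=[(NAME, "SOA",
                         "gtmu1.ssa.gov. hostmaster.ssa.gov. 1 3600 900 604800 60")]),
]

if __name__ == "__main__":
    for label, responses in (("thread", THREAD_RESPONSES), ("sound", SOUND_RESPONSES)):
        print(f"[{label}]")
        for line in audit_delegation(NAME, PARENT_NS, responses) or ["no findings"]:
            print("  " + line)
```

Run against the thread's answers it reports both faults: the KEY query's NODATA carries an SOA owned by ssa.gov., so the servers named in the delegation are not serving a zone apexed at www.ssa.gov., and the CNAME at www.ssa.gov. collides with the NS RRset the parent publishes for that name. Against the constructed sound answers it reports nothing. Feeding it real responses is left to the reader's resolver library; the checker only looks at section contents and the aa flag.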