Well if you are attacking the resolver by sending invalid RRSIGs ...

> On 15 Feb 2024, at 11:15, Matt Nordhoff via bind-users
> <bind-users@lists.isc.org> wrote:
>
> Hello,
>
> I'm not sure if this is a bug or a feature, but the recent CVE fixes
> prevent resolving paste.debian.net with DNSSEC validation on.
>
> It is a CNAME:
>
> $ dig +short paste.debian.net
> apu.snow-crash.org.
> p.snow-crash.org.
> 148.251.236.38
>
> debian.net is fine, but snow-crash.org is misconfigured: It has an
> algorithm 13 DS record, is correctly signed with algorithm 13, but is
> also signed using algorithm 8 with signatures that expired a year
> ago(!).
>
> <https://dnsviz.net/d/paste.debian.net/ZczXYw/dnssec/>
>
> Other resolvers, and older versions of BIND, ignore the bad/irrelevant
> signatures and can still resolve the zone.
>
> With the recent CVE fixes, BIND sees the expired RRSIGs, decides it's
> bogus, logs the below, and returns SERVFAIL. I imagine it hits
> max-validation-failures-per-fetch or some internal limit.
>
> named[2540]: validating apu.snow-crash.org/CNAME: verify failed due to
> bad signature (keyid=41523): RRSIG has expired
> named[2540]: validating apu.snow-crash.org/CNAME: no valid signature found
> named[2540]: RRSIG has expired resolving 'apu.snow-crash.org/A/IN':
> 37.120.176.165#53
> named[2540]: validating apu.snow-crash.org/CNAME: verify failed due to
> bad signature (keyid=41523): RRSIG has expired
> named[2540]: validating apu.snow-crash.org/CNAME: no valid signature found
> named[2540]: RRSIG has expired resolving 'apu.snow-crash.org/A/IN':
> 148.251.236.38#53
> named[2540]: validating apu.snow-crash.org/CNAME: verify failed due to
> bad signature (keyid=41523): RRSIG has expired
> named[2540]: validating apu.snow-crash.org/CNAME: no valid signature found
> named[2540]: RRSIG has expired resolving 'apu.snow-crash.org/A/IN':
> 2a01:4f8:201:3437::2#53
>
> snow-crash.org is clearly misconfigured, but resolvers usually succeed
> when they encounter both valid and invalid DNSSEC signatures. And this
> domain has no algorithm 8 DS records at all, so the signatures and
> keys can be ignored entirely.
>
> Regarding DoS attacks, a resolver can ignore signatures that are
> expired or use algorithms not included in the DS record without any
> expensive cryptography.

But that requires actually having the DS RRset at the time of the
verification of the RRset/RRSIG.

> I'm not necessarily saying this is a bug, but it might be an
> interesting data point regarding the experimental new limits, and you
> might want to consider changing the default or the accounting.
>
> I noticed the issue using Quad9's 9.9.9.11 DNS resolver, and then
> reproduced it on an Ubuntu 23.10 (amd64) VM by installing Ubuntu's
> bind9 1:9.18.18-0ubuntu2 package with the default configuration and
> then upgrading it to 1:9.18.18-0ubuntu2.1.
>
> Some copy-and-pasted information at
> <https://gist.github.com/mnordhoff/9286a264633fc12a262213a8d389f517>.
> (Since I couldn't use <https://paste.debian.net/>...)
>
> (I also did/will tell Quad9 about it for their information.)
>
> Cheers,
> --
> Matt Nordhoff
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
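As an added illustration, not code from this thread or from BIND, here is a small Python pre-filter showing the cheap checks Matt describes (drop RRSIGs whose algorithm is absent from the DS RRset, or whose validity period has passed) together with Mark's caveat that the algorithm check can only run once the DS RRset is in hand. The key tag 20000, the exact dates, and the convention that `ds_algorithms=None` means "DS RRset not available yet" are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class RRSig:
    """The RRSIG fields the pre-filter needs (RFC 4034 section 3.1)."""
    algorithm: int        # DNSSEC algorithm number: 8 = RSASHA256, 13 = ECDSAP256SHA256
    key_tag: int
    inception: datetime
    expiration: datetime


def prefilter_rrsigs(rrsigs, ds_algorithms, now):
    """Split RRSIGs into those worth a cryptographic check and those that can be
    rejected with comparisons alone. ds_algorithms is the set of algorithm
    numbers present in the parent's DS RRset, or None when the DS RRset is not
    yet available; in that case only the validity-period check applies."""
    candidates, rejected = [], []
    for sig in rrsigs:
        if ds_algorithms is not None and sig.algorithm not in ds_algorithms:
            rejected.append((sig, "algorithm %d not in DS RRset" % sig.algorithm))
        elif now > sig.expiration:            # RFC 4035 section 5.3.1: now must be <= expiration
            rejected.append((sig, "RRSIG has expired"))
        elif now < sig.inception:             # ... and >= inception
            rejected.append((sig, "RRSIG not yet valid"))
        else:
            candidates.append(sig)
    return candidates, rejected


# Constructed sample modelled on the thread: one current algorithm 13 signature
# and one algorithm 8 signature (keyid 41523) that expired a year earlier.
# The key tag 20000 and the dates are made up; only 41523 comes from the logs.
NOW = datetime(2024, 2, 15, 11, 15, tzinfo=timezone.utc)
DS_ALGORITHMS = {13}                          # snow-crash.org publishes an algorithm 13 DS only
SAMPLE_RRSIGS = [
    RRSig(13, 20000, datetime(2024, 2, 1, tzinfo=timezone.utc), datetime(2024, 3, 1, tzinfo=timezone.utc)),
    RRSig(8, 41523, datetime(2023, 1, 15, tzinfo=timezone.utc), datetime(2023, 2, 15, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    keep, drop = prefilter_rrsigs(SAMPLE_RRSIGS, DS_ALGORITHMS, NOW)
    for sig in keep:
        print("verify: alg=%d keyid=%d" % (sig.algorithm, sig.key_tag))
    for sig, why in drop:
        print("skip:   alg=%d keyid=%d (%s)" % (sig.algorithm, sig.key_tag, why))
```

With the DS RRset present the algorithm 8 signature never reaches the crypto step; without it, the same signature is still discarded, but only because it has expired, so a not-yet-expired signature under an unlisted algorithm would still cost a verification.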