Hi Bob

On Thu, May 14, 2020 at 10:02:45AM -0400, Bob Harold wrote:
> I am preparing to enable DNSSEC validation, so I am working on alerts for
> failed validations, so I can see whether they are user errors (that might
> need negative trust anchors or other exceptions) or actual attacks.
> 
> I stumbled on "mff.cuni.cz" which has RRSIG records that expired 3 months
> ago, but my validating server still gives an answer and says that it is
> valid.
> Is that expected?
> 
> BIND 9.11.4-P2-RedHat-9.11.4-9.P2.el7 (Extended Support Version)
> <id:7107deb>
> 
> [hostmast@ns-umd-nsbs-1 named]$ delv mff.cuni.cz   @127.0.0.1
> ;; validating mff.cuni.cz/DNSKEY: verify failed due to bad signature
> (keyid=47500): RRSIG has expired
> ; fully validated
> mff.cuni.cz.            28546   IN      A       195.113.27.221
> mff.cuni.cz.            28546   IN      RRSIG   A 13 3 28800 20200611045052
> 20200512043705 47500 mff.cuni.cz.
> ZbW+RXOvA24E+Fb0Z/M3OfMJdFD9vdRKD8nhylZSfB0fkq236lohWHGu
> 4A54HrqasAPkUHJd/LcoN1+k6bkAqw==

delv is complaining that a signature for the DNSKEY set has expired. There is
a signature that has not expired, though:

[muks@jurassic ~]$ dig +rrcomments +dnssec mff.cuni.cz dnskey

; <<>> DiG 1.1.1.20200413085522.7eb91c6988 <<>> +rrcomments +dnssec mff.cuni.cz dnskey
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55595
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mff.cuni.cz.                   IN      DNSKEY

;; ANSWER SECTION:
mff.cuni.cz.            28291   IN      DNSKEY  257 3 13 
1PMTgkDSUJEO8PbtFEtJ6sqtBUwlqv5yWMAQpedPoJtvJ9Oxoen3OJoF 
xEnZCFBCouNsR58PYdzYDowWEQAJVw==  ; KSK; alg = ECDSAP256SHA256 ; key id = 47500
mff.cuni.cz.            28291   IN      RRSIG   DNSKEY 13 3 28800 
20200206004306 20200107001237 47500 mff.cuni.cz. 
j9FdwbEIhxtLXPnTWNhTIuRDXEeF/1NDLoCT6obI+2LbjAEea9cfu3kr 
1LKRJZRKmNlJIh4siJ+jQPXj7p+Kcw==
mff.cuni.cz.            28291   IN      RRSIG   DNSKEY 13 3 28800 
20200611043903 20200512034907 47500 mff.cuni.cz. 
+aAX+S8d8GpGLzytpqCAH0vLui8P2Pij9Y9TyiDIA4SsN1s02xSDz0ON 
iK6g8fwegqdiFv2yUqr/7XUZD0XSUw==

;; Query time: 1 msec
;; SERVER: 10.98.0.1#53(10.98.0.1)
;; WHEN: Thu May 14 19:53:56 IST 2020
;; MSG SIZE  rcvd: 334

The second signature in the set above has not expired and is a valid
path in the trust chain.

                Mukund
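As an added illustration (not code from the thread, from BIND or from delv), the Python below takes the RRSIG records shown in the delv and dig output above and applies the per-signature validity-window check at the time of the dig run: an RRset is usable as soon as one RRSIG is inside its window, which is why the expired DNSKEY RRSIG sitting beside a current one does not fail validation, while a monitor that wants the alerts Bob describes can still flag the stale signature. The parser, the status labels and the UTC check time are my assumptions; the window check here is the time part of RFC 4035 section 5.3.1 only, not cryptographic verification.

```python
"""Which RRSIGs over an RRset are inside their validity window right now?"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Records transcribed from the thread's delv/dig output, each joined onto one line.
SAMPLE_RRSIGS = [
    "mff.cuni.cz. 28291 IN RRSIG DNSKEY 13 3 28800 20200206004306 20200107001237 47500 mff.cuni.cz. "
    "j9FdwbEIhxtLXPnTWNhTIuRDXEeF/1NDLoCT6obI+2LbjAEea9cfu3kr1LKRJZRKmNlJIh4siJ+jQPXj7p+Kcw==",
    "mff.cuni.cz. 28291 IN RRSIG DNSKEY 13 3 28800 20200611043903 20200512034907 47500 mff.cuni.cz. "
    "+aAX+S8d8GpGLzytpqCAH0vLui8P2Pij9Y9TyiDIA4SsN1s02xSDz0ONiK6g8fwegqdiFv2yUqr/7XUZD0XSUw==",
    "mff.cuni.cz. 28546 IN RRSIG A 13 3 28800 20200611045052 20200512043705 47500 mff.cuni.cz. "
    "ZbW+RXOvA24E+Fb0Z/M3OfMJdFD9vdRKD8nhylZSfB0fkq236lohWHGu4A54HrqasAPkUHJd/LcoN1+k6bkAqw==",
]
# Assumed check time: the dig header's "Thu May 14 19:53:56 IST 2020", i.e. 14:23:56 UTC.
CHECK_TIME = datetime(2020, 5, 14, 14, 23, 56, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Rrsig:
    owner: str
    type_covered: str
    key_tag: int
    signer: str
    expiration: datetime
    inception: datetime


def _parse_ts(field: str) -> datetime:
    # RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2).
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> Rrsig:
    """Parse one RRSIG in presentation format (owner ttl class RRSIG ...rdata)."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    # rdata: f[4]=type covered f[5]=alg f[6]=labels f[7]=orig ttl
    #        f[8]=expiration f[9]=inception f[10]=key tag f[11]=signer f[12:]=signature
    return Rrsig(f[0], f[4], int(f[10]), f[11], _parse_ts(f[8]), _parse_ts(f[9]))


def signature_status(sig: Rrsig, now: datetime) -> str:
    if now > sig.expiration:
        return "expired"
    if now < sig.inception:
        return "not yet valid"
    return "valid"


def summarize(lines, now):
    """Per (owner, type): every RRSIG's status, plus whether the set is still usable.
    'usable' is True when at least one RRSIG is in its window; that is the condition a
    validator needs, so a stale sibling RRSIG is a monitoring finding, not a failure."""
    by_set = {}
    for line in lines:
        sig = parse_rrsig(line)
        by_set.setdefault((sig.owner, sig.type_covered), []).append(sig)
    return {key: {"statuses": [signature_status(s, now) for s in sigs],
                  "usable": any(signature_status(s, now) == "valid" for s in sigs)}
            for key, sigs in by_set.items()}
```

Run it over `dig +dnssec` output for your own zones and alert on any set whose statuses contain "expired" while "usable" is True; a set with "usable" False is the case that will actually SERVFAIL once validation is enabled.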

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
