On Thu, May 14, 2020 at 10:25 AM Mukund Sivaraman <m...@mukund.org> wrote:
> Hi Bob
>
> On Thu, May 14, 2020 at 10:02:45AM -0400, Bob Harold wrote:
> > I am preparing to enable DNSSEC validation, so I am working on alerts for
> > failed validations, so I can see whether they are user errors (that might
> > need negative trust anchors or other exceptions) or actual attacks.
> >
> > I stumbled on "mff.cuni.cz" which has RRSIG records that expired 3 months
> > ago, but my validating server still gives an answer and says that it is
> > valid.
> > Is that expected?
> >
> > BIND 9.11.4-P2-RedHat-9.11.4-9.P2.el7 (Extended Support Version) <id:7107deb>
> >
> > [hostmast@ns-umd-nsbs-1 named]$ delv mff.cuni.cz @127.0.0.1
> > ;; validating mff.cuni.cz/DNSKEY: verify failed due to bad signature (keyid=47500): RRSIG has expired
> > ; fully validated
> > mff.cuni.cz. 28546 IN A 195.113.27.221
> > mff.cuni.cz. 28546 IN RRSIG A 13 3 28800 20200611045052 20200512043705 47500 mff.cuni.cz. ZbW+RXOvA24E+Fb0Z/M3OfMJdFD9vdRKD8nhylZSfB0fkq236lohWHGu 4A54HrqasAPkUHJd/LcoN1+k6bkAqw==
>
> delv is complaining a signature for the DNSKEY set has expired. There is
> a signature that has not expired though:
>
> [muks@jurassic ~]$ dig +rrcomments +dnssec mff.cuni.cz dnskey
>
> ; <<>> DiG 1.1.1.20200413085522.7eb91c6988 <<>> +rrcomments +dnssec mff.cuni.cz dnskey
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55595
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;mff.cuni.cz. IN DNSKEY
>
> ;; ANSWER SECTION:
> mff.cuni.cz. 28291 IN DNSKEY 257 3 13 1PMTgkDSUJEO8PbtFEtJ6sqtBUwlqv5yWMAQpedPoJtvJ9Oxoen3OJoF xEnZCFBCouNsR58PYdzYDowWEQAJVw== ; KSK; alg = ECDSAP256SHA256 ; key id = 47500
> mff.cuni.cz. 28291 IN RRSIG DNSKEY 13 3 28800 20200206004306 20200107001237 47500 mff.cuni.cz. j9FdwbEIhxtLXPnTWNhTIuRDXEeF/1NDLoCT6obI+2LbjAEea9cfu3kr 1LKRJZRKmNlJIh4siJ+jQPXj7p+Kcw==
> mff.cuni.cz. 28291 IN RRSIG DNSKEY 13 3 28800 20200611043903 20200512034907 47500 mff.cuni.cz. +aAX+S8d8GpGLzytpqCAH0vLui8P2Pij9Y9TyiDIA4SsN1s02xSDz0ON iK6g8fwegqdiFv2yUqr/7XUZD0XSUw==
>
> ;; Query time: 1 msec
> ;; SERVER: 10.98.0.1#53(10.98.0.1)
> ;; WHEN: Thu May 14 19:53:56 IST 2020
> ;; MSG SIZE rcvd: 334
>
> The second signature in the set above has not expired and is a valid
> path in the trust chain.
>
> Mukund

Thanks for explaining! That was not clear, even when looking at places like:
https://dnssec-analyzer.verisignlabs.com/mff.cuni.cz
https://dnsviz.net/d/mff.cuni.cz/dnssec/

--
Bob Harold
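The point Mukund makes above is that an RRset can carry several RRSIGs and a validator authenticates it as long as at least one of them verifies, so a stale signature sitting next to a fresh one is noise rather than a validation failure. The following script is an added example, not part of the thread or of BIND; it parses presentation-format RRSIG records (the two RRSIG(DNSKEY) records quoted in the dig output above, embedded as constructed sample input), classifies each by its validity window at the time of the query, and reports whether the set still has a current signature. It checks time windows only; the cryptographic verification that delv and named perform is out of scope here, and the field layout follows RFC 4034.

```python
from datetime import datetime, timezone

# Constructed sample input: the two RRSIG(DNSKEY) records exactly as quoted in
# the dig output in the thread, joined back onto one line each.
SAMPLE_RRSIGS = [
    "mff.cuni.cz. 28291 IN RRSIG DNSKEY 13 3 28800 20200206004306 20200107001237 "
    "47500 mff.cuni.cz. j9FdwbEIhxtLXPnTWNhTIuRDXEeF/1NDLoCT6obI+2LbjAEea9cfu3kr "
    "1LKRJZRKmNlJIh4siJ+jQPXj7p+Kcw==",
    "mff.cuni.cz. 28291 IN RRSIG DNSKEY 13 3 28800 20200611043903 20200512034907 "
    "47500 mff.cuni.cz. +aAX+S8d8GpGLzytpqCAH0vLui8P2Pij9Y9TyiDIA4SsN1s02xSDz0ON "
    "iK6g8fwegqdiFv2yUqr/7XUZD0XSUw==",
]

# Time of the dig query in the thread: Thu May 14 19:53:56 IST 2020 (UTC+5:30).
QUERY_TIME = datetime(2020, 5, 14, 14, 23, 56, tzinfo=timezone.utc)


def parse_rrsig_time(ts):
    """RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC (RFC 4034)."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Parse one presentation-format RRSIG record (owner TTL class RRSIG ...)."""
    fields = line.split()
    if len(fields) < 13 or fields[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "owner": fields[0],
        "ttl": int(fields[1]),
        "type_covered": fields[4],
        "algorithm": int(fields[5]),
        "labels": int(fields[6]),
        "original_ttl": int(fields[7]),
        "expiration": parse_rrsig_time(fields[8]),
        "inception": parse_rrsig_time(fields[9]),
        "key_tag": int(fields[10]),
        "signer": fields[11],
        # dig prints base64 in space-separated chunks; rejoin them.
        "signature": "".join(fields[12:]),
    }


def signature_window_status(rrsig, now):
    """Temporal check only; signature verification is a separate step."""
    if now < rrsig["inception"]:
        return "not yet valid"
    if now > rrsig["expiration"]:
        return "expired"
    return "current"


def rrset_window_report(lines, now):
    """Return (any_current, [(key_tag, expiration, status), ...]) for the
    RRSIGs covering one RRset. any_current is True when at least one
    signature is inside its validity window, which is what a validator
    needs before it tries to verify the RRset."""
    statuses = []
    for line in lines:
        sig = parse_rrsig(line)
        statuses.append((sig["key_tag"],
                         sig["expiration"].isoformat(),
                         signature_window_status(sig, now)))
    any_current = any(s[2] == "current" for s in statuses)
    return any_current, statuses


if __name__ == "__main__":
    ok, statuses = rrset_window_report(SAMPLE_RRSIGS, QUERY_TIME)
    for key_tag, expiration, status in statuses:
        print("keytag=%d expires=%s %s" % (key_tag, expiration, status))
    print("RRset has a current signature:", ok)
```

Run against the two quoted records at the query time, the first RRSIG (expiring 2020-02-06) reports as expired and the second (expiring 2020-06-11) as current, so the set is still validatable. For an alerting pipeline of the kind Bob describes, the useful condition is "no current signature for the RRset", not "some signature expired"; the latter fires every time a zone leaves an old RRSIG in place after re-signing.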
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop