On 08-12-2021 at 16:23, Masataka Ohta wrote:
> Arne Jensen wrote:
>> It is my understanding that the CNAME should never have been followed,
> Wrong.
Hmm, okay.
-> https://www.rfc-editor.org/rfc/rfc4034.txt
Section 3, "The RRSIG Resource Record", in the third paragraph:
Because every authoritative RRset in a zone must be protected by a
digital signature, RRSIG RRs must be present for names containing a
CNAME RR. This is a change to the traditional DNS specification
[RFC1034], which stated that if a CNAME is present for a name, it is
the only type allowed at that name. A RRSIG and NSEC (see Section 4)
MUST exist for the same name as a CNAME resource record in a signed
zone.
Can you tell me what exactly this means?
I fail to see that RRSIG in the following output:
$ dig +dnssec AAAA european-union.europa.eu @1.1.1.1
; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> +dnssec AAAA european-union.europa.eu @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16457
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; OPT=15: 00 00 72 65 73 65 72 76 65 64 20 44 53 20 61 6c 67 6f 72 69 74 68 6d ("..reserved DS algorithm")
;; QUESTION SECTION:
;european-union.europa.eu. IN AAAA
;; ANSWER SECTION:
european-union.europa.eu. 1800 IN CNAME d1d395kgk3q1uk.cloudfront.net.
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:ea00:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:8200:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:4c00:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:1c00:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:e600:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:3a00:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:f600:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:2000:13:6ecf:b700:93a1
;; Query time: 68 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Dec 08 14:53:06 CET 2021
;; MSG SIZE rcvd: 347
$
So maybe you would care to elaborate why I am wrong, and why Google and
Quad9 are wrong too, while CloudFlare is actually doing the "right" thing
here?
I would still, with the above output, say that CloudFlare shouldn't have
followed the CNAME at that time, since there isn't any covering RRSIG for
the actual CNAME, exactly as the elaborative message on dnsviz.net claims.
> That CNAME RR is authenticated means it securely points to some
> other domain name, which may or may not be covered by RRSIG
> signature, which is no different from domain names pointed by
> signed MX RRs.
Both the CNAME RR (european-union.europa.eu) and the MX RRs (which you mention)
must have a valid RRSIG when they are within a DNSSEC-signed zone, but
the CNAME RR didn't, as you can see above.
With the timestamp above showing 14:53 CET, and my message appearing
here at 15:22 CET, the DNSSEC issue was actually fixed within that time,
so if you are first checking around your own message at 16:23, an hour
after it had already been resolved, then you will of course see no
issues at all, which I am not seeing either.
Seems like it was fixed ~4 minutes after my output above:
$ dig +dnssec AAAA european-union.europa.eu @1.1.1.1
; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> +dnssec AAAA european-union.europa.eu @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19554
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;european-union.europa.eu. IN AAAA
;; ANSWER SECTION:
european-union.europa.eu. 1800 IN CNAME d1d395kgk3q1uk.cloudfront.net.
european-union.europa.eu. 1800 IN RRSIG CNAME 8 3 1800 20220107135603 20211208125711 6276 europa.eu. Gu/Zmxulc0RhNnCE55ATi/yCIUxP4NK9/msFIqPJuBhGrZiGT9+KomfL XcgBGXlzNt24uE9cQo59/r6liN0BV4IA8k4DCwRKDp2dDJUSLYK6AvMa Og+VVAKZvvHJZI6C41vBnD/PJahf9660CvXazzBX5a/W8FGhhVXsUUKx 6780SgvqiXPn0RRNdJ2ZUFzGfY6/kTXsfAkT0TN7ZgGHq6whp/TVoZYb vihl1NoiY4Ou/LFCtAmCJGWaT/h49kTCwIcq/5IgaBLn/CvcSz6YNXi0 RAV4jx+IVlTMzxIgBUsnOrOIoVH3j6LhtUrymfspWESoWBD7mFOjreyh wG+icw==
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:d400:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:c800:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:9200:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:d200:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:c200:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:be00:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:b800:13:6ecf:b700:93a1
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:600:13:6ecf:b700:93a1
;; Query time: 48 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Dec 09 09:34:59 CET 2021
;; MSG SIZE rcvd: 617
$
And now, CloudFlare should indeed follow the CNAME, as the RRSIG for
european-union.europa.eu is there.
--
Kind regards,
Arne Jensen
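Added example, not part of the thread and not any resolver's code: a minimal Python check of the RFC 4034 section 3 point being argued above. It takes dig-style ANSWER SECTION lines and decides, for each RRset, whether a validating resolver has anything to authenticate it with: an RRset in a signed zone with no covering RRSIG (or with a signer outside the zone, or a signature outside its validity window) is bogus and the CNAME must not be followed; an RRset in an unsigned zone is merely insecure. It does not check the signature bytes, only whether a usable RRSIG is present. The sample answers are trimmed copies of the two dig outputs posted above, with the RRSIG data truncated; the fact that europa.eu is signed and cloudfront.net is not is assumed here rather than derived from the DS chain.

```python
"""Does every RRset from a signed zone have a covering RRSIG?  (Added example.)

Constructed check for the RFC 4034 s3 requirement that a CNAME in a signed
zone carries an RRSIG.  It does not verify signatures; it only decides whether
there is a usable signature to verify.
"""
from collections import defaultdict

# Assumption: europa.eu is DNSSEC-signed, cloudfront.net is not.  A real
# validator learns this from the DS chain; here it is simply given.
SIGNED_ZONES = ("europa.eu",)


def _name(n):
    """Normalise an owner or signer name: lower case, no trailing dot."""
    return n.lower().rstrip(".")


def parse_answer(text):
    """Turn dig ANSWER SECTION lines into (owner, type, rdata) tuples."""
    out = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, _ttl, _class, rtype, rdata = line.split(None, 4)
        out.append((_name(owner), rtype.upper(), rdata))
    return out


def _in_zone(owner, zone):
    return owner == zone or owner.endswith("." + zone)


def covering_rrsigs(records):
    """owner -> {type covered: (signer, inception, expiration)} from RRSIG RRs."""
    sigs = defaultdict(dict)
    for owner, rtype, rdata in records:
        if rtype == "RRSIG":
            f = rdata.split()
            # RFC 4034 s3.1 field order: type covered, algorithm, labels,
            # original TTL, expiration, inception, key tag, signer's name, sig
            sigs[owner][f[0].upper()] = (_name(f[7]), f[5], f[4])
    return sigs


def classify(records, now, signed_zones=SIGNED_ZONES):
    """Return {(owner, type): 'secure' | 'insecure' | 'bogus'} per non-RRSIG RRset.

    `now` is YYYYMMDDHHMMSS in UTC, the form dig prints; the fixed width
    makes plain string comparison order the timestamps correctly.
    """
    sigs = covering_rrsigs(records)
    verdict = {}
    for owner, rtype, _ in records:
        if rtype == "RRSIG":
            continue
        zone = next((z for z in signed_zones if _in_zone(owner, z)), None)
        if zone is None:
            verdict[(owner, rtype)] = "insecure"  # unsigned zone: no RRSIG expected
            continue
        sig = sigs[owner].get(rtype)
        if sig is None:
            verdict[(owner, rtype)] = "bogus"     # signed zone, no RRSIG (RFC 4034 s3)
            continue
        signer, inception, expiration = sig
        if not _in_zone(owner, signer) or not (inception <= now <= expiration):
            verdict[(owner, rtype)] = "bogus"     # foreign signer or outside window
        else:
            verdict[(owner, rtype)] = "secure"
    return verdict


def should_follow_cname(records, now, signed_zones=SIGNED_ZONES):
    """A validator chases a CNAME only if it is secure or provably insecure;
    a bogus CNAME means SERVFAIL, not a lookup of the target."""
    v = classify(records, now, signed_zones)
    return all(state != "bogus" for (_, rtype), state in v.items() if rtype == "CNAME")


# Constructed from the thread's two dig outputs, trimmed to one AAAA each and
# with the RRSIG data truncated (it is not verified here).
BEFORE_FIX = """
european-union.europa.eu. 1800 IN CNAME d1d395kgk3q1uk.cloudfront.net.
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:ea00:13:6ecf:b700:93a1
"""
AFTER_FIX = """
european-union.europa.eu. 1800 IN CNAME d1d395kgk3q1uk.cloudfront.net.
european-union.europa.eu. 1800 IN RRSIG CNAME 8 3 1800 20220107135603 20211208125711 6276 europa.eu. Gu/Zmxulc0RhNnCE55ATi/yCIUxP4NK9 wG+icw==
d1d395kgk3q1uk.cloudfront.net. 60 IN AAAA 2600:9000:2021:d400:13:6ecf:b700:93a1
"""
NOW_BEFORE = "20211208135306"  # Wed Dec 08 14:53:06 CET 2021, as UTC
NOW_AFTER = "20211209083459"   # Thu Dec 09 09:34:59 CET 2021, as UTC

if __name__ == "__main__":
    for label, text, now in (("before fix", BEFORE_FIX, NOW_BEFORE),
                             ("after fix", AFTER_FIX, NOW_AFTER)):
        recs = parse_answer(text)
        print(label, classify(recs, now), "follow CNAME:", should_follow_cname(recs, now))
```

Run as a script it prints the per-RRset verdicts for both captures; the first has the CNAME as bogus and the second as secure, with the cloudfront.net AAAA insecure in both, which is the distinction Arne draws above between the two outputs.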