On Mon, Jan 12, 2015 at 11:49:42PM +0000, Viktor Dukhovni wrote:

> > This validator specifically declares DLV trust rooted sites as DNSSEC
> > insecure. Is this correct?
>
> Correct.
On a somewhat related issue. The testing site also reports errors for domains whose DNSSEC nameservers respond to TLSA queries only over IPv6 and filter out TLSA queries sent over IPv4. Not because IPv6 is deprecated, but because such IPv4 filtering is breakage we want to report. This does mean that bleeding-edge domains whose nameservers are IPv6-only also fail, but these are going to be missing a lot of email for some time to come.

Since at present, due to some not entirely uncommon firewall or other, a small fraction of domains do work only over IPv6 and fail over IPv4, I've chosen to disable IPv6 DNS queries in the validator. TLSA record lookup timeouts may result from such filtering. Fix your firewalls if they block TLSA queries.

Example domain:

$ nss=$(dig +short -t ns medicaljournals.se)
$ mx=$(dig +short -t mx medicaljournals.se | sort -n | head -1 | awk '{print $NF}')
$ for ns in $nss; do echo "== $ns"; dig -4 +norecur +dnssec +noall +comment +ans +auth +nocl +nottl +nosplit -t tlsa _25._tcp.$mx @$ns; done | pcregrep -v '\.\s+RRSIG'
== atdns02.citynetwork.se.
;; connection timed out; no servers could be reached
== atdns01.citynetwork.se.
;; connection timed out; no servers could be reached
== atdns03.citynetwork.se.
;; connection timed out; no servers could be reached

$ for ns in $nss; do echo "== $ns"; dig -6 +norecur +dnssec +noall +comment +ans +auth +nocl +nottl +nosplit -t tlsa _25._tcp.$mx @$ns; done | pcregrep -v '\.\s+RRSIG'
== atdns02.citynetwork.se.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4696
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 2800
;; AUTHORITY SECTION:
medicaljournals.se. SOA atdns01.citynetwork.se. registry.citynetwork.se. 1420675200 1200 180 1209600 1209600
9hp7v3agqdd1n34m5sn4cnjri5oluc50.medicaljournals.se. NSEC3 1 1 1 AB 9HP7V3AGQDD1N34M5SN4CNJRI5OLUC51 A AAAA RRSIG
j5smkk2av8iqv9eg775qcdieftl26ucq.medicaljournals.se. NSEC3 1 1 1 AB J5SMKK2AV8IQV9EG775QCDIEFTL26UCS
84tk4072dernts08eelfafnar8ecrdc5.medicaljournals.se. NSEC3 1 1 1 AB 84TK4072DERNTS08EELFAFNAR8ECRDC7
== atdns01.citynetwork.se.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53657
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 2800
;; AUTHORITY SECTION:
medicaljournals.se. SOA atdns01.citynetwork.se. registry.citynetwork.se. 1420675200 1200 180 1209600 1209600
9hp7v3agqdd1n34m5sn4cnjri5oluc50.medicaljournals.se. NSEC3 1 1 1 AB 9HP7V3AGQDD1N34M5SN4CNJRI5OLUC51 A AAAA RRSIG
j5smkk2av8iqv9eg775qcdieftl26ucq.medicaljournals.se. NSEC3 1 1 1 AB J5SMKK2AV8IQV9EG775QCDIEFTL26UCS
84tk4072dernts08eelfafnar8ecrdc5.medicaljournals.se. NSEC3 1 1 1 AB 84TK4072DERNTS08EELFAFNAR8ECRDC7
== atdns03.citynetwork.se.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 17885
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 2800
;; AUTHORITY SECTION:
medicaljournals.se. SOA atdns01.citynetwork.se. registry.citynetwork.se. 1420675200 1200 180 1209600 1209600
9hp7v3agqdd1n34m5sn4cnjri5oluc50.medicaljournals.se. NSEC3 1 1 1 AB 9HP7V3AGQDD1N34M5SN4CNJRI5OLUC51 A AAAA RRSIG
j5smkk2av8iqv9eg775qcdieftl26ucq.medicaljournals.se. NSEC3 1 1 1 AB J5SMKK2AV8IQV9EG775QCDIEFTL26UCS
84tk4072dernts08eelfafnar8ecrdc5.medicaljournals.se. NSEC3 1 1 1 AB 84TK4072DERNTS08EELFAFNAR8ECRDC7

With IPv4, TLSA queries time out. With IPv6, the same queries return NXDOMAIN, as the TLSA records don't exist. This particular DNS operator has been notified, and a ticket is open, but resolution is taking quite some time.

-- 
Viktor.
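As an added example (not part of Viktor's message), the per-nameserver dig loop above wrapped in a POSIX shell script that classifies each IPv4 and IPv6 outcome and names the IPv4-filtering case explicitly; the `classify_dig_output`, `verdict`, `check_nameserver` and `check_domain` functions are my own, and the embedded sample outputs are constructed to mirror the ones quoted in the post so the classifier can be exercised offline.

```shell
# Added example, not from the original post: automate the v4/v6 TLSA
# comparison shown above and flag IPv4-only filtering of TLSA queries.

# Same dig options as the post, plus a short timeout so filtered queries fail fast.
DIG_OPTS='+norecur +dnssec +noall +comment +ans +auth +nocl +nottl +nosplit +time=3 +tries=1'

# Reduce raw dig output (stdin) to one token: TIMEOUT or the header RCODE.
classify_dig_output() {
    out=$(cat)
    case $out in
        *'connection timed out'*) echo TIMEOUT; return 0 ;;
    esac
    rcode=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    echo "${rcode:-UNKNOWN}"
}

# A v4 timeout with a v6 answer is the filtering breakage the validator
# reports; NXDOMAIN on both just means the MX host has no TLSA records.
verdict() {
    v4=$1; v6=$2
    if [ "$v4" = TIMEOUT ] && [ "$v6" = TIMEOUT ]; then echo UNREACHABLE
    elif [ "$v4" = TIMEOUT ]; then echo IPV4_FILTERED
    elif [ "$v4" = "$v6" ]; then echo "CONSISTENT:$v4"
    else echo "INCONSISTENT:$v4/$v6"
    fi
}

# Query one authoritative nameserver over each address family (needs network).
check_nameserver() {
    ns=$1; qname=$2
    v4=$(dig -4 $DIG_OPTS -t tlsa "$qname" "@$ns" 2>/dev/null | classify_dig_output)
    v6=$(dig -6 $DIG_OPTS -t tlsa "$qname" "@$ns" 2>/dev/null | classify_dig_output)
    printf '%s v4=%s v6=%s %s\n' "$ns" "$v4" "$v6" "$(verdict "$v4" "$v6")"
}

# Derive the MX host and nameserver list as in the post, then check every NS.
check_domain() {
    domain=$1
    mx=$(dig +short -t mx "$domain" | sort -n | head -n 1 | awk '{print $NF}')
    for ns in $(dig +short -t ns "$domain"); do
        check_nameserver "$ns" "_25._tcp.$mx"
    done
}

# Constructed samples mirroring the outputs quoted in the post (offline use).
SAMPLE_V4_TIMEOUT=';; connection timed out; no servers could be reached'
SAMPLE_V6_NXDOMAIN=';; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4696
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1'

if [ $# -gt 0 ]; then check_domain "$1"; fi
```

Run as `sh check_tlsa.sh example.com` to print one verdict line per nameserver; for the domain in the post each line would read `IPV4_FILTERED`.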