RRSIG and TTL

2020-09-11 Thread Scott Nicholas
I was hoping someone's experience could save me as I've spent too much time
down this rabbit hole.

The primary nameserver is behind a cache/proxy on an enterprise network such that
all external traffic hits this. Zone went bogus. I blame policy, but on
further inspection 2/3 proxies had differing TTLs between the DNSKEY and its
RRSIG.

I dove into the RFC but not yet the code. I believe any security-aware system
would throw out the DNSKEY with the RRSIG.

I suspect that the signature hit the absolute time, got a fresh copy, and
the DNSKEY stuck around another 2 days (1 week TTL). Now if the system
wasn't security aware, I'm not sure how the TTL became unmatched but I can
see that it could happen. I guess?

The questions

- is this system broken?
- can I work around it with creative policy / TTL?
- can you explain other cases where these can get unmatched TTLs?

A low TTL would minimize it, but the appliance doesn't allow direct
configuration of the DNSKEY TTL.

Thanks for your input
Scott
-
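An added illustration, not code from the thread or from BIND: the bound RFC 4035 section 5.3.3 places on the TTL a validating cache may keep for an authenticated RRset and its RRSIG, plus a check for the symptom reported above (DNSKEY and RRSIG TTLs that no longer match). The RRSig field names, timestamps and TTLs are constructed for the example.

```python
from dataclasses import dataclass

DAY = 24 * 3600
WEEK = 7 * DAY


@dataclass
class RRSig:
    """RRSIG fields a cache sees (illustrative names, not a DNS library's API)."""
    ttl: int           # TTL carried on the RRSIG RR itself
    original_ttl: int  # Original TTL field in the RRSIG RDATA
    expiration: int    # Signature Expiration, seconds since the epoch


def validated_ttl(rrset_ttl: int, sig: RRSig, now: int) -> int:
    """Cache TTL a validating resolver must give an authenticated RRset and its
    RRSIG (RFC 4035 section 5.3.3): the minimum of the RRset TTL, the RRSIG TTL,
    the Original TTL and the seconds left until Signature Expiration."""
    remaining = sig.expiration - now
    return max(0, min(rrset_ttl, sig.ttl, sig.original_ttl, remaining))


def cache_findings(dnskey_ttl: int, rrsig_ttl: int, sig: RRSig, now: int) -> list:
    """Check the TTLs a cache reports for a DNSKEY RRset and the RRSIG covering it.
    An empty list means the cache honours the RFC 4035 bound; anything else means
    it counts the records down independently, which is how a DNSKEY can still be
    served after the signature that covered it has expired."""
    remaining = max(0, sig.expiration - now)
    findings = []
    if dnskey_ttl != rrsig_ttl:
        findings.append(f"DNSKEY TTL {dnskey_ttl} differs from RRSIG TTL {rrsig_ttl}")
    if dnskey_ttl > remaining:
        findings.append(f"DNSKEY outlives its signature by {dnskey_ttl - remaining} s")
    if rrsig_ttl > remaining:
        findings.append(f"RRSIG TTL exceeds remaining validity by {rrsig_ttl - remaining} s")
    if max(dnskey_ttl, rrsig_ttl) > sig.original_ttl:
        findings.append("cached TTL exceeds the RRSIG Original TTL")
    return findings


# Constructed scenario modelled on the report: 1-week DNSKEY TTL, signature
# valid for 5 days from fetch time T0, cache inspected an hour after it expires.
T0 = 1_600_000_000
OLD_SIG = RRSig(ttl=WEEK, original_ttl=WEEK, expiration=T0 + 5 * DAY)
LATER = T0 + 5 * DAY + 3600
NEW_SIG = RRSig(ttl=WEEK, original_ttl=WEEK, expiration=LATER + 5 * DAY)


def scenario():
    capped = validated_ttl(WEEK, OLD_SIG, T0)             # validator stores 5 days, not 7
    left = WEEK - (LATER - T0)                            # naive cache: DNSKEY still has ~2 days
    before_refetch = cache_findings(left, left, OLD_SIG, LATER)  # signature already expired
    after_refetch = cache_findings(left, WEEK, NEW_SIG, LATER)   # fresh RRSIG, old DNSKEY
    return capped, before_refetch, after_refetch
```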
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: rbldnsd and DNSSEC compatibility issues - any suggestions?

2020-09-11 Thread Rob McEwen

On 9/11/2020 2:46 AM, Mark Andrews wrote:

> validate-except (I typo’d it the second time, unfortunately expect and except
> are both valid words).

I got so far down the rabbit trail with your other points, somehow I
missed that. Thanks. This should solve my problem!




> If you actually used a zone name with a DNAME

Great suggestion! I didn't know about that.

However, since I use CloudFlare's DNS for my authoritative DNS - which is
critical for prevention of DDOS attacks - and they don't actually
support DNAME, my hands are tied. (or so it SEEMS - see my question
about a possible workaround at the end of this email)


My actual direct query service involves my own rbldnsd servers in 42 
cities around the world (all hiding behind secret host names that a 
criminal couldn't easily find) - and those are pointed to by NS records 
in my CloudFlare DNS, so then the actual direct DNS queries, and the 
vast majority of my DNS traffic for direct queries to my own DNSBL, goes 
to those 42 servers around the world, NOT to CloudFlare - but CloudFlare 
is the starting point - the first query goes to CloudFlare, then the DNS 
server doing the asking "knows" for a while to use one of my own 
servers, and not bother CloudFlare with any more traffic for a while. 
(again, this is for my direct query service - for my smaller subscribers 
- my servers can handle THAT traffic)


But since CloudFlare is the authoritative server for invaluement.com, 
that is where the DNAME you're suggesting would need to be set up. Since 
they don't support that, I'm not able to implement that at this time.


SEE: https://community.cloudflare.com/t/dname-records-on-cloudflare/16642/4

...also, them not supporting it - makes me a little nervous about others 
not supporting it. But maybe that fear is unreasonable since it is only 
the "resolvers" that need this feature, not authoritative-only services? 
This is something that DNS caching servers like BIND have been 
supporting for decades, correct? Please don't tell me that _only_ a 
very _recent_ version of BIND does this correctly. ;) That would 
probably kill this idea!


*POSSIBLE WORKAROUND?:* So assuming that DNAME is widely supported by 
many DNS caching servers, old and new... I wonder if I could do 
something similar to what I do for my direct query service, using NS 
records to delegate this to another BIND DNS server that I would run on 
my own server - so for "example.invaluement.com" I'd create a BIND 
instance on my own server hosting "example.invaluement.com" as the 
authoritative server for that zone, implementing the DNAME records you 
suggested. Then put an NS record on my CloudFlare telling the world that 
THIS server is the authoritative server for "example.invaluement.com" 
(with a TTL of some hours). Do you think that would work?


--
Rob McEwen
https://www.invaluement.com
+1 (478) 475-9032




Help us weed out the old crap in the ISC KB

2020-09-11 Thread Victoria Risk
BIND-users,

I am doing a review of the older articles in our Knowledgebase, updating those 
I can and unpublishing those I cannot update. I am sure everything in there was 
accurate when it was written, but of course the software, and the overall 
Internet, have evolved. I found articles in there that were last updated in 
2011, yet some of them still seem useful, and articles from much more recently 
that are so out of date as to be misleading to current users.

However, I am really not a BIND-user and I need help from actual users. If you 
have a little time to spare, consider reading an article and rendering your 
opinion on whether to keep or discard it.

I have made a list of articles in a Google sheet, ordered from oldest to 
newest, with a url link to the article. There is a column to pick one of a few 
review comments:

keep - confirmed accurate
keep - looks useful but not verified
keep - with minor updates in the comments
discard - inaccurate
discard - obsolete

The reason I have included several variations on "Keep" is just in case you 
want to indicate a lower confidence in the "keep" decision.  I realize this is 
a pretty unsophisticated review process, but IMHO it is better than nothing. 
Our current KB implementation isn’t amenable to community editing, so if anyone 
wants to volunteer more extensive edits to an article, email me the diff and I 
will apply it. 

Here is the Google sheet with the list of articles:

https://docs.google.com/spreadsheets/d/1yn1XjbY6SMwfDuON2aCwRBOsHlcFU5W6QmTqWqcicpc/edit?usp=sharing
 


Just look for an article with nothing in the Review column. Please provide an 
email address if you are giving substantive comments I might need to 
subsequently clarify with you.

Thank you for your contributions.

Vicky

Victoria Risk
Product Manager
Internet Systems Consortium
vi...@isc.org







Re: rbldnsd and DNSSEC compatibility issues - any suggestions?

2020-09-11 Thread Mark Andrews


> On 11 Sep 2020, at 22:22, Rob McEwen  wrote:
> 
> On 9/11/2020 2:46 AM, Mark Andrews wrote:
>> validate-except (I typo’d it the second time, unfortunately expect and 
>> except are both valid words).
> 
> I got so far down the rabbit trail with your other points, somehow I missed 
> that. Thanks. This should solve my problem!
> 
>> If you actually used a zone name with a DNAME
> 
> Great suggestion! I didn't know about that.
> However, since I use CloudFlare's DNS for my authoritative DNS - which is 
> critical for prevention of DDOS attacks - and they don't actually support 
> DNAME, my hands are tied. (or so it SEEMS - see my question about a possible 
> workaround at the end of this email)

Cloudflare don’t want to deal with the extra database lookup to see if there is 
a DNAME and the CNAME synthesis.  By rejecting zones with DNAMEs they can get 
away with this stance.
 
> My actual direct query service involves my own rbldnsd servers in 42 cities 
> around the world (all hiding behind secret host names that a criminal 
> couldn't easily find) - and those are pointed to by NS records in my 
> CloudFlare DNS, so then the actual direct DNS queries, and the vast majority 
> of my DNS traffic for direct queries to my own DNSBL, goes to those 42 
> servers around the world, NOT to CloudFlare - but CloudFlare is the starting 
> point - the first query goes to CloudFlare, then the DNS server doing the 
> asking "knows" for a while to use one of my own servers, and not bother 
> CloudFlare with any more traffic for a while. (again, this is for my direct 
> query service - for my smaller subscribers - my servers can handle THAT 
> traffic)
> But since CloudFlare is the authoritative server for invaluement.com, that is 
> where the DNAME you're suggesting would need to be set up. Since they don't 
> support that, I'm not able to implement that at this time. 
> SEE: https://community.cloudflare.com/t/dname-records-on-cloudflare/16642/4
> 
> ...also, them not supporting it - makes me a little nervous about others not 
> supporting it. But maybe that fear is unreasonable since it is only the 
> "resolvers" that need this feature, not authoritative-only services? This is 
> something that DNS caching servers like BIND, have been supporting for 
> decades, correct?

DNAME is 2 decades old (August 1999).  It came in between DNSSEC version 2 (RFC 
2535, KEY/SIG/NXT) and DNSSEC version 3 (RFC 4033/4034/4035, 
DNSKEY/RRSIG/NSEC/DS).  DNSSEC version 3 requires validators to support DNAME.  
All versions of BIND 9 have supported DNAME.  I can’t remember if we added 
DNAME support to BIND 8 or not.  DNSSEC version 4 added NSEC3 and is backwards 
compatible with DNSSEC version 3.  DNSSEC version 4 is what almost all 
validators support today.

> Please don't tell me that only a very recent version of BIND does this 
> correctly. ;) That would probably kill this idea!
> POSSIBLE WORKAROUND?: So assuming that DNAME is widely supported by many DNS 
> caching servers, old and new... I wonder if I could do something similar to 
> what I do for my direct query service, using NS records to delegate this to 
> another BIND DNS server that I would run on my own server - so for 
> "example.invaluement.com" - I'd create a BIND instance on my own server 
> hosting "example.invaluement.com" as the authoritative server for that zone, 
> implementing the DNAME records you suggested. Then put an NS record on my 
> cloudflare telling the world that THIS server is the authoritative server for 
> "example.invaluement.com" (with TTL for some hours). Do you think that would 
> work?

Delegating to authoritative servers that support DNAME will work.

> -- 
> Rob McEwen
> 
> https://www.invaluement.com
> 
> +1 (478) 475-9032
> 
> 
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
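As an added example, not code from the thread or from BIND, of the DNAME-to-CNAME synthesis Mark refers to (which every DNSSEC version 3 validator must implement) and of what the delegated "example.invaluement.com" zone in Rob's workaround would hand back to resolvers: the RFC 6672 substitution rules in Python, including the 255-octet limit that yields YXDOMAIN. The DNAME target dnsbl.example.net and the query names are constructed placeholders, not real records.

```python
def _labels(name: str) -> list:
    """Split a presentation-format name into lowercase labels, root omitted."""
    return [label for label in name.rstrip(".").lower().split(".") if label]


def _wire_length(labels: list) -> int:
    """Wire-format length: one length octet per label plus the terminating root."""
    return sum(len(label) + 1 for label in labels) + 1


def dname_substitute(qname: str, owner: str, target: str) -> tuple:
    """RFC 6672 section 2.2 substitution as a resolver performs it: the labels of
    qname below `owner` are kept and `owner` is replaced by `target`.
    Returns ("NOERROR", new_name) on success, ("YXDOMAIN", None) when the result
    would exceed 255 octets, and (None, None) when qname is not below owner
    (the DNAME owner itself is answered by its own records, never rewritten)."""
    q, o, t = _labels(qname), _labels(owner), _labels(target)
    if len(q) <= len(o) or q[-len(o):] != o:
        return (None, None)
    new = q[:-len(o)] + t
    if _wire_length(new) > 255:
        return ("YXDOMAIN", None)
    return ("NOERROR", ".".join(new) + ".")


def synthesize_cname(qname: str, owner: str, target: str, dname_ttl: int) -> tuple:
    """The CNAME a server or resolver synthesizes next to the DNAME: owner is the
    query name, target is the substituted name, and the TTL copies the DNAME's
    TTL (RFC 6672). Returns None when no substitution applies."""
    rcode, new = dname_substitute(qname, owner, target)
    if rcode != "NOERROR":
        return None
    return (".".join(_labels(qname)) + ".", "CNAME", dname_ttl, new)


# Constructed example: the delegated subzone carries one DNAME, and a DNSBL
# client sends the usual reversed-IP style query underneath it.
DNAME_OWNER = "example.invaluement.com."
DNAME_TARGET = "dnsbl.example.net."   # placeholder target zone
QUERY = "2.0.0.127.example.invaluement.com."
```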
