Re: Mailing list questions (DMARC, ARC, more?)

2022-09-01 Thread Alessandro Vesely

On Mon 29/Aug/2022 12:09:10 +0200 Matus UHLAR - fantomas wrote:
> On 25.08.22 18:10, Alessandro Vesely wrote:
>> The lack of interest by others proves that From: munging is not so much of a
>> nuisance as they say...
>
> This will come sooner or later, however:
>
> earlier this year I've done small dmarc research for our client:
>
> - microsoft software (on-premise exchange and 365) does not DKIM-sign DSN
>   e-mail (delivery and non-delivery notifications) although those have
>   sending domain in From: (I guess domain is added after sig generated)

So do I, relying on SPF for DSNs.

> - only a few % of domains have a DMARC policy other than none
> - mailman 2 (used here) only munges From: when the DMARC policy for the
>   sending domain is other than none.

Which is insecure.  While I keep p=none, anyone can post a spoof using my email
address as From: and pretend to be me.  It never happens, but some people
believe it /cannot/ happen.

>> I see the list operates both From: munging and ARC sealing.  While I'm
>> clear about the former, I'm curious about how ARC works:
>>
>> Do any subscribers trust the seal by isc.org?
>
> I guess most recipients use predefined configurations, e.g. no whitelisting.
>
> out of curiosity, I set my opendmarc.conf:
>
> DomainWhitelist lists.isc.org
>
> so we'll see next time mail comes.

Please tell us.

Mailman should know about your setting in order to skip From: munging in the
copies sent to you.  Currently, the copies sent to pipermail for archiving seem
to be non-munged, so this functionality exists.



Best
Ale
--









--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
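The exchange above turns on how a list decides whether to rewrite From: (Mailman 2, per Matus, only when the poster's domain publishes a DMARC policy other than none) and on what p=none leaves unprotected. As an added example that is not part of the thread or of Mailman's own code, the Python below parses constructed DMARC records, resolves the policy that applies to a From: domain (including sp= for subdomains), and applies that munging rule. The domains example.org, strict.example and nopolicy.example and their records are constructed, and the organizational-domain shortcut stands in for the Public Suffix List lookup a real implementation needs.

```python
"""Added example (not from the thread or from Mailman): a Mailman-2-style
decision on whether to rewrite ("munge") From: based on the poster's DMARC
policy. DNS data is constructed inline so this runs offline.
"""
import re

# Constructed stand-in for TXT lookups at _dmarc.<domain>; placeholder domains.
CONSTRUCTED_TXT = {
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "_dmarc.strict.example": "v=DMARC1; p=reject; sp=quarantine; pct=100",
    "_dmarc.nopolicy.example": "v=spf1 -all",  # TXT present but not DMARC
}

def lookup_txt(name, records=CONSTRUCTED_TXT):
    """Return the TXT record for `name`, or None if there is none."""
    return records.get(name.lower().rstrip("."))

def parse_dmarc(record):
    """Parse a DMARC record (RFC 7489 section 6.4) into a tag dict; None if invalid."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags

def organizational_domain(domain):
    """Last two labels: a stand-in for the Public Suffix List walk of RFC 7489 section 3.2."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def dmarc_policy(domain):
    """Policy applying to From: domain `domain`: its own record, else the
    organizational domain's sp= (or p= if sp= is absent); None if no record."""
    domain = domain.lower().rstrip(".")
    own = parse_dmarc(lookup_txt("_dmarc." + domain))
    if own:
        return own["p"].lower()
    org = organizational_domain(domain)
    if org == domain:
        return None
    org_rec = parse_dmarc(lookup_txt("_dmarc." + org))
    if not org_rec:
        return None
    return org_rec.get("sp", org_rec["p"]).lower()

def split_address(from_header):
    """Split 'Name <user@domain>' or 'user@domain' into (name, addr)."""
    m = re.match(r'^\s*(?:"?([^"<]*?)"?\s*<)?([^<>\s@]+@[^<>\s]+?)>?\s*$', from_header)
    if not m:
        raise ValueError(f"unparseable From: header: {from_header!r}")
    return (m.group(1) or "").strip(), m.group(2)

def should_munge_from(addr):
    """Mailman 2's rule as described in the thread: rewrite From: only when
    the sending domain's policy is something other than none."""
    policy = dmarc_policy(addr.rsplit("@", 1)[1])
    return policy is not None and policy != "none"

def list_from_header(from_header, list_addr):
    """From: header the list would send: unchanged under p=none, else munged."""
    name, addr = split_address(from_header)
    if not should_munge_from(addr):
        return from_header.strip()
    display = f"{name or addr} via {list_addr.split('@', 1)[0]}"
    return f'"{display}" <{list_addr}>'

if __name__ == "__main__":
    for hdr in ("Alice <alice@example.org>", "bob@strict.example",
                "Carol <carol@sub.strict.example>"):
        print(hdr, "->", list_from_header(hdr, "bind-users@lists.isc.org"))
```

The p=none case is the one Alessandro calls insecure: the list forwards the poster's From: untouched, and a receiver evaluating DMARC for that domain will also apply no disposition, so nothing in the path rejects a forged From:.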


BIND 9.18.6 disables RSASHA1 at runtime?

2022-09-01 Thread Anand Buddhdev

Hi BIND developers,

The release notes for 9.18.6 say:

"The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically 
disabled on systems where they are disallowed by the security policy 
(e.g. Red Hat Enterprise Linux 9)."


Does this happen at runtime when BIND starts?

If an administrator updates the security policy on an EL9 system and 
allows SHA1, will BIND 9.18.6 then be able to validate zones signed with 
RSASHA1?


Regards,
Anand


Issue with dns resolution for www.ssa.gov

2022-09-01 Thread Bhangui, Sandeep - BLS CTR via bind-users
Hi

We are running Bind Version 9.16.31 on RHEL 7.X Server and things are working 
fine in general.

Having an issue with DNS resolution for www.ssa.gov; no other
DNS issues reported at this time.

Our DNS server cannot seem to resolve www.ssa.gov using
nslookup (I know this is an old utility and cannot be used much for
troubleshooting); dig seems to respond properly.

Just curious what the issue could be. Is this on our DNS server, as nslookup
seems to work fine for a lot of other sites that I used just to check if it
responds correctly?

The VZ public NS which is listed as one of the NS under /etc/resolv.conf seems
to respond to nslookup just fine.

I am not sure what more information I could include that would be helpful; if
anything else is needed please let me know and I will post it.

Thanks in advance.

Sandeep


# nslookup www.ssa.gov

;; Got SERVFAIL reply from 127.0.0.1, trying next server

Server: 198.6.1.1
Address:198.6.1.1#53

Non-authoritative answer:
www.ssa.gov canonical name = www.ssa.gov.edgekey.net.
www.ssa.gov.edgekey.net canonical name = e82396.dsca.akamaiedge.net.
Name:   e82396.dsca.akamaiedge.net
Address: 23.222.241.54
Name:   e82396.dsca.akamaiedge.net
Address: 23.222.241.58
Name:   e82396.dsca.akamaiedge.net
Address: 2600:1404:d400::687d:293
Name:   e82396.dsca.akamaiedge.net
Address: 2600:1404:d400::687d:289


Dig output from the same DNS server seems to give a response.

# dig www.ssa.gov

; <<>> DiG 9.16.31 <<>> www.ssa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24578
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.ssa.gov.   IN  A

;; ANSWER SECTION:
www.ssa.gov.300 IN  CNAME   www.ssa.gov.edgekey.net.
www.ssa.gov.edgekey.net. 9625   IN  CNAME   e82396.dsca.akamaiedge.net.
e82396.dsca.akamaiedge.net. 20  IN  A   23.222.241.58
e82396.dsca.akamaiedge.net. 20  IN  A   23.222.241.51

;; Query time: 171 msec
;; SERVER: 198.6.1.1#53(198.6.1.1)
;; WHEN: Thu Sep 01 16:03:21 EDT 2022
;; MSG SIZE  rcvd: 146




Re: Issue with dns resolution for www.ssa.gov

2022-09-01 Thread John W. Blue via bind-users
Sandeep,

Are you all using CISA's Protective DNS?  If so, there might be a ruleset that 
is causing problems.

If not (and I have not checked), is DNSSEC for SSA working correctly?

John

Sent from Nine


From: "Bhangui, Sandeep - BLS CTR via bind-users" 
Sent: Thursday, September 1, 2022 3:11 PM
To: bind-users@lists.isc.org
Subject: Issue with dns resolution for www.ssa.gov

Hi

We are running Bind Version 9.16.31 on RHEL 7.X Server and things are working 
fine in general.

Having an issue with DNS resolution for www.ssa.gov; no other
DNS issues reported at this time.

Our DNS server cannot seem to resolve www.ssa.gov using
nslookup (I know this is an old utility and cannot be used much for
troubleshooting); dig seems to respond properly.

Just curious what the issue could be. Is this on our DNS server, as nslookup
seems to work fine for a lot of other sites that I used just to check if it
responds correctly?

The VZ public NS which is listed as one of the NS under /etc/resolv.conf seems
to respond to nslookup just fine.

I am not sure what more information I could include that would be helpful; if
anything else is needed please let me know and I will post it.

Thanks in advance.

Sandeep


# nslookup www.ssa.gov

;; Got SERVFAIL reply from 127.0.0.1, trying next server

Server: 198.6.1.1
Address:198.6.1.1#53

Non-authoritative answer:
www.ssa.gov canonical name = 
www.ssa.gov.edgekey.net.
www.ssa.gov.edgekey.net canonical name = 
e82396.dsca.akamaiedge.net.
Name:   e82396.dsca.akamaiedge.net
Address: 23.222.241.54
Name:   e82396.dsca.akamaiedge.net
Address: 23.222.241.58
Name:   e82396.dsca.akamaiedge.net
Address: 2600:1404:d400::687d:293
Name:   e82396.dsca.akamaiedge.net
Address: 2600:1404:d400::687d:289


Dig output from the same DNS server seems to give a response.

# dig www.ssa.gov

; <<>> DiG 9.16.31 <<>> www.ssa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24578
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.ssa.gov.   IN  A

;; ANSWER SECTION:
www.ssa.gov.300 IN  CNAME   
www.ssa.gov.edgekey.net.
www.ssa.gov.edgekey.net. 9625   IN  CNAME   
e82396.dsca.akamaiedge.net.
e82396.dsca.akamaiedge.net. 20  IN  A   23.222.241.58
e82396.dsca.akamaiedge.net. 20  IN  A   23.222.241.51

;; Query time: 171 msec
;; SERVER: 198.6.1.1#53(198.6.1.1)
;; WHEN: Thu Sep 01 16:03:21 EDT 2022
;; MSG SIZE  rcvd: 146




Re: BIND 9.18.6 disables RSASHA1 at runtime?

2022-09-01 Thread Mark Andrews
Yes. You will need to restart the server. 

That all said if you are signing zones using RSASHA1 or NSEC3RSASHA1 you should 
transition to a newer algorithm if you want to have your zone validated by as 
many as possible.

-- 
Mark Andrews

> On 1 Sep 2022, at 22:59, Anand Buddhdev  wrote:
> 
> Hi BIND developers,
> 
> The release notes for 9.18.6 say:
> 
> "The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically 
> disabled on systems where they are disallowed by the security policy (e.g. 
> Red Hat Enterprise Linux 9)."
> 
> Does this happen at runtime when BIND starts?
> 
> If an administrator updates the security policy on an EL9 system and allows 
> SHA1, will BIND 9.18.6 then be able to validate zones signed with RSASHA1?
> 
> Regards,
> Anand
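Mark's answer is that the algorithm is disabled when named starts and that zones still signed with RSASHA1 or NSEC3RSASHA1 should move to a newer algorithm. As an added example, not code from the thread or from BIND, the Python below audits a zone's DNSKEY RRset for the SHA-1 algorithms (IANA numbers 5 and 7), classifies each zone as SHA-1-only, mid-rollover or clean, and models the validator's side: whether any usable algorithm remains when the system policy forbids SHA-1. The DNSKEY lines are constructed, with placeholder owner names and key material.

```python
"""Added example (not from the thread or from BIND): audit DNSKEY RRsets for
the SHA-1 based algorithms that the 9.18.6 release note says are disabled
where the system crypto policy forbids SHA-1. Sample data is constructed.
"""

# IANA DNS Security Algorithm Numbers (registry values, not from the thread).
ALGORITHMS = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
    16: "ED448",
}
SHA1_ALGORITHMS = {5, 7}  # RSASHA1 and NSEC3RSASHA1

# Constructed DNSKEY records; owner names and key material are placeholders.
CONSTRUCTED_DNSKEYS = """\
; sha1-only zone: KSK and ZSK both algorithm 5
legacy.example.  3600 IN DNSKEY 257 3 5  AwEAAcONSTRUCTEDKSK5=
legacy.example.  3600 IN DNSKEY 256 3 5  AwEAAcONSTRUCTEDZSK5=
; zone mid-rollover: old algorithm 7 KSK still published next to algorithm 13
mixed.example.   3600 IN DNSKEY 257 3 7  AwEAAcONSTRUCTEDKSK7=
mixed.example.   3600 IN DNSKEY 257 3 13 CONSTRUCTEDKSK13=
mixed.example.   3600 IN DNSKEY 256 3 13 CONSTRUCTEDZSK13=
; clean zone
modern.example.  3600 IN DNSKEY 257 3 13 CONSTRUCTEDKSK13=
modern.example.  3600 IN DNSKEY 256 3 13 CONSTRUCTEDZSK13=
"""

def parse_dnskey(line):
    """Parse one presentation-format DNSKEY RR: owner ttl class DNSKEY flags proto alg key."""
    fields = line.split()
    if len(fields) < 8 or fields[3].upper() != "DNSKEY":
        raise ValueError(f"not a DNSKEY record: {line!r}")
    owner, ttl, _cls, _type, flags, proto, alg = fields[:7]
    flags = int(flags)
    return {
        "owner": owner.lower().rstrip("."),
        "ttl": int(ttl),
        "flags": flags,
        "is_ksk": bool(flags & 0x0001),  # SEP bit (RFC 4034 section 2.1.1)
        "protocol": int(proto),
        "algorithm": int(alg),
        "key": "".join(fields[7:]),
    }

def audit_dnskeys(zone_text):
    """Classify each zone's DNSKEY algorithms: sha1-only, rollover-in-progress or ok."""
    algs_by_zone = {}
    for line in zone_text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        rr = parse_dnskey(line)
        algs_by_zone.setdefault(rr["owner"], set()).add(rr["algorithm"])
    report = {}
    for zone, algs in sorted(algs_by_zone.items()):
        sha1 = sorted(a for a in algs if a in SHA1_ALGORITHMS)
        other = sorted(a for a in algs if a not in SHA1_ALGORITHMS)
        if sha1 and not other:
            status = "sha1-only"
        elif sha1:
            status = "rollover-in-progress"
        else:
            status = "ok"
        report[zone] = {
            "status": status,
            "sha1": [ALGORITHMS[a] for a in sha1],
            "other": [ALGORITHMS.get(a, f"alg{a}") for a in other],
        }
    return report

def has_usable_algorithm(algorithms, sha1_allowed):
    """Validator-side model of the release note: a zone whose DNSKEYs are all
    algorithm 5/7 leaves a validator with nothing usable when the system
    policy disallows SHA-1. A simplified illustration, not BIND's logic."""
    usable = {a for a in algorithms
              if a in ALGORITHMS and (sha1_allowed or a not in SHA1_ALGORITHMS)}
    return bool(usable)

if __name__ == "__main__":
    for zone, info in audit_dnskeys(CONSTRUCTED_DNSKEYS).items():
        print(zone, info, "validatable without SHA-1:",
              has_usable_algorithm({*SHA1_ALGORITHMS} if info["status"] == "sha1-only" else {13}, False))
```

A zone reported as sha1-only is the case Mark warns about: validators on a system whose policy forbids SHA-1 have no algorithm left to validate it with, whichever of the two answers to Anand's question applies on a given host.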


Re: Issue with dns resolution for www.ssa.gov

2022-09-01 Thread Bjørn Mork
www.ssa.gov is a separate zone according to the ssa.gov NS:

bjorn@idefix:~$ dig ns www.ssa.gov @dns1.ssa.gov

; <<>> DiG 9.16.27-Debian <<>> ns www.ssa.gov @dns1.ssa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56002
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 3419fe2b41b19e86fd0d2330631122fd3a26a591e846d4b1 (good)
;; QUESTION SECTION:
;www.ssa.gov.   IN  NS

;; AUTHORITY SECTION:
www.ssa.gov.60  IN  NS  gtms2.ssa.gov.
www.ssa.gov.60  IN  NS  gtms1.ssa.gov.
www.ssa.gov.60  IN  NS  gtmu1.ssa.gov.
www.ssa.gov.60  IN  NS  gtmu2.ssa.gov.

;; ADDITIONAL SECTION:
GTMS1.ssa.gov.  36000   IN  AAAA    2001:1930:e03::13
GTMS2.ssa.gov.  36000   IN  AAAA    2001:1930:e03::14
GTMU1.ssa.gov.  36000   IN  AAAA    2001:1930:d07:1::10
GTMU2.ssa.gov.  36000   IN  AAAA    2001:1930:d07:1::11
GTMS1.ssa.gov.  36000   IN  A   137.200.4.203
GTMS2.ssa.gov.  36000   IN  A   137.200.4.204
GTMU1.ssa.gov.  36000   IN  A   137.200.43.16
GTMU2.ssa.gov.  36000   IN  A   137.200.43.17

;; Query time: 107 msec
;; SERVER: 2001:1930:d07:1::8#53(2001:1930:d07:1::8)
;; WHEN: Thu Sep 01 23:24:13 CEST 2022
;; MSG SIZE  rcvd: 348



But it's a CNAME according to the www.ssa.gov NS:


bjorn@idefix:~$ dig a www.ssa.gov @gtms1.ssa.gov

; <<>> DiG 9.16.27-Debian <<>> a www.ssa.gov @gtms1.ssa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43620
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ssa.gov.   IN  A

;; ANSWER SECTION:
www.ssa.gov.300 IN  CNAME   www.ssa.gov.edgekey.net.

;; Query time: 127 msec
;; SERVER: 2001:1930:e03::13#53(2001:1930:e03::13)
;; WHEN: Thu Sep 01 23:25:01 CEST 2022
;; MSG SIZE  rcvd: 77



CDNs playing tricks. This won't fly.



Bjørn


RE: Issue with dns resolution for www.ssa.gov

2022-09-01 Thread Bhangui, Sandeep - BLS CTR via bind-users
John,

We have not moved to PDNS as yet.

I am not sure about DNSSEC for SSA will check on that.

Thanks
Sandeep

From: bind-users  On Behalf Of John W. Blue 
via bind-users
Sent: Thursday, September 1, 2022 5:03 PM
To: bind-users@lists.isc.org
Subject: Re: Issue with dns resolution for www.ssa.gov

CAUTION: This email originated from outside of BLS. DO NOT click links or open 
attachments unless you recognize the sender and know the content is safe. 
Please send suspicious emails as an attachment to 
sec...@bls.gov.

Sandeep,

Are you all using CISA's Protective DNS?  If so, there might be a ruleset that 
is causing problems.

If not (and I have not checked), is DNSSEC for SSA working correctly?

John

Sent from Nine


From: "Bhangui, Sandeep - BLS CTR via bind-users" <bind-users@lists.isc.org>
Sent: Thursday, September 1, 2022 3:11 PM
To: bind-users@lists.isc.org
Subject: Issue with dns resolution for www.ssa.gov

Hi

We are running Bind Version 9.16.31 on RHEL 7.X Server and things are working 
fine in general.

Having an issue with DNS resolution for www.ssa.gov; no other
DNS issues reported at this time.

Our DNS server cannot seem to resolve www.ssa.gov using
nslookup (I know this is an old utility and cannot be used much for
troubleshooting); dig seems to respond properly.

Just curious what the issue could be. Is this on our DNS server, as nslookup
seems to work fine for a lot of other sites that I used just to check if it
responds correctly?

The VZ public NS which is listed as one of the NS under /etc/resolv.conf seems
to respond to nslookup just fine.

I am not sure what more information I could include that would be helpful; if
anything else is needed please let me know and I will post it.

Thanks in advance.

Sandeep


# nslookup www.ssa.gov

;; Got SERVFAIL reply from 127.0.0.1, trying next server

Server: 198.6.1.1
Address:198.6.1.1#53

Non-authoritative answer:
www.ssa.gov canonical name = 
www.ssa.gov.edgekey.net.
www.ssa.gov.edgekey.net canonical name = 
e82396.dsca.akamaiedge.net.
Name:   e82396.dsca.akamaiedge.net
Address: 23.222.241.54
Name:   e82396.dsca.akamaiedge.net
Address: 23.222.241.58
Name:   e82396.dsca.akamaiedge.net
Address: 2600:1404:d400::687d:293
Name:   e82396.dsca.akamaiedge.net
Address: 2600:1404:d400::687d:289


Dig output from the same DNS server seems to give a response.

# dig www.ssa.gov

; <<>> DiG 9.16.31 <<>> www.ssa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24578
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.ssa.gov.   IN  A

;; ANSWER SECTION:
www.ssa.gov.300 IN  CNAME   
www.ssa.gov.edgekey.net.
www.ssa.gov.edgekey.net. 9625   IN  CNAME   
e82396.dsca.akamaiedge.net.
e82396.dsca.akamaiedge.net. 20  IN  A   23.222.241.58
e82396.dsca.akamaiedge.net. 20  IN  A   23.222.241.51

;; Query time: 171 msec
;; SERVER: 198.6.1.1#53(198.6.1.1)
;; WHEN: Thu Sep 01 16:03:21 EDT 2022
;; MSG SIZE  rcvd: 146




RE: Issue with dns resolution for www.ssa.gov

2022-09-01 Thread Bhangui, Sandeep - BLS CTR via bind-users
Thanks Bjørn.

This indeed looks like a mess-up on SSA's side.

Sandeep

-Original Message-
From: bind-users  On Behalf Of Bjørn Mork
Sent: Thursday, September 1, 2022 5:26 PM
To: BIND users 
Subject: Re: Issue with dns resolution for www.ssa.gov


www.ssa.gov is a separate zone according to the ssa.gov NS:

bjorn@idefix:~$ dig ns www.ssa.gov @dns1.ssa.gov

; <<>> DiG 9.16.27-Debian <<>> ns www.ssa.gov @dns1.ssa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56002
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 3419fe2b41b19e86fd0d2330631122fd3a26a591e846d4b1 (good)
;; QUESTION SECTION:
;www.ssa.gov.   IN  NS

;; AUTHORITY SECTION:
www.ssa.gov.60  IN  NS  gtms2.ssa.gov.
www.ssa.gov.60  IN  NS  gtms1.ssa.gov.
www.ssa.gov.60  IN  NS  gtmu1.ssa.gov.
www.ssa.gov.60  IN  NS  gtmu2.ssa.gov.

;; ADDITIONAL SECTION:
GTMS1.ssa.gov.  36000   IN  AAAA    2001:1930:e03::13
GTMS2.ssa.gov.  36000   IN  AAAA    2001:1930:e03::14
GTMU1.ssa.gov.  36000   IN  AAAA    2001:1930:d07:1::10
GTMU2.ssa.gov.  36000   IN  AAAA    2001:1930:d07:1::11
GTMS1.ssa.gov.  36000   IN  A   137.200.4.203
GTMS2.ssa.gov.  36000   IN  A   137.200.4.204
GTMU1.ssa.gov.  36000   IN  A   137.200.43.16
GTMU2.ssa.gov.  36000   IN  A   137.200.43.17

;; Query time: 107 msec
;; SERVER: 2001:1930:d07:1::8#53(2001:1930:d07:1::8)
;; WHEN: Thu Sep 01 23:24:13 CEST 2022
;; MSG SIZE  rcvd: 348



But it's a CNAME according to the www.ssa.gov NS:


bjorn@idefix:~$ dig a www.ssa.gov @gtms1.ssa.gov

; <<>> DiG 9.16.27-Debian <<>> a www.ssa.gov @gtms1.ssa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43620
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ssa.gov.   IN  A

;; ANSWER SECTION:
www.ssa.gov.300 IN  CNAME   www.ssa.gov.edgekey.net.

;; Query time: 127 msec
;; SERVER: 2001:1930:e03::13#53(2001:1930:e03::13)
;; WHEN: Thu Sep 01 23:25:01 CEST 2022
;; MSG SIZE  rcvd: 77



CDNs playing tricks. This won't fly.



Bjørn


RE: Issue with dns resolution for www.ssa.gov

2022-09-01 Thread Bhangui, Sandeep - BLS CTR via bind-users

If I go to my personal computer or my personal phone (not on VPN connected to
BLS network or using BLS resources) I can get to the site www.ssa.gov, which I
would take to mean that it is able to resolve www.ssa.gov.

Does that mean the DNS resolution for www.ssa.gov is not broken globally as
explained below?

Or maybe my personal computer and my personal phone are querying different DNS
servers over the internet which are able to resolve www.ssa.gov correctly and
get to the website?

Thanks
Sandeep



-Original Message-
From: bind-users  On Behalf Of Bjørn Mork
Sent: Thursday, September 1, 2022 5:26 PM
To: BIND users 
Subject: Re: Issue with dns resolution for www.ssa.gov


www.ssa.gov is a separate zone according to the ssa.gov NS:

bjorn@idefix:~$ dig ns www.ssa.gov @dns1.ssa.gov

; <<>> DiG 9.16.27-Debian <<>> ns www.ssa.gov @dns1.ssa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56002
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 3419fe2b41b19e86fd0d2330631122fd3a26a591e846d4b1 (good)
;; QUESTION SECTION:
;www.ssa.gov.   IN  NS

;; AUTHORITY SECTION:
www.ssa.gov.60  IN  NS  gtms2.ssa.gov.
www.ssa.gov.60  IN  NS  gtms1.ssa.gov.
www.ssa.gov.60  IN  NS  gtmu1.ssa.gov.
www.ssa.gov.60  IN  NS  gtmu2.ssa.gov.

;; ADDITIONAL SECTION:
GTMS1.ssa.gov.  36000   IN  AAAA    2001:1930:e03::13
GTMS2.ssa.gov.  36000   IN  AAAA    2001:1930:e03::14
GTMU1.ssa.gov.  36000   IN  AAAA    2001:1930:d07:1::10
GTMU2.ssa.gov.  36000   IN  AAAA    2001:1930:d07:1::11
GTMS1.ssa.gov.  36000   IN  A   137.200.4.203
GTMS2.ssa.gov.  36000   IN  A   137.200.4.204
GTMU1.ssa.gov.  36000   IN  A   137.200.43.16
GTMU2.ssa.gov.  36000   IN  A   137.200.43.17

;; Query time: 107 msec
;; SERVER: 2001:1930:d07:1::8#53(2001:1930:d07:1::8)
;; WHEN: Thu Sep 01 23:24:13 CEST 2022
;; MSG SIZE  rcvd: 348



But it's a CNAME according to the www.ssa.gov NS:


bjorn@idefix:~$ dig a www.ssa.gov @gtms1.ssa.gov

; <<>> DiG 9.16.27-Debian <<>> a www.ssa.gov @gtms1.ssa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43620
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ssa.gov.   IN  A

;; ANSWER SECTION:
www.ssa.gov.300 IN  CNAME   www.ssa.gov.edgekey.net.

;; Query time: 127 msec
;; SERVER: 2001:1930:e03::13#53(2001:1930:e03::13)
;; WHEN: Thu Sep 01 23:25:01 CEST 2022
;; MSG SIZE  rcvd: 77



CDNs playing tricks. This won't fly.



Bjørn


Re: Issue with dns resolution for www.ssa.gov

2022-09-01 Thread Mark Andrews
Just because a broken configuration “works” some of the time for some
people, that doesn’t mean that it is not broken.

RFC 1034 says:

"The domain system provides such a feature using the canonical name
(CNAME) RR.  A CNAME RR identifies its owner name as an alias, and
specifies the corresponding canonical name in the RDATA section of the
RR.  If a CNAME RR is present at a node, no other data should be
present; this ensures that the data for a canonical name and its aliases
cannot be different.  This rule also insures that a cached CNAME can be
used without checking with an authoritative server for other RR types."

Now www.ssa.gov has (or should have) NS and SOA records besides the CNAME
as it is (supposedly) a delegated zone.  The nameservers hosting this zone
should be rejecting it according to RFC 1034.

On top of this the parent zone is signed and validating clients need to be
able to retrieve the non-existence proof for the DS RRset from the parent
zone.  If you are validating through a server then when you ask for
www.ssa.gov DS and it finds a CNAME record at www.ssa.gov then that should
be a valid reply because CNAMEs are not supposed to have other records at
the same name.  There is an exception for KEY to allow SIG(0) signed messages
using the private part of that key to update the CNAME record and for NSEC
to prove the non-existence of KEY and names in the zone’s namespace after the
CNAME record.

No RFC says “If the query type is DS and you find a CNAME, ignore that CNAME
and perform a lookup for the DS”.  This text doesn’t exist because RFC 1034
says this is an illegal (broken) configuration.  There is no exception for
DS like there is for KEY and NSEC.

If you investigate further the “servers” for www.ssa.gov are DNSSEC aware
as they don’t return CNAME for a KEY lookup.  What they do return is a
non-existence response using a SOA record with the owner name of ssa.gov
which means the “delegation” is pointing into the middle of a different
instance of “ssa.gov” which has a CNAME rather than NS records at www.ssa.gov
so there isn’t even a proper delegation.  This also means that any sanity
checking in the server for CNAME and other data is defeated by the broken
delegation.

% dig key www.ssa.gov @gtmu2.ssa.gov

; <<>> DiG 9.19.5-dev <<>> key www.ssa.gov @gtmu2.ssa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47786
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ssa.gov.   IN  KEY

;; AUTHORITY SECTION:
ssa.gov.60  IN  SOA gtmu1.ssa.gov. 1G. 2022082605 10800 3600 604800 60

;; Query time: 273 msec
;; SERVER: 137.200.43.17#53(gtmu2.ssa.gov) (UDP)
;; WHEN: Fri Sep 02 10:18:46 AEST 2022
;; MSG SIZE  rcvd: 93

%

Mark

> On 2 Sep 2022, at 08:16, Bhangui, Sandeep - BLS CTR via bind-users 
>  wrote:
> 
> 
> If I go to my personal computer or my personal phone (not on VPN connected
> to BLS network or using BLS resources) I can get to the site www.ssa.gov,
> which I would take to mean that it is able to resolve www.ssa.gov.
> 
> Does that mean the DNS resolution for www.ssa.gov is not broken globally as
> explained below?
> 
> Or maybe my personal computer and my personal phone are querying different DNS
> servers over the internet which are able to resolve www.ssa.gov correctly and
> get to the website?
> 
> Thanks
> Sandeep
> 
> 
> 
> -Original Message-
> From: bind-users  On Behalf Of Bjørn Mork
> Sent: Thursday, September 1, 2022 5:26 PM
> To: BIND users 
> Subject: Re: Issue with dns resolution for www.ssa.gov
> 
> 
> www.ssa.gov is a separate zone according to the ssa.gov NS:
> 
> bjorn@idefix:~$ dig ns www.ssa.gov @dns1.ssa.gov
> 
> ; <<>> DiG 9.16.27-Debian <<>> ns www.ssa.gov @dns1.ssa.gov
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56002
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 3419fe2b41b19e86fd0d2330631122fd3a26a591e846d4b1 (good)
> ;; QUESTION SECTION:
> ;www.ssa.gov.   IN  NS
> 
> ;; AUTHORITY SECTION:
> www.ssa.gov.60  IN  NS  gtms2.ssa.gov.
> www.ssa.gov.60  IN  NS  gtms1.ssa.gov.
> www.ssa.gov.60  IN  NS  gtmu1.ssa.gov.
> www.ssa.gov.60  IN  NS  gtmu2.ssa.gov.
> 
> ;; ADDITIONAL SECTION:
> GTMS1.ssa.gov.  36000   IN  AAAA    2001:1930:e03::13
> GTMS2.ssa.gov.
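Bjørn's two dig queries show the parent (ssa.gov) delegating www.ssa.gov while the servers it delegates to answer with a CNAME at that name, and Mark's reply explains the RFC 1034 rule that makes the configuration broken and why the usual CNAME-and-other-data check does not catch it. As an added example that is not part of either post, the following Python runs both checks over constructed zone data: the per-owner rule (a CNAME may carry no other data apart from RRSIG, NSEC and KEY) and a delegation-consistency check (the parent delegates a name at which the child serves no SOA/NS apex, only a CNAME). The names broken.example, bad.example, gtm1/gtm2.broken.example and all addresses and signature data are placeholders modelled on the thread's case, not live DNS.

```python
"""Added example (not from the thread): sanity checks for the two failure
modes discussed, using constructed zone data rather than live DNS.

  1. RFC 1034 section 3.6.2: an owner name with a CNAME may carry no other
     data, except the DNSSEC companions (RRSIG, NSEC) and KEY, as Mark notes.
  2. A parent delegates a name (NS records) but the "child" servers serve no
     SOA/NS apex there, only a CNAME: validators asking for the DS RRset at
     that name get a CNAME instead of a DS or an NSEC non-existence proof.
"""
from collections import defaultdict

# RR types that may coexist with a CNAME at the same owner name.
# KEY and NSEC are the exceptions named in the thread; RRSIG is required
# alongside a CNAME in a signed zone (RFC 4035 section 2.5).
CNAME_COMPANIONS = {"RRSIG", "NSEC", "KEY"}

def parse_rrs(text):
    """Parse presentation-format RRs 'owner ttl class type rdata', one per line."""
    rrs = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        owner, ttl, cls, rtype, rdata = line.split(None, 4)
        rrs.append((owner.lower().rstrip("."), int(ttl), cls.upper(), rtype.upper(), rdata))
    return rrs

def types_at(rrs, name):
    """Set of RR types present at `name`."""
    name = name.lower().rstrip(".")
    return {rtype for owner, _, _, rtype, _ in rrs if owner == name}

def cname_conflicts(rrs):
    """Owner names holding a CNAME plus disallowed other data -> offending types."""
    by_owner = defaultdict(set)
    for owner, _, _, rtype, _ in rrs:
        by_owner[owner].add(rtype)
    conflicts = {}
    for owner, types in by_owner.items():
        if "CNAME" in types:
            extra = sorted(types - {"CNAME"} - CNAME_COMPANIONS)
            if extra:
                conflicts[owner] = extra
    return conflicts

def check_delegation(parent_rrs, child_rrs, name):
    """Compare the parent's delegation of `name` with what the child answers there."""
    name = name.lower().rstrip(".")
    findings = []
    if "NS" not in types_at(parent_rrs, name):
        return ["parent does not delegate " + name]
    child_types = types_at(child_rrs, name)
    if not {"SOA", "NS"} <= child_types:
        findings.append("no zone apex (SOA+NS) at " + name + ": the delegation points into another zone")
    if "CNAME" in child_types:
        findings.append("CNAME at delegated name " + name + ": a DS query gets a CNAME, not a DS/NSEC answer")
    return findings

# Constructed data modelled on the thread: the parent delegates www, but the
# delegated-to servers hold a CNAME there inside a second copy of the parent zone.
CONSTRUCTED_PARENT = """\
broken.example.       3600 IN SOA   ns1.broken.example. hostmaster.broken.example. 1 3600 900 604800 60
broken.example.       3600 IN NS    ns1.broken.example.
www.broken.example.     60 IN NS    gtm1.broken.example.  ; delegation
www.broken.example.     60 IN NS    gtm2.broken.example.
gtm1.broken.example. 36000 IN A     192.0.2.10
gtm2.broken.example. 36000 IN A     192.0.2.11
"""
CONSTRUCTED_CHILD = """\
broken.example.         60 IN SOA   gtm1.broken.example. hostmaster.broken.example. 2 10800 3600 604800 60
www.broken.example.    300 IN CNAME www.broken.example.cdn-edge.example.
"""
CONSTRUCTED_GOOD_CHILD = """\
www.broken.example.     60 IN SOA   gtm1.broken.example. hostmaster.broken.example. 1 3600 900 604800 60
www.broken.example.     60 IN NS    gtm1.broken.example.
www.broken.example.     60 IN NS    gtm2.broken.example.
www.broken.example.    300 IN A     192.0.2.80
"""
# A zone that breaks the RFC 1034 rule outright: CNAME next to an MX.
CONSTRUCTED_BAD_OWNER = """\
bad.example.          3600 IN CNAME target.example.
bad.example.          3600 IN MX    10 mail.example.
bad.example.          3600 IN RRSIG CNAME 13 2 3600 20220930000000 20220901000000 12345 bad.example. CONSTRUCTEDSIG=
"""

if __name__ == "__main__":
    parent = parse_rrs(CONSTRUCTED_PARENT)
    print(check_delegation(parent, parse_rrs(CONSTRUCTED_CHILD), "www.broken.example"))
    print(cname_conflicts(parse_rrs(CONSTRUCTED_CHILD)))      # {} : per-owner check is defeated
    print(cname_conflicts(parse_rrs(CONSTRUCTED_BAD_OWNER)))  # {'bad.example': ['MX']}
```

The empty result from cname_conflicts on the constructed child is the point Mark makes: because the CNAME sits inside another copy of the parent zone rather than at a real apex, the per-owner CNAME-and-other-data check never sees the NS records that conflict with it, and only the cross-zone delegation check reports the problem.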