dnssec question. confused.

Marc Lampo marc.lampo at eurid.eu
Wed Sep 28 05:56:57 UTC 2011


Hello,

1) The dig command, as shown, does not ask an authoritative name server for eeoc.gov, but rather addresses a locally configured caching name server (10.120.11.107).
   (Which may explain the difference in size - 1726 bytes - as opposed to the 3918 bytes of Doug Barton.)
   ((Some data may already have timed out of the local cache; observe the TTL values.))

2) I'd say: yes, you receive DNSSEC responses.
   But your caching name server is not validating them: the AD bit is not set in the answer.

3) The OPT RR, with length 4096, is in the *reply*.
   The server indicates that it is itself willing to accept DNS-over-UDP packets up to that size (e.g. for dynamic updates).
   (While the EDNS0 RFC does not explicitly state that replying with EDNS0 is mandatory if a query came in with EDNS0, there is also a statement that claims this (sending EDNS0 and looking in the reply) is a way, for a (dynamic update) client, to find out what the server is willing to accept. This statement seems to imply that EDNS0 should be in a reply if the client sent EDNS0.
    Any other opinions in the list?)
   In order to see the packet size in the outgoing query packet, use something like wireshark.

4) "DNSSEC query" is not precise enough!
   For one thing, DNSSEC requires EDNS0; EDNS0 announces a buffer size, which can vary.
   As long as (!) the buffer size is sufficient, UDP will be used, but DNS queries can also be sent over TCP (and is your firewall allowing that?).

   My suggestion (from a device that is allowed to send DNS queries to the Internet): try

dig @dnssec9.datamtn.com. eeoc.gov. +dnssec
dig @dnssec9.datamtn.com. eeoc.gov. +dnssec +bufsize=512
and
dig @dnssec9.datamtn.com. eeoc.gov. +dnssec +vc

 (And don't forget to have your caching NS validate DNSSEC answers, because providing signatures that are ignored by clients makes the Internet *less* safe.)

Kind regards,

Marc Lampo
Security Officer
EURid
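As an added illustration of points 2 to 4 above (example code written for this page, not part of the original post and not code from BIND or dig): it builds the same kind of EDNS0 query that `dig +dnssec +bufsize=N` sends, then inspects a reply the way the thread suggests, looking for the OPT RR with its advertised UDP payload size and DO bit, for the AD bit that a validating resolver sets, and for the TC bit that means the answer did not fit in the buffer and the query should be retried over TCP (`+vc`). The reply bytes are constructed inline for eeoc.gov with dummy signature data, not a real capture; the function names and the `next_step` strings are this example's own.

```python
"""Build an EDNS0/DNSSEC query and inspect the reply flags discussed in the
thread: the OPT RR (UDP size, DO bit), the AD bit (validated by the resolver)
and the TC bit (answer did not fit in UDP: retry over TCP)."""
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
# DNS header flag bits: QR(15) Opcode(14-11) AA(10) TC(9) RD(8) RA(7) Z(6) AD(5) CD(4) RCODE(3-0)
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0200, 0x0100, 0x0080, 0x0020
EDNS_DO = 0x8000  # DNSSEC OK bit: highest bit of the OPT RR's 32-bit TTL field


def encode_name(name):
    """Wire-format a dotted name without compression."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234, bufsize=4096, dnssec_ok=True):
    """Equivalent of `dig +dnssec +bufsize=<bufsize> <name>`: one question plus an OPT RR."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1 (the OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR (RFC 6891): owner name is the root, CLASS carries the UDP
    # payload size the sender accepts, TTL carries ext-RCODE/version/DO/Z, RDLEN 0.
    ttl = EDNS_DO if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, ttl, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: 2 bytes, terminates the name
            return off + 2
        off += 1 + ln


def inspect_reply(msg):
    """Summarise header flags and the OPT RR of a DNS message (query or reply)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "tc": bool(flags & FLAG_TC), "edns": False, "udp_size": 512,
            "do": False, "rrsig": 0}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            info["rrsig"] += 1
        elif rtype == TYPE_OPT:
            info["edns"] = True
            info["udp_size"] = rclass  # the UDP size the other side accepts
            info["do"] = bool(ttl & EDNS_DO)
    return info


def build_sample_reply(txid=0x1234, validated=False, truncated=False):
    """Constructed reply for `eeoc.gov A` (sample bytes, not a real capture):
    the A record, one RRSIG whose rdata is dummy filler, and an OPT RR."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    if validated:
        flags |= FLAG_AD
    if truncated:
        flags |= FLAG_TC
    header = struct.pack("!HHHHHH", txid, flags, 1, 2, 0, 1)
    question = encode_name("eeoc.gov") + struct.pack("!HH", TYPE_A, 1)
    ptr = b"\xC0\x0C"  # compression pointer to the question name at offset 12
    a_rr = ptr + struct.pack("!HHIH", TYPE_A, 1, 19499, 4) + bytes([64, 94, 64, 52])
    sig = b"\x00" * 18 + encode_name("eeoc.gov") + b"\x11" * 32  # dummy RRSIG rdata
    rrsig_rr = ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 19499, len(sig)) + sig
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + a_rr + rrsig_rr + opt_rr


def next_step(info):
    """What a client should conclude from the reply, following the thread's advice."""
    if info["tc"]:
        return "retry over TCP (+vc)"
    if not info["edns"]:
        return "no OPT in reply: EDNS0 stripped or unsupported"
    if not info["ad"]:
        return "signatures present but not validated by the resolver"
    return "validated"


if __name__ == "__main__":
    q = build_query("eeoc.gov")
    print(len(q), "byte query; OPT advertises", inspect_reply(q)["udp_size"])
    for kw in ({}, {"validated": True}, {"truncated": True}):
        i = inspect_reply(build_sample_reply(**kw))
        print(i, "->", next_step(i))
```

Pointing `build_query` at a real socket is left to the reader; the point of the parser is that the three conditions the reply is checked for (OPT present, AD set, TC set) are exactly the three things the `dig` variants in the reply above exercise.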



-----Original Message-----
From: Brad Bendily [mailto:Brad.Bendily at LA.GOV] 
Sent: 27 September 2011 10:45 PM
To: bind-users at lists.isc.org
Subject: dnssec question. confused.


When trying the DNSSEC check command from:
https://www.dns-oarc.net/oarc/services/replysizetest

behind our corporate firewall, I get:
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"Tested at 2011-09-27 20:32:34 UTC"
"205.172.49.177 sent EDNS buffer size 4096"
"205.172.49.177 DNS reply size limit is at least 490"


Which, based on the website, tells me our firewall is blocking or filtering EDNS/DNSSEC packets.



However, what I'm confused about is when I run this command:
dig +dnssec eeoc.gov

I get:

; <<>> DiG 9.7.3-P1 <<>> +dnssec eeoc.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40572
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;eeoc.gov.                      IN      A

;; ANSWER SECTION:
eeoc.gov.               19499   IN      A       64.94.64.52
eeoc.gov.               19499   IN      RRSIG   A 7 2 21600 20111208014816
20110909014816 52909 eeoc.gov.
AW5Ny32xDP7+m4XxCSS7q/zuK8RBc+la70Zmg0A/Pe1+p0agkrzbxaHM
GgvKldSKCzVgo7XPGR3LqcGIFDl0CPaaSTxTntlZkdh6x2qS4mM/49+B
9podxzbV3V4LcNpR4c4jyteAa5Uxaz3WSRr1T69PpJyIZZ53JmexkMPi
yOjMcp1IqeSJ0P/06CuZccemo+f/fjGW8xfG/slOp2XJlmbPo1EfJnlw
i07YstZVszHxsgmRUXssEUmkWi3eqAw4Ug2QiRa+zz3JpmgBnC0G7Kxd
SXUJLuvfNdDrtJ9T5anNVRVxCVq499gaJQnWBXKKVVaC9w/BcPnGuSRy OZTyPg==

;; AUTHORITY SECTION:
eeoc.gov.               66519   IN      NS      dnssec10.datamtn.com.
eeoc.gov.               66519   IN      NS      dnssec14.datamtn.com.
eeoc.gov.               66519   IN      NS      dnssec11.datamtn.com.
eeoc.gov.               66519   IN      NS      dnssec12.datamtn.com.
eeoc.gov.               66519   IN      NS      dnssec9.datamtn.com.

;; ADDITIONAL SECTION:
dnssec9.datamtn.com.    3114    IN      AAAA    2001:49f0:a02a:1000::238
dnssec11.datamtn.com.   3114    IN      AAAA    2001:470:1:7a::147
dnssec9.datamtn.com.    3114    IN      RRSIG   AAAA 7 3 10800
20111125185428 20110827185428 21352 datamtn.com.
Ngz7Bl2VWqhIY5Uh8bHJjwyAWQXcEM7qaAH8JSJ5VM5qMelfVA1pV+Y6
RltfXpACQxRpHsayiArGZulzp1XX4yW6+qsHiKLJOcRiS5kmjexBPUlK
zyU3cp7BC5dprHyPBpXKbHExuGlvqrg1aqRJtAmH6Q7tkp2wWqEuO3Ku
LBvvGXN46U+sYPsd98YixlLLTtj2qFo7/vhPN8ao2g6HuFBVIUTU4LuV
d7Wjz+r4Xj722w6RFgZFu9qFwYsOQwTGlon4zqDvflzESSWSjFdzHCZ0
prkagjXwcZYMlQGRMgnmHlEEvvg+lKMdl4imHLx/LKLD+feCzp2d4PFj 9byoYA==
dnssec9.datamtn.com.    3114    IN      RRSIG   AAAA 8 3 10800
20111125185428 20110827185428 61898 datamtn.com.
NtPfKvEs6DF0Bac9ZbCfi0b0QdeVMSlaNXAyDFSjo4J8uQUYllDwt101
C78VAiXplumZRM/9Vv7fg1/Ds/qCd6wC6wdTR3S8mtDOpLHVhuZTSGI1
jBVBXYjzBdqIBitydwD6vs+VaPsfd352NBqE8teFQJhbVAI98+d9BO4x
/Qx+i2HJOPdQyVRq6dj2NYg1GT4ODDb6VmQUOb01XgIyX/pLt+7AdtId
1FFbA9LfO4xvYTCKAO3LbPvdU7nJ2+mCMu5CNQFNiwAbSHT3letupzpH
yLUNrjhcO0cj/vVf1YrrIzZXF69zKGYfsCP876zKoVtlrUe1dZ0bersP 4I9klg==
dnssec11.datamtn.com.   3114    IN      RRSIG   AAAA 7 3 10800
20111125185428 20110827185428 21352 datamtn.com.
Lgt6Wq5JvvAF6BKUUoPSiv6lx0yqQ3HAFoClEcg11V7XhIngeaTperu7
7lytmKl53yZUxarFbQdJ/NxwwNVl/F2Os5RkNHkAjVTkku1mjoMeqEhF
NDe+cvYOOo0EASc9LhmHo2qgkyhjGAt1FtbmrOG9Gwr5OdUM5l2EgcGj
bRvH1Sfv5le68ST1+74sQPKmp+3n0gopfKUlcYuDDw/mUKXR8lo3MCTv
xe6q6NbwHNHWBCgUw4rqX4ZdVArL4WumKvkufeieDJpMhKwHlWHyPvu9
pX1IsZRyQPo9RqnmSpG+yjR59ixbb23LyO6alrEDJTyaJZL8uHfwiTQ8 4V29tQ==
dnssec11.datamtn.com.   3114    IN      RRSIG   AAAA 8 3 10800
20111125185428 20110827185428 61898 datamtn.com.
vtFFEZbruIfnwSGAdlXukUn40SOEIZY9QXrHh6CfOl3WkQduSnbvgS5T
+e2QN6GDcZgigGON8yHHTS8DI8ld/tCxxVkwB3ISkqkQHrjyyRD6+8IR
J2BWsdMTyAhe9PygLR1FkfCt1JDaDnAbOKOniMT+6DRlnE7ZW7KfvZT/
7j5qG+xDixCXUHyhnstbv9vmMPTxnK1ASy6nz7ErnA/DUMleO484xIgM
6Pc8uqy3Onw4Yfn4l5R66tQwC0yoSVwqmEyIWNWyx1SNQLFzUc1hySaF
aQs1L/Zyu9e/wSHdZUeGiOwx5cz3yWE2NsF3tagxukkL9vNu2s/nyjzR 3igT3g==

;; Query time: 1 msec
;; SERVER: 10.120.11.107#53(10.120.11.107)
;; WHEN: Tue Sep 27 15:34:07 2011
;; MSG SIZE  rcvd: 1726


Which tells me my DNSSEC queries are working, right?
I noticed in the "OPT PSEUDOSECTION" udp=4096.

This started because, as the DNS admin, I was informed today that we could not resolve this domain, eeoc.gov. Which was true. As I started digging into it, and performing a dig from an offsite server which was working, I found that the domain "eeoc.gov" is running DNSSEC. So, I assumed the problem was with our firewall blocking or filtering the DNSSEC traffic. But then after researching for a few hours, I found we were able to resolve the domain, through no changes of DNS.
It could be that "datamtn.com", their authoritative NS, are performing maintenance or something. So, all this research led me to the information above.

Are we getting EDNS/DNSSEC responses or no?
thanks
bb



