Handling of expired RRSIG records - ise.gov

Simon Waters simon.waters at surevine.com
Wed May 21 11:56:32 UTC 2014


Dear Bind Users,

BIND 9 logs report: RRSIG has expired for "www.ise.gov"
And "no valid signature found" for "ise.gov A".

Yet I can still resolve and visit the website http://ise.gov/

DNS recursive server has:
        dnssec-validation yes;
        dnssec-enable yes;
        dnssec-accept-expired no;

Inspection: 

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.32.amzn1 <<>> +norec +dnssec @ns1.p11.dynect.net ise.gov a
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61417
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ise.gov.			IN	A

;; ANSWER SECTION:
ise.gov.		60	IN	A	50.19.98.143
ise.gov.		60	IN	RRSIG	A 5 2 60 20140513120652 20140413120652 45468 ise.gov. VZpvQNUKY6Vt0yxytk7JzK4FGh54SImorcnbvIRKwhGp2nrrHZWgSRfM RiYtgbD2KSUoIOoaws5uDL1FAmMbbbFbdQBioEmJeCJMLzD1FJKPDBu3 PTtmTqgj7tdEM12evpM1v8JwDoN/ZYGwgMxkkOebqqrMQ0ZuprfmZqrf 6Zg=

;; AUTHORITY SECTION:
ise.gov.		86400	IN	NS	ns1.p11.dynect.net.
ise.gov.		86400	IN	NS	ns4.p11.dynect.net.
ise.gov.		86400	IN	NS	ns2.p11.dynect.net.
ise.gov.		86400	IN	NS	ns3.p11.dynect.net.
ise.gov.		86400	IN	RRSIG	NS 5 2 86400 20140513120652 20140413120652 45468 ise.gov. OJ6es8al+vr2hCU9IrEkIJ+Ly/XK79g/Hlp8vDCYR6qt5VrOA5dzC4Nq a0IOOn9Ryo38O021tlcTp9bHhC+sf02SmmbG1oBiRSbL2JaYPD0Cm5bg rLiGB9iE3lDrgIz++RytufcKjnloYyCYhfAUvTe5/tmSU5tP0rdes8yw 0rA=

;; Query time: 22 msec
;; SERVER: 208.78.70.11#53(208.78.70.11)
;; WHEN: Wed May 21 11:40:16 2014
;; MSG SIZE  rcvd: 472

All name servers have the same expiry time for the RRSIG A record, which, unless I'm more confused than I realise, is about a week ago. Clocks on all machines under our control are correct to the precision required (they know what day and year it is).

DNSviz suggests that the SOA record is secure, but not A or MX for ise.gov, and the date on the SOA RRSIG record is indeed in the future.

How is BIND deciding it is okay to return the A and MX records, and that this is not some sort of DNS replay attack?
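The time check the post is asking about, as an added example (not code from the post and not BIND's own implementation): RFC 4034 section 3.1.5 says an RRSIG may only be used when inception <= now <= expiration, with both comparisons done in 32-bit serial-number arithmetic (RFC 1982). The script below parses RRSIG lines in dig presentation format and applies that rule, with an `accept_expired` switch that mirrors what BIND's `dnssec-accept-expired` option relaxes. The sample input is constructed from the two RRSIG lines in the dig output above (signature data shortened), and "now" is taken from the `;; WHEN:` line of that same output.

```python
"""Check RRSIG validity windows from dig output (RFC 4034 s.3.1.5, RFC 1982).

Added example for the bind-users post above; not BIND code. It performs only
the signature time check, which is the part dnssec-accept-expired governs.
"""
import re
from datetime import datetime, timezone

# Constructed sample input: the two RRSIG lines from the post's dig output,
# with the base64 signature data truncated (it is not needed for the time check).
SAMPLE_RRSIGS = """\
ise.gov.\t\t60\tIN\tRRSIG\tA 5 2 60 20140513120652 20140413120652 45468 ise.gov. VZpvQNUKY6Vt0yxytk7J...
ise.gov.\t\t86400\tIN\tRRSIG\tNS 5 2 86400 20140513120652 20140413120652 45468 ise.gov. OJ6es8al+vr2hCU9IrEk...
"""

# "Now" for the check: the ";; WHEN:" timestamp of the query in the post (UTC).
QUERY_TIME = datetime(2014, 5, 21, 11, 40, 16, tzinfo=timezone.utc)

MOD = 2 ** 32


def to_unix(ts):
    """RRSIG time field -> seconds since epoch modulo 2^32.

    Presentation format allows YYYYMMDDHHmmSS (UTC) or a bare integer.
    """
    if re.fullmatch(r"\d{14}", ts):
        dt = datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp()) % MOD
    return int(ts) % MOD


def serial_le(a, b):
    """a <= b in RFC 1982 serial arithmetic (32-bit), as RFC 4034 requires."""
    return a == b or (b - a) % MOD < 2 ** 31


def parse_rrsig(line):
    """Split one presentation-format RRSIG line into its RDATA fields."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "owner": f[0], "ttl": int(f[1]), "type_covered": f[4],
        "algorithm": int(f[5]), "labels": int(f[6]), "orig_ttl": int(f[7]),
        "expiration": to_unix(f[8]), "inception": to_unix(f[9]),
        "key_tag": int(f[10]), "signer": f[11], "signature": "".join(f[12:]),
    }


def check_rrsig(rr, now, accept_expired=False):
    """Return 'valid', 'expired' or 'not-yet-valid' for an RRSIG at time now.

    accept_expired mirrors BIND's dnssec-accept-expired: when true, the
    expiration time is ignored; the inception time is still enforced.
    """
    t = int(now.timestamp()) % MOD
    if not serial_le(rr["inception"], t):
        return "not-yet-valid"
    if not accept_expired and not serial_le(t, rr["expiration"]):
        return "expired"
    return "valid"


def check_all(text, now, accept_expired=False):
    """Check every RRSIG line in dig output; returns [(type covered, verdict)]."""
    results = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) > 3 and fields[3] == "RRSIG":
            rr = parse_rrsig(line)
            results.append((rr["type_covered"], check_rrsig(rr, now, accept_expired)))
    return results


if __name__ == "__main__":
    for covered, verdict in check_all(SAMPLE_RRSIGS, QUERY_TIME):
        print("RRSIG over %-3s: %s" % (covered, verdict))
```

Run against the post's records with the post's query time, both signatures come out `expired` (expiration 2014-05-13 12:06:52 UTC against a query at 2014-05-21 11:40:16 UTC); with `accept_expired=True` they pass. One caveat worth keeping in mind when reading the result: this is only the time check on the signature itself. A validating resolver runs it only for zones it has proven to be signed via a chain of DS and DNSKEY records from a trust anchor; a zone it cannot prove signed is treated as insecure and its signatures are never examined, which is why "no valid signature found" and a successful lookup are not contradictory in general.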
