Handling of expired RRSIG records - ise.gov
Mark Andrews
marka at isc.org
Wed May 21 14:22:56 UTC 2014
There is no DS record for ise.gov so there is no chain of trust and
the answer is treated as insecure. Note "ad" is *not* set in flags
of your query.
; <<>> DiG 9.11.0pre-alpha <<>> ds ise.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45170
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ise.gov. IN DS
;; AUTHORITY SECTION:
gov. 3463 IN SOA a.usadotgov.net. nstld.verisign-grs.com. 1400670001 3600 900 1814400 3600
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 22 00:21:37 EST 2014
;; MSG SIZE rcvd: 109
Mark
In message <EC464560-51AC-4329-B946-D0F31309CF53 at surevine.com>, Simon Waters writes:
> Dear Bind Users,
>
> BIND 9 logs report: RRSIG has expired for "www.ise.gov"
> And "no valid signature found" for "ise.gov A".
>
> Yet I can still resolve and visit the website http://ise.gov/
>
> DNS recursive server has:
> dnssec-validation yes;
> dnssec-enable yes;
> dnssec-accept-expired no;
>
> Inspection:
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.32.amzn1 <<>> +norec +dnssec @ns1.p11.dynect.net ise.gov a
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61417
> ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;ise.gov. IN A
>
> ;; ANSWER SECTION:
> ise.gov. 60 IN A 50.19.98.143
> ise.gov. 60 IN RRSIG A 5 2 60 20140513120652 20140413120652 45468 ise.gov. VZpvQNUKY6Vt0yxytk7JzK4FGh54SImorcnbvIRKwhGp2nrrHZWgSRfM RiYtgbD2KSUoIOoaws5uDL1FAmMbbbFbdQBioEmJeCJMLzD1FJKPDBu3 PTtmTqgj7tdEM12evpM1v8JwDoN/ZYGwgMxkkOebqqrMQ0ZuprfmZqrf 6Zg=
>
> ;; AUTHORITY SECTION:
> ise.gov. 86400 IN NS ns1.p11.dynect.net.
> ise.gov. 86400 IN NS ns4.p11.dynect.net.
> ise.gov. 86400 IN NS ns2.p11.dynect.net.
> ise.gov. 86400 IN NS ns3.p11.dynect.net.
> ise.gov. 86400 IN RRSIG NS 5 2 86400 20140513120652 20140413120652 45468 ise.gov. OJ6es8al+vr2hCU9IrEkIJ+Ly/XK79g/Hlp8vDCYR6qt5VrOA5dzC4Nq a0IOOn9Ryo38O021tlcTp9bHhC+sf02SmmbG1oBiRSbL2JaYPD0Cm5bg rLiGB9iE3lDrgIz++RytufcKjnloYyCYhfAUvTe5/tmSU5tP0rdes8yw 0rA=
>
> ;; Query time: 22 msec
> ;; SERVER: 208.78.70.11#53(208.78.70.11)
> ;; WHEN: Wed May 21 11:40:16 2014
> ;; MSG SIZE rcvd: 472
>
> All name servers have the same expiry time for the RRSIG A record, which, unless I'm more confused than I realise, is about a week ago. Clocks on all machines under our control are correct to the precision required (they know what day and year it is).
>
> DNSviz suggests that the SOA record is secure, but not the A or MX for ise.gov, and the date on the SOA RRSIG record is indeed in the future.
>
> How is BIND deciding it is okay to return the A and MX records, and that this
> is not some sort of DNS replay attack?
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
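The decision Mark describes above (no DS at the parent, so the answer is insecure rather than bogus, and the zone's expired RRSIG is never consulted), as an added example that is not from the thread and not BIND's own code. It is a Python model of the validator outcome: it parses the RRSIG quoted in Simon's dig output, applies the RFC 4035 validity-period check against the `WHEN` timestamp of that query, reads the header of Mark's DS query, and shows how `dnssec-accept-expired` would change the result. Cryptographic signature verification is not performed; the `crypto_ok` parameter stands in for it. The dig `WHEN` time is assumed to be UTC, and all function and constant names are my own.

```python
"""Added example: how a validating resolver such as BIND 9 classifies an answer.

Only the chain-of-trust decision and the RRSIG validity-period check are modelled;
cryptographic signature verification is represented by the crypto_ok parameter.
"""
import base64
import re
from datetime import datetime, timezone
from enum import Enum


class Status(Enum):
    SECURE = "secure"      # chain of trust intact and signature valid: AD set
    INSECURE = "insecure"  # authenticated proof of no DS at the parent: RRSIGs not evaluated, AD not set
    BOGUS = "bogus"        # chain of trust exists but validation failed: SERVFAIL to the client


def parse_sigtime(field: str) -> datetime:
    """RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> dict:
    """Parse one RRSIG in dig presentation format into its RDATA fields."""
    owner, ttl, _klass, rtype, covered, alg, labels, ottl, exp, inc, tag, signer, *sig = line.split()
    if rtype != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return {
        "owner": owner,
        "ttl": int(ttl),
        "type_covered": covered,
        "algorithm": int(alg),
        "labels": int(labels),
        "original_ttl": int(ottl),
        "expiration": parse_sigtime(exp),
        "inception": parse_sigtime(inc),
        "key_tag": int(tag),
        "signer": signer,
        # dig prints the base64 signature in space-separated chunks
        "signature": base64.b64decode("".join(sig)),
    }


def in_validity_period(rrsig: dict, now: datetime, accept_expired: bool = False) -> bool:
    """Temporal check from RFC 4035, section 5.3.1: inception <= now <= expiration.

    accept_expired mirrors BIND's `dnssec-accept-expired yes`: the expiration is ignored,
    which is why that option exposes a resolver to replay of old signed data."""
    if now < rrsig["inception"]:
        return False
    if now > rrsig["expiration"]:
        return accept_expired
    return True


def expired_for(rrsig: dict, now: datetime):
    """How long ago the signature expired (negative while it is still valid)."""
    return now - rrsig["expiration"]


def ds_status_from_dig_header(flags_line: str):
    """Read the ';; flags:' header of a DS query made through a validating resolver.

    Returns (has_ds, authenticated): has_ds is True when ANSWER is non-zero; authenticated
    is True when 'ad' is set, i.e. the DS, or the denial of its existence, was validated."""
    head, _, counts = flags_line.lstrip(";").strip().partition(";")
    flags = head.split(":", 1)[1].split()
    answer = int(re.search(r"ANSWER:\s*(\d+)", counts).group(1))
    return answer > 0, "ad" in flags


def classify(rrsig, now, parent_has_ds, ds_authenticated=True,
             crypto_ok=True, accept_expired=False) -> Status:
    """Validator outcome for a signed answer, given the parent's DS state."""
    if not ds_authenticated:
        # neither a chain of trust nor its secure absence could be established
        return Status.BOGUS
    if not parent_has_ds:
        # insecure delegation: the zone's own RRSIGs, expired or not, are irrelevant
        return Status.INSECURE
    if not crypto_ok or not in_validity_period(rrsig, now, accept_expired):
        return Status.BOGUS
    return Status.SECURE


# Sample input taken from the dig output quoted in the thread (line wraps rejoined).
RRSIG_A = parse_rrsig(
    "ise.gov. 60 IN RRSIG A 5 2 60 20140513120652 20140413120652 45468 ise.gov. "
    "VZpvQNUKY6Vt0yxytk7JzK4FGh54SImorcnbvIRKwhGp2nrrHZWgSRfM "
    "RiYtgbD2KSUoIOoaws5uDL1FAmMbbbFbdQBioEmJeCJMLzD1FJKPDBu3 "
    "PTtmTqgj7tdEM12evpM1v8JwDoN/ZYGwgMxkkOebqqrMQ0ZuprfmZqrf 6Zg="
)
# ";; WHEN: Wed May 21 11:40:16 2014" from the same dig run; assumed to be UTC.
NOW = parse_sigtime("20140521114016")
# Header of the `dig ds ise.gov` run through a validating resolver, as quoted above.
DS_HEADER = ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1"


def demo() -> dict:
    has_ds, authenticated = ds_status_from_dig_header(DS_HEADER)
    return {
        "expired_days": expired_for(RRSIG_A, NOW).days,
        "actual": classify(RRSIG_A, NOW, has_ds, authenticated),
        "if_ds_existed": classify(RRSIG_A, NOW, True),
        "if_ds_existed_and_accept_expired": classify(RRSIG_A, NOW, True, accept_expired=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value.value if isinstance(value, Status) else value}")
```

Run stand-alone, the block reports the signature as expired for 7 days, the actual outcome as `insecure` (no DS, and the denial carried `ad`), `bogus` had a DS existed, and `secure` only with `dnssec-accept-expired yes` in that hypothetical, which is the replay exposure Simon asks about.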