Handling of expired RRSIG records - ise.gov

Mark Andrews marka at isc.org
Wed May 21 14:22:56 UTC 2014


There is no DS record for ise.gov so there is no chain of trust and
the answer is treated as insecure.  Note "ad" is *not* set in flags
of your query.

; <<>> DiG 9.11.0pre-alpha <<>> ds ise.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45170
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ise.gov.			IN	DS

;; AUTHORITY SECTION:
gov.			3463	IN	SOA	a.usadotgov.net. nstld.verisign-grs.com. 1400670001 3600 900 1814400 3600

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 22 00:21:37 EST 2014
;; MSG SIZE  rcvd: 109

Mark

In message <EC464560-51AC-4329-B946-D0F31309CF53 at surevine.com>, Simon Waters writes:
> Dear Bind Users,
> 
> BIND 9 logs report: RRSIG has expired for "www.ise.gov"
> And "no valid signature found" for "ise.gov A".
> 
> Yet I can still resolve and visit the website http://ise.gov/
> 
> DNS recursive server has:
>         dnssec-validation yes;
>         dnssec-enable yes;
>         dnssec-accept-expired no;
> 
> Inspection: 
> 
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.32.amzn1 <<>> +norec +dnssec @ns1.p11.dynect.net ise.gov a
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61417
> ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;ise.gov.			IN	A
> 
> ;; ANSWER SECTION:
> ise.gov.		60	IN	A	50.19.98.143
> ise.gov.		60	IN	RRSIG	A 5 2 60 20140513120652 20140413120652 45468 ise.gov. VZpvQNUKY6Vt0yxytk7JzK4FGh54SImorcnbvIRKwhGp2nrrHZWgSRfM RiYtgbD2KSUoIOoaws5uDL1FAmMbbbFbdQBioEmJeCJMLzD1FJKPDBu3 PTtmTqgj7tdEM12evpM1v8JwDoN/ZYGwgMxkkOebqqrMQ0ZuprfmZqrf 6Zg=
> 
> ;; AUTHORITY SECTION:
> ise.gov.		86400	IN	NS	ns1.p11.dynect.net.
> ise.gov.		86400	IN	NS	ns4.p11.dynect.net.
> ise.gov.		86400	IN	NS	ns2.p11.dynect.net.
> ise.gov.		86400	IN	NS	ns3.p11.dynect.net.
> ise.gov.		86400	IN	RRSIG	NS 5 2 86400 20140513120652 20140413120652 45468 ise.gov. OJ6es8al+vr2hCU9IrEkIJ+Ly/XK79g/Hlp8vDCYR6qt5VrOA5dzC4Nq a0IOOn9Ryo38O021tlcTp9bHhC+sf02SmmbG1oBiRSbL2JaYPD0Cm5bg rLiGB9iE3lDrgIz++RytufcKjnloYyCYhfAUvTe5/tmSU5tP0rdes8yw 0rA=
> 
> ;; Query time: 22 msec
> ;; SERVER: 208.78.70.11#53(208.78.70.11)
> ;; WHEN: Wed May 21 11:40:16 2014
> ;; MSG SIZE  rcvd: 472
> 
> All name servers have the same expiry time for the RRSIG A record, which unless I'm more confused than I realise, is about a week ago. Clocks on all machines under our control are correct to the precision required (they know what day and year it is).
> 
> DNSviz suggests that SOA record is secure, but not A or MX for ise.gov and the date on the SOA RRSIG record is indeed in the future.
> 
> How is BIND deciding it is okay to return the A and MX records, and that this is not some sort of DNS replay attack?
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
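As an added illustration of the two decisions discussed in this thread (not code from Mark Andrews, ISC or BIND), the following Python script parses the RRSIG quoted in Simon's dig output, checks it against the signature validity window of RFC 4035 section 5.3.1, and then applies a simplified model of the resolver's decision: with no DS record at the parent there is no chain of trust into ise.gov, so the child's signatures are never evaluated and the answer is returned as Insecure without the AD flag; only when a chain exists does an expired signature make the answer Bogus. The record text and the query timestamp are constructed from the quoted output; the timestamp is assumed to be UTC because the dig output names no zone, and `accept_expired` is a hypothetical stand-in for BIND's `dnssec-accept-expired` option rather than BIND's own logic.

```python
"""Added example (not Mark Andrews', ISC's or BIND's code): reproduces the two
decisions discussed in the thread on constructed data copied from the quoted
dig output. Query time is assumed UTC; the validation decision is a
simplified model of RFC 4035, not BIND's implementation."""
from datetime import datetime, timezone
from enum import Enum

# RRSIG Expiration/Inception are written YYYYMMDDHHmmSS in UTC (RFC 4034 s3.2)
RRSIG_TIME_FMT = "%Y%m%d%H%M%S"

# Constructed sample: the RRSIG quoted in the thread, joined onto one line.
SAMPLE_RRSIG = (
    "ise.gov. 60 IN RRSIG A 5 2 60 20140513120652 20140413120652 45468 ise.gov. "
    "VZpvQNUKY6Vt0yxytk7JzK4FGh54SImorcnbvIRKwhGp2nrrHZWgSRfM "
    "RiYtgbD2KSUoIOoaws5uDL1FAmMbbbFbdQBioEmJeCJMLzD1FJKPDBu3 "
    "PTtmTqgj7tdEM12evpM1v8JwDoN/ZYGwgMxkkOebqqrMQ0ZuprfmZqrf 6Zg="
)
# Constructed sample: the WHEN timestamp of the quoted query, assumed UTC.
QUERY_TIME = "20140521114016"


def parse_rrsig_time(text: str) -> int:
    """Presentation-format timestamp -> seconds since the epoch (UTC)."""
    dt = datetime.strptime(text, RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def parse_rrsig_rr(line: str) -> dict:
    """Split an RRSIG RR in presentation format (RFC 4034 s3.2) into fields:
    owner ttl class RRSIG type-covered alg labels orig-ttl expiration
    inception key-tag signer signature (base64, possibly in space-separated
    chunks as dig prints it)."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG RR in presentation format")
    return {
        "owner": f[0], "ttl": int(f[1]), "type_covered": f[4],
        "algorithm": int(f[5]), "labels": int(f[6]), "original_ttl": int(f[7]),
        "expiration": f[8], "inception": f[9], "key_tag": int(f[10]),
        "signer": f[11], "signature": "".join(f[12:]),
    }


def serial_lte(a: int, b: int) -> bool:
    """a <= b in 32-bit serial-number arithmetic (RFC 1982), which is how
    RRSIG times are compared (RFC 4034 s3.1.5)."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return a == b or ((b - a) & 0xFFFFFFFF) < 2**31


def rrsig_window_state(rrsig: dict, now: int) -> str:
    """'valid' when inception <= now <= expiration (RFC 4035 s5.3.1),
    otherwise 'not_yet_valid' or 'expired'."""
    if not serial_lte(parse_rrsig_time(rrsig["inception"]), now):
        return "not_yet_valid"
    if not serial_lte(now, parse_rrsig_time(rrsig["expiration"])):
        return "expired"
    return "valid"


class State(Enum):
    SECURE = "secure"      # chain of trust and signatures verified: AD bit set
    INSECURE = "insecure"  # parent securely proves no DS: data returned, no AD
    BOGUS = "bogus"        # chain exists but signature fails: SERVFAIL


def validate_answer(parent_has_ds: bool, sig_state: str,
                    accept_expired: bool = False) -> State:
    """Simplified resolver decision. With no DS at the parent there is no
    chain of trust into the child, so its RRSIGs are never evaluated and the
    answer is Insecure. accept_expired is a hypothetical stand-in for BIND's
    dnssec-accept-expired option."""
    if not parent_has_ds:
        return State.INSECURE
    if sig_state == "valid" or (sig_state == "expired" and accept_expired):
        return State.SECURE
    return State.BOGUS


def ad_flag(state: State) -> bool:
    """The AD flag is only set on answers validated as Secure."""
    return state is State.SECURE


if __name__ == "__main__":
    rr = parse_rrsig_rr(SAMPLE_RRSIG)
    now = parse_rrsig_time(QUERY_TIME)
    sig = rrsig_window_state(rr, now)
    print("RRSIG over", rr["type_covered"], "is", sig, "at", QUERY_TIME)
    for has_ds in (False, True):
        st = validate_answer(has_ds, sig)
        print(f"DS at parent: {has_ds} -> {st.value}, ad={ad_flag(st)}")
```

Run as-is, the script reports the quoted A RRSIG as expired on 21 May 2014 and shows the same expired signature yielding an Insecure answer (no AD bit, data still returned) when the parent has no DS, versus Bogus when a DS exists; that difference is exactly why the website kept resolving while the log complained about the signature.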
