DNSSEC, OpenDNS and www.cdc.gov - DNS Compliance checker?
Joseph Zik
josephzik at gmail.com
Tue Nov 5 11:08:02 UTC 2024
I highly recommend the following checker: https://zonemaster.se/en/run-test
On Mon, Nov 4, 2024, 3:25 PM Julian Panke via bind-users <
bind-users at lists.isc.org> wrote:
> Maybe https://dnsviz.net/ ?
>
> Mit freundlichen Grüßen
>
> Julian Panke
>
> -------- Ursprüngliche Nachricht --------
> Am 04.11.24 12:58 um Robert Wagner schrieb :
> Any chance someone from the bind group knows of an open-source DNS
> compliance validation tool that can analyze and check configuration
> settings?
> I hate to say it, but there are a lot of people managing DNS servers as
> part of other responsibilities. If it responds with an IP, then they
> consider it working/functional and nothing needs to be done. Having a tool
> that reviews your configuration and points out issues would help us
> advocate for proper configuration. Kind of a SSL checker for DNS...
>
> Thanks in advance for any thoughts you can provide.
>
> Robert Wagner
> From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Robert
> Edmonds <edmonds at mycre.ws>
> Sent: Friday, November 1, 2024 4:16 PM
> To: Robert Mankowski <robert.mankowski at hotmail.com>
> Cc: bind-users at lists.isc.org <bind-users at lists.isc.org>
> Subject: Re: DNSSEC, OpenDNS and www.cdc.gov
>
> This email originated from outside of TESLA
>
> Do not click links or open attachments unless you recognize the sender and
> know the content is safe.
>
> This is a problem with the operational configuration of the cdc.gov
> nameservers.
>
> The gov nameservers publish the following NS records for cdc.gov:
>
> cdc.gov. 10800 IN NS auth00.ns.uu.net.
> cdc.gov. 10800 IN NS auth100.ns.uu.net.
> cdc.gov. 10800 IN NS ns1.cdc.gov.
> cdc.gov. 10800 IN NS ns2.cdc.gov.
> cdc.gov. 10800 IN NS ns3.cdc.gov.
>
> The cdc.gov nameservers publish the following NS records for cdc.gov:
>
> cdc.gov. 3600 IN NS ns1.cdc.gov.
> cdc.gov. 3600 IN NS ns2.cdc.gov.
> cdc.gov. 3600 IN NS ns3.cdc.gov.
>
> This NS RRset from the cdc.gov nameservers (the NS RRset directly above
> which has three .cdc.gov NS records) is the authoritative NS RRset for
> cdc.gov and is used by standards conforming resolver implementation in
> preference to the non-authoritative NS RRset in the referral response
> from the .gov nameservers (the NS RRset at the top of this email with
> five NS records). See RFC 2181, section 5.4.1.
>
> The domain name www.cdc.gov is a CNAME to www.akam.cdc.gov:
>
> www.cdc.gov. 300 IN CNAME www.akam.cdc.gov.
>
> The ".cdc.gov" nameservers all generate RCODE "REFUSED" answers for
> queries for www.akam.cdc.gov (as well as akam.cdc.gov):
>
> ; <<>> DiG 9.20.2-1-Debian <<>> +norec @ns1.cdc.gov www.akam.cdc.gov
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 27267
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;www.akam.cdc.gov. IN A
>
> ;; Query time: 4 msec
> ;; SERVER: 198.246.96.61#53(ns1.cdc.gov) (UDP)
> ;; WHEN: Fri Nov 01 15:40:44 EDT 2024
> ;; MSG SIZE rcvd: 45
>
> This is a standards conformance problem with the .cdc.gov nameservers.
> The .cdc.gov nameservers should either return a response containing
> records that answer the query, or a referral response to the nameservers
> that do. See RFC 1034, section 4.3.2(3)(b).
>
> The reason that some DNS resolver services are able to resolve this
> name is because they are probably also querying the .uu.net nameservers
> included in the delegation NS RRset for cdc.gov, and those nameservers
> are able to return a delegation for the akam.cdc.gov zone:
>
> ; <<>> DiG 9.20.2-1-Debian <<>> +norec @auth00.ns.uu.net
> www.akam.cdc.gov
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51056
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; NSID: 56 65 72 69 7a 6f 6e ("Verizon")
> ;; QUESTION SECTION:
> ;www.akam.cdc.gov. IN A
>
> ;; AUTHORITY SECTION:
> akam.cdc.gov. 86400 IN NS a1-43.akam.net.
> akam.cdc.gov. 86400 IN NS a5-66.akam.net.
> akam.cdc.gov. 86400 IN NS a2-64.akam.net.
> akam.cdc.gov. 86400 IN NS a8-67.akam.net.
> akam.cdc.gov. 86400 IN NS a9-64.akam.net.
> akam.cdc.gov. 86400 IN NS a28-65.akam.net.
>
> ;; Query time: 16 msec
> ;; SERVER: 198.6.1.65#53(auth00.ns.uu.net) (UDP)
> ;; WHEN: Fri Nov 01 15:44:13 EDT 2024
> ;; MSG SIZE rcvd: 185
>
> To be clear, though, this is unambiguously a problem with the cdc.gov
> nameservers and not a fault in resolver implementations that utilize the
> authoritative NS RRset for cdc.gov which does not include the .uu.net
> nameservers.
>
> Various issues with the operation of the cdc.gov zone have been reported
> to DNS-OARC's dns-operations mailing list over the years (as well as
> other forums). The most recent thread is archived here:
>
> https://lists.dns-oarc.net/pipermail/dns-operations/2024-July/022642.html
>
> Robert Mankowski wrote:
> > I recently implemented a forward only BIND server for home. I was
> forwarding to
> > OpenDNS FamilyShield using TLS and DNSSEC at first, but I was getting a
> > noticeable amount of SERVFAIL responses. I believe it is related to
> DNSSEC (see
> > delv tests below), but I don’t believe it is my configuration because
> when I
> > forward to Cloudflare’s Family service, or to Google DNS, I don’t have
> any
> > problems with the same domains (e.g. www.cdc.gov).
> >
> >
> >
> > I contacted Cisco Umbrella support because I was thinking it’s an issue
> with
> > their servers, but they didn’t really help, so I thought I would try
> this list
> > for advice.
> >
> >
> >
> > Would appreciate it if someone could review my configuration and/or
> reproduce
> > my results to see if I’m doing something wrong.
> >
> >
> >
> > Thanks,
> >
> >
> >
> > Bob
> >
> >
> >
> > Here are some tests I ran:
> >
> >
> >
> > admin at router1:~$ apt-cache policy bind9
> >
> > bind9:
> >
> > Installed: 1:9.21.1-1+0~20240920.124+debian12~1.gbp62e0e7
> >
> > Candidate: 1:9.21.1-1+0~20240920.124+debian12~1.gbp62e0e7
> >
> > Version table:
> >
> > *** 1:9.21.1-1+0~20240920.124+debian12~1.gbp62e0e7 500
> >
> > 500 https://packages.sury.org/bind-dev bookworm/main amd64
> Packages
> >
> > 100 /var/lib/dpkg/status
> >
> > 1:9.18.28-1~deb12u2 500
> >
> > 500 http://deb.debian.org/debian bookworm/main amd64 Packages
> >
> > 500 http://security.debian.org/debian-security
> bookworm-security/main
> > amd64 Packages
> >
> >
> >
> >
> >
> > admin at router1:~$ delv -v
> >
> > delv 9.21.1-1+0~20240920.124+debian12~1.gbp62e0e7-Debian
> >
> >
> >
> > admin at router1:~$ delv -4 @208.67.220.123 www.cdc.gov. A
> >
> > ;; insecurity proof failed resolving 'cdc.gov/DNSKEY/IN':
> 208.67.220.123#53
> >
> > ;; broken trust chain resolving 'www.cdc.gov/A/IN': 208.67.220.123#53
> >
> > ;; resolution failed: broken trust chain
> >
> >
> >
> > admin at router1:~$ delv -4 @208.67.222.123 www.cdc.gov. A
> >
> > ;; insecurity proof failed resolving 'cdc.gov/DNSKEY/IN':
> 208.67.222.123#53
> >
> > ;; broken trust chain resolving 'www.cdc.gov/A/IN': 208.67.222.123#53
> >
> > ;; resolution failed: broken trust chain
> >
> >
> >
> > admin at router1:~$ delv -4 @1.1.1.3 www.cdc.gov. A
> >
> > ; fully validated
> >
> > www.cdc.gov. 248 IN CNAME www.akam.cdc.gov.
> >
> > www.cdc.gov. 248 IN RRSIG CNAME 8 3 300
> 20241019153420
> > 20241009150230 1503 cdc.gov.
> > b99UIGmCOTJj+C7JFXORmtUXQEIIGdF0q3Z5u6HfAbKcJhjfFjJrkRE6
> > yntzr0pSksCp1Uwi146xvKz7ImCqkYK67/WlOujyquOGSfgOwO1DvUyj
> > TfvXJWvjSRLTx30lwU6RV80RrC596A16anTpLc7Zi4VEAVncRHeUl1y1 /MG/CSCtE/
> > Ef6tPD1FtGZjhXszVAgrk3fhISCsImRHuGAoIBnIKCKx2M
> > YMhxirfV0z9Qq46PnW9zTzh+EbVKZkN0C+Xl3j2+4sqyHlubhrtgklG/ g0u+99/g/
> > jdfex+Vh7dtcAXFcTZ1XGuPQXgsn6GrznecB8PaXmCxXfft GaDOdQ==
> >
> > www.akam.cdc.gov. 20 IN A 23.51.224.222
> >
> > www.akam.cdc.gov. 20 IN RRSIG A 10 4 20
> 20241018102927
> > 20241015092927 16701 akam.cdc.gov.
> > Lcd7WthqqU+A7UwQkBHZsT0nqxztJkn9cx57wXr4eHHCvJR0cCxZFkwl
> > eIbSffPIu364terXJlcEvuWbWTLrCX7bo0c6B9bA5EPi2DsbegTfkG5u
> > cqrZP9RTzXbfbs5l5w6CQ9DfSPcYx9BIYkusErQu5qQnGhoQ5bXI1VxT Otc=
> >
> >
> >
> > The relevant portion of my named configuration is:
> >
> >
> >
> > tls opendns-tls {
> >
> > remote-hostname "dns.opendns.com";
> >
> > };
> >
> >
> >
> > tls cloudflare_family-tls {
> >
> > remote-hostname "one.one.one.one";
> >
> > };
> >
> >
> >
> > tls google-tls {
> >
> > };
> >
> >
> >
> > tls router1-tls {
> >
> > key-file "/var/cache/bind/privkey.pem";
> >
> > cert-file "/var/cache/bind/fullchain.pem";
> >
> > dhparam-file "/var/cache/bind/dhparam.pem";
> >
> > ciphers
> "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!
> > SHA1:!SHA256:!SHA384";
> >
> > prefer-server-ciphers yes;
> >
> > session-tickets no;
> >
> > };
> >
> >
> >
> > options {
> >
> > directory "/var/cache/bind";
> >
> > recursion yes;
> >
> > allow-query { trusted_nets; };
> >
> > version "none";
> >
> >
> >
> > forwarders {
> >
> > # 1.1.1.3 port 853 tls cloudflare_family-tls;
> >
> > # 1.0.0.3 port 853 tls cloudflare_family-tls;
> >
> > 208.67.222.123 port 853 tls opendns-tls;
> >
> > 208.67.220.123 port 853 tls opendns-tls;
> >
> > # 8.8.8.8 port 853 tls google-tls;
> >
> > # 8.8.4.4 port 853 tls google-tls;
> >
> > };
> >
> >
> >
> > forward only;
> >
> >
> >
> > allow-transfer { none; };
> >
> >
> >
> > dnssec-validation auto;
> >
> >
> >
> > listen-on port 443 tls router1-tls http default {
> trusted_interfaces; };
> >
> > listen-on port 853 tls router1-tls { trusted_interfaces; };
> >
> > listen-on { trusted_interfaces; };
> >
> > listen-on-v6 { none; };
> >
> >
> >
> > zone-statistics yes ;
> >
> > };
> >
> >
> >
> >
> >
>
> > --
> > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
> >
> > ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
> >
> >
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
>
> --
> Robert Edmonds
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20241105/ded58b5f/attachment-0001.htm>
More information about the bind-users
mailing list