From: Aaron Wood <woody77@gmail.com>
To: Dave Taht <dave.taht@gmail.com>
Cc: cerowrt-devel <cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] First DNSSEC failure with CeroWRT
Date: Sun, 20 Apr 2014 08:16:42 +0200 [thread overview]
Message-ID: <36E6AFE7-AE5F-4DA6-927A-71084D3E4458@gmail.com> (raw)
In-Reply-To: <CAA93jw7tYyVpaB1qCqcsz_XJLmRe_s=N5Wpy6d234n1sp+gAkg@mail.gmail.com>
It was an interesting find, which btw, silently breaks portions of online banking, as it redirects through the sso gateways.
-Aaron
Sent from my iPhone
> On Apr 19, 2014, at 21:20, Dave Taht <dave.taht@gmail.com> wrote:
>
> you should report it to bank of america and see what happens.
>
> root@lorna-gw:/etc/config# nslookup www.bankofamerica.com
> Server: 127.0.0.1
> Address 1: 127.0.0.1 localhost
>
> Name: www.bankofamerica.com
> Address 1: 171.161.207.100
> root@lorna-gw:/etc/config# nslookup sso-fi.bankofamerica.com
> Server: 127.0.0.1
> Address 1: 127.0.0.1 localhost
>
> nslookup: can't resolve 'sso-fi.bankofamerica.com': Name or service not known
>
>> On Sat, Apr 19, 2014 at 12:19 PM, Dave Taht <dave.taht@gmail.com> wrote:
>> I'm not sure if what you are actually seeing here is a failure or a
>> success! It does appear that this is
>> indeed a bogus DS.
>>
>> http://dnssec-debugger.verisignlabs.com/sso-fi.bankofamerica.com
>>
>>> On Sat, Apr 19, 2014 at 2:43 AM, Aaron Wood <woody77@gmail.com> wrote:
>>> One of the many servers involved with BofA's online banking:
>>>
>>> Sat Apr 19 09:37:37 2014 daemon.info dnsmasq[29719]: using nameserver
>>> 8.8.4.4#53
>>> Sat Apr 19 09:37:37 2014 daemon.info dnsmasq[29719]: using nameserver
>>> 8.8.8.8#53
>>> Sat Apr 19 09:37:37 2014 daemon.info dnsmasq[29719]: using local addresses
>>> only for domain home.lan
>>> Sat Apr 19 09:37:37 2014 daemon.info dnsmasq[29719]: read /etc/hosts - 1
>>> addresses
>>> Sat Apr 19 09:37:37 2014 daemon.info dnsmasq-dhcp[29719]: read /etc/ethers -
>>> 0 addresses
>>> Sat Apr 19 09:37:39 2014 daemon.info dnsmasq[29719]: query[A]
>>> saml-bac.onefiserv.com from 172.30.42.99
>>> Sat Apr 19 09:37:39 2014 daemon.info dnsmasq[29719]: forwarded
>>> saml-bac.onefiserv.com to 8.8.4.4
>>> Sat Apr 19 09:37:39 2014 daemon.info dnsmasq[29719]: forwarded
>>> saml-bac.onefiserv.com to 8.8.8.8
>>> Sat Apr 19 09:37:39 2014 daemon.info dnsmasq[29719]: dnssec-query[DS]
>>> saml-bac.onefiserv.com to 8.8.4.4
>>> Sat Apr 19 09:37:41 2014 daemon.info dnsmasq[29719]: reply
>>> saml-bac.onefiserv.com is BOGUS DS
>>> Sat Apr 19 09:37:41 2014 daemon.info dnsmasq[29719]: validation result is
>>> BOGUS
>>> Sat Apr 19 09:37:41 2014 daemon.info dnsmasq[29719]: reply
>>> saml-bac.onefiserv.com is <CNAME>
>>> Sat Apr 19 09:37:41 2014 daemon.info dnsmasq[29719]: reply
>>> saml-bac.gslb.onefiserv.com is 64.128.98.58
>>>
>>>
>>> Sat Apr 19 09:38:04 2014 daemon.info dnsmasq[29719]: query[A]
>>> sso-fi.bankofamerica.com from 172.30.42.99
>>> Sat Apr 19 09:38:04 2014 daemon.info dnsmasq[29719]: forwarded
>>> sso-fi.bankofamerica.com to 8.8.4.4
>>> Sat Apr 19 09:38:04 2014 daemon.info dnsmasq[29719]: forwarded
>>> sso-fi.bankofamerica.com to 8.8.8.8
>>> Sat Apr 19 09:38:04 2014 daemon.info dnsmasq[29719]: dnssec-query[DS]
>>> sso-fi.bankofamerica.com to 8.8.8.8
>>> Sat Apr 19 09:38:05 2014 daemon.info dnsmasq[29719]: query[A]
>>> sso-fi.bankofamerica.com from 172.30.42.99
>>> Sat Apr 19 09:38:05 2014 daemon.info dnsmasq[29719]: dnssec retry to 8.8.8.8
>>> Sat Apr 19 09:38:06 2014 daemon.info dnsmasq[29719]: reply
>>> sso-fi.bankofamerica.com is BOGUS DS
>>> Sat Apr 19 09:38:06 2014 daemon.info dnsmasq[29719]: validation result is
>>> BOGUS
>>> Sat Apr 19 09:38:06 2014 daemon.info dnsmasq[29719]: reply
>>> sso-fi.bankofamerica.com is <CNAME>
>>> Sat Apr 19 09:38:06 2014 daemon.info dnsmasq[29719]: reply
>>> saml-bac.onefiserv.com is 64.128.98.58
>>>
>>> _______________________________________________
>>> Cerowrt-devel mailing list
>>> Cerowrt-devel@lists.bufferbloat.net
>>> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>>
>>
>>
>> --
>> Dave Täht
>>
>> NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
>
>
>
> --
> Dave Täht
>
> NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
prev parent reply other threads:[~2014-04-20 6:16 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-19 9:43 Aaron Wood
2014-04-19 19:19 ` Dave Taht
2014-04-19 19:20 ` Dave Taht
2014-04-20 6:16 ` Aaron Wood [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.bufferbloat.net/postorius/lists/cerowrt-devel.lists.bufferbloat.net/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=36E6AFE7-AE5F-4DA6-927A-71084D3E4458@gmail.com \
--to=woody77@gmail.com \
--cc=cerowrt-devel@lists.bufferbloat.net \
--cc=dave.taht@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox