From: Aaron Wood
Date: Sun, 20 Apr 2014 08:16:42 +0200
To: Dave Taht
Cc: cerowrt-devel
Subject: Re: [Cerowrt-devel] First DNSSEC failure with CeroWRT
Message-Id: <36E6AFE7-AE5F-4DA6-927A-71084D3E4458@gmail.com>

It was an interesting find, which btw, silently breaks portions of online banking, as it redirects through the sso gateways.

-Aaron

Sent from my iPhone

> On Apr 19, 2014, at 21:20, Dave Taht wrote:
>
> you should report it to bank of america and see what happens.
>
> root@lorna-gw:/etc/config# nslookup www.bankofamerica.com
> Server: 127.0.0.1
> Address 1: 127.0.0.1 localhost
>
> Name: www.bankofamerica.com
> Address 1: 171.161.207.100
> root@lorna-gw:/etc/config# nslookup sso-fi.bankofamerica.com
> Server: 127.0.0.1
> Address 1: 127.0.0.1 localhost
>
> nslookup: can't resolve 'sso-fi.bankofamerica.com': Name or service not known
>
>> On Sat, Apr 19, 2014 at 12:19 PM, Dave Taht wrote:
>> I'm not sure if what you are actually seeing here is a failure or a
>> success! It does appear that this is
>> indeed a bogus DS.
>>
>> http://dnssec-debugger.verisignlabs.com/sso-fi.bankofamerica.com
>>
>>> On Sat, Apr 19, 2014 at 2:43 AM, Aaron Wood wrote:
>>> One of the many servers involved with BofA's online banking:
>>>
>>> Sat Apr 19 09:37:37 2014 daemon.info dnsmasq[29719]: using nameserver 8.8.4.4#53
>>> Sat Apr 19 09:37:37 2014 daemon.info dnsmasq[29719]: using nameserver 8.8.8.8#53
>>> Sat Apr 19 09:37:37 2014 daemon.info dnsmasq[29719]: using local addresses only for domain home.lan
>>> Sat Apr 19 09:37:37 2014 daemon.info dnsmasq[29719]: read /etc/hosts - 1 addresses
>>> Sat Apr 19 09:37:37 2014 daemon.info dnsmasq-dhcp[29719]: read /etc/ethers - 0 addresses
>>> Sat Apr 19 09:37:39 2014 daemon.info dnsmasq[29719]: query[A] saml-bac.onefiserv.com from 172.30.42.99
>>> Sat Apr 19 09:37:39 2014 daemon.info dnsmasq[29719]: forwarded saml-bac.onefiserv.com to 8.8.4.4
>>> Sat Apr 19 09:37:39 2014 daemon.info dnsmasq[29719]: forwarded saml-bac.onefiserv.com to 8.8.8.8
>>> Sat Apr 19 09:37:39 2014 daemon.info dnsmasq[29719]: dnssec-query[DS] saml-bac.onefiserv.com to 8.8.4.4
>>> Sat Apr 19 09:37:41 2014 daemon.info dnsmasq[29719]: reply saml-bac.onefiserv.com is BOGUS DS
>>> Sat Apr 19 09:37:41 2014 daemon.info dnsmasq[29719]: validation result is BOGUS
>>> Sat Apr 19 09:37:41 2014 daemon.info dnsmasq[29719]: reply saml-bac.onefiserv.com is
>>> Sat Apr 19 09:37:41 2014 daemon.info dnsmasq[29719]: reply saml-bac.gslb.onefiserv.com is 64.128.98.58
>>>
>>>
>>> Sat Apr 19 09:38:04 2014 daemon.info dnsmasq[29719]: query[A] sso-fi.bankofamerica.com from 172.30.42.99
>>> Sat Apr 19 09:38:04 2014 daemon.info dnsmasq[29719]: forwarded sso-fi.bankofamerica.com to 8.8.4.4
>>> Sat Apr 19 09:38:04 2014 daemon.info dnsmasq[29719]: forwarded sso-fi.bankofamerica.com to 8.8.8.8
>>> Sat Apr 19 09:38:04 2014 daemon.info dnsmasq[29719]: dnssec-query[DS] sso-fi.bankofamerica.com to 8.8.8.8
>>> Sat Apr 19 09:38:05 2014 daemon.info dnsmasq[29719]: query[A] sso-fi.bankofamerica.com from 172.30.42.99
>>> Sat Apr 19 09:38:05 2014 daemon.info dnsmasq[29719]: dnssec retry to 8.8.8.8
>>> Sat Apr 19 09:38:06 2014 daemon.info dnsmasq[29719]: reply sso-fi.bankofamerica.com is BOGUS DS
>>> Sat Apr 19 09:38:06 2014 daemon.info dnsmasq[29719]: validation result is BOGUS
>>> Sat Apr 19 09:38:06 2014 daemon.info dnsmasq[29719]: reply sso-fi.bankofamerica.com is
>>> Sat Apr 19 09:38:06 2014 daemon.info dnsmasq[29719]: reply saml-bac.onefiserv.com is 64.128.98.58
>>
>> --
>> Dave Täht
>>
>> NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
>
> --
> Dave Täht
>
> NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
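
Added example, not part of the original thread and not dnsmasq's own code: a parser for logs in the dnsmasq format quoted above that reports each name whose reply was marked BOGUS, together with the clients that asked for it and the upstreams queried for DNSSEC records. The sample log is constructed, and the function and field names are illustrative.

```python
import re

# Constructed sample in the dnsmasq log format quoted in the thread;
# names and addresses are placeholders, not values from the original logs.
SAMPLE_LOG = """\
Sat Apr 19 09:38:03 2014 daemon.info dnsmasq[29719]: query[A] www.bank.example from 192.168.1.50
Sat Apr 19 09:38:03 2014 daemon.info dnsmasq[29719]: forwarded www.bank.example to 192.0.2.53
Sat Apr 19 09:38:03 2014 daemon.info dnsmasq[29719]: reply www.bank.example is 198.51.100.10
Sat Apr 19 09:38:04 2014 daemon.info dnsmasq[29719]: query[A] sso.bank.example from 192.168.1.50
Sat Apr 19 09:38:04 2014 daemon.info dnsmasq[29719]: forwarded sso.bank.example to 192.0.2.53
Sat Apr 19 09:38:04 2014 daemon.info dnsmasq[29719]: dnssec-query[DS] sso.bank.example to 192.0.2.53
Sat Apr 19 09:38:05 2014 daemon.info dnsmasq[29719]: query[A] sso.bank.example from 192.168.1.51
Sat Apr 19 09:38:06 2014 daemon.info dnsmasq[29719]: reply sso.bank.example is BOGUS DS
Sat Apr 19 09:38:06 2014 daemon.info dnsmasq[29719]: validation result is BOGUS
"""

LINE = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}) \S+ dnsmasq\[\d+\]: (.*)$")
QUERY = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")
DNSSEC_Q = re.compile(r"dnssec-query\[(\w+)\] (\S+) to (\S+)")
BOGUS = re.compile(r"reply (\S+) is BOGUS (\w+)")


def find_bogus(log_text):
    """Return one finding per name whose reply dnsmasq marked BOGUS."""
    clients, upstreams, findings = {}, {}, {}
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # skip wrapped fragments and non-dnsmasq lines
        ts, msg = line.groups()
        if m := QUERY.fullmatch(msg):
            clients.setdefault(m.group(2), {})[m.group(3)] = None
        elif m := DNSSEC_Q.fullmatch(msg):
            upstreams.setdefault(m.group(2), {})[m.group(3)] = None
        elif m := BOGUS.fullmatch(msg):
            name, rrtype = m.groups()
            findings.setdefault(name, {"name": name, "rrtype": rrtype, "first_seen": ts})
    for name, f in findings.items():
        # Every client that asked for this name anywhere in the log, in order seen.
        f["clients"] = list(clients.get(name, {}))
        f["upstreams"] = list(upstreams.get(name, {}))
    return list(findings.values())


if __name__ == "__main__":
    for f in find_bogus(SAMPLE_LOG):
        print(f"{f['first_seen']}  {f['name']}  BOGUS {f['rrtype']}  "
              f"clients={','.join(f['clients'])}  upstreams={','.join(f['upstreams'])}")
```

Log lines that the mail client wrapped, as in the quoted messages, need to be rejoined before parsing, since the parser matches one complete dnsmasq entry per line.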