Development issues regarding the cerowrt test router project
From: Simon Kelley <simon@thekelleys.org.uk>
To: Aaron Wood <woody77@gmail.com>, David Reed <dpreed@reed.com>
Cc: dnsmasq-discuss <dnsmasq-discuss@lists.thekelleys.org.uk>,
	cerowrt-devel <cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] [Dnsmasq-discuss]  Had to disable dnssec today
Date: Sat, 26 Apr 2014 20:44:53 +0100
Message-ID: <535C0CB5.7070506@thekelleys.org.uk>
In-Reply-To: <CALQXh-Mv_WD+ya3-2awmN6bQ_wV0KeuEe0AsXKXar5KJYaGyMQ@mail.gmail.com>

On 26/04/14 17:20, Aaron Wood wrote:
> David,
> 
> With two of them (akamai and cloudflare), I _think_ it's a dnsmasq 
> issue with the DS records for proving insecure domains are insecure. 
> But Simon Kelley would know that better than I.
> 


The result of the analysis of the akamai domain was that there's a
problem with the domain (i.e. it's an akamai problem). See the post in the
Cerowrt list by Evan Hunt for the origin of this conclusion.

There's a dnsmasq issue to the extent that dnsmasq uses a different
strategy for proving that a name should not be signed than other
nameservers (dnsmasq works bottom-up, the others can work top-down,
since they are recursive servers, not forwarders.) This means that
dnsmasq sees the akamai problem, whilst eg unbound happens not to. I
plan to see if dnsmasq can be modified to improve this.

I'm not sure if cloudflare has been looked at in detail, but my
impression was that it's the same as akamai.

> With BofA, I'm nearly certain it's them, or an issue with one of 
> their partners (since the domain that fails isn't BofA, but
> something else):
> 
> (with dnssec turned off):
> 
> ;; QUESTION SECTION:
> ;sso-fi.bankofamerica.com. IN A
> 
> ;; ANSWER SECTION:
> sso-fi.bankofamerica.com. 3599 IN CNAME saml-bac.onefiserv.com.
> saml-bac.onefiserv.com. 299 IN CNAME saml-bac.gslb.onefiserv.com.
> saml-bac.gslb.onefiserv.com. 119 IN A 208.235.248.157
> 
> And it's the saml-bac.gslb.onefiserv.com host that's failing (see 
> here for debug info):
> 
> http://dnssec-debugger.verisignlabs.com/sso-fi.bankofamerica.com
> 
> -Aaron
> 
> 
> On Sat, Apr 26, 2014 at 6:00 PM, <dpreed@reed.com> wrote:
> 
>> Is this just a dnsmasq issue or is the DNSSEC mechanism broken at 
>> these sites?   If it is the latter, I can get attention from 
>> executives at some of these companies (Heartbleed has sensitized 
>> all kinds of companies to the need to strengthen security 
>> infrastructure).
>> 
>> 
>> 
>> If the former, the change process is going to be more tricky, 
>> because dnsmasq is easily dismissed as too small a proportion of 
>> the market to care.  (wish it were not so).
>> 


Given it's less than a month since the first DNSSEC-capable dnsmasq
release, anything other than small market share would be fairly miraculous!

Cheers,

Simon.
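The bottom-up versus top-down distinction Simon describes, as an added simulation (not dnsmasq or unbound code): the delegation tree, the example.com names and the misbehaving cdn.example.com label are invented to show why a forwarder walking up from the owner name can hit an intermediate DS answer that a recursive resolver walking down along referrals never asks for.

```python
"""Constructed model of two ways a validator proves a name is unsigned:
top-down along referrals (recursive resolver) or bottom-up from the
answer's owner name (a forwarder). Illustration only; all zone data is invented."""

# Validated outcome of a DS query for each name (checked against the parent).
DS = "DS"                     # validated DS record: the child zone is signed
DENIED = "NODATA_PROVEN"      # validated NSEC/NSEC3 proof that no DS exists
UNSIGNED = "NODATA_UNSIGNED"  # NODATA from an unsigned zone: proves nothing
BOGUS = "BOGUS"               # response that fails validation (or SERVFAIL)

DS_ANSWERS = {                # constructed data for a hypothetical domain
    "com.": DS,
    "example.com.": DENIED,          # clean insecure delegation
    "cdn.example.com.": BOGUS,       # hypothetical label that answers DS badly
}
REFERRAL_PATH = ["com.", "example.com."]  # zone cuts seen on the way down


def ancestors(name):
    """Owner name and every ancestor up to (but excluding) the root."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def prove_top_down(path=REFERRAL_PATH):
    """Recursive-resolver view: ask for DS only at the cuts seen in referrals."""
    queried = []
    for cut in path:
        queried.append(cut)
        answer = DS_ANSWERS.get(cut, BOGUS)
        if answer == DENIED:
            return "insecure", queried
        if answer != DS:
            return "bogus", queried
    return "secure", queried


def prove_bottom_up(name):
    """Forwarder view: ask for DS at the owner name and walk upward until an
    answer validates; unlisted names yield unsigned NODATA and are skipped."""
    queried = []
    for cand in ancestors(name):
        queried.append(cand)
        answer = DS_ANSWERS.get(cand, UNSIGNED)
        if answer == DENIED:
            return "insecure", queried
        if answer == DS:
            return "secure", queried
        if answer == BOGUS:
            return "bogus", queried  # conservative: cannot build the proof
    return "secure", queried  # reached the trust anchor with no insecure cut
```

With this data `prove_top_down()` accepts the name as insecure after two DS queries, while `prove_bottom_up("www.cdn.example.com.")` fails on the broken intermediate label that the top-down walk never touches.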