From: Dave Taht <dave.taht@gmail.com>
To: Simon Kelley <simon@thekelleys.org.uk>
Cc: dnsmasq-discuss <dnsmasq-discuss@lists.thekelleys.org.uk>,
cerowrt-devel <cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] [Dnsmasq-discuss] Had to disable dnssec today
Date: Sat, 26 Apr 2014 16:28:42 -0700
Message-ID: <CAA93jw66UGCcrNtP8i3PovSQhQWR3XSaPZXKQMD=ePL6s7pZjw@mail.gmail.com>
In-Reply-To: <535C0CB5.7070506@thekelleys.org.uk>
On Sat, Apr 26, 2014 at 12:44 PM, Simon Kelley <simon@thekelleys.org.uk> wrote:
> On 26/04/14 17:20, Aaron Wood wrote:
>> David,
>>
>> With two of them (akamai and cloudflare), I _think_ it's a dnsmasq
>> issue with the DS records for proving insecure domains are insecure.
>> But Simon Kelley would know that better than I.
>>
>
>
> The result of the analysis of the akamai domain was that there's a
> problem with the domain (i.e. it's an akamai problem). See the post in the
> Cerowrt list by Evan Hunt for the origin of this conclusion.
>
> There's a dnsmasq issue to the extent that dnsmasq uses a different
> strategy for proving that a name should not be signed than other
> nameservers (dnsmasq works bottom-up, the others can work top-down,
> since they are recursive servers, not forwarders.) This means that
> dnsmasq sees the akamai problem, whilst eg unbound happens not to. I
> plan to see if dnsmasq can be modified to improve this.
If it's not a violation of the specification, the bottom-up method might
be good to add to a dnssec validation tool.
>
> I'm not sure if cloudflare has been looked at in detail, but my
> impression was that it's the same as akamai.
>
>> With BofA, I'm nearly certain it's them, or an issue with one of
>> their partners (since the domain that fails isn't BofA, but
>> something else):
>>
>> (with dnssec turned off):
>>
>> ;; QUESTION SECTION:
>> ;sso-fi.bankofamerica.com.          IN   A
>>
>> ;; ANSWER SECTION:
>> sso-fi.bankofamerica.com.     3599  IN   CNAME  saml-bac.onefiserv.com.
>> saml-bac.onefiserv.com.       299   IN   CNAME  saml-bac.gslb.onefiserv.com.
>> saml-bac.gslb.onefiserv.com.  119   IN   A      208.235.248.157
>>
>> And it's the saml-bac.gslb.onefiserv.com host that's failing (see
>> here for debug info):
>>
>> http://dnssec-debugger.verisignlabs.com/sso-fi.bankofamerica.com
>>
>> -Aaron
>>
>>
>> On Sat, Apr 26, 2014 at 6:00 PM, <dpreed@reed.com> wrote:
>>
>>> Is this just a dnsmasq issue or is the DNSSEC mechanism broken at
>>> these sites? If it is the latter, I can get attention from
>>> executives at some of these companies (Heartbleed has sensitized
>>> all kinds of companies to the need to strengthen security
>>> infrastructure).
>>>
>>>
>>>
>>> If the former, the change process is going to be more tricky,
>>> because dnsmasq is easily dismissed as too small a proportion of
>>> the market to care. (wish it were not so).
>>>
>
>
> Given it's less than a month since the first DNSSEC-capable dnsmasq
> release, anything other than small market share would be fairly miraculous!
>
> Cheers,
>
> Simon.
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
--
Dave Täht
NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
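A constructed model of the two proof strategies Simon contrasts above (dnsmasq's bottom-up walk versus a recursive resolver's top-down walk), added here as an illustration; it is not code from dnsmasq or unbound, and the zone names, the "broken" DS answer and the simplified statuses are assumptions chosen to show why one validator can hit a misconfigured zone that the other never queries.

```python
# Constructed model of how a validator proves a name lives in an unsigned
# (insecure) zone.  Each entry says what the parent zone answers when
# asked for the child's DS record:
#   "ds"     -> a DS exists, so the child zone is signed
#   "nods"   -> a signed proof that no DS exists (insecure delegation)
#   "broken" -> an answer that cannot be validated (misconfigured child)
# Names are illustrative, not the real domains discussed in the thread.
ZONE_CUTS = {
    "com.":              "ds",
    "example.com.":      "nods",    # delegation is provably unsigned
    "gslb.example.com.": "broken",  # child mishandles DS queries
}


def zone_chain(name):
    """Zone cuts from the root down to the deepest cut containing name."""
    labels = name.rstrip(".").split(".")
    chain = []
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:]) + "."
        if candidate in ZONE_CUTS:
            chain.append(candidate)
    return chain


def top_down(name):
    """Recursive-resolver style: start at the root trust anchor and stop
    at the first delegation proven unsigned; zones below are never asked."""
    for cut in zone_chain(name):
        answer = ZONE_CUTS[cut]
        if answer == "nods":
            return "insecure"
        if answer == "broken":
            return "bogus"
    return "secure"


def bottom_up(name):
    """Forwarder style: ask for the deepest DS first and climb until a
    signed ancestor anchors the proof, so a broken child is hit first."""
    status = "secure"
    for cut in reversed(zone_chain(name)):
        answer = ZONE_CUTS[cut]
        if answer == "broken":
            return "bogus"
        if answer == "nods":
            status = "insecure"
        elif answer == "ds":
            break  # reached a signed ancestor; proof is anchored
    return status
```

For `www.gslb.example.com.` the top-down walk returns "insecure" at `example.com.` without ever querying `gslb.example.com.`, while the bottom-up walk queries the broken zone first and returns "bogus", which is the asymmetry Simon describes between dnsmasq and unbound.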