From mboxrd@z Thu Jan 1 00:00:00 1970
From: Dave Taht
To: Simon Kelley
Cc: dnsmasq-discuss, cerowrt-devel
Date: Sat, 26 Apr 2014 16:28:42 -0700
Subject: Re: [Cerowrt-devel] [Dnsmasq-discuss] Had to disable dnssec today
In-Reply-To: <535C0CB5.7070506@thekelleys.org.uk>
References: <1398528012.36628423@apps.rackspace.com> <535C0CB5.7070506@thekelleys.org.uk>
List-Id: Development issues regarding the cerowrt test router project

On Sat, Apr 26, 2014 at 12:44 PM, Simon Kelley wrote:
> On 26/04/14 17:20, Aaron Wood wrote:
>> David,
>>
>> With two of them (akamai and cloudflare), I _think_ it's a dnsmasq
>> issue with the DS records for proving insecure domains are insecure.
>> But Simon Kelley would know that better than I.
>>
>
> The result of the analysis of the akamai domain was that there's a
> problem with the domain (ie it's an akamai problem). See the post in the
> Cerowrt list by Evan Hunt for the origin of this conclusion.
>
> There's a dnsmasq issue to the extent that dnsmasq uses a different
> strategy for proving that a name should not be signed than other
> nameservers (dnsmasq works bottom-up, the others can work top-down,
> since they are recursive servers, not forwarders.) This means that
> dnsmasq sees the akamai problem, whilst eg unbound happens not to. I
> plan to see if dnsmasq can be modified to improve this.

If it's not a violation of the specification, the bottom-up method might
be good to add to a dnssec validation tool.

> I'm not sure if cloudflare has been looked at in detail, but my
> impression was that it's the same as akamai.
>
>> With BofA, I'm nearly certain it's them, or an issue with one of
>> their partners (since the domain that fails isn't BofA, but
>> something else):
>>
>> (with dnssec turned off):
>>
>> ;; QUESTION SECTION:
>> ;sso-fi.bankofamerica.com. IN A
>>
>> ;; ANSWER SECTION:
>> sso-fi.bankofamerica.com. 3599 IN CNAME saml-bac.onefiserv.com.
>> saml-bac.onefiserv.com. 299 IN CNAME saml-bac.gslb.onefiserv.com.
>> saml-bac.gslb.onefiserv.com. 119 IN A 208.235.248.157
>>
>> And it's the saml-bac.gslb.onefiserv.com host that's failing (see
>> here for debug info):
>>
>> http://dnssec-debugger.verisignlabs.com/sso-fi.bankofamerica.com
>>
>> -Aaron
>>
>>
>> On Sat, Apr 26, 2014 at 6:00 PM, wrote:
>>
>>> Is this just a dnsmasq issue or is the DNSSEC mechanism broken at
>>> these sites? If it is the latter, I can get attention from
>>> executives at some of these companies (Heartbleed has sensitized
>>> all kinds of companies to the need to strengthen security
>>> infrastructure).
>>>
>>> If the former, the change process is going to be more tricky,
>>> because dnsmasq is easily dismissed as too small a proportion of
>>> the market to care. (wish it were not so).
>>>
>
> Given it's less than a month since the first DNSSEC-capable dnsmasq
> release, anything other than small market share would be fairly miraculous!
>
> Cheers,
>
> Simon.
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel

-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
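As an added illustration of the bottom-up versus top-down proof strategies discussed in the thread above (constructed example code, not dnsmasq's or unbound's own logic), here is a toy model in which a zone below the real insecure delegation mishandles DS queries; the zone names and DS answers are assumptions, and the model leaves out the actual NSEC/NSEC3 and RRSIG checking.

```python
# Toy model of two strategies for proving that a name is legitimately unsigned.
# Constructed DS answers as the *parent* zone would serve them (made-up data, not real DNS):
#   "secure"        DS present and validly signed: the chain of trust continues below this cut
#   "proven-absent" signed NSEC/NSEC3 denial of DS: an authenticated insecure delegation
#   "broken"        malformed or SERVFAIL reply to the DS query (the kind of fault described above)
# Any owner name not listed answers "unsigned": no DS and no RRSIG, which proves nothing.
DS_ANSWERS = {
    "net.": "secure",
    "cdn-vendor.net.": "proven-absent",      # the real insecure cut (constructed name)
    "edge.cdn-vendor.net.": "broken",        # a zone below it that mishandles DS queries
    "org.": "secure",
    "example.org.": "proven-absent",         # a healthy unsigned delegation for comparison
}

def cuts_from_root(name):
    """Owner names from the TLD down to `name`, e.g. ['net.', 'cdn-vendor.net.', ...]."""
    parts = name.rstrip(".").split(".")
    return [".".join(parts[i:]) + "." for i in range(len(parts) - 1, -1, -1)]

def ds_query(owner, log):
    """Simulated DS lookup; records every query so the two strategies can be compared."""
    log.append(owner)
    return DS_ANSWERS.get(owner, "unsigned")

def prove_top_down(name):
    """Recursive-resolver style: descend from the root, stop at the first proven-insecure cut."""
    log = []
    for cut in cuts_from_root(name):
        answer = ds_query(cut, log)
        if answer == "secure":
            continue
        if answer == "proven-absent":
            return "insecure", log
        return "bogus", log  # a signed parent must answer with signed data; anything else fails
    return "secure", log

def prove_bottom_up(name):
    """Forwarder style: ask DS for the name itself and climb until a signed answer settles it."""
    log = []
    for cut in reversed(cuts_from_root(name)):
        answer = ds_query(cut, log)
        if answer == "unsigned":
            continue  # nothing signed here; the proof has to come from a zone higher up
        if answer == "proven-absent":
            return "insecure", log
        if answer == "broken":
            return "bogus", log  # a faulty zone below the real cut is reached before the proof
        # "secure": a validated DS at this cut; keep climbing to confirm the chain to the root
    return "secure", log
```

For the constructed tree, the top-down walk stops at cdn-vendor.net. and never touches the faulty zone, while the bottom-up walk reaches it first and reports the name as bogus, which is the asymmetry between unbound and dnsmasq described above.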