From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <woody77@gmail.com>
Received: from mail-ie0-x22c.google.com (mail-ie0-x22c.google.com
	[IPv6:2607:f8b0:4001:c03::22c])
	(using TLSv1 with cipher RC4-SHA (128/128 bits))
	(Client CN "smtp.gmail.com",
	Issuer "Google Internet Authority G2" (verified OK))
	by huchra.bufferbloat.net (Postfix) with ESMTPS id 664EF21F27C
	for <cerowrt-devel@lists.bufferbloat.net>;
	Sat, 26 Apr 2014 09:20:06 -0700 (PDT)
Received: by mail-ie0-f172.google.com with SMTP id at1so1606257iec.3
	for <cerowrt-devel@lists.bufferbloat.net>;
	Sat, 26 Apr 2014 09:20:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:cc:content-type;
	bh=Me7kX8Xrh1+Ki0e8MO9DIco4P4YSz+cGgPqgtytc2XA=;
	b=dllbFTkxTV//mpd/lgh6QBvX+vqn1uP66x82qb2c+SKTp60Z/OgIXl4gk6ajCh4wwr
	Y3kqNW03eFQpSw1/sQWJf6VldhXQaXe+Vvzld/aWoMmhMh07Yj1j65xq77V2vcTO3ANh
	R8EUb6+ZW1Anlhj/QIbZ3WXvxQrDI8AA+k67t46pcT0vD1IOax2NbsrpmXdCRGR3+j9h
	H86RvRQp032w1R7RT6oBYMsIo1Q6yricKwJ5q6ZGTjq/TIaYAT5ym192A02QtSOLyF95
	wRUjmb0qzPXpVSP9SrWVjpy7ux33qWvCyJBxX07oemNMUkSml9vxaHP7ZcvdAMdFs7DA
	HbIg==
MIME-Version: 1.0
X-Received: by 10.50.43.225 with SMTP id z1mr12233771igl.29.1398529205681;
	Sat, 26 Apr 2014 09:20:05 -0700 (PDT)
Received: by 10.64.59.165 with HTTP; Sat, 26 Apr 2014 09:20:05 -0700 (PDT)
In-Reply-To: <1398528012.36628423@apps.rackspace.com>
References: <CALQXh-PJ+iP0r15Jewyx1wt3KWSmXNwbUME-41WM3BfXVja81g@mail.gmail.com>
	<1398528012.36628423@apps.rackspace.com>
Date: Sat, 26 Apr 2014 18:20:05 +0200
Message-ID: <CALQXh-Mv_WD+ya3-2awmN6bQ_wV0KeuEe0AsXKXar5KJYaGyMQ@mail.gmail.com>
From: Aaron Wood <woody77@gmail.com>
To: David Reed <dpreed@reed.com>
Content-Type: multipart/alternative; boundary=089e010d8dd683458104f7f4740d
Cc: dnsmasq-discuss <dnsmasq-discuss@lists.thekelleys.org.uk>,
	cerowrt-devel <cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] Had to disable dnssec today
X-BeenThere: cerowrt-devel@lists.bufferbloat.net
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Development issues regarding the cerowrt test router project
	<cerowrt-devel.lists.bufferbloat.net>
List-Unsubscribe: <https://lists.bufferbloat.net/options/cerowrt-devel>,
	<mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=unsubscribe>
List-Archive: <https://lists.bufferbloat.net/pipermail/cerowrt-devel>
List-Post: <mailto:cerowrt-devel@lists.bufferbloat.net>
List-Help: <mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=help>
List-Subscribe: <https://lists.bufferbloat.net/listinfo/cerowrt-devel>,
	<mailto:cerowrt-devel-request@lists.bufferbloat.net?subject=subscribe>
X-List-Received-Date: Sat, 26 Apr 2014 16:20:06 -0000

--089e010d8dd683458104f7f4740d
Content-Type: text/plain; charset=UTF-8

David,

With two of them (akamai and cloudflare), I _think_ it's a dnsmasq issue
with the DS records for proving insecure domains are insecure.  But Simon
Kelley would know that better than I.

With BofA, I'm nearly certain it's them, or an issue with one of their
partners (since the domain that fails isn't BofA, but something else):

(with dnssec turned off):

;; QUESTION SECTION:
;sso-fi.bankofamerica.com. IN A

;; ANSWER SECTION:
sso-fi.bankofamerica.com. 3599 IN CNAME saml-bac.onefiserv.com.
saml-bac.onefiserv.com. 299 IN CNAME saml-bac.gslb.onefiserv.com.
saml-bac.gslb.onefiserv.com. 119 IN A 208.235.248.157

And it's the saml-bac.gslb.onefiserv.com host that's failing (see here for
debug info):

http://dnssec-debugger.verisignlabs.com/sso-fi.bankofamerica.com

-Aaron


On Sat, Apr 26, 2014 at 6:00 PM, <dpreed@reed.com> wrote:

> Is this just a dnsmasq issue or is the DNSSEC mechanism broken at these
> sites?   If it is the latter, I can get attention from executives at some
> of these companies (Heartbleed has sensitized all kinds of companies to the
> need to strengthen security infrastructure).
>
>
>
> If the former, the change process is going to be more tricky, because
> dnsmasq is easily dismissed as too small a proportion of the market to
> care.  (wish it were not so).
>
>
>
> On Saturday, April 26, 2014 7:38am, "Aaron Wood" <woody77@gmail.com> said:
>
>  Just too many sites aren't working correctly with dnsmasq and using
> Google's DNS servers.
> - Bank of America (sso-fi.bankofamerica.com)
> - Weather Underground (cdnjs.cloudflare.com)
> - Akamai (e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net)
> And I'm not getting any traction with reporting the errors to those sites,
> so it's frustrating in getting it properly fixed.
> While Akamai and cloudflare appear to be issues with their entries in
> google dns, or with dnsmasq's validation of them being insecure domains,
> the BofA issue appears to be an outright bad key.  And BofA isn't being
> helpful (just a continual "we use ssl" sort of quasi-automated response).
> So I'm disabling it for now, or rather, falling back to using my ISP's dns
> servers, which don't support DNSSEC at this time.  I'll be periodically
> turning it back on, but too much is broken (mainly due to the cdns) to be
> able to rely on it at this time.
> -Aaron
>

--089e010d8dd683458104f7f4740d
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">David,<div><br></div><div>With two of them (akamai and clo=
udflare), I _think_ it&#39;s a dnsmasq issue with the DS records for provin=
g insecure domains are insecure. =C2=A0But Simon Kelley would know that bet=
ter than I.</div>
<div><br></div><div>With BofA, I&#39;m nearly certain it&#39;s them, or an =
issue with one of their partners (since the domain that fails isn&#39;t Bof=
A, but something else):</div><div><br></div><div>(with dnssec turned off):<=
/div>
<div><br></div><div><div>;; QUESTION SECTION:</div><div>;<a href=3D"http://=
sso-fi.bankofamerica.com">sso-fi.bankofamerica.com</a>.<span class=3D"" sty=
le=3D"white-space:pre">	</span>IN<span class=3D"" style=3D"white-space:pre"=
>	</span>A</div>
<div><br></div><div>;; ANSWER SECTION:</div><div><a href=3D"http://sso-fi.b=
ankofamerica.com">sso-fi.bankofamerica.com</a>. 3599<span class=3D"" style=
=3D"white-space:pre">	</span>IN<span class=3D"" style=3D"white-space:pre">	=
</span>CNAME<span class=3D"" style=3D"white-space:pre">	</span><a href=3D"h=
ttp://saml-bac.onefiserv.com">saml-bac.onefiserv.com</a>.</div>
<div><a href=3D"http://saml-bac.onefiserv.com">saml-bac.onefiserv.com</a>.<=
span class=3D"" style=3D"white-space:pre">	</span>299<span class=3D"" style=
=3D"white-space:pre">	</span>IN<span class=3D"" style=3D"white-space:pre">	=
</span>CNAME<span class=3D"" style=3D"white-space:pre">	</span><a href=3D"h=
ttp://saml-bac.gslb.onefiserv.com">saml-bac.gslb.onefiserv.com</a>.</div>
<div><a href=3D"http://saml-bac.gslb.onefiserv.com">saml-bac.gslb.onefiserv=
.com</a>. 119 IN<span class=3D"" style=3D"white-space:pre">	</span>A<span c=
lass=3D"" style=3D"white-space:pre">	</span>208.235.248.157</div></div><div=
><br></div>
<div>And it&#39;s the <a href=3D"http://saml-bac.gslb.onefiserv.com">saml-b=
ac.gslb.onefiserv.com</a> host that&#39;s failing (see here for debug info)=
:</div><div><br></div><div><a href=3D"http://dnssec-debugger.verisignlabs.c=
om/sso-fi.bankofamerica.com">http://dnssec-debugger.verisignlabs.com/sso-fi=
.bankofamerica.com</a><br>
</div><div><br></div><div>-Aaron</div></div><div class=3D"gmail_extra"><br>=
<br><div class=3D"gmail_quote">On Sat, Apr 26, 2014 at 6:00 PM,  <span dir=
=3D"ltr">&lt;<a href=3D"mailto:dpreed@reed.com" target=3D"_blank">dpreed@re=
ed.com</a>&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><font face=3D"arial"><p style=3D"margin:0;pa=
dding:0">Is this just a dnsmasq issue or is the DNSSEC mechanism broken at =
these sites? =C2=A0 If it is the latter, I can get attention from executive=
s at some of these companies (Heartbleed has sensitized all kinds of compan=
ies to the need to strengthen security infrastructure).</p>

<p style=3D"margin:0;padding:0">=C2=A0</p>
<p style=3D"margin:0;padding:0">If the former, the change process is going =
to be more tricky, because dnsmasq is easily dismissed as too small a propo=
rtion of the market to care. =C2=A0(wish it were not so).</p><div><div clas=
s=3D"h5">


<p style=3D"margin:0;padding:0"><br><br>On Saturday, April 26, 2014 7:38am,=
 &quot;Aaron Wood&quot; &lt;<a href=3D"mailto:woody77@gmail.com" target=3D"=
_blank">woody77@gmail.com</a>&gt; said:<br><br></p>
<div>
<div dir=3D"ltr">Just too many sites aren&#39;t working correctly with dnsm=
asq and using Google&#39;s DNS servers.
<div>- Bank of America (<a href=3D"http://sso-fi.bankofamerica.com" target=
=3D"_blank">sso-fi.bankofamerica.com</a>)</div>
<div>- Weather Underground (<a href=3D"http://cdnjs.cloudflare.com" target=
=3D"_blank">cdnjs.cloudflare.com</a>)</div>
<div>- Akamai (<a href=3D"http://e3191.dscc.akamaiedge.net.0.1.cn.akamaiedg=
e.net" target=3D"_blank">e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net</a=
>)</div>
<div>And I&#39;m not getting any traction with reporting the errors to thos=
e sites, so it&#39;s frustrating in getting it properly fixed.</div>
<div>While Akamai and cloudflare appear to be issues with their entries in =
google dns, or with dnsmasq&#39;s validation of them being insecure domains=
, the BofA issue appears to be an outright bad key. =C2=A0And BofA isn&#39;=
t being helpful (just a continual &quot;we use ssl&quot; sort of quasi-auto=
mated response).</div>

<div>So I&#39;m disabling it for now, or rather, falling back to using my I=
SP&#39;s dns servers, which don&#39;t support DNSSEC at this time. =C2=A0I&=
#39;ll be periodically turning it back on, but too much is broken (mainly d=
ue to the cdns) to be able to rely on it at this time.</div>

<div>-Aaron</div>
</div>
</div></div></div></font></blockquote></div><br></div>

--089e010d8dd683458104f7f4740d--