From: Aaron Wood
To: David Reed
Cc: dnsmasq-discuss, cerowrt-devel
Subject: Re: [Cerowrt-devel] Had to disable dnssec today
Date: Sat, 26 Apr 2014 18:20:05 +0200
In-Reply-To: <1398528012.36628423@apps.rackspace.com>
List-Id: Development issues regarding the cerowrt test router project

David,
With two of them (akamai and cloudflare), I _think_ it's a dnsmasq issue with the DS records for proving insecure domains are insecure. But Simon Kelley would know that better than I.

With BofA, I'm nearly certain it's them, or an issue with one of their partners (since the domain that fails isn't BofA, but something else):

(with dnssec turned off):

;; QUESTION SECTION:
;sso-fi.bankofamerica.com. IN A

;; ANSWER SECTION:
sso-fi.bankofamerica.com. 3599 IN CNAME saml-bac.onefiserv.com.
saml-bac.onefiserv.com. 299 IN CNAME saml-bac.gslb.onefiserv.com.
saml-bac.gslb.onefiserv.com. 119 IN A 208.235.248.157

And it's the saml-bac.gslb.onefiserv.com host that's failing (see here for debug info):
http://dnssec-debugger.verisignlabs.com/sso-fi.bankofamerica.com

-Aaron

On Sat, Apr 26, 2014 at 6:00 PM, <dpreed@reed.com> wrote:

> Is this just a dnsmasq issue or is the DNSSEC mechanism broken at these
> sites? If it is the latter, I can get attention from executives at some
> of these companies (Heartbleed has sensitized all kinds of companies to the
> need to strengthen security infrastructure).
>
> If the former, the change process is going to be more tricky, because
> dnsmasq is easily dismissed as too small a proportion of the market to
> care. (wish it were not so).
>
> On Saturday, April 26, 2014 7:38am, "Aaron Wood" <woody77@gmail.com> said:
>
> Just too many sites aren't working correctly with dnsmasq and using
> Google's DNS servers.
> - Bank of America (sso-fi.bankofamerica.com)
> - Weather Underground (cdnjs.cloudflare.com)
> - Akamai (e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net)
> And I'm not getting any traction with reporting the errors to those sites,
> so it's frustrating in getting it properly fixed.
> While Akamai and cloudflare appear to be issues with their entries in
> google dns, or with dnsmasq's validation of them being insecure domains,
> the BofA issue appears to be an outright bad key. And BofA isn't being
> helpful (just a continual "we use ssl" sort of quasi-automated response).
> So I'm disabling it for now, or rather, falling back to using my ISP's dns
> servers, which don't support DNSSEC at this time. I'll be periodically
> turning it back on, but too much is broken (mainly due to the cdns) to be
> able to rely on it at this time.
> -Aaron
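The CNAME chain in the message is why the failure appears under the bank's name but actually belongs to a partner's zone: a validating resolver must validate every link, so a bad key anywhere in the chain makes the original name unresolvable. The script below is an added example, not code from the thread or from dnsmasq; it parses dig answer output (the lines from the message, embedded here as a constructed sample), follows the CNAME chain, and lists the distinct zones whose DNSSEC state would need checking or reporting. The two-label "registrable zone" rule is an assumption standing in for a real public-suffix lookup.

```python
import re
from collections import OrderedDict

# Constructed sample: the answer section as dig prints it, taken from the
# thread (queried with DNSSEC validation turned off in dnsmasq).
DIG_OUTPUT = """\
;; QUESTION SECTION:
;sso-fi.bankofamerica.com.\t\tIN\tA

;; ANSWER SECTION:
sso-fi.bankofamerica.com. 3599 IN CNAME saml-bac.onefiserv.com.
saml-bac.onefiserv.com. 299 IN CNAME saml-bac.gslb.onefiserv.com.
saml-bac.gslb.onefiserv.com. 119 IN A 208.235.248.157
"""

# owner TTL IN TYPE RDATA  (dig's default presentation format)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_answer_section(text):
    """Return (owner, type, rdata) tuples from the ANSWER SECTION only."""
    records, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; "):            # section header toggles state
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        m = RR_RE.match(line.strip()) if in_answer and line.strip() else None
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            records.append((owner.lower(), rtype, rdata.lower()))
    return records


def follow_cname_chain(records, qname):
    """Ordered owner names visited from qname; every link must validate."""
    cnames = {o: r for o, t, r in records if t == "CNAME"}
    chain, seen = [qname.lower()], {qname.lower()}
    while chain[-1] in cnames:
        nxt = cnames[chain[-1]]
        if nxt in seen:                        # guard against a CNAME loop
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def zones_to_check(chain):
    """Distinct registrable zones in the chain (assumed: last two labels).
    Each zone has its own operator and its own DS/DNSKEY to verify."""
    zones = OrderedDict()
    for name in chain:
        labels = name.rstrip(".").split(".")
        zones.setdefault(".".join(labels[-2:]), name)
    return list(zones)
```

For the sample, the chain crosses from bankofamerica.com into onefiserv.com, which is the zone the DNSSEC debugger link in the message reports on.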