On Sat, Sep 9, 2017 at 11:50 AM, Andrew Ayer <
ag...@andrewayer.name> wrote:
> On Sat, 9 Sep 2017 08:49:01 -0700
>> On Sat, Sep 9, 2017 at 3:57 AM, Jonathan Rudenberg
>> <
jona...@titanous.com> wrote:
>> >
>> >> On Sep 9, 2017, at 06:19, Peter Bowen via dev-security-policy
>> >> <
dev-secur...@lists.mozilla.org> wrote:
>> >>
>> >> In all three of these cases, the "domain's zone does not have a
>> >> DNSSEC validation chain to the ICANN root" -- I requested SOA,
>> >> DNSKEY, NS, and CAA records types for each zone and in no case did
>> >> I get a response that had a valid DNSSEC chain to the ICANN root.
>> >
>> > This comes down to what exactly ___does not have a valid DNSSEC
>> > chain___ means.
>> >
>> > I had assumed that given the reference to DNSSEC in the BRs that
>> > the relevant DNSSEC RFCs were incorporated by reference via RFC
>> > 6844 and that DNSSEC validation is required. However, this is not
>> > entirely the case, using DNSSEC for CAA lookups is only RECOMMENDED
>> > in section 4.1 and explicitly ___not required.___ Which means this is
>> > all pretty pointless. The existence or non-existence of DNSSEC
> to the ICANN root, the CA should look for the DS record in the parent
> zones.
RFC 4033 refers to 4035 for the details on the protocol. In RFC 4035
section 2.4, it says:
A DS RR SHOULD point to a DNSKEY RR that is present in the child's
apex DNSKEY RRset, and the child's apex DNSKEY RRset SHOULD be signed
by the corresponding private key. DS RRs that fail to meet these
conditions are not useful for validation, but because the DS RR and
its corresponding DNSKEY RR are in different zones, and because the
Additionally both 4033 and 4035 state that there are four possible
statuses for DNSSEC: Secure, Insecure, Bogus, and Indeterminate. 4033
notes the "signaling mechanism does not distinguish between
indeterminate and insecure states". In the examples I listed, the
resulting state is neither Secure nor Bogus.
> All of this is clear from the relevant DNSSEC RFCs, it's how DNSSEC is
> widely understood to work, and is how every DNSSEC implementation
> prevents the otherwise trivial downgrade attack. I do not believe there
> is any ambiguity in the wording of the BRs, but if there were, it would
> have been cleared up by the thread linked above.
Not every DNSSEC implementation gives the result you claim. I usually
use drill (which is part of the unbound/nsd/ldns/getdns family) to
test. Here is the output for one of your cases:
[ec2-user@ip-10-0-0-18 ~]$ drill -v
drill version 1.7.0 (ldns version 1.7.0)
Written by NLnet Labs.
Copyright (c) 2004-2008 NLnet Labs.
Licensed under the revised BSD license.
There is NO warranty; not even for MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE.
[ec2-user@ip-10-0-0-18 ~]$ drill -k /usr/local/etc/unbound/root.key -T
-D -V1 -a
refused.caatestsuite-dnssec.com. IN CAA
;; Number of trusted keys: 2
;; Domain: .
[T] . 172800 IN DNSKEY 256 3 8 ;{id = 15768 (zsk), size = 2048b}
. 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
. 172800 IN DNSKEY 257 3 8 ;{id = 20326 (ksk), size = 2048b}
[T] com. 86400 IN DS 30909 8 2
e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766
;; Domain: com.
[T] com. 86400 IN DNSKEY 256 3 8 ;{id = 5528 (zsk), size = 1024b}
com. 86400 IN DNSKEY 257 3 8 ;{id = 30909 (ksk), size = 2048b}
[T]
caatestsuite-dnssec.com. 86400 IN DS 58522 5 2
68bbff4ce6d8bbdbb05882f1474efa60805fc6301d8bf08d59f4ab565329072e
;; Domain:
caatestsuite-dnssec.com.
[T]
caatestsuite-dnssec.com. 60 IN DNSKEY 256 3 5 ;{id = 62745 (zsk),
size = 2048b}
caatestsuite-dnssec.com. 60 IN DNSKEY 257 3 5 ;{id = 58522 (ksk), size = 2048b}
[T]
refused.caatestsuite-dnssec.com. 60 IN DS 63016 5 1
a4e5f6421441e881b69961d1157c1851c579d9bf
refused.caatestsuite-dnssec.com. 60 IN DS 63016 5 2
29b0bf92df990ba71a5ed19ed484ad29cb5df037cc0b11faca2f3a384c0ca4cf
;; Domain:
refused.caatestsuite-dnssec.com.
;; No DNSKEY record found for
refused.caatestsuite-dnssec.com.
[U] No data found for:
refused.caatestsuite-dnssec.com. type CAA
;;[S] self sig OK; [B] bogus; [T] trusted
[ec2-user@ip-10-0-0-18 ~]$ echo $?
0
[U] is UNSIGNED. The exit code is 0 (success).
Compare this to a couple of known bad test cases:
[ec2-user@ip-10-0-0-18 ~]$ drill -k /usr/local/etc/unbound/root.key -T
-D -V1 -a
sigfail.verteiltesysteme.net. IN A
;; Number of trusted keys: 2
;; Domain: .
[T] . 172800 IN DNSKEY 257 3 8 ;{id = 20326 (ksk), size = 2048b}
. 172800 IN DNSKEY 256 3 8 ;{id = 15768 (zsk), size = 2048b}
. 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
[T] net. 86400 IN DS 35886 8 2
7862b27f5f516ebe19680444d4ce5e762981931842c465f00236401d8bd973ee
;; Domain: net.
[T] net. 86400 IN DNSKEY 257 3 8 ;{id = 35886 (ksk), size = 2048b}
net. 86400 IN DNSKEY 256 3 8 ;{id = 57899 (zsk), size = 1024b}
[T]
verteiltesysteme.net. 86400 IN DS 61908 5 1
3497d121f4c91369e95dc73d8032e688e1abb1fe
verteiltesysteme.net. 86400 IN DS 61908 5 2
2f87866a60c3603f447658ac3ea72baec053b7f9f85fa4b531aabe88b06f5aee
;; Domain:
verteiltesysteme.net.
[T]
verteiltesysteme.net. 3600 IN DNSKEY 256 3 5 ;{id = 30665 (zsk),
size = 1024b}
verteiltesysteme.net. 3600 IN DNSKEY 257 3 5 ;{id = 61908 (ksk), size = 1024b}
[T] Existence denied:
sigfail.verteiltesysteme.net. DS
;; Domain:
sigfail.verteiltesysteme.net.
;; No DNSKEY record found for
sigfail.verteiltesysteme.net.
[B]
sigfail.verteiltesysteme.net. 60 IN A 134.91.78.139
;; Error: Bogus DNSSEC signature
;;[S] self sig OK; [B] bogus; [T] trusted
[ec2-user@ip-10-0-0-18 ~]$ echo $?
5
[ec2-user@ip-10-0-0-18 ~]$ drill -k /usr/local/etc/unbound/root.key -T
-D -V1 -a
bogus.d4a16n3.rootcanary.net. IN A
;; Number of trusted keys: 2
;; Domain: .
[T] . 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
. 172800 IN DNSKEY 256 3 8 ;{id = 15768 (zsk), size = 2048b}
. 172800 IN DNSKEY 257 3 8 ;{id = 20326 (ksk), size = 2048b}
[T] net. 86400 IN DS 35886 8 2
7862b27f5f516ebe19680444d4ce5e762981931842c465f00236401d8bd973ee
;; Domain: net.
[T] net. 86400 IN DNSKEY 257 3 8 ;{id = 35886 (ksk), size = 2048b}
net. 86400 IN DNSKEY 256 3 8 ;{id = 57899 (zsk), size = 1024b}
[T]
rootcanary.net. 86400 IN DS 64786 8 2
5cd8f125f5487708121a497bd0b1079406add42002b3c195ee0669d2aeb763c9
;; Domain:
rootcanary.net.
[T]
rootcanary.net. 60 IN DNSKEY 257 3 8 ;{id = 64786 (ksk), size = 1024b}
rootcanary.net. 60 IN DNSKEY 256 3 8 ;{id = 25188 (zsk), size = 1024b}
[T]
d4a16n3.rootcanary.net. 60 IN DS 40569 16 4
57c663467f4e3e0b5207da75420de177ce699fa02a50b69551a481ff2d5d655b25f8a955494f5cea84e3e485c3aa5ac0
;; Domain:
d4a16n3.rootcanary.net.
[B]
d4a16n3.rootcanary.net. 60 IN DNSKEY 257 3 16 ;{id = 40569 (ksk), size = 0b}
;; No DS for bogus.d4a16n3.rootcanary.net.;; Domain:
bogus.d4a16n3.rootcanary.net.
;; No DNSKEY record found for
bogus.d4a16n3.rootcanary.net.
[B]
bogus.d4a16n3.rootcanary.net. 60 IN A 145.97.20.17
;; Error: Unknown cryptographic algorithm
;;[S] self sig OK; [B] bogus; [T] trusted
[ec2-user@ip-10-0-0-18 ~]$ echo $?
5
Thanks,
Peter