[nsp-sec] DNSSEC for epa.gov
Michael Sinatra
michael at rancid.berkeley.edu
Tue Aug 16 19:58:16 EDT 2011
On 08/16/11 15:48, Jason Gardiner wrote:
> It appears that certain programs may default to performing an A query
> and DNSSEC is returning a SERVFAIL if there is no record instead of an
> NXDOMAIN. So I'm guessing that fallback to other query types is
> problematic in DNSSEC and the type should be set to ANY?
>
> At any rate, I'd love comments, questions and suggestions off-list.
You're correct that this is a bit off-topic for nsp-sec. Next time, I'd
send it to dns-operations@, unless you think there's something sensitive
here.
I will respond on-list one more time to point out that this appears to
be a case where there are no proper delegation records in the parent
zone. In this case, epa.gov delegates ad.epa.gov and then ad.epa.gov
delegates aa.ad.epa.gov, all to the same set of nameservers as epa.gov.
However, it does not properly include NS records in the parent zone.
This is evidenced by doing the following query for DS records:
[sonicyouth] ~> dig +dnssec +norecurse ds aa.ad.epa.gov @ying.epa.gov
; <<>> DiG 9.8.1rc1 <<>> +dnssec +norecurse ds aa.ad.epa.gov @ying.epa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8703
;; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;aa.ad.epa.gov. IN DS
;; AUTHORITY SECTION:
ad.epa.gov. 600 IN SOA ying.epa.gov. dnsadmin.epa.gov. 1313472053 3600 900 1209600 600
ad.epa.gov. 600 IN RRSIG SOA 7 3 600 20110915042101 20110816042101 18332 ad.epa.gov.
WKkk93kEPiA743KMlvnRE8EVgaVl1+4SjdTMqtQMMUjN+SDR9qQ/XEU2
8ydkiz6EsjQ86uKoFLTNwHdB+7uXmSkJf4sM0hatsEBrQSMseNgBPUgr
gs7DdZZmT4or3HV0g5hFzgVNGEnn5GqXe/2E3AdtPTsv04wvxn7XtQEA 7Ok=
EOFJ29BPPBKA5VQTVEAOOTC58784SJ16.ad.epa.gov. 600 IN NSEC3 1 1 100 CA4512D22DB22E73 EOFJ29BPPBKA5VQTVEAOOTC58784SJ16 NS SOA RRSIG DNSKEY NSEC3PARAM
EOFJ29BPPBKA5VQTVEAOOTC58784SJ16.ad.epa.gov. 600 IN RRSIG NSEC3 7 4 600 20110915042101 20110816042101 18332 ad.epa.gov.
ic5Gc22kwudwc1HOV3bMiVVPz5d8PyNUj+CA4UDHfUU7usntoJHWAIDO
CfoOH0xyHgYSd+xH3TPmTTRaV28UvebcY3VFgPX7hIY26tKg2k5hJ93U
W32KnYaFdoLMTaRMQj28gKIRqrafH3Yd31HMRV9JLtCwYmS15sSB4Ac/ jUE=
Note that the status is NXDOMAIN, but it should be NOERROR with an empty
answer, to indicate that the domain exists, but the specific RRTYPE (DS)
doesn't. Non-existence of the *entire* domain is proven by the signed
NSEC3 record. This wouldn't happen if the NS records were placed
properly in both the parent and child zones, instead of just the child.
You could get away with this in the past if the child DNS server was the
same as the parent, but you can't get away with it in the world of
DNSSEC-signed zones. epa.gov needs to fix this subzone.
michael
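A small checker for the delegation fault described in the mail above, added here as an example and not part of the original message: it parses dig's text output for a DS query at a delegation point and flags the NXDOMAIN case (signed denial of the whole child name) against the NOERROR/empty-answer response a properly delegated child would get. The two dig outputs are constructed and abbreviated from the response quoted above; CHILDHASH and NEXTHASH are placeholder NSEC3 owner names, not real hashes.

```python
import re

# Constructed, abbreviated dig output: BROKEN has the shape shown in the mail above
# (NXDOMAIN for DS, NSEC3 denying the whole name); GOOD is a proper NS delegation.
BROKEN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8703
;; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;aa.ad.epa.gov. IN DS
;; AUTHORITY SECTION:
ad.epa.gov. 600 IN SOA ying.epa.gov. dnsadmin.epa.gov. 1313472053 3600 900 1209600 600
EOFJ29BPPBKA5VQTVEAOOTC58784SJ16.ad.epa.gov. 600 IN NSEC3 1 1 100 CA4512D22DB22E73 EOFJ29BPPBKA5VQTVEAOOTC58784SJ16 NS SOA RRSIG DNSKEY NSEC3PARAM
"""
GOOD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;aa.ad.epa.gov. IN DS
;; AUTHORITY SECTION:
ad.epa.gov. 600 IN SOA ying.epa.gov. dnsadmin.epa.gov. 1313472053 3600 900 1209600 600
CHILDHASH.ad.epa.gov. 600 IN NSEC3 1 1 100 CA4512D22DB22E73 NEXTHASH NS RRSIG
"""

def parse_dig(text):
    """Return (rcode, answer count, AUTHORITY RR types) from dig's text output."""
    status = re.search(r"status: (\w+)", text).group(1)
    answers = int(re.search(r"ANSWER: (\d+)", text).group(1))
    section, auth_types = None, []
    for line in text.splitlines():
        if line.startswith(";; ") and "SECTION" in line:
            section = line.split()[1]          # QUESTION / ANSWER / AUTHORITY
        f = line.split()                       # owner ttl class TYPE rdata...
        if section == "AUTHORITY" and len(f) > 3 and f[2] == "IN":
            auth_types.append(f[3])            # wrapped base64 lines are skipped
    return status, answers, tuple(auth_types)

def check_ds_response(text):
    """Classify the parent's answer to a DS query for a child zone."""
    status, answers, auth = parse_dig(text)
    denial = {"NSEC", "NSEC3"} & set(auth)     # authenticated denial present?
    if status == "NXDOMAIN":
        proof = "signed " if denial else ""
        verdict = f"BROKEN: {proof}denial of the whole child name; NS records missing in parent"
    elif status == "NOERROR" and answers > 0:
        verdict = "OK: secure delegation (DS present)"
    elif status == "NOERROR" and denial:
        verdict = "OK: insecure delegation (NODATA for DS, denial authenticated)"
    else:
        verdict = "UNKNOWN: unexpected response shape"
    return {"status": status, "answers": answers, "auth_types": auth, "verdict": verdict}
```

Run it against the output of `dig +dnssec +norecurse ds <child> @<parent-server>` to confirm the fix once the NS records are added to the parent zone.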