[Dnsmasq-discuss] Insecure CNAME pointing to Secure name incorrectly validates as Bogus

Tore Anderson tore at fud.no
Tue Sep 3 17:26:03 BST 2019


Hi Simon,

> A quick bit of differential analysis of the first query reveals that the
> problem is the mythic-beasts.com DNSKEY RRset.
> 
> 8.8.8.8, and the mythic-beasts authoritative server I tried gives the
> following answer for that RRset.
> 
> ;; ANSWER SECTION:
> mythic-beasts.com.	86400	IN	DNSKEY	257 3 10
> AwEAAaXuiwGP7BTBwrhYj8V+J7VQ+nalXaK3Mo5pXI4x//xD4O8ZN9ZF
> CMuvKYhPW+VjsDWYO/QT6KqcqHEErWgYjv/c5vdxJAkM5zfa8UJiOp0q
> X2S7RJinMkGqXz05YNp7o+ZE5W/Yykzwfn3k036Mrf4NY9FYKU5uznrc
> fzW4vP8vQzXLNBEn+/ErWfbG3mYFjmhYxVsvw0yoIAmhL6xzagdQHJId
> vc1G00tqjIFWXwqm3med63G/SX0ggiT/QPwe/D618wibbXu7cUpSjSpP
> NxSZg+pX+hejg1DTU6x3UJ6EwMIZWzCccAg0S4KJIy8uOZrifACD4okB OM6yRjFq+TM=
> mythic-beasts.com.	86400	IN	DNSKEY	256 3 10
> AwEAAc5oGCn44Da0km1yuWnqDWJV41f/ieZFaxZxdeRTwsTllcnw3H6a
> IHsgYwArtkWqVe9CatuXjBpVmdbS9xJ1V4KrSsGdasCnZpXbtoKKy7Be
> tCDUES89uhMG3noqi55rEU5OS3htgmx8fNIuVLuUto5KCbp3O9Rp3+9C
> 5yQbW3eZuuDwBDEJ2DgbikiTU80MexCzkhEB3ihXhYYOnEuk4n71cSYB
> IM1YcEFaECkLN/meQ077fiAgyF+hkMIzs/VFlA/mOtkNhJeP81lUVT37
> Gjo1w46qWilFtRq1TJTfB47XXDxoLHZZcFmtW9fk6BR/a+4NlxL7X8xI dII0Z9B3I40=
> mythic-beasts.com.	86400	IN	DNSKEY	256 3 10
> AwEAAbiUu+uoyM7HirzFV/VsIO+j0vLNBMcursO6mgjX8cZPrEHKZV0O
> NENhRZKrNL0hFVvpjW5I60qxGaBQ+VbcJyK8XMPPnYRnsRDRez9f5I92
> yOJDqjXNca0fj8iqqx9PztolU8SPUebhJgW22GQd2PHkKPDZaUa1Oag2
> OUq6JJRUPwmeZO9dMMtXa3kY/11nj5YoD8FpJPwCZv8VMbVFrORt0kMc
> HlpB/hLYpaxzPWKIs95V1o2rL0zxlIkKSwxuZCli7W5ipORB5NM2Vawq
> c6m6UfoOabP2SJUm/aTKlom/ZtS4kDaO/9DIeN0F3bG1nLFRRUwRaC4M UjNs4eHCapE=
> mythic-beasts.com.	86400	IN	RRSIG	DNSKEY 10 2 86400 20191002000509
> 20190901230509 42918 mythic-beasts.com.
> UltVyLHHD+qVowOQIqZLtTc9cA5T/O4t72EiLsgiH9oRjLz7D0MgB+F2
> 0TXv8OoufV3mzf2bjaou1ziIi6FBb5j1RQSqGT44O1zJyQmX40z3LQ3L
> UUB6hQU5eh9Q4JTgChHNDpvlvWBTnObTy6NuJn5hdtQKtGN8yZ4gGHM7
> gGB+Y2N595abpWcz9xq2mtXQgGbVJUshe+JfQ3JgU034eDTlvLBTdM73
> HVjpfbxCoMboXOCtjndEB0200gloJSumqdEnlFufWfISqXhruSIB6IKP
> 5o2yUSv4mtQUOtVm+RPwcIoprm6ON5Ln2tFHJlgquuJA5vhrIIl+/e99 qarI4Q==
> 
> 
> Note, three DNSKEY records and the signature that signs the RRset. Note
> that this is a self-signature: the signature, along with key 41918 signs
> the digest of the set of three records. key 41918 is proved to be valid
> by a separate DS record that propagates the chain of trust down from the
> .com zone.
> 
> The answer to the same query in your pcap has only two DNSKEY RRs. The
> value of the signature is different, so it's possible that this is still a
> valid, but different, RRset. However dnsmasq thinks it is not valid, and
> my feeling is that we should try and answer the question "where has this
> RRset come from" before we assume it's valid and dnsmasq is mistaken.
> 
> So, what happens when you ask your upstream server the query
> 
> dig +dnssec DNSKEY mythic-beasts.com
> 
> ?

; <<>> DiG 9.11.10-RedHat-9.11.10-1.fc30 <<>> @87.238.33.1 +dnssec DNSKEY mythic-beasts.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50476
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mythic-beasts.com.             IN      DNSKEY

;; ANSWER SECTION:
mythic-beasts.com.      86397   IN      DNSKEY  256 3 10 AwEAAbiUu+uoyM7HirzFV/VsIO+j0vLNBMcursO6mgjX8cZPrEHKZV0O NENhRZKrNL0hFVvpjW5I60qxGaBQ+VbcJyK8XMPPnYRnsRDRez9f5I92 yOJDqjXNca0fj8iqqx9PztolU8SPUebhJgW22GQd2PHkKPDZaUa1Oag2 OUq6JJRUPwmeZO9dMMtXa3kY/11nj5YoD8FpJPwCZv8VMbVFrORt0kMc HlpB/hLYpaxzPWKIs95V1o2rL0zxlIkKSwxuZCli7W5ipORB5NM2Vawq c6m6UfoOabP2SJUm/aTKlom/ZtS4kDaO/9DIeN0F3bG1nLFRRUwRaC4M UjNs4eHCapE=
mythic-beasts.com.      86397   IN      DNSKEY  256 3 10 AwEAAc5oGCn44Da0km1yuWnqDWJV41f/ieZFaxZxdeRTwsTllcnw3H6a IHsgYwArtkWqVe9CatuXjBpVmdbS9xJ1V4KrSsGdasCnZpXbtoKKy7Be tCDUES89uhMG3noqi55rEU5OS3htgmx8fNIuVLuUto5KCbp3O9Rp3+9C 5yQbW3eZuuDwBDEJ2DgbikiTU80MexCzkhEB3ihXhYYOnEuk4n71cSYB IM1YcEFaECkLN/meQ077fiAgyF+hkMIzs/VFlA/mOtkNhJeP81lUVT37 Gjo1w46qWilFtRq1TJTfB47XXDxoLHZZcFmtW9fk6BR/a+4NlxL7X8xI dII0Z9B3I40=
mythic-beasts.com.      86397   IN      DNSKEY  257 3 10 AwEAAaXuiwGP7BTBwrhYj8V+J7VQ+nalXaK3Mo5pXI4x//xD4O8ZN9ZF CMuvKYhPW+VjsDWYO/QT6KqcqHEErWgYjv/c5vdxJAkM5zfa8UJiOp0q X2S7RJinMkGqXz05YNp7o+ZE5W/Yykzwfn3k036Mrf4NY9FYKU5uznrc fzW4vP8vQzXLNBEn+/ErWfbG3mYFjmhYxVsvw0yoIAmhL6xzagdQHJId vc1G00tqjIFWXwqm3med63G/SX0ggiT/QPwe/D618wibbXu7cUpSjSpP NxSZg+pX+hejg1DTU6x3UJ6EwMIZWzCccAg0S4KJIy8uOZrifACD4okB OM6yRjFq+TM=
mythic-beasts.com.      86397   IN      RRSIG   DNSKEY 10 2 86400 20191002000509 20190901230509 42918 mythic-beasts.com. UltVyLHHD+qVowOQIqZLtTc9cA5T/O4t72EiLsgiH9oRjLz7D0MgB+F2 0TXv8OoufV3mzf2bjaou1ziIi6FBb5j1RQSqGT44O1zJyQmX40z3LQ3L UUB6hQU5eh9Q4JTgChHNDpvlvWBTnObTy6NuJn5hdtQKtGN8yZ4gGHM7 gGB+Y2N595abpWcz9xq2mtXQgGbVJUshe+JfQ3JgU034eDTlvLBTdM73 HVjpfbxCoMboXOCtjndEB0200gloJSumqdEnlFufWfISqXhruSIB6IKP 5o2yUSv4mtQUOtVm+RPwcIoprm6ON5Ln2tFHJlgquuJA5vhrIIl+/e99 qarI4Q==

;; Query time: 2 msec
;; SERVER: 87.238.33.1#53(87.238.33.1)
;; WHEN: ty. sep. 03 18:12:01 CEST 2019
;; MSG SIZE  rcvd: 1179

(If you would like access to query this server yourself, just send me a ssh public key and I'll spin up a VM for you.)

In any case, to me it seems pointless for Dnsmasq to try to perform DNSSEC validation on proxy.mythic-beasts.com, considering that the www.ipv6.org.uk IN CNAME record is Insecure in the first place, so the answer to the original query cannot possibly be Secure.

(For what it's worth, Knot Resolver will just supply the addresses included in the answer to the original www.ipv6.org.uk IN A query; it doesn't chase down the signatures of the proxy.mythic-beasts.com domain name.)

Tore
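The two behaviours at issue in this thread, modelled as an added example that is not code from dnsmasq, Knot Resolver or the original post. Each RRset in the CNAME chain carries its own validation status; the resolver's answer can never be better than the weakest hop, so once the www.ipv6.org.uk CNAME is Insecure the answer cannot be Secure and the AD bit cannot be set regardless of what proxy.mythic-beasts.com validates to. The per-hop statuses below are assumptions for illustration, not validation results taken from the page; the `stop_at_insecure` flag is a hypothetical knob that selects between chasing the whole chain (the behaviour the post observes in dnsmasq) and stopping at the first Insecure hop (what the post describes Knot Resolver doing).

```python
"""Model of how a validating resolver derives the security status of a CNAME chain.

Added example; not dnsmasq or Knot Resolver code. Hop statuses are constructed
for illustration and are assumptions, not results taken from the mailing-list post.
"""
from enum import IntEnum


class Status(IntEnum):
    """Ordered so that min() over a chain picks the weakest hop."""
    BOGUS = 0
    INSECURE = 1
    SECURE = 2


# Constructed chain from the thread: an Insecure CNAME pointing at a name whose
# target RRset would validate as Secure (assumed status, for illustration only).
CHAIN_INSECURE_CNAME = [
    ("www.ipv6.org.uk.", "CNAME", Status.INSECURE),
    ("proxy.mythic-beasts.com.", "A", Status.SECURE),
]

# Constructed variant: same Insecure CNAME, but the target fails validation
# (assumed status, mirroring the Bogus result the post reports from dnsmasq).
CHAIN_INSECURE_CNAME_BOGUS_TARGET = [
    ("www.ipv6.org.uk.", "CNAME", Status.INSECURE),
    ("proxy.mythic-beasts.com.", "A", Status.BOGUS),
]

# Constructed control: every hop Secure, so the AD bit may be set.
CHAIN_ALL_SECURE = [
    ("alias.example.", "CNAME", Status.SECURE),
    ("target.example.", "A", Status.SECURE),
]


def chain_status(chain, stop_at_insecure=True):
    """Return (overall status, number of hops examined) for an answer-section chain.

    The overall status is the weakest hop seen. With stop_at_insecure=True the
    walk ends at the first Insecure hop, because no later hop can raise the
    answer back to Secure; with it False the whole chain is validated and a
    Bogus hop anywhere makes the answer Bogus (hypothetical knob, see lead-in).
    """
    overall = Status.SECURE
    examined = 0
    for _name, _rtype, status in chain:
        examined += 1
        overall = min(overall, status)
        if overall is Status.BOGUS:
            break  # a Bogus RRset poisons the answer under either policy
        if overall is Status.INSECURE and stop_at_insecure:
            break  # answer can no longer be Secure; nothing further to decide
    return overall, examined


def ad_bit(chain, **kwargs):
    """AD may be set only when every RRset in the chain validated as Secure."""
    status, _ = chain_status(chain, **kwargs)
    return status is Status.SECURE


if __name__ == "__main__":
    for label, chain in [
        ("insecure CNAME, secure target", CHAIN_INSECURE_CNAME),
        ("insecure CNAME, bogus target", CHAIN_INSECURE_CNAME_BOGUS_TARGET),
        ("all secure", CHAIN_ALL_SECURE),
    ]:
        for stop in (True, False):
            status, n = chain_status(chain, stop_at_insecure=stop)
            print(f"{label:32} stop_at_insecure={stop!s:5} -> {status.name:8} "
                  f"after {n} hop(s), AD={ad_bit(chain, stop_at_insecure=stop)}")
```

Under the stop-at-Insecure policy the second hop is never examined and the answer is Insecure in both constructed cases; under the chase-everything policy the same Insecure CNAME yields Insecure when the target is Secure but Bogus when the target is Bogus. Either way the AD bit is only ever set for the all-Secure control chain, which is the point the post makes.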
