Is the FBI's DNSSEC broken?

Mark Andrews marka at isc.org
Fri Aug 30 23:02:49 UTC 2013


In message <20130830223510.GA10878 at esri.com>, Ray Van Dolson writes:
> On Fri, Aug 30, 2013 at 10:27:36PM +0000, John Levine wrote:
> > I don't claim to be a big DNSSEC expert, but this looks just plain
> > wrong to me, and unbound agrees, turning it into a SERVFAIL.
> > 
> > Here's a lookup that succeeds, an A record for mail.ic.fbi.gov:
> > 
> > $ dig @ns1.fbi.gov mail.ic.fbi.gov a +dnssec
> > 
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7222
> > ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1
> > ;; WARNING: recursion requested but not available
> > 
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags: do; udp: 65235
> > ;; QUESTION SECTION:
> > ;mail.ic.fbi.gov.		IN	A
> > 
> > ;; ANSWER SECTION:
> > mail.ic.fbi.gov.	600	IN	A	153.31.119.142
> > mail.ic.fbi.gov.	600	IN	RRSIG	A 7 4 600 20131124123847 20130826123847 32497 fbi.gov. dYs+1bPdO+8y3T5ij8qSn0BvTDv7X51wi++HV681rKzlK5SLKrZiGryV ow67iO30CWwztI3d5oCF7/6bEn3NetWq9IajeM19aorIdJMA6tAp1BQI EZMTcCsnInSIn2IRb3V2MXXOBx6r6wMt7ptNfp/Tro89h2K7q+Pgp0O2 WdU=
> > 
> > ;; AUTHORITY SECTION:
> > fbi.gov.		600	IN	NS	ns3.fbi.gov.
> > fbi.gov.		600	IN	NS	ns5.fbi.gov.
> > fbi.gov.		600	IN	NS	ns4.fbi.gov.
> > fbi.gov.		600	IN	NS	ns2.fbi.gov.
> > fbi.gov.		600	IN	NS	ns1.fbi.gov.
> > fbi.gov.		600	IN	NS	ns6.fbi.gov.
> > fbi.gov.		600	IN	RRSIG	NS 7 2 600 20131124123847 20130826123847 32497 fbi.gov. l/AcT+Pmr/5yosWyvP3zbFIJE7f07F+AA8eh1X3qv8ulw9FbC0DhZfSo 1f5ctD6DIb613ButzKG01PdMzIknMroraOyGyRcAq27qYXzKRE0cTqhv UWz15jLa7N7YKYccR8Hmt6GY1DJitY41EwQP7Z2Fpac9yPTRnybc4mTS 4eY=
> > 
> > Here's a query for the same name, but for AAAA which it doesn't have:
> > 
> > $ dig @ns1.fbi.gov mail.ic.fbi.gov aaaa +dnssec
> > 
> > ; <<>> DiG 9.8.3-P4 <<>> @ns1.fbi.gov mail.ic.fbi.gov aaaa +dnssec
> > ; (2 servers found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41056
> > ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
> > ;; WARNING: recursion requested but not available
> > 
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags: do; udp: 65235
> > ;; QUESTION SECTION:
> > ;mail.ic.fbi.gov.		IN	AAAA
> > 
> > ;; AUTHORITY SECTION:
> > fbi.gov.		600	IN	SOA	ns1.fbi.gov. dns-admin.fbi.gov. 2013082601 7200 3600 2592000 43200
> > 95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov. 43200	IN NSEC3 1 0 10 BBAB 97S2G907NEFOJ79P721E4FEQ9LR3IT1S A RRSIG
> > fbi.gov.		600	IN	RRSIG	SOA 7 2 600 20131124123847 20130826123847 32497 fbi.gov. QgsdhUT7AHic8tJv39br+994eoyJ4c8/SuQr35dRudceE/bYyZV26IPI 4qnR8Cy35WoepW12bhhhY0Ug26Qy81KWcWHYPw0Wa7g5Ig8Pw27l8gCV J7NDY6O5jTb4MMc9THTPKEvXjeX/YE4060HrbJXo1U93qhdILkGTvno7 3hA=
> > 
> > Shouldn't there be some more stuff there in the authority section,
> > like an NSEC3 and RRSIG for mail.ic.fbi.gov?

The NSEC3 is there and it is correct.  What is missing is the
signature for the NSEC3.

% nsec3hash BBAB 1 10 mail.ic.fbi.gov
95RIPFTKTJC9I7J8HDAIA7CM6L279FSR (salt=BBAB, hash=1, iterations=10)
% 

Mark

> > Am I missing something, or is it broken?  The server says it's from
> > Ultradns.
> > 
> > R's,
> > John
> 
> Hi John;
> 
> I don't think you're alone on this!  Ref this thread (an issue we ran
> into with accepting mail from ic.fbi.gov due to DNSSEC validation
> failure) from July[1].
> 
> Have done my best to get someone's attention to fix the issue, but so
> far no joy.
> 
> Ray
> 
> [1] https://lists.isc.org/pipermail/bind-users/2013-July/091140.html
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
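The two checks Mark's reply rests on, as an added worked example that is not part of the thread above: reproduce the nsec3hash computation (RFC 5155 section 5, hashed owner name in canonical wire form, SHA-1 iterated `iterations` extra times with the salt appended, base32hex encoded), use it to confirm that the NSEC3 in the AAAA response is an exact match for mail.ic.fbi.gov whose type bitmap lacks AAAA (a NODATA proof), and then list which RRsets in that authority section have no covering RRSIG. The authority section is transcribed from the quoted dig output, with the SOA signature data abbreviated; the function names are my own, not from BIND or dig.

```python
"""Added example: NSEC3 hashing and a signed-response audit (Python stdlib only)."""
import base64
import hashlib

B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"   # RFC 4648 "Extended Hex" alphabet used by NSEC3


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 6.2): lowercase, length-prefixed labels, root label."""
    labels = name.lower().rstrip(".").split(".")
    wire = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """RFC 5155 5: IH(salt,x,0) = H(x||salt); IH(salt,x,k) = H(IH(salt,x,k-1)||salt)."""
    if algorithm != 1:
        raise ValueError("RFC 5155 defines only hash algorithm 1 (SHA-1)")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)   # "-" means empty salt
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode("ascii").rstrip("=")  # 20 bytes -> 32 chars, no pad
    return b32.translate(str.maketrans(B32_STD, B32_HEX))


def parse_nsec3_rdata(rdata: str) -> dict:
    """Split presentation-format NSEC3 rdata: alg flags iterations salt next-hash [types...]."""
    fields = rdata.split()
    return {
        "algorithm": int(fields[0]),
        "flags": int(fields[1]),
        "iterations": int(fields[2]),
        "salt": fields[3],
        "next": fields[4].upper(),
        "types": {t.upper() for t in fields[5:]},
    }


def nsec3_proves_nodata(nsec3_owner: str, rdata: str, qname: str, qtype: str) -> bool:
    """NODATA per RFC 5155 8.5: an NSEC3 matching QNAME whose bitmap lacks QTYPE and CNAME."""
    params = parse_nsec3_rdata(rdata)
    hashed_label = nsec3_owner.split(".")[0].upper()
    expected = nsec3_hash(qname, params["salt"], params["iterations"], params["algorithm"])
    if hashed_label != expected:
        return False          # not an exact match; a closest-encloser/NXDOMAIN proof would differ
    return qtype.upper() not in params["types"] and "CNAME" not in params["types"]


# Authority section of the AAAA response quoted in the thread (transcribed; RRSIG data cut short).
AUTHORITY = [
    ("fbi.gov.", "SOA",
     "ns1.fbi.gov. dns-admin.fbi.gov. 2013082601 7200 3600 2592000 43200"),
    ("95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov.", "NSEC3",
     "1 0 10 BBAB 97S2G907NEFOJ79P721E4FEQ9LR3IT1S A RRSIG"),
    ("fbi.gov.", "RRSIG",
     "SOA 7 2 600 20131124123847 20130826123847 32497 fbi.gov. QgsdhUT7AHic8tJv39br..."),
]


def unsigned_rrsets(section):
    """Return (owner, type) of every non-RRSIG RRset lacking an RRSIG with matching type-covered."""
    signed, rrsets = set(), set()
    for owner, rtype, rdata in section:
        owner = owner.lower()
        if rtype == "RRSIG":
            signed.add((owner, rdata.split()[0].upper()))   # first rdata field is "type covered"
        else:
            rrsets.add((owner, rtype.upper()))
    return sorted(rrsets - signed)


if __name__ == "__main__":
    owner, _, nsec3_rdata = AUTHORITY[1]
    print(nsec3_hash("mail.ic.fbi.gov", "BBAB", 10))           # same value nsec3hash printed
    print(nsec3_proves_nodata(owner, nsec3_rdata, "mail.ic.fbi.gov", "AAAA"))
    print(unsigned_rrsets(AUTHORITY))                          # the RRset a validator cannot trust
```

The NSEC3 itself is exactly what a correct NODATA answer needs: its hashed owner equals H(mail.ic.fbi.gov) and its bitmap lists only A and RRSIG. Without an RRSIG over that NSEC3, though, a validator has no way to tell it from one an attacker inserted, so the denial is unproven and unbound's SERVFAIL is the expected outcome.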



More information about the NANOG mailing list