Re: Anyone else seeing DNSSEC failures from EU Commission ? (european-union.europa.eu)

[Arne Jensen <darkdevil () darkdevil dk>]

Den 08-12-2021 kl. 16:23 skrev Masataka Ohta:
> Arne Jensen wrote:
>
> > It is my understanding that the CNAME should never have been followed,
>
> Wrong.

Hmm, okay.

-> https://www.rfc-editor.org/rfc/rfc4034.txt

Section 3, "The RRSIG Resource Record", at the third phrase:

>     Because every authoritative RRset in a zone must be protected by a
>     digital signature, RRSIG RRs must be present for names containing a
>     CNAME RR.  This is a change to the traditional DNS specification
>     [RFC1034], which stated that if a CNAME is present for a name, it is
>     the only type allowed at that name.  A RRSIG and NSEC (see Section 4)
>     MUST exist for the same name as a CNAME resource record in a signed
>     zone.
Can you tell me what exactly this means?

I fail to see that RRSIG in the following output:

> $ dig +dnssec AAAA european-union.europa.eu @1.1.1.1
>
> ; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> +dnssec AAAA 
> european-union.europa.eu @1.1.1.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16457
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1232
> ; OPT=15: 00 00 72 65 73 65 72 76 65 64 20 44 53 20 61 6c 67 6f 72 69 
> 74 68 6d ("..reserved DS algorithm")
> ;; QUESTION SECTION:
> ;european-union.europa.eu.      IN      AAAA
>
> ;; ANSWER SECTION:
> european-union.europa.eu. 1800  IN      CNAME 
> d1d395kgk3q1uk.cloudfront.net.
> d1d395kgk3q1uk.cloudfront.net. 60 IN    AAAA 
> 2600:9000:2021:ea00:13:6ecf:b700:93a1
> d1d395kgk3q1uk.cloudfront.net. 60 IN    AAAA 
> 2600:9000:2021:8200:13:6ecf:b700:93a1
> d1d395kgk3q1uk.cloudfront.net. 60 IN    AAAA 
> 2600:9000:2021:4c00:13:6ecf:b700:93a1
> d1d395kgk3q1uk.cloudfront.net. 60 IN    AAAA 
> 2600:9000:2021:1c00:13:6ecf:b700:93a1
> d1d395kgk3q1uk.cloudfront.net. 60 IN    AAAA 
> 2600:9000:2021:e600:13:6ecf:b700:93a1
> d1d395kgk3q1uk.cloudfront.net. 60 IN    AAAA 
> 2600:9000:2021:3a00:13:6ecf:b700:93a1
> d1d395kgk3q1uk.cloudfront.net. 60 IN    AAAA 
> 2600:9000:2021:f600:13:6ecf:b700:93a1
> d1d395kgk3q1uk.cloudfront.net. 60 IN    AAAA 
> 2600:9000:2021:2000:13:6ecf:b700:93a1
>
> ;; Query time: 68 msec
> ;; SERVER: 1.1.1.1#53(1.1.1.1)
> ;; WHEN: Wed Dec 08 14:53:06 CET 2021
> ;; MSG SIZE  rcvd: 347
>
> $

So maybe you would care to elaborate why I am wrong, and why Google and 
Quad9 is wrong too, while CloudFlare is actually doing the "right" thing 
here?

I would still, with the above output, say that CloudFlare shouldn't have 
followed the CNAME at that time.

> > since there isn't any covering RRSIG for the actual CNAME, exactly as 
> > the elaborative message on dnsviz.net claims.
>
> That CNAME RR is authenticated means it securely points to some
> other domain name, which may or may not be covered by RRSIG
> signature, which is no different from domain names pointed by
> signed MX RRs.

Both the CNAME RR (european-union.europa.eu) and MX RR's (your mention) 
must have a valid RRSIG when they are within a DNSSEC signed zone, but 
the CNAME RR didn't, as you can see above.

With the timestamp above showing 14:53 CET, and my message appearing 
here at 15:22 CET, the DNSSEC issue was actually fixed within that time, 
so if you're first checking around your own message at 16:23, an hour 
after it had already been resolved, then you will of course see no 
issues, at all, which I am not either.

Seems like it was fixed ~4 minutes after my output above:

> $ dig +dnssec AAAA european-union.europa.eu @1.1.1.1
>
> ; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> +dnssec AAAA 
> european-union.europa.eu @1.1.1.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19554
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1232
> ;; QUESTION SECTION:
> ;european-union.europa.eu.      IN      AAAA
>
> ;; ANSWER SECTION:
> european-union.europa.eu. 1800  IN      CNAME 
> d1d395kgk3q1uk.cloudfront.net.
> european-union.europa.eu. 1800  IN      RRSIG   CNAME 8 3 1800 
> 20220107135603 20211208125711 6276 europa.eu. 
> Gu/Zmxulc0RhNnCE55ATi/yCIUxP4NK9/msFIqPJuBhGrZiGT9+KomfL 
> XcgBGXlzNt24uE9cQo59/r6liN0BV4IA8k4DCwRKDp2dDJUSLYK6AvMa 
> Og+VVAKZvvHJZI6C41vBnD/PJahf9660CvXazzBX5a/W8FGhhVXsUUKx 
> 6780SgvqiXPn0RRNdJ2ZUFzGfY6/kTXsfAkT0TN7ZgGHq6whp/TVoZYb 
> vihl1NoiY4Ou/LFCtAmCJGWaT/h49kTCwIcq/5IgaBLn/CvcSz6YNXi0 
> RAV4jx+IVlTMzxIgBUsnOrOIoVH3j6LhtUrymfspWESoWBD7mFOjreyh wG+icw==
> d1d395kgk3q1uk.cloudfront.net. 60 IN    AAAA 
> 2600:9000:2021:d400:13:6ecf:b700:93a1
> d1d395kgk3q1uk.cloudfront.net. 60 IN    AAAA 
> 2600:9000:2021:c800:13:6ecf:b700:93a1
> d1d395kgk3q1uk.cloudfront.net. 60 IN    AAAA 
> 2600:9000:2021:9200:13:6ecf:b700:93a1
> d1d395kgk3q1uk.cloudfront.net. 60 IN    AAAA 
> 2600:9000:2021:d200:13:6ecf:b700:93a1
> d1d395kgk3q1uk.cloudfront.net. 60 IN    AAAA 
> 2600:9000:2021:c200:13:6ecf:b700:93a1
> d1d395kgk3q1uk.cloudfront.net. 60 IN    AAAA 
> 2600:9000:2021:be00:13:6ecf:b700:93a1
> d1d395kgk3q1uk.cloudfront.net. 60 IN    AAAA 
> 2600:9000:2021:b800:13:6ecf:b700:93a1
> d1d395kgk3q1uk.cloudfront.net. 60 IN    AAAA 
> 2600:9000:2021:600:13:6ecf:b700:93a1
>
> ;; Query time: 48 msec
> ;; SERVER: 1.1.1.1#53(1.1.1.1)
> ;; WHEN: Thu Dec 09 09:34:59 CET 2021
> ;; MSG SIZE  rcvd: 617
>
> $

And now, CloudFlare should indeed follow the CNAME, as the RRSIG for 
european-union.europa.eu is there.

--
Med venlig hilsen / Kind regards,
Arne Jensen