nanog mailing list archives

RE: DNSSEC & Wildcards


From: Dennis Burgess via NANOG <nanog () nanog org>
Date: Fri, 15 Mar 2024 18:12:20 +0000

Looks like Bjorn was correct, one too many signatures ☹  Removed one and it's all fixed!  Thanks to all that replied!!

-----Original Message-----
From: Bjørn Mork <bjorn () mork no> 
Sent: Friday, March 15, 2024 12:59 PM
To: Dennis Burgess via NANOG <nanog () nanog org>
Cc: Dennis Burgess <dmburgess () linktechs net>
Subject: Re: DNSSEC & Wildcards

Looks like your DNS server correctly queues up the RRs, but erroneously believes it can drop data from the Authority section without setting the TC bit.

Reducing the bufsize so the answer doesn't fit makes truncation work:

bjorn@miraculix:~$ dig a www.app.linktechs.net. +dnssec +multiline +norecur @139.60.210.20 +bufsize=512
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.18.24-1-Debian <<>> a www.app.linktechs.net. +dnssec +multiline +norecur @139.60.210.20 +bufsize=512
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5946
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1280
;; QUESTION SECTION:
;www.app.linktechs.net. IN A

;; ANSWER SECTION:
www.app.linktechs.net.  3600 IN A 139.60.210.81
www.app.linktechs.net.  3600 IN RRSIG A 8 3 3600 (
                                20240427232616 20240313222616 37041 linktechs.net.
                                NYC/4H2VZg12vj+tiWVkEROhXwm7JkBna6RQg6LO8kXr
                                oosDUpGnxrgOtJYsWYbYfM58opiC1OeAbcaCB9+nctIU
                                grrwcpuhmvlXYLZi1n/oAmelPldnQ6Hf93HuHi4ULFsS
                                Qfsoo8sdfjt/YSJ4WxjmsM9LMbZ2CZPMU44a3MdftGW1
                                fNKmZ1fLtVreP41KmvP6b01lyUMvjrvT26Yq57DgUDTo
                                iqU5skT+OHzx6ERJkt3tzzwm2pBMvBWFDXC668NtouIW
                                s3mrhJRBuNW3xSCsroaLQ0vmdml2BqNNh7MZNc38FNMJ
                                eh+ts3mbMnOOkzlI1Q8gKMMCWv+VRmv2DA== )
www.app.linktechs.net.  3600 IN RRSIG A 8 3 3600 (
                                20240427232616 20240313222616 11340 linktechs.net.
                                Th3OcZwOMNUb1zMdipnTnFdgFEaOGJ/VofQOTyxmnNCg
                                wl+1Q7eiQ89KHAWEDBisxd0S+EHu6/YBWY2srNx5q58P
                                XIZJ9oQXCqDLzSE884DTQNDEVrSMoKJ9slRU4N4Lj5tT
                                9LzbODmCM9ytRavOKXJHIddQa0MZT4p9cV8K2HI7XSFX
                                0rjieKFa7wDRJqhKyqrT3Rh/S93pavhKWUgN3GVO6hkI
                                H5F67UFpZK7o7nRlyqvM42ep5XaRZS/WJtLuXcTk/QM3
                                MBPTDWgJ0Bh8qpNuHDOb2XFH2I5dwjeKxuYCzeQzN1hL
                                gsmw3d1J2pNsYbC40jmi1bZr0bz2fDurIA== )

;; AUTHORITY SECTION:
_acme-challenge.app.linktechs.net. 1200 IN NSEC auto.linktechs.net. TXT RRSIG NSEC
_acme-challenge.app.linktechs.net. 1200 IN RRSIG NSEC 8 4 1200 (
                                20240427232616 20240313222616 11340 linktechs.net.
                                grjacRLmt+h5UMJkWMgrxeeY4m8kzNCokMsEFAi/10ld
                                2zcx7IZnB5oljSoZo2ZoqN0DEWVOrORGaU0kAcXDIwmD
                                89JG728W78+gikb8D+rpcSejfpAO8tRFO9saPSDY72uk
                                oP0Wle87oMcKmP9EXGcgsTZhd6Dld9qcAlUByGAZC/bi
                                SL5SDeALjpdqzXPXivP597VyJGakeEEjW0y2SmUOIDcg
                                6lOcSGX1QdmbaiHyAxHSjBsg4VV2Qpo2Br75xyfw3o1Z
                                oHMeacsAhhz5HQhtzv9DzULzmtmoA5sQn2VyBm2kcS+S
                                ZKpKioFnHj9BtOv3dn/F5hrQFhEInNPROw== )
_acme-challenge.app.linktechs.net. 1200 IN RRSIG NSEC 8 4 1200 (
                                20240427232616 20240313222616 37041 linktechs.net.
                                bt6W5P4VDC5fs2r/lxwSnI8bhqS2MH7n67Gd2EK6+DDx
                                HYy9MAmSZEy2OYGg7QHamrWr2I+Bq2Og8A0bRRA5TitQ
                                VcWyq3b+VpXUPukg7bmXl4KRNGxdAB8NysoOT75yvPTe
                                Jy1baNzYv9/in6rf8VKXUrKSPUqcAsK3Sz5QHkuzzaIP
                                d+u5m59DAlobNi17QbRGKIQaXTtgkSHpj4rt61MMEzpB
                                JDXE5FRLCJ4pqQPm+DcF0ZrKoYqKv/1rYZSVbW3rY0XB
                                VEBDVy5MJg0YenhbVPcDM9OYh2dfvh5ZvYS6xsXZulv8
                                mKnjdJo7v6qAzPNvIhymghM+0Tp8INxAjw== )

;; Query time: 120 msec
;; SERVER: 139.60.210.20#53(139.60.210.20) (TCP)
;; WHEN: Fri Mar 15 18:57:20 CET 2024
;; MSG SIZE  rcvd: 1326


And directly using TCP also works:

bjorn@miraculix:~$ dig a www.app.linktechs.net. +dnssec +multiline +norecur @139.60.210.20 +vc

; <<>> DiG 9.18.24-1-Debian <<>> a www.app.linktechs.net. +dnssec +multiline +norecur @139.60.210.20 +vc
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29513
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1280
;; QUESTION SECTION:
;www.app.linktechs.net. IN A

;; ANSWER SECTION:
www.app.linktechs.net.  3600 IN A 139.60.210.81
www.app.linktechs.net.  3600 IN RRSIG A 8 3 3600 (
                                20240427232616 20240313222616 37041 linktechs.net.
                                NYC/4H2VZg12vj+tiWVkEROhXwm7JkBna6RQg6LO8kXr
                                oosDUpGnxrgOtJYsWYbYfM58opiC1OeAbcaCB9+nctIU
                                grrwcpuhmvlXYLZi1n/oAmelPldnQ6Hf93HuHi4ULFsS
                                Qfsoo8sdfjt/YSJ4WxjmsM9LMbZ2CZPMU44a3MdftGW1
                                fNKmZ1fLtVreP41KmvP6b01lyUMvjrvT26Yq57DgUDTo
                                iqU5skT+OHzx6ERJkt3tzzwm2pBMvBWFDXC668NtouIW
                                s3mrhJRBuNW3xSCsroaLQ0vmdml2BqNNh7MZNc38FNMJ
                                eh+ts3mbMnOOkzlI1Q8gKMMCWv+VRmv2DA== )
www.app.linktechs.net.  3600 IN RRSIG A 8 3 3600 (
                                20240427232616 20240313222616 11340 linktechs.net.
                                Th3OcZwOMNUb1zMdipnTnFdgFEaOGJ/VofQOTyxmnNCg
                                wl+1Q7eiQ89KHAWEDBisxd0S+EHu6/YBWY2srNx5q58P
                                XIZJ9oQXCqDLzSE884DTQNDEVrSMoKJ9slRU4N4Lj5tT
                                9LzbODmCM9ytRavOKXJHIddQa0MZT4p9cV8K2HI7XSFX
                                0rjieKFa7wDRJqhKyqrT3Rh/S93pavhKWUgN3GVO6hkI
                                H5F67UFpZK7o7nRlyqvM42ep5XaRZS/WJtLuXcTk/QM3
                                MBPTDWgJ0Bh8qpNuHDOb2XFH2I5dwjeKxuYCzeQzN1hL
                                gsmw3d1J2pNsYbC40jmi1bZr0bz2fDurIA== )

;; AUTHORITY SECTION:
_acme-challenge.app.linktechs.net. 1200 IN NSEC auto.linktechs.net. TXT RRSIG NSEC
_acme-challenge.app.linktechs.net. 1200 IN RRSIG NSEC 8 4 1200 (
                                20240427232616 20240313222616 11340 linktechs.net.
                                grjacRLmt+h5UMJkWMgrxeeY4m8kzNCokMsEFAi/10ld
                                2zcx7IZnB5oljSoZo2ZoqN0DEWVOrORGaU0kAcXDIwmD
                                89JG728W78+gikb8D+rpcSejfpAO8tRFO9saPSDY72uk
                                oP0Wle87oMcKmP9EXGcgsTZhd6Dld9qcAlUByGAZC/bi
                                SL5SDeALjpdqzXPXivP597VyJGakeEEjW0y2SmUOIDcg
                                6lOcSGX1QdmbaiHyAxHSjBsg4VV2Qpo2Br75xyfw3o1Z
                                oHMeacsAhhz5HQhtzv9DzULzmtmoA5sQn2VyBm2kcS+S
                                ZKpKioFnHj9BtOv3dn/F5hrQFhEInNPROw== )
_acme-challenge.app.linktechs.net. 1200 IN RRSIG NSEC 8 4 1200 (
                                20240427232616 20240313222616 37041 linktechs.net.
                                bt6W5P4VDC5fs2r/lxwSnI8bhqS2MH7n67Gd2EK6+DDx
                                HYy9MAmSZEy2OYGg7QHamrWr2I+Bq2Og8A0bRRA5TitQ
                                VcWyq3b+VpXUPukg7bmXl4KRNGxdAB8NysoOT75yvPTe
                                Jy1baNzYv9/in6rf8VKXUrKSPUqcAsK3Sz5QHkuzzaIP
                                d+u5m59DAlobNi17QbRGKIQaXTtgkSHpj4rt61MMEzpB
                                JDXE5FRLCJ4pqQPm+DcF0ZrKoYqKv/1rYZSVbW3rY0XB
                                VEBDVy5MJg0YenhbVPcDM9OYh2dfvh5ZvYS6xsXZulv8
                                mKnjdJo7v6qAzPNvIhymghM+0Tp8INxAjw== )

;; Query time: 120 msec
;; SERVER: 139.60.210.20#53(139.60.210.20) (TCP)
;; WHEN: Fri Mar 15 18:57:56 CET 2024
;; MSG SIZE  rcvd: 1326



So you might be able to configure yourself out of that by simply dropping one of the ZSKs, reducing the number of signatures.  And/or using an algorithm with shorter signatures.

But it will always be fragile.


Bjørn
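The following is an added example, not code from the thread or from either poster. It rebuilds the response in Bjørn's dig output byte by byte (RFC 1035 name compression in owner names, none inside RRSIG/NSEC rdata as RFC 4034 requires) and models the two truncation policies the thread contrasts: a conforming server sets TC when the answer plus authority data does not fit the client's EDNS buffer, while the behaviour Bjørn diagnosed drops the Authority section silently. The Authority section matters here because the RRSIG labels field (3) is smaller than the label count of www.app.linktechs.net (4), so the answer is a wildcard expansion and a validating resolver needs the NSEC and its RRSIGs to prove it. Assumptions: the 344-character base64 signatures are 256-byte RSA/SHA-256 (algorithm 8) signatures, RRSIG timestamps are zeroed because they do not change the size, and the "correct" policy keeps only question and OPT when it truncates (real servers differ in how much they keep; the TC bit is the part that matters). With both key tags the model reproduces the 1326 bytes dig reported; with one it comes to 724 bytes.

```python
# Added example (not from the thread): byte-accurate size model of the
# www.app.linktechs.net response and of UDP truncation policy.
import struct

QNAME = "www.app.linktechs.net."
SIGNER = "linktechs.net."
SIG_BYTES = 256            # assumption: alg 8 with a 2048-bit key (344 base64 chars in dig output)
ZSK_TAGS = [37041, 11340]  # the two key tags seen in the dig output
EDNS_UDP = 1280            # udp size the server advertised in its OPT record
TC = 0x0200                # TC flag in the DNS header flags word


def encode_name(name, offset, table, compress=True):
    """Wire-encode a domain name. `table` maps label suffixes to the offset at which
    they were first written; a known suffix becomes a 2-byte pointer (RFC 1035 4.1.4).
    Names in RRSIG and NSEC rdata must not be compressed (RFC 4034 3.1.7 and 4.1.1)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = tuple(labels[i:])
        if compress and suffix in table:
            out += struct.pack("!H", 0xC000 | table[suffix])
            return bytes(out)
        table.setdefault(suffix, offset + len(out))
        out += bytes([len(label)]) + label.encode("ascii")
    out.append(0)          # root label terminates the name
    return bytes(out)


def rrsig_rdata(covered, labels, ttl, keytag):
    # RFC 4034 3.1: type covered, algorithm, labels, original TTL, expiration,
    # inception, key tag, signer name, signature. Timestamps zeroed (size-neutral).
    fixed = struct.pack("!HBBIIIH", covered, 8, labels, ttl, 0, 0, keytag)
    return fixed + encode_name(SIGNER, 0, {}, compress=False) + b"\0" * SIG_BYTES


def nsec_rdata(next_name, types):
    # RFC 4034 4.1: next owner name plus a type bitmap (window 0 only, types < 256).
    bitmap = bytearray(max(types) // 8 + 1)
    for t in types:
        bitmap[t // 8] |= 0x80 >> (t % 8)
    return encode_name(next_name, 0, {}, compress=False) + bytes([0, len(bitmap)]) + bytes(bitmap)


def build_message(answer, authority, additional, tc=False):
    """Serialise a QR/AA response to QNAME. RRs are (owner, type, class, ttl, rdata)."""
    table = {}
    flags = 0x8400 | (TC if tc else 0)   # QR, AA (+TC)
    msg = bytearray(struct.pack("!HHHHHH", 0, flags, 1, len(answer), len(authority), len(additional)))
    msg += encode_name(QNAME, len(msg), table) + struct.pack("!HH", 1, 1)   # A IN
    for owner, rtype, rclass, ttl, rdata in answer + authority + additional:
        msg += encode_name(owner, len(msg), table)
        msg += struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return bytes(msg)


def linktechs_response(zsk_tags):
    """The RRsets from the dig output, with one RRSIG per ZSK in each section."""
    answer = [(QNAME, 1, 1, 3600, bytes([139, 60, 210, 81]))]
    answer += [(QNAME, 46, 1, 3600, rrsig_rdata(1, 3, 3600, k)) for k in zsk_tags]
    nsec_owner = "_acme-challenge.app.linktechs.net."
    authority = [(nsec_owner, 47, 1, 1200, nsec_rdata("auto.linktechs.net.", [16, 46, 47]))]
    authority += [(nsec_owner, 46, 1, 1200, rrsig_rdata(47, 4, 1200, k)) for k in zsk_tags]
    additional = [(".", 41, EDNS_UDP, 0x8000, b"")]   # OPT: udp size in class, DO bit in ttl
    return answer, authority, additional


def udp_response(answer, authority, additional, bufsize, drop_authority_silently=False):
    """Return (wire, tc_set). A conforming server whose answer+authority data does not
    fit the client's bufsize sets TC so the client retries over TCP (RFC 1035 4.1.1,
    RFC 2181 9); this model then keeps only question and OPT. The faulty behaviour
    diagnosed in the thread drops the authority RRs and leaves TC clear."""
    full = build_message(answer, authority, additional)
    if len(full) <= bufsize:
        return full, False
    if drop_authority_silently:
        return build_message(answer, [], additional), False
    return build_message([], [], additional, tc=True), True


def header_summary(wire):
    """(tc_set, ANCOUNT, NSCOUNT) from a response header, for checking results."""
    flags, _, an, ns, _ = struct.unpack("!HHHHH", wire[2:12])
    return bool(flags & TC), an, ns


if __name__ == "__main__":
    for tags in (ZSK_TAGS, ZSK_TAGS[:1]):
        print(f"{len(tags)} ZSK(s): {len(build_message(*linktechs_response(tags)))} bytes on the wire")
    sections = linktechs_response(ZSK_TAGS)
    for silent in (False, True):
        wire, _ = udp_response(*sections, 1232, drop_authority_silently=silent)
        print(f"bufsize 1232, drop_authority_silently={silent}: {header_summary(wire)}")
```

Run with a 1232-byte bufsize (the common default since DNS Flag Day 2020): the two-ZSK response is 1326 bytes, so a conforming server answers with TC set and the client retries over TCP, exactly what the `+bufsize=512` run showed; the silent-drop policy returns a 668-byte NOERROR answer with NSCOUNT 0, which a validator cannot use because the wildcard proof is gone. Dropping one ZSK's signatures brings the full response to 724 bytes, which fits without truncation, matching the fix reported at the top of the thread.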
