> On 22 Apr 2021, at 10:00, Bron Gondwana <brong@xxxxxxxxxxxxxxxx> wrote:
>
> On Thu, Apr 22, 2021, at 09:47, Viktor Dukhovni wrote:
>> My domain has been signed since 2014 without any disruptions, with just
>> a modest monitoring script that has alerted me to pending expiration
>> (automated re-signing wasn't kicking in) a couple of times, well before
>> the signatures expired. The bugs that resulted in resigning not
>> happening have been fixed for some time, and I don't have to expend any
>> energy to keep DNSSEC running, it just works.
>
> That's you - you're an expert in this field. Most people aren't. And yet - as you mention, you had a bug with automated re-signing failing and had to add monitoring.
>
> Also, I suspect that the content of your zone is managed by... you.
>
> Extrapolating from that to assume that everyone else in the world will have the same experience... maybe the tooling has become heaps better than when we looked in 2016, but the list of DNSSEC failures hasn't exactly trickled to zero - cdc.gov in the year 2021 being a nice example case:
>
> https://mailman.nanog.org/pipermail/nanog/2021-January/211507.html

CDC just have plain incompetent DNS administrators. Serving different (unsigned/bad) content on ns[123].cdc.gov to that on the delegated server for akam.cdc.gov at the time was just idiotic. It will cause issues even without DNSSEC. If they are trying to make ns[123].cdc.gov hidden primaries for akam.cdc.gov they did an abysmal job of it. Put the hidden primaries on different addresses or use TSIG to select a different view with the unsigned content. They sent what appeared to be spoofed (signatures stripped) responses to every validating resolver on the planet. The validating resolvers eventually figure it out but not without exceeding client timeouts and/or query limits.
Currently they are returning REFUSED for names ending in akam.cdc.gov which means they effectively only have a single working nameserver for cdc.gov for anyone trying to reach their web site.

% dig dnskey akam.cdc.gov +norec +bufsize=1400 @ns1.cdc.gov

; <<>> DiG 9.15.4 <<>> dnskey akam.cdc.gov +norec +bufsize=1400 @ns1.cdc.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 8482
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 4a0cdd6da4a272451d341bfd6080edd34da99a5353fecd1d (good)
;; QUESTION SECTION:
;akam.cdc.gov. IN DNSKEY

;; Query time: 229 msec
;; SERVER: 198.246.96.61#53(198.246.96.61)
;; WHEN: Thu Apr 22 13:30:27 AEST 2021
;; MSG SIZE rcvd: 69

% dig dnskey akam.cdc.gov +norec +bufsize=1400 @ns2.cdc.gov

; <<>> DiG 9.15.4 <<>> dnskey akam.cdc.gov +norec +bufsize=1400 @ns2.cdc.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 35055
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b57f84015326a3acecdc0fa36080ede53418789f416c7f42 (good)
;; QUESTION SECTION:
;akam.cdc.gov. IN DNSKEY

;; Query time: 394 msec
;; SERVER: 198.246.96.92#53(198.246.96.92)
;; WHEN: Thu Apr 22 13:30:46 AEST 2021
;; MSG SIZE rcvd: 69

% dig dnskey akam.cdc.gov +norec +bufsize=1400 @ns3.cdc.gov

; <<>> DiG 9.15.4 <<>> dnskey akam.cdc.gov +norec +bufsize=1400 @ns3.cdc.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 9881
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 55043d8473bc59bbfd7e57206080edf744d56968c25be8bc (good)
;; QUESTION SECTION:
;akam.cdc.gov. IN DNSKEY

;; Query time: 303 msec
;; SERVER: 198.246.125.10#53(198.246.125.10)
;; WHEN: Thu Apr 22 13:31:04 AEST 2021
;; MSG SIZE rcvd: 69

% dig dnskey akam.cdc.gov +norec +bufsize=1400 @auth00.ns.uu.net

; <<>> DiG 9.15.4+ <<>> dnskey akam.cdc.gov +norec +bufsize=1400 @auth00.ns.uu.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7246
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 5ac471018fb08a53284b835c6080ee0d00573362d9cb243e (good)
;; QUESTION SECTION:
;akam.cdc.gov. IN DNSKEY

;; AUTHORITY SECTION:
akam.cdc.gov. 86400 IN NS a9-64.akam.net.
akam.cdc.gov. 86400 IN NS a5-66.akam.net.
akam.cdc.gov. 86400 IN NS a28-65.akam.net.
akam.cdc.gov. 86400 IN NS a8-67.akam.net.
akam.cdc.gov. 86400 IN NS a1-43.akam.net.
akam.cdc.gov. 86400 IN NS a2-64.akam.net.

;; Query time: 1266 msec
;; SERVER: 198.6.1.65#53(198.6.1.65)
;; WHEN: Thu Apr 22 13:31:26 AEST 2021
;; MSG SIZE rcvd: 198

%
% dig www.cdc.gov @ns1.cdc.gov +norec

; <<>> DiG 9.15.4 <<>> www.cdc.gov @ns1.cdc.gov +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58095
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 0753cc8fb65017d8e84280f26080ef345d618fe913abd0fe (good)
;; QUESTION SECTION:
;www.cdc.gov. IN A

;; ANSWER SECTION:
www.cdc.gov. 300 IN CNAME www.akam.cdc.gov.

;; Query time: 704 msec
;; SERVER: 198.246.96.61#53(198.246.96.61)
;; WHEN: Thu Apr 22 13:36:21 AEST 2021
;; MSG SIZE rcvd: 91

% dig www.cdc.gov @ns2.cdc.gov +norec

; <<>> DiG 9.15.4 <<>> www.cdc.gov @ns2.cdc.gov +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5508
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 527eb3a3f9958642ae7a63f76080ef4ff9709b05d69578e1 (good)
;; QUESTION SECTION:
;www.cdc.gov. IN A

;; ANSWER SECTION:
www.cdc.gov. 300 IN CNAME www.akam.cdc.gov.

;; Query time: 227 msec
;; SERVER: 198.246.96.92#53(198.246.96.92)
;; WHEN: Thu Apr 22 13:36:47 AEST 2021
;; MSG SIZE rcvd: 91

% dig www.cdc.gov @ns3.cdc.gov +norec

; <<>> DiG 9.15.4 <<>> www.cdc.gov @ns3.cdc.gov +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14138
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d152743ae9d43d26022fb3856080ef59995338b4117d63fe (good)
;; QUESTION SECTION:
;www.cdc.gov. IN A

;; ANSWER SECTION:
www.cdc.gov. 300 IN CNAME www.akam.cdc.gov.

;; Query time: 338 msec
;; SERVER: 198.246.125.10#53(198.246.125.10)
;; WHEN: Thu Apr 22 13:36:57 AEST 2021
;; MSG SIZE rcvd: 91

% dig www.cdc.gov @auth00.ns.uu.net +norec

; <<>> DiG 9.15.4 <<>> www.cdc.gov @auth00.ns.uu.net +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11325
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 1248394757c2c358b65340b76080ef880260f2463fd1f873 (good)
;; QUESTION SECTION:
;www.cdc.gov. IN A

;; ANSWER SECTION:
www.cdc.gov. 300 IN CNAME www.akam.cdc.gov.

;; AUTHORITY SECTION:
akam.cdc.gov. 86400 IN NS a5-66.akam.net.
akam.cdc.gov. 86400 IN NS a1-43.akam.net.
akam.cdc.gov. 86400 IN NS a9-64.akam.net.
akam.cdc.gov. 86400 IN NS a2-64.akam.net.
akam.cdc.gov. 86400 IN NS a8-67.akam.net.
akam.cdc.gov. 86400 IN NS a28-65.akam.net.

;; Query time: 223 msec
;; SERVER: 198.6.1.65#53(198.6.1.65)
;; WHEN: Thu Apr 22 13:37:44 AEST 2021
;; MSG SIZE rcvd: 220

%

> Bron.
>
> --
> Bron Gondwana, CEO, Fastmail Pty Ltd
> brong@xxxxxxxxxxxxxxxx

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@xxxxxxx
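The kind of cross-nameserver check that would have caught the cdc.gov inconsistency Mark describes, written as an added example (not from the thread, ISC or anyone in it): it parses dig's text output captured from each listed nameserver and flags any server that did not answer NOERROR, then any server whose answer or referral records differ from the majority. The sample captures are constructed, abridged from the dig runs above; the third capture and its 192.0.2.53 address are invented to exercise the mismatch case.

```python
import re
from collections import Counter

RE_STATUS = re.compile(r"status: (\w+)")
RE_SERVER = re.compile(r";; SERVER: ([^#\s]+)")

def parse_dig(text):
    """Pull rcode, responding server and the ANSWER/AUTHORITY records out of
    one dig run in the text format shown in the thread."""
    status = RE_STATUS.search(text)
    server = RE_SERVER.search(text)
    records = set()
    for line in text.splitlines():
        parts = line.split()
        # Record lines read "name TTL IN TYPE rdata"; ';'-prefixed lines are dig chatter.
        if not line.startswith(";") and len(parts) >= 5 and parts[2] == "IN":
            records.add((parts[0], parts[3], " ".join(parts[4:])))
    return {"server": server.group(1) if server else "?",
            "status": status.group(1) if status else "?",
            "records": frozenset(records)}

def check_consistency(dig_outputs):
    """Return (server, problem) pairs: first every non-NOERROR responder, then
    every NOERROR responder whose record set differs from the majority."""
    parsed = [parse_dig(t) for t in dig_outputs]
    answered = [p for p in parsed if p["status"] == "NOERROR"]
    majority = (Counter(p["records"] for p in answered).most_common(1)[0][0]
                if answered else None)
    problems = []
    for p in parsed:
        if p["status"] != "NOERROR":
            problems.append((p["server"], "rcode " + p["status"]))
        elif p["records"] != majority:
            problems.append((p["server"], "records differ from majority"))
    return problems

# Constructed samples, abridged from the thread's "dig dnskey akam.cdc.gov"
# runs: ns1.cdc.gov answered REFUSED, auth00.ns.uu.net returned a referral.
NS1 = """;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 8482
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 198.246.96.61#53(198.246.96.61)"""
UU = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7246
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; AUTHORITY SECTION:
akam.cdc.gov. 86400 IN NS a9-64.akam.net.
akam.cdc.gov. 86400 IN NS a5-66.akam.net.
;; SERVER: 198.6.1.65#53(198.6.1.65)"""
# Constructed, not from the thread: a server handing out a different NS set.
OTHER = UU.replace("a5-66", "a2-64").replace("198.6.1.65", "192.0.2.53")
```

Run it over one capture per nameserver from the commands shown above; a non-empty result is the alert a monitoring script should raise.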