Discussion:
Testing KASP, CDS, and .ch
Jim Popovitch via bind-users
2021-04-09 18:57:59 UTC
Hello!

I've read the "Schacher 20200622 Support for and adoption of CDS in .ch
and .li", and studied
https://kb.isc.org/docs/dnssec-key-and-signing-policy, however I've hit a brick wall:

https://dnsviz.net/d/domainmail.ch/dnssec/

What am I missing?

I'm using the following policy and zone config:

dnssec-policy "test" {
keys { csk lifetime P30D algorithm ECDSAP256SHA256; };
};

zone "domainmail.ch" {
type master;
file "/etc/bind/zone/domainmail.ch";
dnssec-policy "test";
};

Here is the info on the active keys:

/etc/bind/keys/Kdomainmail.ch.+013+22048.key
; This is a key-signing key, keyid 22048, for domainmail.ch.
; Created: 20210208192710 (Mon Feb 8 19:27:10 2021)
; Publish: 20210208192710 (Mon Feb 8 19:27:10 2021)
; Activate: 20210208222710 (Mon Feb 8 22:27:10 2021)
; Inactive: 20210310222710 (Wed Mar 10 22:27:10 2021)
; Delete: 20210320233210 (Sat Mar 20 23:32:10 2021)
; SyncPublish: 20210208222710 (Mon Feb 8 22:27:10 2021)

/etc/bind/keys/Kdomainmail.ch.+013+17870.key
; This is a key-signing key, keyid 17870, for domainmail.ch.
; Created: 20210310202210 (Wed Mar 10 20:22:10 2021)
; Publish: 20210310202210 (Wed Mar 10 20:22:10 2021)
; Activate: 20210310222710 (Wed Mar 10 22:27:10 2021)
; Inactive: 20210409222710 (Fri Apr 9 22:27:10 2021)
; Delete: 20210419233210 (Mon Apr 19 23:32:10 2021)
; SyncPublish: 20210310222710 (Wed Mar 10 22:27:10 2021)

/etc/bind/keys/Kdomainmail.ch.+013+04319.key
; This is a key-signing key, keyid 4319, for domainmail.ch.
; Created: 20210220012755 (Sat Feb 20 01:27:55 2021)
; Publish: 20210220012755 (Sat Feb 20 01:27:55 2021)
; Activate: 20210220012755 (Sat Feb 20 01:27:55 2021)
; Inactive: 20210221040633 (Sun Feb 21 04:06:33 2021)
; Delete: 20210303051133 (Wed Mar 3 05:11:33 2021)
; SyncPublish: 20210221023255 (Sun Feb 21 02:32:55 2021)


-Jim P.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
John W. Blue via bind-users
2021-04-09 19:05:15 UTC
So the issue here is that the DS record that sits in .ch has an ID of 22048 but the domainmail.ch servers are telling the world that the correct ID is 17870.

Thus the DNSSEC breakage.

John

Jim Popovitch via bind-users
2021-04-09 19:11:34 UTC
Post by John W. Blue via bind-users
So the issue here is that the DS record that sits in .ch has an ID of 22048 but the domainmail.ch servers are telling the world that the correct ID is 17870.
Thus the DNSSEC breakage.
Of course, however there is no 22048 id in Gandi (the Registrar), yet it
appears in .ch, and 17870 is still Active (as of this moment in time).

What I can't figure out is how/when does .ch query the CDS/CDNSKEY data.

I know that I can make the domain validate by manually putting a
keyid+data in Gandi, but the whole purpose of CDS/CDNSKEY is to not have
to do that, no?

-Jim P.



John W. Blue via bind-users
2021-04-09 20:17:49 UTC
The owner of domainmail.ch will need to give .ch an updated copy of the DS record that contains 17870.

Once that has been accomplished .ch will start telling the open internet to expect 17870 when talking to domainmail.ch. When the open internet matches what it expects with what it gets then DNSSEC will be validated.

John

John W. Blue via bind-users
2021-04-09 20:21:33 UTC
Sorry .. clicked send too soon.

Found this via google:

https://docs.gandi.net/en/domain_names/advanced_users/dnssec.html

"You can not add DS keys as we compute it for you with the KSK or ZSK, then we send it to the registry."

So it looks like the owner of domainmail.ch must get the DS from Gandi??? I wouldn't know how that would work exactly but clearly a conversation is needed with Gandi.

Good hunting.

John

Jim Popovitch via bind-users
2021-04-09 21:49:10 UTC
Post by John W. Blue via bind-users
Sorry .. clicked send too soon.
https://docs.gandi.net/en/domain_names/advanced_users/dnssec.html
"You can not add DS keys as we compute it for you with the KSK or ZSK, then we send it to the registry."
So it looks like the owner of domainmail.ch must get the DS from Gandi??? I wouldn't know how that would work exactly but clearly a conversation is needed with Gandi.
Good hunting.
Thanks for trying but I think you're missing the point of this thread. I'm not asking about how to configure DNSSEC the traditional way.

Btw, one *can* manually set up a DS RR at Gandi, but they take and decode the actual key data not the DS.


-Jim P
Hugo Salgado
2021-04-09 20:23:48 UTC
Switch has a website to test the CDS processing for .ch:
https://www.nic.ch/security/cds/

For domainmail.ch it says "The CDS configuration of the domain name
domainmail.ch will not be processed.
[ ... ]
The DNS query returned: "Server failed to complete the DNS request".
"

You should check the requirements. You'd need to answer for three
consecutive days, be consistent in all NS IP addresses, etc.

Hugo
Jim Popovitch via bind-users
2021-04-09 21:35:01 UTC
Thanks Hugo! That helps.

-Jim P.
Oli Schacher
2021-04-10 11:18:41 UTC
Hi Jim
let me give you a bit more info
Post by Hugo Salgado
https://www.nic.ch/security/cds/
for domainmail.ch it says "The CDS configuration of the domain name
domainmail.ch will not be processed.
[ ... ]
The DNS query returned: "Server failed to complete the DNS request".
"
It looks like until last night (when the last check ran), the domain was
BOGUS ( https://dnsviz.net/d/domainmail.ch/YHDacA/dnssec/ ) - so we
couldn't even fetch the CDS RRSET. RFC 8078 / 7344 can not be used to
fix a bogus domain, this needs to be fixed by updating the DS through
the registrar (which it seems you have done by now).

The error message on our website in this case is indeed not very clear.
Eventually I hope to improve this once our resolvers support RFC 8914
Extended DNS Errors, which we could pass on to the frontend.
Post by Hugo Salgado
Post by Jim Popovitch via bind-users
What I can't figure out is how/when does .ch query the CDS/CDNSKEY data.
This process happens in two stages, once every 24 hours.

In stage 1 (during the night), we scan all .CH and .LI domains for their
CDS RRSETS.
Domains which already have DS in parent are scanned through a validating
resolver. This is where domainmail.ch failed up until last night.
Domains which are currently insecure (=no DS in parent) are scanned over
TCP from multiple locations on every IP address of all nameservers
registered at the registry.

In stage 2 (during the day) we process the domains with CDS records
found in stage 1 and perform additional checks. If all checks pass, we
apply the requested change, i.e. the DS RRSET is changed to match the
published CDS RRSET.
Some restrictions are different if the domain already has a valid DS in
parent. For example, INSECURE domains need to provide a consistent CDS
RRSET on all their nameserver IPs for at least three consecutive days
before the DS RRSET is activated. Key Rollovers or going unsigned
happen immediately if the current CDS RRSET validates ok. The 3 day
delay initially also applied to Rollovers and Deletes, but we have
meanwhile lifted this restriction as it did not provide a security
benefit and caused operational issues (for example, changing Nameserver
operators).
Some other restrictions however apply in all cases, for example, the CDS
RRSET will not be processed if the resulting DS RRSET would break the
chain of trust.

Best regards
Oli
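The two-stage processing Oli describes, modelled as an added example (not SWITCH's or ISC's code): RFC 4034 key tag and RFC 4509 SHA-256 DS computation for a DNSKEY, then the stage-2 rules (bogus zones skipped, three-day rule for insecure domains, immediate rollover or delete for validating zones, chain-of-trust check). The `decide` helper, the keys, key tags and IP addresses are constructed for illustration.

```python
import hashlib

# Added example, not SWITCH's or ISC's code: a model of the two-stage .ch/.li
# CDS processing described in the thread, with the RFC 4034 / RFC 4509 helpers
# needed to turn a DNSKEY into a DS. All keys, IPs and tags are constructed.

DELETE_CDS = (0, 0, 0, "00")   # RFC 8078 "CDS 0 0 0 00": request to go unsigned

def wire_name(name: str) -> bytes:
    """Owner name in canonical DNS wire format (RFC 4034 section 6.2)."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags|proto|alg|key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_sha256(owner: str, rdata: bytes) -> tuple:
    """DS tuple (key tag, algorithm, digest type 2, hex digest) per RFC 4509."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def decide(parent_ds, cds_by_ip, status, consistent_days, signing_tags):
    """Stage-2 decision for one domain, following the rules given in the thread.
    parent_ds: set of DS tuples currently in .ch; empty means the domain is insecure
    cds_by_ip: {nameserver IP: set of CDS tuples} as scanned in stage 1
    status: 'secure' or 'bogus' as seen by the validating resolver
    consistent_days: days the identical CDS RRset was seen on every NS IP
    signing_tags: key tags of the DNSKEYs that actually sign the DNSKEY RRset
    """
    if parent_ds and status == "bogus":
        # Stage 1 already failed: a signed-but-bogus zone cannot be repaired by CDS.
        return "skip", "zone is bogus; fix the DS through the registrar"
    rrsets = list(cds_by_ip.values())
    if not rrsets or any(r != rrsets[0] for r in rrsets):
        return "skip", "no CDS RRset, or inconsistent across nameserver IPs"
    cds = rrsets[0]
    if cds == parent_ds:
        return "noop", "DS already matches CDS"
    if cds == {DELETE_CDS}:
        return ("delete", "going unsigned") if parent_ds else ("noop", "already insecure")
    if not any(tag in signing_tags for tag, _, _, _ in cds):
        return "skip", "resulting DS would break the chain of trust"
    if not parent_ds and consistent_days < 3:
        return "wait", f"insecure domain: {consistent_days}/3 consecutive days seen"
    return "replace", "DS RRset replaced with the published CDS RRset"

# Constructed DNSKEY RDATA: flags 257 (KSK), protocol 3, algorithm 13, 64-byte key.
OWNER = "domainmail.ch"
OLD_KEY = b"\x01\x01\x03\x0d" + bytes(range(64))
NEW_KEY = b"\x01\x01\x03\x0d" + bytes(range(64, 128))
OLD_DS, NEW_DS = ds_sha256(OWNER, OLD_KEY), ds_sha256(OWNER, NEW_KEY)

if __name__ == "__main__":
    # The thread's situation: parent DS names the old key, zone signed only with the new one.
    print(decide({OLD_DS}, {"192.0.2.1": {NEW_DS}}, "bogus", 1, {NEW_DS[0]}))
    # Same rollover done properly (both keys signing, zone validates): applied at once.
    print(decide({OLD_DS}, {"192.0.2.1": {NEW_DS}}, "secure", 1, {OLD_DS[0], NEW_DS[0]}))
    # A still-insecure domain must be consistent on all NS IPs for three days first.
    print(decide(set(), {"192.0.2.1": {NEW_DS}, "192.0.2.2": {NEW_DS}}, "secure", 2, {NEW_DS[0]}))
```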
Jim Popovitch via bind-users
2021-04-10 11:42:12 UTC
Post by Oli Schacher
Hi Jim
let me give you a bit more info
Post by Hugo Salgado
https://www.nic.ch/security/cds/
for domainmail.ch it says "The CDS configuration of the domain name
domainmail.ch will not be processed.
[ ... ]
The DNS query returned: "Server failed to complete the DNS request".
"
It looks like until last night (when the last check ran), the domain was
BOGUS ( https://dnsviz.net/d/domainmail.ch/YHDacA/dnssec/ ) - so we
couldn't even fetch the CDS RRSET. RFC 8078 / 7344 can not be used to
fix a bogus domain, this needs to be fixed by updating the DS through
the registrar (which it seems you have done by now).
To be clear, although this is the first time I've reached out to this
list, I have had the DNSSEC correct on and off since it was registered
on 2021-Jan-04.
Post by Oli Schacher
The error message on our website in this case is indeed not very clear.
Eventually I hope to improve this once our resolvers support RFC8914
extended dns errors which we could pass on to the frontend.
+1 Thanks!!
Post by Oli Schacher
Post by Hugo Salgado
Post by Jim Popovitch via bind-users
What I can't figure out is how/when does .ch query the CDS/CDNSKEY data.
This process happens in two stages, once every 24 hours.
In stage 1 (during the night), we scan all .CH and .LI domains for their
CDS RRSETS.
Domains which already have DS in parent are scanned through a validating
resolver. This is where domainmail.ch failed up until last night.
Domains which are currently insecure (=no DS in parent) are scanned over
TCP from multiple locations on every IP address of all nameservers
registered at the registry.
In stage 2 (during the day) we process the domains with CDS records
found in stage 1 and perform additional checks. If all checks pass, we
apply the requested change, i.e. the DS RRSET is changed to match the
published CDS RRSET.
Some restrictions are different if the domain already has a valid DS in
parent. For example, INSECURE domains need to provide a consistent CDS
RRSET on all their nameserver IPs for at least three consecutive days
before the DS RRSET is activated. Key Rollovers or going unsigned
happen immediately if the current CDS RRSET validates ok. The 3 day
delay initially also applied to Rollovers and Deletes, but we have
meanwhile lifted this restriction as it did not provide a security
benefit and caused operational issues (for example, changing Nameserver
operators).
Some other restrictions however apply in all cases, for example, the CDS
RRSET will not be processed if the resulting DS RRSET would break the
chain of trust.
Thank you for that info.

Something that most certainly contributed to my problems is that when I
did my first rounds of testing, months ago, I had a dnssec-policy of 24
hours. At that time I didn't know about the 3-day rule, so I have
definitely learned something. Thank you.

-Jim P.

