Expired RRSIGs, yet still "AD" flag set

Hauke_Lampe · March 30, 2011, 11:54am

Hi.

I have a case here where RRSIGs expired, yet Unbound still sets the "AD"
flag in responses. The records have a TTL of 2 days, so I think the
signatures expired while in the cache and Unbound did not revalidate
them before handing out the answer.

I'm not too deep into the details of all DNSSEC RFCs. Is this behaviour
permitted by the standard or is it a bug in Unbound?

Installed version is svn rev. 2406.

; <<>> DiG 9.8.0rc1 <<>> +dnssec mixmaster.mixmin.net mx @10.42.22.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13580
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65432
;; QUESTION SECTION:
;mixmaster.mixmin.net. IN MX

;; ANSWER SECTION:
mixmaster.mixmin.net. 18287 IN MX 10 snorky.mixmin.net.
mixmaster.mixmin.net. 18287 IN RRSIG MX 5 3 172800 20110328161855 20110226161855 58161 mixmin.net. xIOOe273z9oJb6EM4l0/KzqrYYXUHUbQRP89U1GMjyJ/hYdNhRZGzCj2 RcRx21v3hjL+1F9KCc280MqXUo6FGKUBC4ZQ09geQ5dkHEesXi8Cwoo1 QcETDvSmTR3/PN0Bz/Ho77m/+7DgrV6dRexABBpTWNYio+OBO8kCR1+y iq0=

;; AUTHORITY SECTION:
mixmin.net. 16906 IN NS asteria.debian.or.at.
mixmin.net. 16906 IN NS snorky.mixmin.net.
mixmin.net. 16906 IN NS fleegle.mixmin.net.
mixmin.net. 16906 IN RRSIG NS 5 2 172800 20110328161855 20110226161855 58161 mixmin.net. ezh+yZwfiaI7D9j0m5cV2nhVb7SLPpx3OJymq7GyjT/q3foKCBTUNq5A CqQP5c/ewSenV2uFeDVhQLaeldT6O6Sv+V+Wa+OU7Xc6qFE4IXjM4+Uv DjUhk+e/kV81Gh+I3Z5AvmQ9/H5dTCno6HBp/lzoDj/iU11tcWw3cnK+ K2w=

;; ADDITIONAL SECTION:
snorky.mixmin.net. 16906 IN A 188.40.76.149
snorky.mixmin.net. 16906 IN AAAA 2a01:4f8:100:5243::3
fleegle.mixmin.net. 16906 IN A 82.133.6.118
fleegle.mixmin.net. 16906 IN AAAA 2002:5285:676::1
snorky.mixmin.net. 16906 IN RRSIG A 5 3 172800 20110328161855 20110226161855 58161 mixmin.net. 5+XnM1ATswU8jCbVfEv8YXGbJV2XPH3bbLmNwHCe5Kr+WmMTZ4T/+udL 8fwh/TxDnEDTj5/MZOC5C/7z1/FbPwzkBU5sYWezLnCNrq7IyWr7WlHe nZBu47J48xQuTz1Ag74mCIBUNfEvZ72TPnjEr5X+O1wDfSfcCFOP4nYB sJE=
snorky.mixmin.net. 16906 IN RRSIG AAAA 5 3 172800 20110328161855 20110226161855 58161 mixmin.net. y5a5ai11w1lERhTwlXGj8pcACFSuvcQcKokFHQ/fVBO5b30BKRs2rQ6P n37RO0p9WfcXgYg3Exhv6ae9FyPfbAjHwmGFCr/wl5MJN1s24DG9aj2b L/Rf+AK+Vunyjg4GXYLBZVaC59CZNef/gXlSFquh9RKKwcjVMI8/HM0j JYQ=
fleegle.mixmin.net. 16906 IN RRSIG A 5 3 172800 20110328161855 20110226161855 58161 mixmin.net. 5aglAu0Q61hTr+8lpJk2zWt6XJ9U7sO2Vl6tktDTh4ywr3JR/CrbnzRS jeOO0ZOPopXenSUayQ7t5q7LP2wD2giP9YSWsrFXZBZ0a2po5vkxCsCg aY6LKNPK6tXV2uuZWw0s4XOwC0y7HZ6W2j8atovfVrghtx8Tn0gkL7V0 uVA=
fleegle.mixmin.net. 16906 IN RRSIG AAAA 5 3 172800 20110328161855 20110226161855 58161 mixmin.net. XZWrf/dDj1RgG3cAXBB2oTKgi0tqAkJf4q8lNc0l2i/eqSYiaZAEHEgC RmRVG4W+GmSrb5vp49NCATcCFDe/vmHH9TlN60hQVFkdj6P3i8t/2TxC M9EUtCeX0prPCNuZpJeLYBuXU03hFEnyUag3td6mgW9pCSGaW4c3nxR5 tZo=

;; Query time: 25 msec
;; SERVER: 10.42.22.8#53(10.42.22.8)
;; WHEN: Wed Mar 30 13:39:12 2011
;; MSG SIZE rcvd: 1250

Hauke.

Stephane_Bortzmeyer · March 30, 2011, 12:44pm

a message of 57 lines which said:

I have a case here where RRSIGs expired, yet Unbound still sets the
"AD" flag in responses.

What is your value of val-sig-skew-min and val-sig-skew-max? By
default, Unbound allows expired signatures for 10 % of their validity
period.

PaulWouters · March 30, 2011, 12:48pm

RFC4034 states:

3.1.5. Signature Expiration and Inception Fields

    The Signature Expiration and Inception fields specify a validity
    period for the signature. The RRSIG record MUST NOT be used for
    authentication prior to the inception date and MUST NOT be used for
    authentication after the expiration date.

I read that as: if the record is authenticated, put it in the cache and
use it until the TTL has expired.

Paul

Wouter · March 30, 2011, 12:49pm

Hi,

Hauke_Lampe · March 30, 2011, 12:52pm

What is your value of val-sig-skew-min and val-sig-skew-max? By
default, Unbound allows expired signatures for 10 % of their validity
period.

They're still at their default values:

# The signature inception and expiration dates are allowed to be off
# by 10% of the signature lifetime (expir-incep) from our local clock.
# This leeway is capped with a minimum and a maximum. In seconds.
# val-sig-skew-min: 3600
# val-sig-skew-max: 86400

val-sig-skew-max should have limited the allowed skew anyway, as the
signatures already expired two days ago.

After flushing the cache, Unbound returns SERVFAIL, as expected:

unbound: info: Could not establish a chain of trust to keys for <mixmin.net. DNSKEY IN>
unbound: info: validation failure <fleegle.mixmin.net. A IN>: signature expired from 86.59.118.153 for key mixmin.net. while building chain of trust

Hauke.

Andreas_Schulze · March 30, 2011, 12:54pm

not here: (unbound-1.4.9)

# dig @127.0.0.1 mixmaster.mixmin.net. mx +dnssec

; <<>> DiG 9.5.0-P2 <<>> @127.0.0.1 mixmaster.mixmin.net. mx +dnssec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24891
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;mixmaster.mixmin.net. IN MX

;; ANSWER SECTION:
mixmaster.mixmin.net. 172722 IN MX 10 snorky.mixmin.net.
mixmaster.mixmin.net. 172722 IN RRSIG MX 5 3 172800 20110328161855 20110226161855 58161 mixmin.net. xIOOe273z9oJb6EM4l0/KzqrYYXUHUbQRP89U1GMjyJ/hYdNhRZGzCj2 RcRx21v3hjL+1F9KCc280MqXUo6FGKUBC4ZQ09geQ5dkHEesXi8Cwoo1 QcETDvSmTR3/PN0Bz/Ho77m/+7DgrV6dRexABBpTWNYio+OBO8kCR1+y iq0=

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Mar 30 14:46:59 2011
;; MSG SIZE rcvd: 242

# unbound-host -C /etc/unbound/unbound.conf -v mixmaster.mixmin.net.
mixmaster.mixmin.net. mail is handled by 10 snorky.mixmin.net. (insecure)

# unbound-host -C /etc/unbound/unbound.conf -v nic.cz
nic.cz mail is handled by 10 mail.nic.cz. (secure)
nic.cz mail is handled by 15 mail4.nic.cz. (secure)
nic.cz mail is handled by 20 mx.cznic.org. (secure)
nic.cz mail is handled by 30 bh.nic.cz. (secure)

# date
Wed Mar 30 14:50:34 CEST 2011

Andreas

Hauke_Lampe · March 30, 2011, 1:04pm

You're right. mixmin.net isn't chained from .net anymore (it used to
be). It's still listed in dlv.isc.org, that's where my resolver got the
trust chain from. I notified the domain owner. He'll fix it soon.

I was just curious why mail to that domain still got delivered, even
though the BIND resolver logged lots of validation failures.

Hauke.

Jan-Piet_Mens1 · March 30, 2011, 1:10pm

I was just curious why mail to that domain still got delivered, even
though the BIND resolver logged lots of validation failures.

Maybe from MXs that are using non-validating resolvers?

-JP

PaulWouters · March 30, 2011, 1:30pm

Interesting. Isn't that dangerous? It could cause peak loads if all
resolvers worldwide throw away the record at the exact same time...

Paul

Hauke_Lampe · March 30, 2011, 1:33pm

Paul Wouters wrote:

Hauke_Lampe · March 30, 2011, 1:48pm

Jan-Piet Mens wrote:

Patrik_Wallstrom · March 30, 2011, 1:48pm

Only if you have expiration times that are shorter than TTL, right? Is that common?

Tony_Finch · March 30, 2011, 2:24pm

It's a configuration error that will lead to validation failures.

Tony.

Hauke_Lampe · March 30, 2011, 7:52pm

I increased the maximum cache TTL from the default 1 day to 1 week.
Could that be a factor here?

# the time to live (TTL) value cap for RRsets and messages in the
# cache. Items are not cached for longer. In seconds.
cache-max-ttl: 604800

In a discussion on IRC, a question came up whether "an attacker can
tamper with TTLs on the wire and cause data to never ever expire, even
long after their signature has expired" and have an application like
OpenSSH still believe in the AD flag.

I haven't quite wrapped my head around how that could work, yet. It
seems like a lot of effort for little gain. I'm thinking of dynamic
address records or SSHFP here. Is the original TTL in the RRSIG data
taken into account anywhere?

I guess, I'll have to read up on some more DNSSSEC details now.

Thanks for all the answers.

Hauke.

Wouter · March 31, 2011, 6:55am

Hi Hauke,

Actually unbound caps the TTL so it does not extend beyond the
expiration time. Or, it should, and there is a bug.

I increased the maximum cache TTL from the default 1 day to 1 week.
Could that be a factor here?

yes. But unbound should still stop the TTL at the expiration time. But
maybe the TTL was very large and the 10% skew, with the higher max-ttl,
gave a larger extra-lenience.

# the time to live (TTL) value cap for RRsets and messages in the
# cache. Items are not cached for longer. In seconds.
cache-max-ttl: 604800

In a discussion on IRC, a question came up whether "an attacker can
tamper with TTLs on the wire and cause data to never ever expire, even
long after their signature has expired" and have an application like
OpenSSH still believe in the AD flag.

not for unbound, because of the max-ttl.

I haven't quite wrapped my head around how that could work, yet. It
seems like a lot of effort for little gain. I'm thinking of dynamic
address records or SSHFP here. Is the original TTL in the RRSIG data
taken into account anywhere?

Yes the TTL can not be larger than that original TTL. Unbound adjusts
it lower if so.

I guess, I'll have to read up on some more DNSSSEC details now.

Thanks for all the answers.

Best regards,
Wouter

Olafur_Gudmundsson · March 31, 2011, 9:09am

The section to read is 5.3.3 last paragraph:
    If the resolver accepts the RRset as authentic, the validator MUST
    set the TTL of the RRSIG RR and each RR in the authenticated RRset to
    a value no greater than the minimum of:

o the RRset's TTL as received in the response;

o the RRSIG RR's TTL as received in the response;

o the value in the RRSIG RR's Original TTL field; and

o the difference of the RRSIG RR's Signature Expiration time and the
current time.