From psimerda at redhat.com Fri Nov 14 13:42:01 2014
From: psimerda at redhat.com (Pavel Simerda)
Date: Fri, 14 Nov 2014 08:42:01 -0500 (EST)
Subject: [Dnssec-trigger] DNSSEC Roadblock Avoidance and the wildcard NSEC/NSEC3 issue
In-Reply-To: <1994172483.6259875.1415970898693.JavaMail.zimbra@redhat.com>
Message-ID: <210158778.6269511.1415972521398.JavaMail.zimbra@redhat.com>

Hello,

I recently came across the DNSSEC Roadblock Avoidance draft[1] as well as an issue[2] with older BIND versions being detected as DNSSEC capable while incapable of correctly supporting DNSSEC on domains with wildcards.

[1] http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-roadblock-avoidance-01
[2] https://bugzilla.redhat.com/show_bug.cgi?id=824219

We identified a need to check the DNSSEC Aware[3] resolver for NSEC/NSEC3 on a domain with wildcard subdomains. I created a trivial patch[4] for dnssec-trigger that replaces the NSEC3 testing domains with wildcard ones and plan to test it with a broken name server and update the test accordingly.

[3] http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-roadblock-avoidance-01#section-4.1
[4] https://bugzilla.redhat.com/show_bug.cgi?id=824219#c46

I realized that dnssec-trigger doesn't specifically check for NSEC support and only performs an NSEC3 test. I'm curious whether we should add a specific NSEC test to dnssec-trigger.

On the other hand, the draft doesn't talk about wildcard records at all, so I suspect it ignores this issue present in actual deployments. I propose that the draft is extended to also include wildcard NSEC/NSEC3 tests.

As a side note, when I was at LinuxCon Dusseldorf, I found out that the local network configuration was very bad from the DNS/DNSSEC perspective. I couldn't make most tools work with that network at all.

EDNS queries were responded to with NXDOMAIN.
TCP queries weren't answered at all.
UDP queries to external servers were answered from the local servers (with wrong source IP).
TCP queries to external servers worked.

In such a case I would expect dnssec-trigger to configure unbound either to use authoritative servers using TCP, or to use a TCP 80/443 fallback (as configured in dnssec-trigger.conf), which wasn't the case. I wonder whether a tool implementing the draft would cope with such a situation.

Cheers,

Pavel

From psimerda at redhat.com Thu Nov 20 16:19:08 2014
From: psimerda at redhat.com (Pavel Simerda)
Date: Thu, 20 Nov 2014 11:19:08 -0500 (EST)
Subject: [Dnssec-trigger] a number of patches for various issues
In-Reply-To: <606769105.1187875.1416500240759.JavaMail.zimbra@redhat.com>
Message-ID: <838613928.1188357.1416500348491.JavaMail.zimbra@redhat.com>

Hi,

the commit messages are pretty much descriptive. Use the links to bugzilla tickets for more detailed information about the goals.

Cheers,

Pavel

-------------- next part --------------
Non-text attachments (Type: text/x-patch) were scrubbed by the archive:
0001-dnssec-trigger-script-lock-update-methods-only.patch (6009 bytes)
0002-dnssec-trigger-script-improve-etc-dnssec.conf-handli.patch (2093 bytes)
0003-dnssec-trigger-script-support-debug-option-in-etc-dn.patch (1353 bytes)
0004-dnssec-trigger-script-clean-up-resolv.conf-backup-an.patch (5397 bytes)
0005-dnssec-trigger-script-use-var-run-NetworkManager-res.patch (1724 bytes)
0006-allow-the-resolv.conf-hooks-be-handled-by-dnssec-tri.patch (1340 bytes)
0007-dnssec-trigger-script-handle-resolv.conf-events-from.patch (4382 bytes)
0008-dnssec-trigger-script-support-etc-resolv.conf-and-et.patch (3853 bytes)
0009-probe-use-wildcard-probing-domains.patch (930 bytes)

From psimerda at redhat.com Thu Nov 20 19:25:58 2014
From: psimerda at redhat.com (Pavel Simerda)
Date: Thu, 20 Nov 2014 14:25:58 -0500 (EST)
Subject: [Dnssec-trigger] a number of patches for various issues
In-Reply-To: <838613928.1188357.1416500348491.JavaMail.zimbra@redhat.com>
References: <838613928.1188357.1416500348491.JavaMail.zimbra@redhat.com>
Message-ID: <320962668.1291288.1416511558464.JavaMail.zimbra@redhat.com>

A slightly updated version of the patchset with the following change:

/var/run/NetworkManager/resolv.conf is now called /var/run/NetworkManager/resolv.conf.default

This is the name being used in the latest NetworkManager patch[1].

[1] https://bug732941.bugzilla-attachments.gnome.org/attachment.cgi?id=291121

Cheers,

Pavel

----- Original Message -----
> From: "Pavel Simerda"
> To: dnssec-trigger at nlnetlabs.nl
> Cc: "W.C.A. Wijngaards", "Tomas Hozza", "Petr Spacek", "Ondřej Surý"
> Sent: Thursday, November 20, 2014 5:19:08 PM
> Subject: a number of patches for various issues
>
> Hi,
>
> the commit messages are pretty much descriptive. Use the links to
> bugzilla tickets for more detailed information about the goals.
>
> Cheers,
>
> Pavel

-------------- next part --------------
Non-text attachments (Type: text/x-patch) were scrubbed by the archive:
0001-dnssec-trigger-script-lock-update-methods-only.patch (6009 bytes)
0002-dnssec-trigger-script-improve-etc-dnssec.conf-handli.patch (2093 bytes)
0003-dnssec-trigger-script-support-debug-option-in-etc-dn.patch (1353 bytes)
0004-dnssec-trigger-script-clean-up-resolv.conf-backup-an.patch (5397 bytes)
0005-dnssec-trigger-script-use-var-run-NetworkManager-res.patch (1806 bytes)
0006-allow-the-resolv.conf-hooks-be-handled-by-dnssec-tri.patch (1340 bytes)
0007-dnssec-trigger-script-handle-resolv.conf-events-from.patch (4390 bytes)
0008-dnssec-trigger-script-support-etc-resolv.conf-and-et.patch (3861 bytes)
0009-probe-use-wildcard-probing-domains.patch (930 bytes)

From wouter at nlnetlabs.nl Fri Nov 21 08:59:32 2014
From: wouter at nlnetlabs.nl (W.C.A. Wijngaards)
Date: Fri, 21 Nov 2014 09:59:32 +0100
Subject: [Dnssec-trigger] a number of patches for various issues
In-Reply-To: <320962668.1291288.1416511558464.JavaMail.zimbra@redhat.com>
References: <838613928.1188357.1416500348491.JavaMail.zimbra@redhat.com> <320962668.1291288.1416511558464.JavaMail.zimbra@redhat.com>
Message-ID: <546EFEF4.90206@nlnetlabs.nl>

Hi Pavel,

Thanks for the patches. The wildcard test could be very nice, are you sure those names will remain available for testing over the next years?

Best regards,
Wouter

On 20/11/14 20:25, Pavel Simerda wrote:
> A slightly updated version of the patchset with the following
> change:
>
> /var/run/NetworkManager/resolv.conf is now called
> /var/run/NetworkManager/resolv.conf.default
>
> This is the name being used in the latest NetworkManager patch[1].
>
> [1] https://bug732941.bugzilla-attachments.gnome.org/attachment.cgi?id=291121
>
> Cheers,
>
> Pavel

From thozza at redhat.com Fri Nov 21 09:15:10 2014
From: thozza at redhat.com (Tomas Hozza)
Date: Fri, 21 Nov 2014 10:15:10 +0100
Subject: [Dnssec-trigger] a number of patches for various issues
In-Reply-To: <546EFEF4.90206@nlnetlabs.nl>
References: <838613928.1188357.1416500348491.JavaMail.zimbra@redhat.com> <320962668.1291288.1416511558464.JavaMail.zimbra@redhat.com> <546EFEF4.90206@nlnetlabs.nl>
Message-ID: <546F029E.5050006@redhat.com>

On 11/21/2014 09:59 AM, W.C.A. Wijngaards wrote:
> Hi Pavel,
>
> Thanks for the patches. The wildcard test could be very nice, are you
> sure those names will remain available for testing over the next years?
>
> Best regards,
> Wouter

Hi Wouter.

Paul Wouters arranged the addition of those records to TLD zones. I'm CC-ing Paul, as he is the best person to answer the question.

Regards,
Tomas

--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com

From paul at nohats.ca Fri Nov 21 18:29:27 2014
From: paul at nohats.ca (Paul)
Date: Fri, 21 Nov 2014 08:29:27 -1000
Subject: [Dnssec-trigger] a number of patches for various issues
In-Reply-To: <546F029E.5050006@redhat.com>
References: <838613928.1188357.1416500348491.JavaMail.zimbra@redhat.com> <320962668.1291288.1416511558464.JavaMail.zimbra@redhat.com> <546EFEF4.90206@nlnetlabs.nl> <546F029E.5050006@redhat.com>
Message-ID:

Yes, those should be stable records that Centralnic publishes specifically for these tests.

Sent from my iPhone

> On Nov 20, 2014, at 23:15, Tomas Hozza wrote:
>
>> On 11/21/2014 09:59 AM, W.C.A. Wijngaards wrote:
>> Hi Pavel,
>>
>> Thanks for the patches. The wildcard test could be very nice, are you
>> sure those names will remain available for testing over the next years?
>>
>> Best regards,
>> Wouter
>
> Hi Wouter.
>
> Paul Wouters arranged the addition of those records to TLD zones.
> I'm CC-ing Paul, as he is the best person to answer the question.
>
> Regards,
> Tomas
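The check that Pavel's wildcard probe exercises, written out as an added example (this is not dnssec-trigger's probe code): a validator that receives a wildcard-synthesised answer must find an NSEC3 in the authority section covering the "next closer name", otherwise the answer must be rejected. The salt, iteration count and owner hashes below are constructed from the RFC 5155 appendix example zone; the helper names are this example's own.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex alphabet (RFC 4648), as used for NSEC3 owner names.
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def name_labels(name: str) -> list:
    """Lowercased labels of a domain name, root label dropped."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def wire_name(name: str) -> bytes:
    """Canonical wire-format encoding: length-prefixed labels, terminated by the root."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name_labels(name)) + b"\x00"

def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1 of (wire name || salt), re-hashed with the salt
    'iterations' more times, rendered as lowercase base32hex (32 chars for SHA-1)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii").lower()

def nsec3_covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """True if target_hash lies strictly between owner and next in hash order;
    the last NSEC3 in the chain wraps around to the first."""
    o, n, t = owner_hash.lower(), next_hash.lower(), target_hash.lower()
    return o < t < n if o < n else (t > o or t < n)

def wildcard_next_closer(qname: str, rrsig_labels: int):
    """If the answer was synthesised from a wildcard (RRSIG Labels field smaller than
    the owner's label count), return the 'next closer name' whose non-existence the
    authority section must prove; otherwise None."""
    labels = name_labels(qname)
    if rrsig_labels >= len(labels):
        return None  # not a wildcard expansion
    return ".".join(labels[len(labels) - rrsig_labels - 1:])

def wildcard_proof_ok(qname, rrsig_labels, nsec3_rrs, salt, iterations) -> bool:
    """RFC 5155 section 8.8: a wildcard answer is valid only when some NSEC3 in the
    authority section covers the hashed next closer name. nsec3_rrs is a list of
    (owner_hash, next_hashed_owner) pairs taken from the response."""
    next_closer = wildcard_next_closer(qname, rrsig_labels)
    if next_closer is None:
        return True  # nothing to prove for a non-wildcard answer
    target = nsec3_hash(next_closer, salt, iterations)
    return any(nsec3_covers(o, n, target) for o, n in nsec3_rrs)

# Constructed input from the RFC 5155 appendix zone (salt aabbccdd, 12 iterations):
# a.z.w.example MX is synthesised from *.w.example, so the RRSIG carries Labels = 2.
SALT, ITER = bytes.fromhex("aabbccdd"), 12
AUTHORITY = [("q04jkcevqvmu85r014c7dkba38o0ji5r", "r53bq7cc2uvmubfu5ocmm6pers9tk9en")]

if __name__ == "__main__":
    print(wildcard_proof_ok("a.z.w.example", 2, AUTHORITY, SALT, ITER))
```

A resolver that forwards the answer without the covering NSEC3 (or a validator that accepts it anyway) is the failure mode a wildcard probing domain is meant to surface.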