[gnome.org #14466] DNSSEC for *.bugzilla-attachments.gnome.org is wonky
On Mon Aug 18 19:29:05 2014, grawity gmail com wrote:
> Some tools (but not all) seem to be having problems resolving
> <foo>.bugzilla-attachments.gnome.org. For example, the VeriSign
> debugger [1] says:

Hey!

I'm starting to think some of the tools out there are not validating wildcard entries and the respective NSEC records correctly.

With my local unbound resolver I get:

;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 5

;; ANSWER SECTION:
bug11111.bugzilla-attachments.gnome.org. 900 IN A 209.132.180.175
bug11111.bugzilla-attachments.gnome.org. 900 IN RRSIG A 5 3 900 20140917164443 20140818164443 40692 
gnome.org. bjqGR2KuakxNa3fhgdNtOL6CNxLsyXxMG8IpKnYBB+/jH9Irjcyyhx5S 
+ceFEA8CcgJLOrxBDcLTUda7bH1I1tup3Ydy3qGD/rj/gQn/aSlTC/Ll 
m0PTFNFLSt4vl2D0Uom9Dm1LvxquEPM0OBljMYFb8QX7fXV0edqwmipB jQY=

As the 'ad' flag says, the record was successfully verified. The same problem was found with the *.fedorapeople.org entry, for example [1], so I'm pretty much sure the issue is not with the signatures themselves but with the tools used to verify them and their problem verifying NSEC records correctly in the presence of wildcard entries.

Let me know if you find out more!

[1] http://dnssec-debugger.verisignlabs.com/test.fedorapeople.org

-- 
Andrea,
GNOME Sysadmin
GNOME Accounts Team
GNOME Membership & Elections Committee Chairman


----------------------------------------------------
This message was sent via GNOME.org Request Tracker.
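As an added illustration of the point made above (this is example code, not part of the ticket or of GNOME's tooling): the RRSIG quoted in the message has a labels field of 3 while the owner name has 4 labels, which is how a validator learns the answer was synthesised from a wildcard and must additionally be backed by an NSEC/NSEC3 proof. The parser below reads the record in dig presentation format and derives that; the sample line is constructed from the quoted record with the base64 signature truncated.

```python
# Added example, not from the ticket: decide from an RRSIG's "labels" field whether an
# answer was synthesised from a wildcard (RFC 4035 section 5.3.4); such answers must also
# carry NSEC/NSEC3 proof that no closer name exists, which is the step the ticket suspects
# some tools get wrong.
from typing import Optional

def parse_rrsig(line: str) -> dict:
    """Parse one RRSIG in dig presentation format; the signature itself is ignored."""
    f = line.split()
    # owner ttl class RRSIG type alg labels origttl expiry inception keytag signer sig...
    if len(f) < 12 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG line")
    return {"owner": f[0], "type": f[4], "labels": int(f[6]), "signer": f[11]}

def owner_labels(name: str) -> int:
    """Count labels, excluding the root and a leading '*' (RFC 4034 section 3.1.3)."""
    parts = [p for p in name.rstrip(".").split(".") if p]
    if parts and parts[0] == "*":
        parts = parts[1:]
    return len(parts)

def wildcard_source(rrsig: dict) -> Optional[str]:
    """Return the wildcard the answer was expanded from, or None for a direct match."""
    n = owner_labels(rrsig["owner"])
    if rrsig["labels"] > n:
        raise ValueError("labels field exceeds owner name label count: bogus RRSIG")
    if rrsig["labels"] == n:
        return None
    parts = rrsig["owner"].rstrip(".").split(".")
    return "*." + ".".join(parts[n - rrsig["labels"]:]) + "."

# Constructed from the record quoted above; the base64 signature is truncated on purpose.
SAMPLE = ("bug11111.bugzilla-attachments.gnome.org. 900 IN RRSIG A 5 3 900 "
          "20140917164443 20140818164443 40692 gnome.org. bjqGR2KuakxNa3fh...")

def check_sample(line: str = SAMPLE) -> dict:
    """What a validator must prove for this answer beyond checking the signature."""
    wc = wildcard_source(parse_rrsig(line))
    return {"wildcard": wc, "needs_nsec_proof": wc is not None}

print(check_sample())  # {'wildcard': '*.bugzilla-attachments.gnome.org.', 'needs_nsec_proof': True}
```

A resolver that checks only the signature and skips the wildcard proof will treat this answer as bogus, which matches the symptom of some tools failing while a validating unbound returns 'ad'.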

