[185573] in North American Network Operators' Group


Re: DNSSEC broken for login.microsoftonline.com

daemon@ATHENA.MIT.EDU (Bruce Curtis)
Wed Oct 28 00:27:43 2015

X-Original-To: nanog@nanog.org
From: Bruce Curtis <bruce.curtis@ndsu.edu>
To: North American Network Operators' Group <nanog@nanog.org>
Date: Wed, 28 Oct 2015 04:27:32 +0000
In-Reply-To: <D94BD500-C8AB-41D1-813E-FB81100AA392@ndsu.edu>
Errors-To: nanog-bounces@nanog.org


Actually login.microsoftonline.com is resolving, but the CNAME it points to, login.microsoftonline.com.nsatc.net, is not resolving because of a DNSSEC issue.


[ns1 ~]$ drill -k /tmp/rootkey -DT  login.microsoftonline.com.nsatc.net CNAME
;; Number of trusted keys: 2
;; Domain: .
[T] . 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
. 172800 IN DNSKEY 256 3 8 ;{id = 62530 (zsk), size = 1024b}
Checking if signing key is trusted:
New key: .	172800	IN	DNSKEY	256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
	Trusted key: .	143619	IN	DNSKEY	256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
Key is now trusted!
	Trusted key: .	143619	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
	Trusted key: .	172800	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
	Trusted key: .	172800	IN	DNSKEY	256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
Key is now trusted!
[T] net. 86400 IN DS 35886 8 2 7862b27f5f516ebe19680444d4ce5e762981931842c465f00236401d8bd973ee
;; Domain: net.
[T] net. 86400 IN DNSKEY 257 3 8 ;{id = 35886 (ksk), size = 2048b}
net. 86400 IN DNSKEY 256 3 8 ;{id = 37703 (zsk), size = 1024b}
;; No DS for nsatc.net.;; No ds record for delegation
[B] ;; Error verifying denial of existence for name nsatc.net.NS: No DNSSEC signature(s)



cemacmini:~ curtis$ drill -k /tmp/rootkey -DT  login.microsoftonline.com.nsatc.net CNAME
;; Number of trusted keys: 2
;; Domain: .
[T] . 172800 IN DNSKEY 256 3 8 ;{id = 62530 (zsk), size = 1024b}
. 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: .	172800	IN	DNSKEY	256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
	Trusted key: .	29585	IN	DNSKEY	256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
Key is now trusted!
	Trusted key: .	29585	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
	Trusted key: .	172800	IN	DNSKEY	256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
Key is now trusted!
	Trusted key: .	172800	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
[T] net. 86400 IN DS 35886 8 2 7862b27f5f516ebe19680444d4ce5e762981931842c465f00236401d8bd973ee
;; Domain: net.
[T] net. 86400 IN DNSKEY 257 3 8 ;{id = 35886 (ksk), size = 2048b}
net. 86400 IN DNSKEY 256 3 8 ;{id = 37703 (zsk), size = 1024b}
[B] Error verifying denial of existence for nsatc.net. DS: General LDNS error
;; No ds record for delegation
;; Domain: nsatc.net.
;; No DNSKEY record found for nsatc.net.
;; No DS for com.nsatc.net.;; No ds record for delegation
[B] ;; Error verifying denial of existence for name com.nsatc.net.NS: No DNSSEC signature(s)


> On Oct 27, 2015, at 4:59 PM, Bruce Curtis <bruce.curtis@ndsu.edu> wrote:
>
>
>> On Oct 27, 2015, at 3:37 PM, Bruce Curtis <bruce.curtis@ndsu.edu> wrote:
>>
>>
>>> On Oct 27, 2015, at 12:35 PM, Tony Finch <dot@dotat.at> wrote:
>>>
>>> Bruce Curtis <bruce.curtis@ndsu.edu> wrote:
>>>>
>>>> FYI our DNS requests to resolve login.microsoftonline.com are failing
>>>> because of a DNSSEC error.
>>>
>>> There's no DS record for microsoftonline.com so you shouldn't have any
>>> DNSSEC problems with it - my servers can resolve it OK. DNSvis doesn't
>>> show any problems. The only thing which might cause trouble is the
>>> SERVFAIL responses to DNSKEY queries flagged by the Verisign DNSSEC
>>> debugger.
>>
>>
>> DNSvis did list 4 errors earlier.
>>
>> 4 recursive DNS servers here still fail to resolve login.microsoftonline.com.
>>
>> I turned DNSSEC validation off on one and it then resolved correctly.
>>
>> 	dnssec-validation no;
>>
>> Thanks for the info.  Our customers have reported that it does resolve at the Google public DNS servers also.
>
>
>  Drill run on one of our name servers shows that the error is
>
> 	Existence denied: microsoftonline.com
>
>
> [ns1 domain]$ drill -k /tmp/rootkey -DT  login.microsoftonline.com
> ;; Number of trusted keys: 2
> ;; Domain: .
> [T] . 172800 IN DNSKEY 256 3 8 ;{id = 62530 (zsk), size = 1024b}
> . 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
> Checking if signing key is trusted:
> New key: .	172800	IN	DNSKEY	256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
> 	Trusted key: .	143619	IN	DNSKEY	256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
> Key is now trusted!
> 	Trusted key: .	143619	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
> 	Trusted key: .	172800	IN	DNSKEY	256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
> Key is now trusted!
> 	Trusted key: .	172800	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
> [T] com. 86400 IN DS 30909 8 2 e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766
> ;; Domain: com.
> [T] com. 86400 IN DNSKEY 256 3 8 ;{id = 51797 (zsk), size = 1024b}
> com. 86400 IN DNSKEY 257 3 8 ;{id = 30909 (ksk), size = 2048b}
> [T] Existence denied: microsoftonline.com. DS
> ;; No ds record for delegation
> ;; Domain: microsoftonline.com.
> ;; No DNSKEY record found for microsoftonline.com.
> ;; No DS for login.microsoftonline.com.;; No ds record for delegation
> ;; Domain: login.microsoftonline.com.
> ;; No DNSKEY record found for login.microsoftonline.com.
> [U] No data found for: login.microsoftonline.com. type A
> ;;[S] self sig OK; [B] bogus; [T] trusted
>
>
>>
>>> http://dnssec-debugger.verisignlabs.com/login.microsoftonline.com
>>>>
>>>> http://dnsviz.net/d/login.microsoftonline.com/dnssec/
>>>
>>> Tony.
>>> -- 
>>> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
>>> Fitzroy, Sole: Cyclonic, mainly southwesterly, 5 to 7, occasionally gale 8 in
>>> west Fitzroy. Very rough or high, becoming rough in Sole. Rain or thundery
>>> showers. Moderate or poor, occasionally good.
>>
>> ---
>> Bruce Curtis                         bruce.curtis@ndsu.edu
>> Certified NetAnalyst II                701-231-8527
>> North Dakota State University
>>
>
> ---
> Bruce Curtis                         bruce.curtis@ndsu.edu
> Certified NetAnalyst II                701-231-8527
> North Dakota State University
>

---
Bruce Curtis                         bruce.curtis@ndsu.edu
Certified NetAnalyst II                701-231-8527
North Dakota State University
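The decision the validating resolvers in this thread are making, modelled as an added Python example (this is not code from the thread, from ldns/drill or from any resolver): at each zone cut the validator must obtain from the parent either a DS RRset with a verifiable RRSIG, or a signed NSEC/NSEC3 proof that no DS exists. The first gives a secure child zone, the second an insecure one whose answers are accepted unverified, and "no DS" with no verifiable proof is bogus, which is the [B] state drill reports for nsatc.net above. The key tags are the ones in the drill output; the NSEC records, their next-owner names, and the key-tag stand-in for signature verification are constructed assumptions.

```python
"""Model of the decision a validating resolver makes at each zone cut.

Added example, not code from the thread or any resolver.  Signature checking
is modelled by key tags (a record verifies if its RRSIG names a trusted DNSKEY
tag) and the NSEC records are constructed; com. and net. really use NSEC3,
where the same NS/SOA-bit and signature rules apply to the matching record.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    SECURE = "secure"      # chain of trust intact: answers must verify
    INSECURE = "insecure"  # provably unsigned delegation: answers accepted as-is
    BOGUS = "bogus"        # validation failed: SERVFAIL


def canonical_key(name: str) -> tuple:
    """Sort key for RFC 4034 s6.1 canonical order: labels compared right to
    left as lower-cased octets, a parent sorting before its children."""
    name = name.rstrip(".")
    return () if not name else tuple(l.lower().encode() for l in reversed(name.split(".")))


@dataclass
class NSEC:
    owner: str
    next_name: str
    types: frozenset                        # type bitmap of the owner name
    rrsig_keytags: frozenset = frozenset()  # DNSKEY tags that signed this NSEC

    def matches(self, name: str) -> bool:
        return canonical_key(self.owner) == canonical_key(name)

    def covers(self, name: str) -> bool:
        o, n, q = (canonical_key(x) for x in (self.owner, self.next_name, name))
        return o < q < n if o < n else (q > o or q < n)  # last NSEC wraps to the apex


@dataclass
class DSResponse:
    """The parent zone's answer to `DS <child>`, as the validator sees it."""
    child: str
    ds_keytags: frozenset = frozenset()        # key tags named in DS records
    ds_rrsig_keytags: frozenset = frozenset()  # tags that signed the DS RRset
    nsecs: list = field(default_factory=list)  # NSEC records in the authority section


def classify_delegation(parent_state, parent_keytags, resp):
    """Return (state of the child zone, reason)."""
    if parent_state is not State.SECURE:
        return parent_state, "parent zone is %s, nothing to validate" % parent_state.value
    if resp.ds_keytags:
        if resp.ds_rrsig_keytags & parent_keytags:
            return State.SECURE, "DS RRset verified"
        return State.BOGUS, "DS present but not signed by a trusted key"
    for nsec in resp.nsecs:
        signed = bool(nsec.rrsig_keytags & parent_keytags)
        if nsec.matches(resp.child):
            # NODATA proof.  RFC 6840 s4.4: the NSEC must show a delegation
            # (NS set), come from the parent (SOA clear) and list no DS.
            if "DS" in nsec.types or "NS" not in nsec.types or "SOA" in nsec.types:
                continue
            if not signed:
                return State.BOGUS, "NSEC for %s has no valid RRSIG" % resp.child
            return State.INSECURE, "authenticated denial of DS (NODATA)"
        if nsec.covers(resp.child):  # wildcard proof omitted from this model
            if not signed:
                return State.BOGUS, "covering NSEC has no valid RRSIG"
            return State.INSECURE, "authenticated denial of DS (name absent from parent)"
    return State.BOGUS, "no DS and no NSEC proving its absence"


def walk(chain):
    """chain: [(trusted DNSKEY tags of the parent, DSResponse), ...], root first."""
    state, trace = State.SECURE, []
    for parent_keytags, resp in chain:
        state, why = classify_delegation(state, parent_keytags, resp)
        trace.append((resp.child, state.value, why))
    return state, trace


# Key tags are those in the drill output; verifying each zone's DNSKEY set
# against its DS digest is assumed done, so the trusted tags are given directly.
ROOT, NET, COM = frozenset({19036, 62530}), frozenset({35886, 37703}), frozenset({30909, 51797})
DELEG = frozenset({"NS", "RRSIG", "NSEC"})  # bitmap of an unsigned delegation
NET_DS = DSResponse("net.", ds_keytags=frozenset({35886}), ds_rrsig_keytags=frozenset({62530}))


def nsatc_chain(nsec_rrsigs):  # next-owner name "nsatc0.net." is constructed
    return [(ROOT, NET_DS),
            (NET, DSResponse("nsatc.net.", nsecs=[NSEC("nsatc.net.", "nsatc0.net.", DELEG, nsec_rrsigs)])),
            (frozenset(), DSResponse("com.nsatc.net."))]  # below an unsigned zone: no proof expected


SCENARIOS = {
    # the working case: com. proves with a signed NSEC that microsoftonline.com has no DS
    "microsoftonline": [
        (ROOT, DSResponse("com.", ds_keytags=frozenset({30909}), ds_rrsig_keytags=frozenset({62530}))),
        (COM, DSResponse("microsoftonline.com.", nsecs=[
            NSEC("microsoftonline.com.", "microsoftonline0.com.", DELEG, frozenset({51797}))])),
    ],
    "nsatc-unsigned-denial": nsatc_chain(frozenset()),       # the drill output: NSEC, no RRSIG
    "nsatc-signed-denial": nsatc_chain(frozenset({37703})),  # a healthy net. answer
    "nsatc-no-proof": [(ROOT, NET_DS), (NET, DSResponse("nsatc.net."))],  # no NSEC at all
}


def run_scenarios():
    return {name: walk(chain)[0] for name, chain in SCENARIOS.items()}


if __name__ == "__main__":
    for name, chain in SCENARIOS.items():
        state, trace = walk(chain)
        print(f"{name}: {state.value}")
        for child, st, why in trace:
            print(f"    {child:<24} {st:<9} {why}")
```

Running it shows why the two drill runs disagree with Tony's servers: microsoftonline.com validates as insecure because com. returns a signed denial of DS, while the modelled nsatc.net case goes bogus as soon as the denial has no verifiable signature, and everything under it stays bogus. The live check against the parent is `dig +dnssec +norecurse DS nsatc.net @a.gtld-servers.net`: a healthy answer carries NSEC3 records in the authority section with RRSIGs over them. Disabling validation globally with `dnssec-validation no;`, as one resolver in the thread was configured, clears the symptom but drops validation for every zone; the narrower workaround while a parent's proof is broken is a negative trust anchor for just the affected zone (Unbound `domain-insecure: "nsatc.net"`, or `validate-except` in BIND releases that support it).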

