Uploaded image for project: 'EJBCA'
  1. EJBCA
  2. ECA-7742

CAA Validator fails DNSSEC validation for CH domains

        Details

        • Type: Bug
        • Status: Closed
        • Priority: Critical
        • Resolution: Fixed
        • Affects Version/s: EJBCA 6.15.1.2
        • Fix Version/s: EJBCA 7.0.0, EJBCA 6.15.2
        • Component/s: None
        • Labels:
        • Sprint:
          EJBCA Team Alice - 2019 w2

          Description

          The CAA validator fails to validate DNSSEC for CH top domains.

          Example of failing domain:

          > java -jar caa-cli.jar caalookup --domains tcpit.ch --issuer ssl.com --dns 1.1.1.1
Failed to validate RRset
RRset failed to verify: all signatures were BOGUS
Failed to validate RRset
RRset failed to verify: all signatures were BOGUS
Failed to validate RRset
RRset failed to verify: all signatures were BOGUS
Failed to validate RRset
RRset failed to verify: all signatures were BOGUS
Failed to validate RRset
RRset failed to verify: all signatures were BOGUS
Lookup for domain 'tcpit.ch.' failed DNSSEC validation. Error description: Could not establish validation of INSECURE status of unsigned response. Reason: Did not match a DS to a DNSKEY.

Lookup failed because of insecure response.
CAA lookup gave the following results: 

    Domain Name     Issuer      Result                          Valid Until     
    tcpit.ch.       ssl.com     DNSSEC validation failed.       n/a

          Expected result:

          delv CAA tcpit.ch @1.1.1.1
; unsigned answer
tcpit.ch.		3200171710 IN	CAA	0 issue "ssl.com"
tcpit.ch.		3200171710 IN	CAA	0 issuewild "ssl.com"

          It looks like the DNSSEC validator fails to verify a signature of the NSEC3 RRset in the CH. zone.

          tailf /opt/wildfly/standalone/log/server.log | grep --line-buffered -E "org.ejbca.util.validation.dnssec"
2019-01-28 13:38:44,505 ERROR [org.ejbca.util.validation.dnssec.DnsSecVerifier] (pool-7-thread-5) Failed to validate RRset
2019-01-28 13:38:44,505 INFO  [org.ejbca.util.validation.dnssec.DnsSecVerifier] (pool-7-thread-5) RRset failed to verify: all signatures were BOGUS
2019-01-28 13:38:44,505 DEBUG [org.ejbca.util.validation.dnssec.KeyEntry] (pool-7-thread-5) Did not match a DS to a DNSKEY.
2019-01-28 13:38:44,555 INFO  [org.ejbca.util.validation.dnssec.DnsSecVerifier] (pool-7-thread-5) RRset failed to verify: all signatures were BOGUS
2019-01-28 13:38:44,555 DEBUG [org.ejbca.util.validation.dnssec.ValUtils] (pool-7-thread-5) verifySRRset: rrset <8fo97su6ko6hlaph5obk65ue67dcj229.ch./NSEC3/IN> found to be BAD
<snip>
2019-01-28 13:38:44,876 DEBUG [org.ejbca.util.validation.dnssec.KeyEntry] (pool-7-thread-5) Did not match a DS to a DNSKEY.

          And then it returns RCode 2 to DnsCaaLookup, which performs a second attempt and then the whole CAA lookup procedure fails with DNSSEC validation error.

            Attachments

              Issue Links

              relates

              Task - A task that needs to be done. ECA-7762 Make pull requests for dnssecjava with our patches

              • Major - Major loss of function.
              • In Progress

                Activity

                  People

                  • Assignee:
                    hsunmark Henrik Sunmark
                    Reporter:
                    bastianf Bastian Fredriksson
                    Verified by:
                    Tomas Gustavsson
                  • Votes:
                    0 Vote for this issue
                    Watchers:
                    5 Start watching this issue

                    Dates

                    • Created:
                      Updated:
                      Resolved:

                      Time Tracking

                      Estimated:
                      Original Estimate - 3 days
                      3d
                      Remaining:
                      Time Spent - 2 hours Remaining Estimate - 2 days, 6 hours
                      2d 6h
                      Logged:
                      Time Spent - 2 hours Remaining Estimate - 2 days, 6 hours
                      2h