Details
Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: EJBCA 6.15.1.2
Fix Version/s: EJBCA 7.0.0, EJBCA 6.15.2
Component/s: None
Sprint: EJBCA Team Alice - 2019 w2
Description
The CAA validator fails DNSSEC validation for domains under the ch. top-level domain.
Example of failing domain:
> java -jar caa-cli.jar caalookup --domains tcpit.ch --issuer ssl.com --dns 1.1.1.1
Failed to validate RRset
RRset failed to verify: all signatures were BOGUS
Failed to validate RRset
RRset failed to verify: all signatures were BOGUS
Failed to validate RRset
RRset failed to verify: all signatures were BOGUS
Failed to validate RRset
RRset failed to verify: all signatures were BOGUS
Failed to validate RRset
RRset failed to verify: all signatures were BOGUS
Lookup for domain 'tcpit.ch.' failed DNSSEC validation. Error description: Could not establish validation of INSECURE status of unsigned response. Reason: Did not match a DS to a DNSKEY.
Lookup failed because of insecure response.
CAA lookup gave the following results:
Domain Name   Issuer    Result                       Valid Until
tcpit.ch.     ssl.com   DNSSEC validation failed.    n/a
Expected result:
delv CAA tcpit.ch @1.1.1.1
; unsigned answer
tcpit.ch.   3200171710   IN   CAA   0 issue "ssl.com"
tcpit.ch.   3200171710   IN   CAA   0 issuewild "ssl.com"
It looks like the DNSSEC validator fails to verify a signature of the NSEC3 RRset in the ch. zone, i.e. the proof that tcpit.ch is an unsigned (insecure) delegation cannot be established:
tailf /opt/wildfly/standalone/log/server.log | grep --line-buffered -E "org.ejbca.util.validation.dnssec"
2019-01-28 13:38:44,505 ERROR [org.ejbca.util.validation.dnssec.DnsSecVerifier] (pool-7-thread-5) Failed to validate RRset
2019-01-28 13:38:44,505 INFO [org.ejbca.util.validation.dnssec.DnsSecVerifier] (pool-7-thread-5) RRset failed to verify: all signatures were BOGUS
2019-01-28 13:38:44,505 DEBUG [org.ejbca.util.validation.dnssec.KeyEntry] (pool-7-thread-5) Did not match a DS to a DNSKEY.
2019-01-28 13:38:44,555 INFO [org.ejbca.util.validation.dnssec.DnsSecVerifier] (pool-7-thread-5) RRset failed to verify: all signatures were BOGUS
2019-01-28 13:38:44,555 DEBUG [org.ejbca.util.validation.dnssec.ValUtils] (pool-7-thread-5) verifySRRset: rrset <8fo97su6ko6hlaph5obk65ue67dcj229.ch./NSEC3/IN> found to be BAD
<snip>
2019-01-28 13:38:44,876 DEBUG [org.ejbca.util.validation.dnssec.KeyEntry] (pool-7-thread-5) Did not match a DS to a DNSKEY.
The validator then returns RCODE 2 (SERVFAIL) to DnsCaaLookup, which makes a second attempt; when that also fails, the whole CAA lookup procedure fails with a DNSSEC validation error.
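To make the observed and the expected outcomes concrete, the following is an added example (not EJBCA's DnsCaaLookup or dnssecjava code) that models the CAA issuance decision a CA draws from a validating resolver's answers: it climbs the name tree as RFC 8659 describes, retries once on a BOGUS (SERVFAIL) answer like the lookup in this ticket, and fails closed when validation is BOGUS while accepting the INSECURE answer that delv shows for tcpit.ch. The resolver is a constructed in-memory table; the names FakeResolver, Answer, Caa, may_issue and the two case functions are this example's own.

```python
"""Model of a CA's CAA decision given DNSSEC validation outcomes (added example).

Not EJBCA's own code. FakeResolver is a constructed stand-in for a validating
resolver such as the one wrapped by the CAA validator.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SECURE, INSECURE, BOGUS = "SECURE", "INSECURE", "BOGUS"  # validator outcomes
CRITICAL = 128  # CAA issuer-critical flag bit (RFC 8659 section 4.1)


@dataclass(frozen=True)
class Caa:
    flags: int
    tag: str
    value: str


@dataclass(frozen=True)
class Answer:
    status: str                      # SECURE, INSECURE or BOGUS
    records: Tuple[Caa, ...] = ()    # empty tuple = no CAA RRset at this name


class FakeResolver:
    """Constructed stand-in: names absent from the table answer INSECURE with
    no records (an unsigned name without CAA). Queries are logged for tests."""

    def __init__(self, table: Dict[str, Answer]):
        self.table = {k.rstrip(".").lower(): v for k, v in table.items()}
        self.queries: List[str] = []

    def caa(self, name: str) -> Answer:
        self.queries.append(name)
        return self.table.get(name.rstrip(".").lower(), Answer(INSECURE))


def lookup_with_retry(resolver: FakeResolver, name: str) -> Answer:
    """A BOGUS result surfaces as SERVFAIL (RCODE 2); retry once, as the
    ticket's lookup does, since a transient error also yields SERVFAIL."""
    answer = resolver.caa(name)
    if answer.status == BOGUS:
        answer = resolver.caa(name)
    return answer


def relevant_rrset(resolver: FakeResolver, domain: str) -> Tuple[Optional[str], Answer]:
    """RFC 8659 section 3: climb from the domain toward the root; the first
    name holding a CAA RRset is the relevant one. A BOGUS answer stops the
    climb: a forged 'no CAA here' would otherwise lift the restriction."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        answer = lookup_with_retry(resolver, name)
        if answer.status == BOGUS or answer.records:
            return name, answer
    return None, Answer(INSECURE)


def issuer_domain(value: str) -> str:
    """'ssl.com; account=1' -> 'ssl.com'; ';' -> '' (no issuer permitted)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(resolver: FakeResolver, fqdn: str, issuer: str) -> Tuple[bool, str]:
    """Decide whether `issuer` may issue for `fqdn`; a leading '*.' means a
    wildcard certificate, which consults issuewild when present."""
    wildcard = fqdn.startswith("*.")
    name, answer = relevant_rrset(resolver, fqdn[2:] if wildcard else fqdn)
    if answer.status == BOGUS:
        return False, f"DNSSEC validation of {name} failed"
    if name is None:
        return True, "no CAA RRset found; issuance unrestricted"
    for r in answer.records:  # unknown property flagged critical: refuse
        if r.flags & CRITICAL and r.tag.lower() not in ("issue", "issuewild", "iodef"):
            return False, f"critical unknown CAA tag '{r.tag}' at {name}"
    tags = {r.tag.lower() for r in answer.records}
    wanted = "issuewild" if wildcard and "issuewild" in tags else "issue"
    allowed = {issuer_domain(r.value) for r in answer.records if r.tag.lower() == wanted}
    if not allowed:
        return True, f"no '{wanted}' record at {name}; unrestricted"
    if issuer.lower() in allowed:
        return True, f"'{wanted}' at {name} permits {issuer} ({answer.status})"
    return False, f"'{wanted}' at {name} does not list {issuer}"


def failing_case():
    """What this ticket observed: tcpit.ch answers BOGUS to the validator."""
    r = FakeResolver({"tcpit.ch": Answer(BOGUS)})
    return may_issue(r, "tcpit.ch", "ssl.com"), r.queries


def expected_case():
    """What delv reports: an unsigned (INSECURE) answer carrying the CAA RRset."""
    r = FakeResolver({"tcpit.ch": Answer(INSECURE, (Caa(0, "issue", "ssl.com"),
                                                    Caa(0, "issuewild", "ssl.com")))})
    return may_issue(r, "tcpit.ch", "ssl.com"), may_issue(r, "tcpit.ch", "letsencrypt.org")


if __name__ == "__main__":
    print(failing_case())
    print(expected_case())
```

The point the model makes explicit is that the two outcomes must differ: an INSECURE answer for an unsigned zone is a legitimate basis for reading the CAA records, whereas a BOGUS answer (or an unprovable INSECURE status, which is what the ticket's "Could not establish validation of INSECURE status" describes) must block issuance rather than be treated as "no CAA found". A validator bug that turns the first case into the second therefore fails safe but makes issuance for the affected domains impossible, which is exactly this ticket's symptom.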
Issue Links
relates to: ECA-7762 Make pull requests for dnssecjava with our patches (Open)