EJBCA / ECA-7742

CAA Validator fails DNSSEC validation for CH domains

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: EJBCA 6.15.1.2
    • Fix Version/s: EJBCA 7.0.0, EJBCA 6.15.2
    • Component/s: None
    • Sprint: EJBCA Team Alice - 2019 w2

      Description

      The CAA validator fails DNSSEC validation for domains under the .ch top-level domain.

      Example of failing domain:

      > java -jar caa-cli.jar caalookup --domains tcpit.ch --issuer ssl.com --dns 1.1.1.1
      Failed to validate RRset
      RRset failed to verify: all signatures were BOGUS
      Failed to validate RRset
      RRset failed to verify: all signatures were BOGUS
      Failed to validate RRset
      RRset failed to verify: all signatures were BOGUS
      Failed to validate RRset
      RRset failed to verify: all signatures were BOGUS
      Failed to validate RRset
      RRset failed to verify: all signatures were BOGUS
      Lookup for domain 'tcpit.ch.' failed DNSSEC validation. Error description: Could not establish validation of INSECURE status of unsigned response. Reason: Did not match a DS to a DNSKEY.
      
      Lookup failed because of insecure response.
      CAA lookup gave the following results: 
      
          Domain Name     Issuer      Result                          Valid Until     
          tcpit.ch.       ssl.com     DNSSEC validation failed.       n/a   
      

      Expected result:

      delv CAA tcpit.ch @1.1.1.1
      ; unsigned answer
      tcpit.ch.		3200171710 IN	CAA	0 issue "ssl.com"
      tcpit.ch.		3200171710 IN	CAA	0 issuewild "ssl.com"
      

      It looks like the DNSSEC validator fails to verify a signature of the NSEC3 RRset in the CH. zone.

      tailf /opt/wildfly/standalone/log/server.log | grep --line-buffered -E "org.ejbca.util.validation.dnssec"
      2019-01-28 13:38:44,505 ERROR [org.ejbca.util.validation.dnssec.DnsSecVerifier] (pool-7-thread-5) Failed to validate RRset
      2019-01-28 13:38:44,505 INFO  [org.ejbca.util.validation.dnssec.DnsSecVerifier] (pool-7-thread-5) RRset failed to verify: all signatures were BOGUS
      2019-01-28 13:38:44,505 DEBUG [org.ejbca.util.validation.dnssec.KeyEntry] (pool-7-thread-5) Did not match a DS to a DNSKEY.
      2019-01-28 13:38:44,555 INFO  [org.ejbca.util.validation.dnssec.DnsSecVerifier] (pool-7-thread-5) RRset failed to verify: all signatures were BOGUS
      2019-01-28 13:38:44,555 DEBUG [org.ejbca.util.validation.dnssec.ValUtils] (pool-7-thread-5) verifySRRset: rrset <8fo97su6ko6hlaph5obk65ue67dcj229.ch./NSEC3/IN> found to be BAD
      <snip>
      2019-01-28 13:38:44,876 DEBUG [org.ejbca.util.validation.dnssec.KeyEntry] (pool-7-thread-5) Did not match a DS to a DNSKEY.
      

      It then returns RCODE 2 (SERVFAIL) to DnsCaaLookup, which makes a second attempt; when that fails too, the whole CAA lookup procedure fails with a DNSSEC validation error.
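      The failure above is a validator classifying a provably unsigned (INSECURE) answer as BOGUS, and the CAA check then aborting on it. The example below is added here and is not EJBCA's code or its caa-cli: it evaluates a CAA RRset for one issuer following RFC 8659 (tree climb from the queried name, issue/issuewild precedence, the critical flag, and the empty-issuer ";" form), and keeps a BOGUS answer distinct from "no CAA records here". DNS is replaced by a constructed ZONE table; the tcpit.ch. entry carries the two records from the delv output in this ticket, every other name in it is made up for illustration, and the "secure"/"insecure"/"bogus" status strings are an assumption standing in for whatever a real validating resolver reports.

```python
"""
CAA evaluation for one candidate issuer, following the RFC 8659 algorithm.

Added example, not EJBCA's code. DNS is replaced by the ZONE table below:
each owner name maps to (dnssec_status, CAA rdata strings), where the status
models what a validating resolver reports: "secure", "insecure" (provably
unsigned, still usable) or "bogus" (signatures failed to verify). The
tcpit.ch. entry holds the two records shown by delv in the ticket; every
other entry is constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

CRITICAL = 0x80                       # issuer-critical flag bit (RFC 8659 s4.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed stand-in for DNS answers: owner name -> (dnssec status, CAA rdata)
ZONE: Dict[str, Tuple[str, List[str]]] = {
    "tcpit.ch.": ("insecure", ['0 issue "ssl.com"', '0 issuewild "ssl.com"']),
    "www.tcpit.ch.": ("insecure", []),                # no CAA here: climb to tcpit.ch.
    "wild.example.": ("secure", ['0 issue "ssl.com"', '0 issuewild ";"']),
    "nobody.example.": ("secure", ['0 issue ";"']),   # empty issuer: no CA may issue
    "strict.example.": ("secure", ['128 unknownprop "x"']),  # critical, unknown tag
    "broken.example.": ("bogus", []),                 # validator reported BOGUS
}

CAA_RE = re.compile(r'^(\d+)\s+(\S+)\s+"(.*)"$')
CaaRecord = Tuple[int, str, str]      # (flags, tag, value)


def parse_caa(rdata: str) -> CaaRecord:
    """Parse presentation-format CAA rdata such as: 0 issue "ssl.com"."""
    m = CAA_RE.match(rdata.strip())
    if not m:
        raise ValueError(f"malformed CAA rdata: {rdata!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)


def lookup(name: str) -> Tuple[str, List[CaaRecord]]:
    """Stand-in for a validating CAA query; unknown names give an empty, insecure answer."""
    status, rdatas = ZONE.get(name, ("insecure", []))
    return status, [parse_caa(r) for r in rdatas]


def relevant_rrset(name: str) -> Tuple[str, str, List[CaaRecord]]:
    """RFC 8659 section 3: walk from the queried name toward the root and use
    the first non-empty CAA RRset. A bogus answer at any step aborts the
    search; it must not be mistaken for "no CAA records at this name"."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        status, records = lookup(owner)
        if status == "bogus":
            return status, owner, []
        if records:
            return status, owner, records
    return "insecure", ".", []        # no CAA anywhere in the chain


def issuer_names(records: List[CaaRecord], tag: str) -> List[str]:
    """issuer-domain-name of each record with the given tag, parameters stripped."""
    return [v.split(";", 1)[0].strip().lower() for _, t, v in records if t == tag]


def caa_permits(name: str, issuer: str) -> str:
    """Decide whether `issuer` may issue for `name` (a hostname or "*.name").
    Returns "Allowed", "Forbidden" or "DNSSEC validation failed."."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    if not base.endswith("."):
        base += "."
    status, _owner, records = relevant_rrset(base)
    if status == "bogus":
        return "DNSSEC validation failed."
    # An unrecognised property with the critical bit set forbids issuance.
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return "Forbidden"
    # issuewild governs wildcard names when present; otherwise issue applies to both.
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"
    permitted = issuer_names(records, tag)
    if not permitted:
        return "Allowed"              # property absent: not restricted by CAA
    return "Allowed" if issuer.lower() in permitted else "Forbidden"


if __name__ == "__main__":
    for n, i in [("tcpit.ch", "ssl.com"), ("*.wild.example", "ssl.com"),
                 ("broken.example", "ssl.com")]:
        print(f"{n:20} {i:10} {caa_permits(n, i)}")
```

      The point to carry over to a real validator is the three-way split in relevant_rrset: an unsigned answer under an insecure delegation (the tcpit.ch case, "insecure" here) is a usable CAA answer, while only a BOGUS answer should produce "DNSSEC validation failed.".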


              People

              Assignee:
              hsunmark Henrik Sunmark
              Reporter:
              bastianf Bastian Fredriksson
              Verified by:
              Tomas Gustavsson
               Votes:
               0
               Watchers:
               5


                  Time Tracking

                   Estimated: 3d (original estimate 3 days)
                   Remaining: 2d 6h
                   Logged: 2h