I sign my own domain nohats.ca using OpenDNSSEC. Since .ca is not yet signed, I added my key to the ISC DLV Registry. It is enabled by default by Fedora and RHEL if you install the bind/unbound name server for resolving.
Today, I removed and added a few zones to my opendnssec (an alpha version, 1.4.0a) based signer. These domains were unrelated to nohats.ca. But somehow I ended up with a “signed” nohats.ca zone that contained NSEC3 records but no RRSIG records, and one other domain that only contained 1 RRSIG record. As a result, anyone who was using DNSSEC could no longer resolve my domain nohats.ca. That included me. The nohats.ca domain is still in this weird state inside opendnssec, so I decided to remove the DLV record for that domain. Turns out I forgot the password to my login at dlv.isc.org. With my mouse hovering over the “request password reset” option, I realised that my MX records point to “nohats.ca”. If the dlv.isc.org site uses DNSSEC, they will fail to resolve the MX record to send me my password reset information to fix my DNSSEC setting. Catch 22!
Whether by design or by sheer luck, this did not seem to be the case and I received my password reset, and have removed the DLV record for nohats.ca.
I upgraded opendnssec to 1.4.0a2, but this has not resolved the issue of ods-signerd giving me a zone without RRSIGs. I’ll have to investigate this more tomorrow. Our tools really still have lots of room for improvement.
But it does bring up a delicate point. Registrars should ensure that there is a way you can remove a DS record using an account that somehow can do a password reset even if your only email goes into a failing DNSSEC domain. Perhaps a two factor using a text message to a phone? Or perhaps allow more then one email address for a reset, so that people could include use two different email addresses in two different domains. Though one should not point password resets to domains that are not secured by DNSSEC, because these are precisely the kind of messages people could abuse to hack access to your domain account. Another security catch 22.
So if you are a registrar, please think about this issue. Sooner or later one of your customers will be the position I found myself in…..
Hi Paul,
I’m sorry to hear that you got mixed up in such a catch-22. You are aware that you are using an alpha release, which thus may be considered unstable? Second, we would like to receive your report in our JIRA system: issues.opendnssec.org. That’s a better way to track our bugs, instead of digging all blog posts out there.
Hi Matthijs,
I’m aware that I”m running alpha software. And that bugs will happen. I hope to catch them on my own domain on the alpha/beta versions, so it will not hit production systems. I was not putting it up here as a way of complaining. I did file the bug on the opendnssec mailinglist, and got an answer that it is resolved now. I was mostly intrigued by the catch-22 I almost found myself in, and wanted Registrars to be aware of it,