Andreas Pothe <mailinglisten+spamtrap@pothe.de> writes:

> Oh, dslbank.de has a corrupt DS entry at .de level (DS without corresponding DNSKEY). This can make trouble too, I think.
I don't see that (now at least). There are 4 DS records and 4 ZSKs with matching IDs at least:
bjorn@canardo:~$ dig +dnssec ds postbank.de @a.nic.de +multiline

; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> +dnssec ds postbank.de @a.nic.de +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63458
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;postbank.de.        IN DS

;; ANSWER SECTION:
postbank.de.        86400 IN DS 53214 7 2 ( 0D2B8312AC2E52B9A1B1FD8A8F9824CF6D7545D0A0D5 EFC47AB5C84AF0AB06FC )
postbank.de.        86400 IN DS 41601 7 2 ( 6553D5202663A13E67C3E0E38E457B01DA54B0583D1E 03943D88EEE15DEDF2E3 )
postbank.de.        86400 IN DS 13734 7 2 ( 52392391140DF30BE650BD34073BAC554A420D5657BE 3F00A0B41B8336937C7C )
postbank.de.        86400 IN DS 18276 7 2 ( CF18D83746B799D046A0B7DF751F5EB0A1DB2CD154CE 77BBD44E0CB261CA05C5 )
postbank.de.        86400 IN RRSIG DS 8 2 86400 ( 20160209110000 20160202110000 62490 de. fz+k9OA+O2FHN5JQETlhGd/XuLKVUCXO1rwQ0fqZhqzP JFQStHcSs9tyjLfz8IuCPgiQUphtKtzjT44D0HH5j0FI rNqv/43lpiQtH/EI2Qbfub1SyV9HbO4g71btTvvlT33T Vva7w3WnYKFUeF48kOfJNdK2TArAgftttM7/alM= )

;; Query time: 45 msec
;; SERVER: 2001:678:2::53#53(2001:678:2::53)
;; WHEN: Tue Feb 02 14:37:16 CET 2016
;; MSG SIZE rcvd: 394
bjorn@canardo:~$ dig +dnssec dnskey postbank.de @ns1.postbank.de +multiline

; <<>> DiG 9.9.5-9+deb8u5-Debian <<>> +dnssec dnskey postbank.de @ns1.postbank.de +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22666
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 12, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;postbank.de.        IN DNSKEY

;; ANSWER SECTION:
postbank.de.        86400 IN DNSKEY 257 3 7 ( AwEAAcRzTe+/LM0moPFfSFK8F5kg+z6EFCzy2RcUUT2E CY12qLab0PqjHqPa/qN3k+FzgJlrZzlkuDwWLJg6Mvco 7JgIHEl3447G2NLUOcpuiHZ9HlId5jvyN2GXOij+C+wB Fhuo54rAG+TT6tXk+B1pH88enxLUH14iihFsKiJdkMkW D2ejskL/upKoRWh0ke/IlfheSnLMppJRouPjxU6TWTko odkFy3xkZFM7C+1fo+HzY6arN7zhj1wSqAikSLoOBZlC N/B+Afx53UMawP00Ftc+xm6pD3VhDp9NjcB1fOdVtUMc +CWTl3kXaoWdPDjesD5PbTiDgDzCCcn+/1e280U= ) ; KSK; alg = NSEC3RSASHA1; key id = 18276
postbank.de.        86400 IN DNSKEY 257 3 7 ( AwEAAbN0sNttYJE7OlzpVif9w5RzZ7Atmc+/pR9Qfh5w C/rBwFuxADYbC6FUhQkpRZT+oXIW7aaSBUjA3QFyMK7f zfM7F3iIqdgDLL2ettHFBTy2Ch2MoTleFtWU26lJ0YPz DLWtHbQdz6KHP5NJR+K6NqlPtn8hH3N88BpLVwITY855 uXFHEPqmAOP9pSpDcs2FHAduJxq6KtBhMLrDasE01dfn xlX2+EpLqD2V7BKrJ7s9/3u2d6YFrmHhkS8HX73yexbz mXo5RVncdn6S55gmFc3q7E0iUUAdZbuAyQfX92lcM+9y e8wHPktQyaKa6obRekZUJr4FNe7+hwESnw+/dXM= ) ; KSK; alg = NSEC3RSASHA1; key id = 13734
postbank.de.        86400 IN DNSKEY 257 3 7 ( AwEAAfAiDH5Os1tmMwBS+p4SczjzYUNCBOX3MZjRcoWl cErrjNWlAVWqimM4bFZB/nRzreVtmHCO3kYfJgazuT3T 2W6Qe6fs4HN8k4ETUTC5taPfmZQ9ReNDD5QfLIk/LIAQ MJ39Y1QAeJrK2/RFQA1LwKPyuehQZWNxsuPoClVFKizQ 2eozAIV1g6JtCyrtsin3288coz/ZAaGDShQQXoMzMfyg rFiZyurtUqf90IWZhI4Gc9rxApdFgrV4t4FeFNk+LGtr ahun1yy2UNtUcpgvRgzG4mw8HG41PYDUCmzvlwNXUmpo Cwt7Oa3Zybu6ikGprfBSM11SZURRSRv8BryCy+k= ) ; KSK; alg = NSEC3RSASHA1; key id = 53214
postbank.de.        86400 IN DNSKEY 257 3 7 ( AwEAAcnx4BAUeeDyAkPIkm9gAXERrFxy9XIDN5EPFQny H/eLjqgmSA2B09sTODO+5loPR1PTsk0RkJabwrPJXUll 6FfRodV/1lW3QltT/7y17698rqGrc7sqyDgxo5vJx+Ta JDjD6IlhWjI6FH8pAFonBgrOJz/nS0sy1oxbubEbGCcY 1W8+l2X6fecHqVR3tvdhdPmCOVzCh5sX6YC/FnisOQ/h 2Pi2kKIiac9iTq/A2Vw0i5dWYWw//ZqeO0TA0WDmXCtK UtvUVurDeTrKx5WiMIYrefLUC77Aa9vjXb6gpzCiJxoo cJCgvXateBayPTrit/fBay24fvqRWWoBvolVIhE= ) ; KSK; alg = NSEC3RSASHA1; key id = 41601
postbank.de.        86400 IN DNSKEY 256 3 7 ( AwEAAbIrv7LW/T9qjAM9p+kkppvH1K3GJhbSS+cNza3B 1r2tRR82Z8PcZclYRqv2aBvjiAPcZv6lOupQcYD/Vrpg MEjrzEbSn85vr0OYYjqHq+/WTT57x9Ko6Y9/vtbIws7x Kq9GigSWhbpTRn9qsSFisI17yn9jVdWsN9bNinOMnzm1 ) ; ZSK; alg = NSEC3RSASHA1; key id = 63284
postbank.de.        86400 IN DNSKEY 256 3 7 ( AwEAAbipCwn6Fbh3kbrGENYu4EGKnkLsh1+9ACGLcDR7 iTysuces2ot9VnGdq+zg0+D3f/IDgSMNU+PPE09bvKfg HqDod+f2TuvBiYLZfjr2sMwrlqQnGvSpXfuc9t071JI7 uz80LnlDR9rtoF+Ni6dSI6Nw8AX10hQTkS4KwqAx/Ftd ) ; ZSK; alg = NSEC3RSASHA1; key id = 48839
postbank.de.        86400 IN DNSKEY 256 3 7 ( AwEAAda3BdXHnv5nGstQ9nECdO5S25sihAMCJbphVJ13 QJ9yw+fsfOZHaFMX3Oi3uTkwtobOZGizeuUF8SsQRpY6 wXEP1Aa4HMgm0coCcGbGHjkE86pvmDDh9PExpmg71VvW lQZubucLoGRj6ZAr64UeNofci9J1sTo1Ub6WAoKXANIT ) ; ZSK; alg = NSEC3RSASHA1; key id = 13394
postbank.de.        86400 IN DNSKEY 256 3 7 ( AwEAAahHOOnai3XHpvSa2fKArbATWwHQA4+xeUitroui 7i+l+Exy5Q3pQ0AASRo2k6iYWXGCpklLO0mKryjCpFUN VuIdyVC+fSZlgOPpdRgzwjv9w3C7EBafTl0bVit0TNHS WzFfzy/0rSr4Bpkg2YrfGy38WqDwHmcOUG86HfugBedp ) ; ZSK; alg = NSEC3RSASHA1; key id = 43898
postbank.de.        86400 IN RRSIG DNSKEY 7 2 86400 ( 20160208145154 20160201145154 53214 postbank.de. hgawwvu2Ne5583qitm7cnXtDI2fx8ZAskZfJ+B7dBe9T K24imxqC8DC98y5+QcVFKEv0KW8qxNSitlIJt8CrjgMH C6TPj8O9RMG/ro0jou2GpQMANJjcmszwpGCWVsT2h90P pR3jPb0+6S24ee/0Z+dVj94iCi5D51WOwxQJGVCIqRj0 7cOtfcKo2XGIqQWw8pnPaeOUA9yn0VPG3P4dHAqbRuEI Uj6rD4qh5FEwaIZJU3oqR05/Q+h7utoKsAM9HO3uzUfY U0n+IYfG+ZYixQaw8jxP3kmgo73skIIHgIfZjTRltzhb CACU/qcwPCayLAjlBp98xzIpWCgM7ho4kQ== )
postbank.de.        86400 IN RRSIG DNSKEY 7 2 86400 ( 20160208145154 20160201145154 41601 postbank.de. hKsw+kmm3JqYblS2dNOVGpfe5SzNViRs8XBTPznTst5Q Vj6VGdWmTB0RdeOby/WF1e5l/MsV1Z9lwD4VL1gVmWnm dqTVYJMamep/FI1yRxEY6PPkdryr3KBDyNTWPBALnRpm IFSmg7et8l3MWqAZk80RSfiNZ8UhDJjXgzJP3gE6C8JD nTwsLx7DGu2Lnd0gRv/I8CCEr0Mlyv3QPZR+Qii2J2jO t3/au2vyYZ2hRnaZfAB/PL1reISUkcIPiCfwshXGkA4b fEunkTZIy5hegC6olhzx4wdmpWg1CZudltNfqBxp3dZh dIBHlFQiZFfZYVz1Eb5I9Y44LogZfRMblg== )
postbank.de.        86400 IN RRSIG DNSKEY 7 2 86400 ( 20160208145154 20160201145154 13394 postbank.de. z/a7WjxUUZrRvG0MhqaTsAowKoYitadMDYxaFc3c3qhj x8a67ihz55MwRLiD6TgBPDUd8cpWyCTNzJne8vhoAAIK bVaL5ide8NCqDLljbq9+qHVp+oWUr21Q2VcUwSUie3KR 6/WF+LqfeTw2bXnTjVu2SY0Ms4HNDvQsQpoK81Y= )
postbank.de.        86400 IN RRSIG DNSKEY 7 2 86400 ( 20160208145154 20160201145154 43898 postbank.de. F4TUFHteWlIpCf682c8Ymd5ZK7q9XQs+vekUNoB36fUL yPLElMUh1hOrsS3hJ4gTUyDkoa0o3R0p5fh/6URdRpeW RdP6PwqFvFpkU+pXSRHFdteoLBZmQQTv7ajeTPJJo4L7 43Z6LSbK3El2VCeu9p9IuUJqw2tafjjOOvi3TRM= )

;; Query time: 48 msec
;; SERVER: 62.153.105.1#53(62.153.105.1)
;; WHEN: Tue Feb 02 14:37:26 CET 2016
;; MSG SIZE rcvd: 2808
But publishing no less than 8 keys, resulting in a 2808 reply, is more than risky IMHO. Especially in the bank business. You only need one paranoid firewall to break that.
Why would anyone need to publish 4 ZSKs *and* 4 KSKs?
Bjørn
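The mail compares DS and DNSKEY records by key id only. A key id (key tag) is just a 16-bit checksum of the DNSKEY RDATA, so the real test for Andreas's "DS without corresponding DNSKEY" case is to recompute the DS digest from each DNSKEY and compare it with what the parent publishes. The following script does that in pure Python (RFC 4034 key tag and DS digest); it is an added example, not code from the mail or from anyone on the list, and its sample input is the KSK with key id 18276 and the matching DS copied from the dig output above.

```python
import base64
import hashlib

def wire_name(name: str) -> bytes:
    """Owner name in canonical (lowercase) wire format, which is what a DS digest covers."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA on the wire: flags | protocol | algorithm | public key.
    Whitespace inside the base64 (as printed by dig +multiline) is ignored."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode("".join(key_b64.split()))

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B; this is the 'key id' dig prints after each DNSKEY.
    (Algorithm 1, RSAMD5, used a different rule; it is not relevant for algorithm 7 here.)"""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest per RFC 4034 section 5.1.4: hash(owner name || DNSKEY RDATA); type 2 is SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return h(wire_name(owner) + rdata).hexdigest().upper()

def check_ds(owner: str, dnskeys, ds_records) -> dict:
    """For each DS (key_tag, algorithm, digest_type, hex_digest) report whether some DNSKEY
    (flags, protocol, algorithm, base64) in the child's set really hashes to it.
    A False entry is the 'DS without corresponding DNSKEY' case: a validating resolver
    then has no usable chain of trust and treats the whole zone as bogus."""
    result = {}
    for tag, alg, dtype, digest in ds_records:
        want = "".join(digest.split()).upper()
        result[tag] = any(
            key_alg == alg and key_tag(rd) == tag and ds_digest(owner, rd, dtype) == want
            for rd, key_alg in [(dnskey_rdata(f, p, a, k), a) for f, p, a, k in dnskeys]
        )
    return result

if __name__ == "__main__":
    # Sample input copied from the dig output quoted in the mail: the KSK with key id 18276
    # and the DS published for it at .de. The other three KSK/DS pairs can be pasted the same way.
    ksk_18276 = """AwEAAcRzTe+/LM0moPFfSFK8F5kg+z6EFCzy2RcUUT2E CY12qLab0PqjHqPa/qN3k+FzgJlrZzlkuDwWLJg6Mvco
    7JgIHEl3447G2NLUOcpuiHZ9HlId5jvyN2GXOij+C+wB Fhuo54rAG+TT6tXk+B1pH88enxLUH14iihFsKiJdkMkW
    D2ejskL/upKoRWh0ke/IlfheSnLMppJRouPjxU6TWTko odkFy3xkZFM7C+1fo+HzY6arN7zhj1wSqAikSLoOBZlC
    N/B+Afx53UMawP00Ftc+xm6pD3VhDp9NjcB1fOdVtUMc +CWTl3kXaoWdPDjesD5PbTiDgDzCCcn+/1e280U="""
    ds_18276 = (18276, 7, 2, "CF18D83746B799D046A0B7DF751F5EB0A1DB2CD154CE 77BBD44E0CB261CA05C5")
    print(check_ds("postbank.de", [(257, 3, 7, ksk_18276)], [ds_18276]))
```

Run against the full DNSKEY RRset and DS set, every published DS should come back True; any False entry means the parent points at a key the child no longer serves.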