EDE: RRSIG missing for DNSKEY .at

Thanks to CF Resolver we see the Extended DNS Errors in the response. This helps identify DNSSEC issues quickly.

During a regular I noticed, when querying the SOA for the label at (TLD of Austria), that there's an

;; EDE: 10 (RRSIGs Missing): 'for DNSKEY at., id = 1253'

included.

kdig @1.1.1.1 at  +edns +dnssec
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 2935
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR
;; EDE: 10 (RRSIGs Missing): 'for DNSKEY at., id = 1253'

;; QUESTION SECTION:
;; at.                          IN      A

;; AUTHORITY SECTION:
at.                     10800   IN      SOA     dns.nic.at. domain-admin.univie.ac.at. 1692212402 10800 3600 604800 10800
at.                     10800   IN      RRSIG   SOA 13 1 172800 20230830114054 20230816180140 6345 at. E7KC8G+yvUfWnm/vaNIpXCpCraegPld80mliWZnMfsp/ImP4dHgVN9vR/O70Mp2OEv4wxPQ4dMsGuXtjZq2Ngw==
fjscbioio98ccv4od6ka4d7oh5bgrn00.at. 10800      IN      NSEC3   1 1 0 - fjsgctda26f5nr1uo17l5me78mc61hq3 NS SOA RRSIG DNSKEY NSEC3PARAM
fjscbioio98ccv4od6ka4d7oh5bgrn00.at. 10800      IN      RRSIG   NSEC3 13 2 10800 20230827103411 20230813220146 6345 at. cssVj+Ia0n1grvudBjp7cg9OuQB/QZP6RhYbbDf0yakmzXji+okKgG4at2ynb/j/zsgFdtN9RJcs9YEVY9TEUA==

;; Received 405 B
;; Time 2023-08-16 21:09:44 CEST
;; From 1.1.1.1@53(UDP) in 14.8 ms

Querying some of the TLD root servers returns the DNSKEY with the key tag 1253 and a (valid) signature of the response.

kdig @u.ns.at at  dnskey  +edns +dnssec +multiline
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 34186
;; Flags: qr aa rd; QUERY: 1; ANSWER: 5; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1400 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; at.                   IN DNSKEY

;; ANSWER SECTION:
at.                     3600 IN DNSKEY 256 3 13 (
                                afqJ2CAlm26vL9vdgWZlvBp1BhCXAvXGPDf96ykT
                                8cf7i7uir4QQA5mLi9wikE4WnvD6Y8S9mU4f3SUg
                                maQOEA==
                                ) ; ZSK, ECDSAP256SHA256 (256b), id = 6345
at.                     3600 IN DNSKEY 257 3 13 (
                                F4hxGBIycDfw7ZIeJ1bkOjeGibnoNdlJ9siahr/G
                                PYh9sIftAPCNOSiypWUnNeKu9zHpFY+HtzzPgbZm
                                LO1VRQ==
                                ) ; KSK, ECDSAP256SHA256 (256b), id = 18942
at.                     3600 IN DNSKEY 257 3 13 (
                                2JRF0JhWxU1FWmhF7eY9oPu4XkUdqPDVNi3tm6uX
                                J9DxltWjAS2JMBdAmm6ehsMdlsvsMV+cz+7DZGMz
                                NhbX1g==
                                ) ; KSK, ECDSAP256SHA256 (256b), id = 1253
at.                     3600 IN DNSKEY 256 3 13 (
                                Yye3yFQfyzze/CB9a+89JY/Zyf7L9gEXx9dI72oH
                                yNU1mrMXdKU69LXiNAl9xnW+7BEFjO2NaxoI+h3F
                                4tsF/A==
                                ) ; ZSK, ECDSAP256SHA256 (256b), id = 8460
at.                     3600 IN RRSIG DNSKEY 13 1 3600 20230825065223 (
                                20230811100145 18942 at.
                                7okFniGJjFQn9lJHj2geedF4KcjDpSv6mbd0itS0
                                xgC1CCP9T04mmE9fHsSL8XYzBRB/mESQcbJoRMcu
                                ge3CKw==
                                )

;; Received 449 B
;; Time 2023-08-16 21:15:00 CEST
;; From 2a02:850:ffff::2@53(UDP) in 17.6 ms

There is certainly an explanation for this. What could be a reason? Failed fetching of the DNSKEY from the authoritative nameserver for at (network issues)?

Hi @DasKutti, there are two KSKs for .at (key IDs 18942 and 1253) but only 18942 is used to generate signatures for the ZSK, presumably because of a rollover. This is fine and you still get NOERROR as there's still a viable path using the key 18942; it's just a notice because the resolver can't assume intent (it could be that the signature is stripped by an attacker to force the validator to use a weaker key, for example).

There's documentation for the various EDEs here: Extended DNS error codes · Cloudflare 1.1.1.1 docs

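As an added example (not code from the thread, from the poster, or from Cloudflare), the following Python computes the RFC 4034 key tags from the four DNSKEY records in the kdig output above and reports which KSK has no RRSIG over the DNSKEY RRset, which is exactly what the EDE 10 note flags. The key/RRSIG data is transcribed from the quoted response; the function names and the all-zero test key are my own.

```python
import base64

# Transcribed from the kdig DNSKEY response quoted above: (flags, algorithm, base64 key).
AT_DNSKEYS = [
    (256, 13, "afqJ2CAlm26vL9vdgWZlvBp1BhCXAvXGPDf96ykT"
              "8cf7i7uir4QQA5mLi9wikE4WnvD6Y8S9mU4f3SUgmaQOEA=="),
    (257, 13, "F4hxGBIycDfw7ZIeJ1bkOjeGibnoNdlJ9siahr/G"
              "PYh9sIftAPCNOSiypWUnNeKu9zHpFY+HtzzPgbZmLO1VRQ=="),
    (257, 13, "2JRF0JhWxU1FWmhF7eY9oPu4XkUdqPDVNi3tm6uX"
              "J9DxltWjAS2JMBdAmm6ehsMdlsvsMV+cz+7DZGMzNhbX1g=="),
    (256, 13, "Yye3yFQfyzze/CB9a+89JY/Zyf7L9gEXx9dI72oH"
              "yNU1mrMXdKU69LXiNAl9xnW+7BEFjO2NaxoI+h3F4tsF/A=="),
]
# Key tags named in the RRSIG(DNSKEY) records of that same response: only one KSK signed.
AT_DNSKEY_RRSIG_TAGS = [18942]


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit big-endian word sum over the RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF  # fold the carry back in
    return acc & 0xFFFF


def key_tags(dnskeys) -> dict:
    """Map each key's tag to its role; the SEP bit (flags & 1) marks a KSK."""
    roles = {}
    for flags, alg, b64 in dnskeys:
        tag = key_tag(flags, 3, alg, base64.b64decode(b64))
        roles[tag] = "KSK" if flags & 1 else "ZSK"
    return roles


def ksks_without_dnskey_rrsig(dnskeys, rrsig_tags) -> list:
    """KSKs that published no RRSIG over the DNSKEY RRset (the condition EDE 10 reports)."""
    signed = set(rrsig_tags)
    return sorted(t for t, role in key_tags(dnskeys).items()
                  if role == "KSK" and t not in signed)


def ede10_notes(zone: str, dnskeys, rrsig_tags) -> list:
    """Render the resolver-style note for each unsigned KSK, e.g. 'for DNSKEY at., id = 1253'."""
    return [f"for DNSKEY {zone}, id = {t}"
            for t in ksks_without_dnskey_rrsig(dnskeys, rrsig_tags)]


if __name__ == "__main__":
    print(key_tags(AT_DNSKEYS))
    for note in ede10_notes("at.", AT_DNSKEYS, AT_DNSKEY_RRSIG_TAGS):
        print("EDE 10 (RRSIGs Missing):", note)
```

Feeding the same check a DNSKEY response whose RRSIG list names both KSK tags returns an empty list, so it doubles as a post-rollover sanity test.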

Thank you very much, @mvavrusa! The reference to the missing (second) signature (with key tag 1253) is very helpful. My question is thus completely resolved. Great!
