Closed Bug 1274066 Opened 8 years ago Closed 8 years ago

Bogus DNSSEC signature

Categories

(Cloud Services :: Operations: AMO, task)

x86
Linux
task
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: sam.kuper, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.8.0
Build ID: 20160426225641

Steps to reproduce:

Per report at https://groups.google.com/forum/#!topic/mozilla.addons.user-experience/79uVNCcXOzA . Steps to reproduce are as follows:

1. On an up-to-date Debian Jessie install, run Iceweasel (i.e. re-branded Firefox).

2. Install DNSSEC Validator from https://www.dnssec-validator.cz/

3. After DNSSEC Validator installation is complete (and Iceweasel restarted if necessary), visit https://addons.mozilla.org/en-US/firefox/ .

Actual results:

A green icon appears at the left of the address bar, indicating an Extended Validation (EV) HTTPS (TLS) implementation. The SSL/TLS certificate has this SHA256 fingerprint: 51:64:6C:66:2B:B3:FD:3A:3B:AC:9D:97:68:03:F4:E6:86:91:83:BB:48:3B:7D:30:DC:DF:C5:C4:D0:48:7B:41 . (Could whoever from Mozilla who is assigned this bug please confirm that this is the expected fingerprint? If it is not, then a man-in-the-middle (MITM) attack is underway against AMO or AMO users.)

However - and this is the bug - there is also a red circle with an open padlock near the right of the address bar. Mousing over this circle gives a tooltip saying, "Bogus DNSSEC signature".


Expected results:

In place of the red circle with an open padlock, a green circle with a closed padlock should appear. Mousing over this should give a tooltip saying, "Certificate corresponds to TLSA".

An example of the expected behaviour can be seen by following the steps to reproduce, but browsing to either of the following URLs instead of https://addons.mozilla.org/en-US/firefox/ :

https://www.debian.org/

https://grepular.com/Understanding_DNSSEC
OS: Unspecified → Linux
Hardware: Unspecified → x86
:wezhou could you take a look at this?
Hi Sam,

Thanks for reporting the bug.

To confirm, 51:64:6C:66:2B:B3:FD:3A:3B:AC:9D:97:68:03:F4:E6:86:91:83:BB:48:3B:7D:30:DC:DF:C5:C4:D0:48:7B:41 is the correct SHA256 fingerprint of our certificate.

addons.mozilla.org currently doesn't have DNSSEC enabled. Thus seeing the red padlock in the DNSSEC validator is an expected behavior at the moment. Unfortunately we don't have immediate plans yet to enable DNSSEC for addons.mozilla.org domain due to other priorities. We need to put this ticket on hold for now and get back to it when possible.
(In reply to :wezhou from comment #2)
> To confirm,
> 51:64:6C:66:2B:B3:FD:3A:3B:AC:9D:97:68:03:F4:E6:86:91:83:BB:48:3B:7D:30:DC:
> DF:C5:C4:D0:48:7B:41 is the correct SHA256 fingerprint of our certificate.

Thanks, good to know!

> addons.mozilla.org currently doesn't have DNSSEC enabled. Thus seeing the
> red padlock in the DNSSEC validator is an expected behavior at the moment.

Actually, that's not expected. Sites that don't have DNSSEC enabled normally yield, in that UI position in the address bar, a grey circle containing: a white, closed padlock, and a small red circle with a white horizontal bar in the middle. Mousing over that icon on a site without DNSSEC enabled yields a tooltip saying, "Not secured by DNSSEC".

> Unfortunately we don't have immediate plans yet to enable DNSSEC for
> addons.mozilla.org domain due to other priorities. We need to put this
> ticket on hold for now and get back to it when possible.

If the DNSSEC Validator were giving one of the two expected results (i.e. a green circle for a working DNSSEC implementation, or a grey circle as above for no DNSSEC implementation), I would agree with you. However, the fact that it is giving a third, unexpected result indicates a fault of some kind and is liable to cause concern among users whose clients attempt to validate the site's DNSSEC.

Thanks again!
s/an is liable/and is liable/
Hi Sam,

Is it possible that you can post the error/warning logs from DNSSEC Validator plugin to help see where it failed?

Thanks!
> Is it possible that you can post the error/warning logs from DNSSEC
> Validator plugin to help see where it failed?

Sure.

First, for the avoidance of doubt: if I right-click on either of the icons that DNSSEC Validator displays in my address bar, and then left-click "About plugin...", I get a window that gives the version as 2.2.0.2.

Second, in the "settings" dialog for the DNSSEC Validator plugin:

- Resolver is set to "Custom" with value "8.8.8.8".

- "Enable TLSA validation" is ticked.

- "Use browser's certificate chain" is ticked.

- No other checkboxes are ticked.

(N.B. This indicates to me that I may have missed off a step in my "Steps to reproduce" given in the initial bug report. I don't specifically recall setting the resolver to "Custom" and to value "8.8.8.8", but re-tracing my steps today, I think I may have done that at some stage, and may have had that setting cached in my Iceweasel (Firefox) profile causing it to be applied even if I uninstalled and re-installed the DNSSEC Validator plugin. This is important, because if I instead set the resolver to "Use system settings", then the plugin behaves slightly differently than noted in this bug report. Apologies for not noticing this earlier. Please therefore read this bug report and all my comments thereon as assuming that the DNSSEC Validator plugin settings are as above unless otherwise stated.)

Third, DNSSEC Validator always shows two icons per web page: one to indicate DNSSEC state, and one to indicate DANE/TLSA state.

When I visit https://addons.mozilla.org , DNSSEC Validator shows me:

- for DNSSEC state, first icon listed here: https://web.archive.org/web/20160404061031/https://www.dnssec-validator.cz/pages/documentation.html#dnssec-states . Specifically, this icon: https://web.archive.org/web/20160404061031im_/https://www.dnssec-validator.cz/images/keys/dnssec_no.png ;
- for DANE/TLSA state, the fifth icon listed here: https://web.archive.org/web/20160404061031/https://www.dnssec-validator.cz/pages/documentation.html#dane-tlsa-states . Specifically, this icon: https://web.archive.org/web/20160404061031im_/https://www.dnssec-validator.cz/images/keys/tlsa_invalid.png .

(Archived copy of documentation used so as to avoid the possibility of causing confusion to future readers of this bug report, should the live documentation disappear or be updated in a way that contradicts my description - e.g. if the description of the icons is re-ordered.)

Fourth, here is the debug log:

> TLSA: Input parameters: domain='addons.mozilla.org'; port='443'; protocol='tcp'; options=3; resolver_address='8.8.8.8';
> TLSA: Adding resolver IP address '8.8.8.8'
> CERT: Initialising SSL context.
> CERT: Trying to load certificates from file '/etc/ssl/certs/ca-certificates.crt'.
> CERT: Trying to load certificates from file '/etc/ssl/certs/ca-bundle.crt'.
> CERT: '/etc/ssl/certs/ca-bundle.crt' is not a file.
> CERT: Trying to load certificates from file '/etc/ssl/certs/ca-bundle.trust.crt'.
> CERT: '/etc/ssl/certs/ca-bundle.trust.crt' is not a file.
> CERT: Trying to load certificates from file '/usr/local/share/certs/ca-root-nss.crt'.
> CERT: '/usr/local/share/certs/ca-root-nss.crt' is not a file.
> CERT: Trying to load certificates from directory '/etc/ssl/certs'.
> CERT: Initialisation of SSL context succeeded.
> DNSSEC: Input parameters: domain='addons.mozilla.org'; options=7; resolver_address='8.8.8.8'; remote_address='54.148.104.15';
> DNSSEC: Adding resolver IP address '8.8.8.8'
> DNSSEC: Examine result: addons.mozilla.org 1 1 0 54.148.104.15
> DNSSEC: Has data.
> DNSSEC: ub-secure: 0
> DNSSEC: ub-bogus: 0
> DNSSEC: Returned value (overall/ipv4/ipv6): "1/1/0"
> TLSA: Domain is bogus: validation failure <_443._tcp.addons.mozilla.org. TLSA IN>: no DNSSEC records from 8.8.8.8 for DS _tcp.addons.mozilla.org. while building chain of trust
> TLSA: Input parameters: domain='addons.mozilla.org'; port='443'; protocol='tcp'; options=3; resolver_address='8.8.8.8';
> TLSA: Domain is bogus: validation failure <_443._tcp.addons.mozilla.org. TLSA IN>: key for validation _tcp.addons.mozilla.org. is marked as invalid because of a previous validation failure <_443._tcp.addons.mozilla.org. TLSA IN>: no DNSSEC records from 8.8.8.8 for DS _tcp.addons.mozilla.org. while building chain of trust
> TLSA: Input parameters: domain='addons.mozilla.org'; port='443'; protocol='tcp'; options=3; resolver_address='8.8.8.8';
> TLSA: Domain is bogus: validation failure <_443._tcp.addons.mozilla.org. TLSA IN>: key for validation _tcp.addons.mozilla.org. is marked as invalid because of a previous validation failure <_443._tcp.addons.mozilla.org. TLSA IN>: no DNSSEC records from 8.8.8.8 for DS _tcp.addons.mozilla.org. while building chain of trust
> TLSA: Input parameters: domain='addons.mozilla.org'; port='443'; protocol='tcp'; options=3; resolver_address='8.8.8.8';
> TLSA: Domain is bogus: validation failure <_443._tcp.addons.mozilla.org. TLSA IN>: key for validation _tcp.addons.mozilla.org. is marked as invalid because of a previous validation failure <_443._tcp.addons.mozilla.org. TLSA IN>: no DNSSEC records from 8.8.8.8 for DS _tcp.addons.mozilla.org. while building chain of trust
> TLSA: Input parameters: domain='addons.mozilla.org'; port='443'; protocol='tcp'; options=3; resolver_address='8.8.8.8';
> TLSA: Domain is bogus: validation failure <_443._tcp.addons.mozilla.org. TLSA IN>: key for validation _tcp.addons.mozilla.org. is marked as invalid because of a previous validation failure <_443._tcp.addons.mozilla.org. TLSA IN>: no DNSSEC records from 8.8.8.8 for DS _tcp.addons.mozilla.org. while building chain of trust
> TLSA: Input parameters: domain='addons.mozilla.org'; port='443'; protocol='tcp'; options=3; resolver_address='8.8.8.8';
> TLSA: Domain is bogus: validation failure <_443._tcp.addons.mozilla.org. TLSA IN>: key for validation _tcp.addons.mozilla.org. is marked as invalid because of a previous validation failure <_443._tcp.addons.mozilla.org. TLSA IN>: no DNSSEC records from 8.8.8.8 for DS _tcp.addons.mozilla.org. while building chain of trust
> DNSSEC: Input parameters: domain='addons.mozilla.org'; options=7; resolver_address='8.8.8.8'; remote_address='54.148.104.15';
> DNSSEC: Examine result: addons.mozilla.org 1 1 0 54.148.104.15
> DNSSEC: Has data.
> DNSSEC: ub-secure: 0
> DNSSEC: ub-bogus: 0
> DNSSEC: Returned value (overall/ipv4/ipv6): "1/1/0"
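The log above shows the two checks disagreeing: the DNSSEC check reports neither `ub-secure` nor `ub-bogus` (an unsigned zone), while the TLSA check reports the domain as bogus. The following triage script is an added example, not code from the DNSSEC Validator plugin or from this bug; it parses log lines of the shapes quoted above and classifies the DNSSEC and DANE/TLSA outcomes so that the "unsigned but bogus" combination the reporter describes is flagged explicitly. It assumes that `ub-secure`/`ub-bogus` correspond to libunbound's `ub_result` flags (secure, bogus, or neither meaning provably unsigned), and the sample log embedded in it is a constructed, trimmed copy of the quoted log.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample built from the line shapes quoted in the bug's debug log
# (two of the repeated TLSA lines kept, "> " quoting removed). Nothing about the
# plugin's log format beyond these line shapes is assumed.
SAMPLE_LOG = """\
DNSSEC: Input parameters: domain='addons.mozilla.org'; options=7; resolver_address='8.8.8.8'; remote_address='54.148.104.15';
DNSSEC: Examine result: addons.mozilla.org 1 1 0 54.148.104.15
DNSSEC: Has data.
DNSSEC: ub-secure: 0
DNSSEC: ub-bogus: 0
DNSSEC: Returned value (overall/ipv4/ipv6): "1/1/0"
TLSA: Domain is bogus: validation failure <_443._tcp.addons.mozilla.org. TLSA IN>: no DNSSEC records from 8.8.8.8 for DS _tcp.addons.mozilla.org. while building chain of trust
TLSA: Domain is bogus: validation failure <_443._tcp.addons.mozilla.org. TLSA IN>: key for validation _tcp.addons.mozilla.org. is marked as invalid because of a previous validation failure <_443._tcp.addons.mozilla.org. TLSA IN>: no DNSSEC records from 8.8.8.8 for DS _tcp.addons.mozilla.org. while building chain of trust
"""


@dataclass
class ValidationRecord:
    domain: Optional[str] = None
    resolver: Optional[str] = None
    ub_secure: Optional[int] = None
    ub_bogus: Optional[int] = None
    tlsa_failures: List[str] = field(default_factory=list)

    @property
    def dnssec_state(self) -> str:
        """Map the two libunbound-style flags (assumed meaning) onto RFC 4035's
        three validator outcomes: secure, bogus, or insecure (provably unsigned)."""
        if self.ub_secure == 1:
            return "secure"
        if self.ub_bogus == 1:
            return "bogus"
        if self.ub_secure == 0 and self.ub_bogus == 0:
            return "insecure"
        return "unknown"

    @property
    def tlsa_state(self) -> str:
        return "bogus" if self.tlsa_failures else "no failure logged"


PARAMS_RE = re.compile(r"^DNSSEC: Input parameters: domain='([^']+)';.*resolver_address='([^']+)'")
SECURE_RE = re.compile(r"^DNSSEC: ub-secure: (\d)")
BOGUS_RE = re.compile(r"^DNSSEC: ub-bogus: (\d)")
TLSA_FAIL_RE = re.compile(r"^TLSA: Domain is bogus: (.+)$")


def parse_log(text: str) -> ValidationRecord:
    """Collect the DNSSEC flags and distinct TLSA failure reasons from a log dump."""
    rec = ValidationRecord()
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()  # tolerate the "> " quoting used in bug comments
        if m := PARAMS_RE.match(line):
            rec.domain, rec.resolver = m.group(1), m.group(2)
        elif m := SECURE_RE.match(line):
            rec.ub_secure = int(m.group(1))
        elif m := BOGUS_RE.match(line):
            rec.ub_bogus = int(m.group(1))
        elif m := TLSA_FAIL_RE.match(line):
            reason = m.group(1)
            if reason not in rec.tlsa_failures:  # the plugin repeats the same failure per lookup
                rec.tlsa_failures.append(reason)
    return rec


def assess(rec: ValidationRecord) -> str:
    """Combine both outcomes; the insecure+bogus pairing is the contradiction in the report."""
    d, t = rec.dnssec_state, rec.tlsa_state
    if d == "bogus":
        return "bogus DNSSEC: treat the answer as untrusted"
    if d == "secure" and t == "bogus":
        return "signed zone but TLSA chain failed: check TLSA records and certificate"
    if d == "insecure" and t == "bogus":
        return "inconsistent: zone is unsigned (expect 'Not secured by DNSSEC') yet TLSA validation reported bogus"
    if d == "insecure":
        return "not secured by DNSSEC"
    if d == "secure":
        return "secure"
    return "unknown"


if __name__ == "__main__":
    record = parse_log(SAMPLE_LOG)
    print(record.domain, "via", record.resolver)
    print("DNSSEC:", record.dnssec_state, "| TLSA:", record.tlsa_state)
    for reason in record.tlsa_failures:
        print("  -", reason)
    print(assess(record))
```

Feeding the full quoted log to `parse_log` yields `insecure` for DNSSEC and `bogus` for TLSA, which `assess` reports as inconsistent; a log with `ub-secure: 1` and no TLSA failure lines is reported as secure. Only the state flags and the failure reasons are used, so the repeated `TLSA: Input parameters` lines are ignored.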
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
@jason, please could you explain the reason for closing this as WONTFIX?