vatsim.net DNSSEC setup incomplete


Daniel Roesen

Hi,

vatsim.net's DNSSEC setup is incomplete, and thus effectively nonexistent:

vatsim.net is missing the DS signature record in the .net TLD zone, so no verifiable signature chain exists:

https://dnssec-analyzer.verisignlabs.com/data.vatsim.net
https://dnsviz.net/d/data.vatsim.net/dnssec/

Result is that no one can properly verify vatsim.net FQDNs and resolvers fall back to unverified responses.
Also, some logs of resolvers get spammed with:

Dec 20 14:07:29 infra1 named[1415]: validating my.vatsim.net/A: no valid signature found
Dec 20 14:07:29 infra1 named[1415]: validating my.vatsim.net/AAAA: no valid signature found
Dec 20 14:07:29 infra1 named[1415]: validating auth.vatsim.net/AAAA: no valid signature found
Dec 20 14:07:29 infra1 named[1415]: validating auth.vatsim.net/A: no valid signature found
Dec 20 14:07:32 infra1 named[1415]: validating stats.vatsim.net/A: no valid signature found
Dec 20 14:07:32 infra1 named[1415]: validating stats.vatsim.net/AAAA: no valid signature found
Dec 20 14:08:07 infra1 named[1415]: validating status.vatsim.net/A: no valid signature found
Dec 20 14:08:07 infra1 named[1415]: validating status.vatsim.net/AAAA: no valid signature found
Dec 20 14:08:41 infra1 named[1415]: validating metar.vatsim.net/A: no valid signature found
Dec 20 14:08:41 infra1 named[1415]: validating metar.vatsim.net/AAAA: no valid signature found

etc. (This is how I came to that issue...)


Best regards,
Daniel
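A way to triage resolver logs like the ones in the post above, added here as an example and not part of the original post: it groups BIND "no valid signature found" messages by zone, so a zone-wide cause such as a broken chain of trust stands out from a single bad record. The function names, the two-label zone heuristic and the last two sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict

# BIND validator message, in the format of the log lines quoted in the post.
FAIL_RE = re.compile(
    r"named\[\d+\]: validating (?P<name>[^/\s]+)/(?P<rtype>[A-Z0-9]+): "
    r"no valid signature found"
)

def zone_of(name, labels=2):
    # Assumption: the zone apex is the last two labels (holds for vatsim.net,
    # not for suffixes such as co.uk; use a public-suffix list for those).
    return ".".join(name.rstrip(".").lower().split(".")[-labels:])

def summarize(lines):
    """Group validation failures by zone: distinct names, record types, count."""
    zones = defaultdict(lambda: {"names": set(), "rtypes": set(), "count": 0})
    for line in lines:
        m = FAIL_RE.search(line)
        if m is None:
            continue  # not a validation failure message
        entry = zones[zone_of(m["name"])]
        entry["names"].add(m["name"].lower())
        entry["rtypes"].add(m["rtype"])
        entry["count"] += 1
    return dict(zones)

def suspect_zones(lines, min_names=3):
    """Zones failing for several distinct hostnames: a zone-wide cause is
    more likely than one bad record."""
    return sorted(z for z, e in summarize(lines).items()
                  if len(e["names"]) >= min_names)

# First six lines are taken from the post; the last two are constructed.
SAMPLE = [
    "Dec 20 14:07:29 infra1 named[1415]: validating my.vatsim.net/A: no valid signature found",
    "Dec 20 14:07:29 infra1 named[1415]: validating my.vatsim.net/AAAA: no valid signature found",
    "Dec 20 14:07:29 infra1 named[1415]: validating auth.vatsim.net/AAAA: no valid signature found",
    "Dec 20 14:07:29 infra1 named[1415]: validating auth.vatsim.net/A: no valid signature found",
    "Dec 20 14:07:32 infra1 named[1415]: validating stats.vatsim.net/A: no valid signature found",
    "Dec 20 14:07:32 infra1 named[1415]: validating stats.vatsim.net/AAAA: no valid signature found",
    "Dec 20 14:09:02 infra1 named[1415]: validating www.example.org/A: no valid signature found",
    "Dec 20 14:09:05 infra1 named[1415]: zone example.org/IN: loaded serial 1",
]

if __name__ == "__main__":
    for zone in suspect_zones(SAMPLE):
        e = summarize(SAMPLE)[zone]
        print(zone, e["count"], sorted(e["names"]), sorted(e["rtypes"]))
```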


  • 4 months later...
2 hours ago, Nick Harasym said:

Filling up your disk with logs eh? Logrotate can help with that.

This is just an annoyance resulting from the broken DNSSEC setup of vatsim.net, but thanks for the sarcasm. I totally dig that arrogance.

And sorry for caring about the security of vatsim.net, I won't bother anymore.


Posted (edited)
On 5/24/2021 at 5:51 PM, Daniel Roesen said:
On 5/24/2021 at 2:58 PM, Nick Harasym said:

Filling up your disk with logs eh? Logrotate can help with that.

This is just an annoyance resulting from the broken DNSSEC setup of vatsim.net, but thanks for the sarcasm. I totally dig that arrogance.

And sorry for caring about the security of vatsim.net, I won't bother anymore.

You get used to it after a while. Don't worry about it, just accept that this is the way it is. Sarcasm aside (and maybe it wasn't sarcasm) you have to accept that the VATSIM tech department is ridiculously overloaded, and they can't do what ten people tell them to do, so they do what's most urgent.

 

Edited by Alistair Thomson
Abrasion reduction :)

Alistair Thomson

===

Definition: a gentleman is a flying instructor in a Piper Cherokee who can change tanks without getting his face slapped.


On 5/24/2021 at 2:51 PM, Daniel Roesen said:

This is just an annoyance resulting from the broken DNSSEC setup of vatsim.net, but thanks for the sarcasm. I totally dig that arrogance.

And sorry for caring about the security of vatsim.net, I won't bother anymore.

I didn't intend to upset people. Sometimes I like to be abrasive. 

This is being looked into. I've set a reminder to follow up on it later so that it isn't dropped.

Nick Harasym
Senior Network Infrastructure Engineer 
## [email protected]
## www.vatsim.net