Thanks Viktor, this looks like a bug in writing NSECs to the final response.
On Mon, 31 Aug 2020 at 23:09, Viktor Dukhovni <[email protected]> wrote:
>
>
> My validating resolver downstream of CF 1.1.1.1 (among others) at times
> sees "bogus" denial of existence for:
>
>     _25._tcp.mx.runbox.com IN TLSA ?
>
> This is because the set of NSEC records forwarded by Cloudflare for this
> domain is not complete. Looking across the major public DNS services:
>
>   * All return AD=1
>   * I see the same zone apex SOA and signature for all
>   * The same NSEC record and signature for "munin01" for all
>   * The apex wildcard record and signature identically ONLY from
>     Google, Verisign and Quad9. From CloudFlare, I get the munin01
>     NSEC record and signature twice, but this alone fails to validate the
>     NODATA response.
>
> CF -> @ 1.1.1.1 _25._tcp.mx.runbox.com. IN TLSA ? ; +dnssec
> runbox.com. IN SOA dns61.copyleft.no. [email protected].
>     3000008471 14400 3600 1296000 3600
> runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225
>     38438 runbox.com. <same SOA sig>
> munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225
>     20200831142225 38438 runbox.com. <munin01-nsec-sig>
> munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225
>     20200831142225 38438 runbox.com. <munin01-nsec-sig>
>
> GOOG -> @ 8.8.8.8 _25._tcp.mx.runbox.com. IN TLSA ?
> runbox.com. IN SOA dns61.copyleft.no. [email protected].
>     3000008471 14400 3600 1296000 3600
> *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
> munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225
>     38438 runbox.com. <same SOA sig>
> *.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225
>     38438 runbox.com. <apex-wildcard-sig>
> munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225
>     20200831142225 38438 runbox.com. <munin01-nsec-sig>
>
> VRSN -> @ 64.6.64.6 _25._tcp.mx.runbox.com. IN TLSA ?
> runbox.com. IN SOA dns61.copyleft.no. [email protected].
>     3000008471 14400 3600 1296000 3600
> runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225
>     38438 runbox.com. <same SOA sig>
> *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
> *.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225
>     38438 runbox.com. <apex-wildcard-sig>
> munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225
>     20200831142225 38438 runbox.com. <munin01-nsec-sig>
>
> Q9 -> @ 9.9.9.10 _25._tcp.mx.runbox.com. IN TLSA ?
> runbox.com. IN SOA dns61.copyleft.no. [email protected].
>     3000008471 14400 3600 1296000 3600
> runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225
>     38438 runbox.com. <same SOA sig>
> *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
> *.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225
>     38438 runbox.com. <apex-wildcard-sig>
> munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225
>     20200831142225 38438 runbox.com. <munin01-nsec-sig>
>
> The same incomplete/redundant response comes back from 1.1.1.1 when
> queried from California, New York and Germany, presumably different
> instances, with fresh uncached results. Oddly enough, if I send the
> same query to CF with also the "CD" bit set, I get a better answer,
> be it this time with "AD=0":
>
> @ 1.1.1.1 _25._tcp.mx.runbox.com. IN TLSA ? ; +cd +dnssec
> runbox.com. IN SOA dns61.copyleft.no. [email protected].
>     3000008471 14400 3600 1296000 3600
> runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225
>     38438 runbox.com. <same SOA sig>
> *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
> munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> *.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225
>     38438 runbox.com. <apex-wildcard-sig>
> munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225
>     20200831142225 38438 runbox.com. <munin01-nsec-sig>
>
> Asking again without "cd" brings back the original incomplete answer.
>
> --
>     Viktor.
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
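The denial-of-existence logic the thread is about, as an added example that is not part of the original messages: a small Python check of a NODATA proof per RFC 4035 (an NSEC owned by the QNAME itself, or else an NSEC covering the QNAME plus the NSEC owned by the wildcard at the closest encloser), run over the NSEC sets from the 1.1.1.1 and 8.8.8.8 responses above. It assumes all RRSIGs have already been verified and models only the NSEC reasoning; the names `NSEC`, `prove_nodata`, `nsec_covers` and `closest_encloser` are chosen here, not taken from any resolver's code.

```python
"""Check the NSEC "wildcard NODATA" proof of RFC 4035 (sections 3.1.3.4 / 5.4).

Added example, not from the original thread.  It assumes every RRSIG in the
response has already been verified and models only the NSEC reasoning, which
is the part the two responses differ in.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NSEC:
    owner: str
    next_name: str
    types: frozenset  # type bitmap of the owner name


def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical ordering: labels are
    compared right to left, case-insensitively, as byte strings."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return [l.encode() for l in reversed(labels)]


def nsec_matches(rr, name):
    return canonical_key(rr.owner) == canonical_key(name)


def nsec_covers(rr, name):
    """True if `name` lies strictly between the NSEC owner and next name, i.e.
    the NSEC proves `name` does not exist.  The last NSEC in the zone wraps
    around to the apex, so its range is open-ended."""
    o, n, q = canonical_key(rr.owner), canonical_key(rr.next_name), canonical_key(name)
    if o < n:
        return o < q < n
    return q > o or q < n


def closest_encloser(qname, rr):
    """Longest existing ancestor of `qname`, derived from the NSEC covering it.
    Every ancestor of an existing name exists too (possibly as an empty
    non-terminal), so the longest common ancestor of qname with the NSEC's
    owner or next name is the closest encloser."""
    q = canonical_key(qname)
    best = []
    for other in (rr.owner, rr.next_name):
        k = canonical_key(other)
        i = 0
        while i < min(len(q), len(k)) and q[i] == k[i]:
            i += 1
        if i > len(best):
            best = q[:i]
    return ".".join(l.decode() for l in reversed(best)) + "."


def prove_nodata(qname, qtype, nsecs):
    """Validate a NODATA answer (NOERROR, empty answer section) from its NSEC
    set.  Returns ('secure', reason) or ('bogus', reason)."""
    nsecs = list(dict.fromkeys(nsecs))  # a duplicated NSEC adds no proof
    for rr in nsecs:                     # plain NODATA: NSEC owned by QNAME
        if nsec_matches(rr, qname):
            if qtype in rr.types or "CNAME" in rr.types:
                return "bogus", f"NSEC for {qname} says {qtype} or CNAME exists"
            return "secure", f"NSEC at {rr.owner} proves no {qtype}"
    covering = [rr for rr in nsecs if nsec_covers(rr, qname)]
    if not covering:
        return "bogus", "no NSEC matches or covers the QNAME"
    wildcard = "*." + closest_encloser(qname, covering[0])
    for rr in nsecs:                     # wildcard NODATA: need the wildcard's own NSEC
        if nsec_matches(rr, wildcard):
            if qtype in rr.types or "CNAME" in rr.types:
                return "bogus", f"NSEC for {wildcard} says {qtype} or CNAME exists"
            return "secure", f"{rr.owner} matched QNAME; its NSEC lacks {qtype}"
    return "bogus", (f"NSEC {covering[0].owner} proves {qname} does not exist, "
                     f"but no NSEC for {wildcard} was supplied")


# The two NSEC records quoted in the thread (RDATA only; signatures elided).
MUNIN01 = NSEC("munin01.runbox.com.", "ipmi.mysql01.runbox.com.",
               frozenset({"A", "RRSIG", "NSEC"}))
WILDCARD = NSEC("*.runbox.com.", "_acme-challenge.runbox.com.",
                frozenset({"A", "MX", "RRSIG", "NSEC"}))
QNAME, QTYPE = "_25._tcp.mx.runbox.com.", "TLSA"

CLOUDFLARE_NSECS = [MUNIN01, MUNIN01]   # munin01 NSEC twice, no wildcard NSEC
GOOGLE_NSECS = [WILDCARD, MUNIN01]      # wildcard NSEC plus covering NSEC

if __name__ == "__main__":
    for label, rrset in (("1.1.1.1", CLOUDFLARE_NSECS), ("8.8.8.8", GOOGLE_NSECS)):
        print(label, *prove_nodata(QNAME, QTYPE, rrset))
```

Running it reports the 1.1.1.1 set as bogus (the munin01 NSEC places `_25._tcp.mx` between `munin01` and `ipmi.mysql01`, so the name does not exist, but nothing in the response says what `*.runbox.com` does or does not hold) and the 8.8.8.8 set as secure, because the wildcard's own NSEC shows a bitmap of A MX RRSIG NSEC with no TLSA.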
