[dns-operations] Funny DNSSEC problem

Stephane Bortzmeyer bortzmeyer at nic.fr
Fri Oct 9 10:22:04 UTC 2015


On Tue, Apr 07, 2015 at 09:37:03PM +0200,
 Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote 
 a message of 191 lines which said:

> The domain juralib.nologs.org does not resolve (SERVFAIL) from Free
> (2nd ISP in France, uses DNSSEC validation).

After a long time, I think I've found the cause: Free's DNS resolvers
drop the NSEC3 record. Since the zone uses wildcards (the number of
labels in the signature is 2, not 3, showing there is a wildcard), the
resolver wants to check that the name does not exist and was indeed
synthesized through the wildcard, but it fails to find the NSEC and
booom.

As for the root cause (why dropping the NSEC3 record?), I don't know
but I suspect it is a consequence of the other problem, multiplying
the CNAME record: not enough room in the answer, records dropped.

The reply, with the multiple CNAMEs and the missing NSEC3 (the correct
reply follows).

From Free:

%  dig +cd ladiscordia.noblogs.org  

; <<>> DiG 9.10.2-P2 <<>> +cd ladiscordia.noblogs.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16475
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 15, AUTHORITY: 5, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ladiscordia.noblogs.org. IN A

;; ANSWER SECTION:
ladiscordia.noblogs.org. 2284 IN CNAME www.l.autistici.org.
ladiscordia.noblogs.org. 2284 IN RRSIG CNAME 7 2 9600 (
                                20151101063004 20151002063004 64367 noblogs.org.
                                LuRSXa97Yjr+wYVGjq8yFxIOTXeufRMNaL6L31jqq3im
                                MphTYlJRGvwTzZTPwbbbkZjSuCtt5P7l3/iMx50ZEZ/B
                                x3q0PDD3Yo4ckrfcIzMQ9V+HeosW+W78UBTC0LyQIxSq
                                eRdlhsNZKSELmR8k9sVpJ5mrQPTQ3HzGzUr4z1w= )
ladiscordia.noblogs.org. 2284 IN CNAME www.l.autistici.org.
ladiscordia.noblogs.org. 2284 IN RRSIG CNAME 7 2 9600 (
                                20151101063004 20151002063004 64367 noblogs.org.
                                LuRSXa97Yjr+wYVGjq8yFxIOTXeufRMNaL6L31jqq3im
                                MphTYlJRGvwTzZTPwbbbkZjSuCtt5P7l3/iMx50ZEZ/B
                                x3q0PDD3Yo4ckrfcIzMQ9V+HeosW+W78UBTC0LyQIxSq
                                eRdlhsNZKSELmR8k9sVpJ5mrQPTQ3HzGzUr4z1w= )
ladiscordia.noblogs.org. 2284 IN CNAME www.l.autistici.org.
ladiscordia.noblogs.org. 2284 IN RRSIG CNAME 7 2 9600 (
                                20151101063004 20151002063004 64367 noblogs.org.
                                LuRSXa97Yjr+wYVGjq8yFxIOTXeufRMNaL6L31jqq3im
                                MphTYlJRGvwTzZTPwbbbkZjSuCtt5P7l3/iMx50ZEZ/B
                                x3q0PDD3Yo4ckrfcIzMQ9V+HeosW+W78UBTC0LyQIxSq
                                eRdlhsNZKSELmR8k9sVpJ5mrQPTQ3HzGzUr4z1w= )
ladiscordia.noblogs.org. 2284 IN CNAME www.l.autistici.org.
ladiscordia.noblogs.org. 2284 IN RRSIG CNAME 7 2 9600 (
                                20151101063004 20151002063004 64367 noblogs.org.
                                LuRSXa97Yjr+wYVGjq8yFxIOTXeufRMNaL6L31jqq3im
                                MphTYlJRGvwTzZTPwbbbkZjSuCtt5P7l3/iMx50ZEZ/B
                                x3q0PDD3Yo4ckrfcIzMQ9V+HeosW+W78UBTC0LyQIxSq
                                eRdlhsNZKSELmR8k9sVpJ5mrQPTQ3HzGzUr4z1w= )
ladiscordia.noblogs.org. 2284 IN CNAME www.l.autistici.org.
ladiscordia.noblogs.org. 2284 IN RRSIG CNAME 7 2 9600 (
                                20151101063004 20151002063004 64367 noblogs.org.
                                LuRSXa97Yjr+wYVGjq8yFxIOTXeufRMNaL6L31jqq3im
                                MphTYlJRGvwTzZTPwbbbkZjSuCtt5P7l3/iMx50ZEZ/B
                                x3q0PDD3Yo4ckrfcIzMQ9V+HeosW+W78UBTC0LyQIxSq
                                eRdlhsNZKSELmR8k9sVpJ5mrQPTQ3HzGzUr4z1w= )
ladiscordia.noblogs.org. 2284 IN CNAME www.l.autistici.org.
ladiscordia.noblogs.org. 2284 IN RRSIG CNAME 7 2 9600 (
                                20151101063004 20151002063004 64367 noblogs.org.
                                LuRSXa97Yjr+wYVGjq8yFxIOTXeufRMNaL6L31jqq3im
                                MphTYlJRGvwTzZTPwbbbkZjSuCtt5P7l3/iMx50ZEZ/B
                                x3q0PDD3Yo4ckrfcIzMQ9V+HeosW+W78UBTC0LyQIxSq
                                eRdlhsNZKSELmR8k9sVpJ5mrQPTQ3HzGzUr4z1w= )
www.l.autistici.org.    1800 IN A 94.23.50.208
www.l.autistici.org.    1800 IN A 82.94.249.234
www.l.autistici.org.    1800 IN RRSIG A 7 4 30 (
                                20151105063002 20151006063002 2207 l.autistici.org.
                                HDkkzb8afOIlk5P0HRmiVal7KmAu4bevmkAPpHuAMruS
                                9Pj2OkWjeWwJiLm7zX5MjqIcfUBvJ6gbODvRGr7dDJHn
                                7qqLNA3IXMvxm5trBWz2/YZsTs/2XEgIBDVgxRel+OBp
                                HD+riKX0ZylmTGXG7/fyRfcYLquwphS4gNTMWbk= )

;; AUTHORITY SECTION:
l.autistici.org.        1800 IN NS ns1.investici.org.
l.autistici.org.        1800 IN NS ns2.investici.org.
l.autistici.org.        1800 IN NS ns2-v6.investici.org.
l.autistici.org.        1800 IN NS ns1-v6.investici.org.
l.autistici.org.        1800 IN RRSIG NS 7 3 30 (
                                20151105063002 20151006063002 2207 l.autistici.org.
                                bA28B6AP9NQzyavLXFZoxDCsV1kDpZwid+QyPcR2qhrj
                                c3wfuB6P2PM7WBHzlbZevt1C3+z/FMqvXRr/TrhbseDy
                                ScKCai/LPD68z0bqUucz0uuFbDpTxvJNDf+0zJrMQTsw
                                +zse/UsiopBVrqCjOXRWte2DvDxyCPtN3WnEYJc= )

;; Query time: 26 msec
;; SERVER: 192.168.2.254#53(192.168.2.254)
;; WHEN: Fri Oct 09 11:09:32 CEST 2015
;; MSG SIZE  rcvd: 1648


From elsewhere:

%  dig ladiscordia.noblogs.org

; <<>> DiG 9.9.5-9+deb8u3-Debian <<>> ladiscordia.noblogs.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21826
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 7, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ladiscordia.noblogs.org. IN A

;; ANSWER SECTION:
ladiscordia.noblogs.org. 9599 IN CNAME www.l.autistici.org.
ladiscordia.noblogs.org. 9599 IN RRSIG CNAME 7 2 9600 (
                                20151101063004 20151002063004 64367 noblogs.org.
                                LuRSXa97Yjr+wYVGjq8yFxIOTXeufRMNaL6L31jqq3im
                                MphTYlJRGvwTzZTPwbbbkZjSuCtt5P7l3/iMx50ZEZ/B
                                x3q0PDD3Yo4ckrfcIzMQ9V+HeosW+W78UBTC0LyQIxSq
                                eRdlhsNZKSELmR8k9sVpJ5mrQPTQ3HzGzUr4z1w= )
www.l.autistici.org.    30 IN A 94.23.50.208
www.l.autistici.org.    30 IN A 82.94.249.234
www.l.autistici.org.    30 IN RRSIG A 7 4 30 (
                                20151105063002 20151006063002 2207 l.autistici.org.
                                HDkkzb8afOIlk5P0HRmiVal7KmAu4bevmkAPpHuAMruS
                                9Pj2OkWjeWwJiLm7zX5MjqIcfUBvJ6gbODvRGr7dDJHn
                                7qqLNA3IXMvxm5trBWz2/YZsTs/2XEgIBDVgxRel+OBp
                                HD+riKX0ZylmTGXG7/fyRfcYLquwphS4gNTMWbk= )

;; AUTHORITY SECTION:
EDG28OM0KF8LV6JVVTUAE9R7GLNTNKMD.noblogs.org. 3599 IN NSEC3 1 0 10 5CA1AB1E (
                                K1C26GO8L9TJ398E8MKH7QLSP4LB88UO
                                CNAME RRSIG )
EDG28OM0KF8LV6JVVTUAE9R7GLNTNKMD.noblogs.org. 3599 IN RRSIG NSEC3 7 3 3600 (
                                20151101063004 20151002063004 64367 noblogs.org.
                                juTchEjZZFdj5WkhyKh/2qZxffIjahcjtWrC7aiM78QT
                                nuBLP6AqRatIwpbIauM9ZbBwXD1ZXwRhpZrLTDKqS8bK
                                qU5dsUCKsB3vIYba84I12t1bAg0YKv0HP8bkEMp9ftO+
                                bZNLtY+TXyaZ5FULNI26gMen2YYsqPovY0YnH0M= )
l.autistici.org.        30 IN NS ns2.investici.org.
l.autistici.org.        30 IN NS ns2-v6.investici.org.
l.autistici.org.        30 IN NS ns1-v6.investici.org.
l.autistici.org.        30 IN NS ns1.investici.org.
l.autistici.org.        30 IN RRSIG NS 7 3 30 (
                                20151105063002 20151006063002 2207 l.autistici.org.
                                bA28B6AP9NQzyavLXFZoxDCsV1kDpZwid+QyPcR2qhrj
                                c3wfuB6P2PM7WBHzlbZevt1C3+z/FMqvXRr/TrhbseDy
                                ScKCai/LPD68z0bqUucz0uuFbDpTxvJNDf+0zJrMQTsw
                                +zse/UsiopBVrqCjOXRWte2DvDxyCPtN3WnEYJc= )

;; Query time: 1207 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Oct 09 10:13:25 CEST 2015
;; MSG SIZE  rcvd: 977
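
Added example, not part of the original message: a small Python check that reads dig output and reports the three things compared above, namely answers whose RRSIG Labels field is lower than the owner name's label count (wildcard expansion), duplicated records, and whether an NSEC/NSEC3 record accompanies a wildcard answer. The function name audit and the two abridged samples are constructed for illustration.

```python
import re
from collections import Counter

# Constructed samples: abridged dig-style lines modelled on the two replies
# (signature data and most records left out).
BROKEN = """\
;; ANSWER SECTION:
ladiscordia.noblogs.org. 2284 IN CNAME www.l.autistici.org.
ladiscordia.noblogs.org. 2284 IN RRSIG CNAME 7 2 9600 (
ladiscordia.noblogs.org. 2284 IN CNAME www.l.autistici.org.
ladiscordia.noblogs.org. 2284 IN RRSIG CNAME 7 2 9600 (
www.l.autistici.org. 1800 IN RRSIG A 7 4 30 (
;; AUTHORITY SECTION:
l.autistici.org. 1800 IN NS ns1.investici.org.
"""
GOOD = """\
;; ANSWER SECTION:
ladiscordia.noblogs.org. 9599 IN CNAME www.l.autistici.org.
ladiscordia.noblogs.org. 9599 IN RRSIG CNAME 7 2 9600 (
;; AUTHORITY SECTION:
EDG28OM0KF8LV6JVVTUAE9R7GLNTNKMD.noblogs.org. 3599 IN NSEC3 1 0 10 5CA1AB1E (
"""
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s*(.*)$")

def audit(dig_text):
    """Report wildcard-expanded answers, duplicated RRs and missing NSEC/NSEC3."""
    section, seen, wild, denial = None, Counter(), set(), False
    for line in dig_text.splitlines():
        head = re.match(r";; (\w+) SECTION:", line)
        if head:
            section = head.group(1)
            continue
        rr = RR.match(line)
        if not rr:
            continue  # comments and continuation lines of multi-line records
        owner, rtype, rdata = rr.groups()
        if rtype == "RRSIG":
            covered, _alg, labels = rdata.split()[:3]
            # Labels field (RFC 4034, 3.1.3) lower than the owner's label count
            # means the RRset was synthesized from a wildcard ("*" is not counted).
            name = owner[2:] if owner.startswith("*.") else owner
            if section == "ANSWER" and int(labels) < name.rstrip(".").count(".") + 1:
                wild.add((owner, covered))
            continue
        seen[(owner, rtype, rdata)] += 1
        if section == "AUTHORITY" and rtype in ("NSEC", "NSEC3"):
            denial = True
    return {"wildcard": sorted(wild),
            "duplicates": {k: n for k, n in seen.items() if n > 1},
            "missing_denial": bool(wild) and not denial}
```

The same function accepts complete dig output such as the two replies above, since it skips comment lines and the indented continuation lines of multi-line records.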



