[dns-operations] Unbound vs. dnsviz DNSSEC edge-case, which is right?

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Aug 10 05:00:06 UTC 2016


For the query:

    _25._tcp.tjejhockey.se. IN TLSA ?

the authoritative nameservers respond with a wildcard CNAME for
the zone apex (signature bits trimmed):

    @ns1.loopia.se.[93.188.0.20]
    ; <<>> DiG 9.10.3-P4 <<>> +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.tjejhockey.se @93.188.0.20
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56343
    ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
    ;_25._tcp.tjejhockey.se.        IN TLSA
    _25._tcp.tjejhockey.se. CNAME   s07.hello-clarice.net.
    _25._tcp.tjejhockey.se. RRSIG   CNAME 8 2 3600 20160818000000 20160728000000 7374 tjejhockey.se.
    odu67o2pp21pb7toq3ltvtjvevpghgv5.tjejhockey.se. NSEC3 1 1 1 AB ODU67O2PP21PB7TOQ3LTVTJVEVPGHGV7
    odu67o2pp21pb7toq3ltvtjvevpghgv5.tjejhockey.se. RRSIG NSEC3 8 3 86400 20160818000000 20160728000000 7374 tjejhockey.se.

    @ns2.loopia.se.[93.188.0.21]
    ; <<>> DiG 9.10.3-P4 <<>> +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.tjejhockey.se @93.188.0.21
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62297
    ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
    ;_25._tcp.tjejhockey.se.        IN TLSA
    _25._tcp.tjejhockey.se. CNAME   s07.hello-clarice.net.
    _25._tcp.tjejhockey.se. RRSIG   CNAME 8 2 3600 20160818000000 20160728000000 7374 tjejhockey.se.
    odu67o2pp21pb7toq3ltvtjvevpghgv5.tjejhockey.se. NSEC3 1 1 1 AB ODU67O2PP21PB7TOQ3LTVTJVEVPGHGV7
    odu67o2pp21pb7toq3ltvtjvevpghgv5.tjejhockey.se. RRSIG NSEC3 8 3 86400 20160818000000 20160728000000 7374 tjejhockey.se.

The relevant NSEC3 hash is:

    odu67o2pp21pb7toq3ltvtjvevpghgv6. _tcp.tjejhockey.se

which is covered by a corresponding NSEC3 record that sets the
"opt-out" bit!  As a result it seems that we don't know whether
"_tcp" does not exist, or is perhaps an insecure delegated sub-domain.

If "_tcp" does not exist, then the wildcard CNAME is just fine,
there's no "empty non-terminal" in the way.  On the other hand if
it does exist (as an insecure delegation) then the CNAME response
is invalid.

What then is the security status of the CNAME response?  Is it
valid because by virtue of its inclusion in the response we
should conclude that there is no empty non-terminal "_tcp"?

Or is it invalid, because there is no proof provided of the
non-existence of "_tcp"?  (Is such a proof possible here?)

My instinct is that this may be a bug in unbound on my end (I am
running 1.5.8).  Am I on the right track?  Is this a known issue?

-- 
	Viktor.
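The validator-side check the post walks through, as an added example that is not code from the post, from unbound or from dnsviz: it derives the next closer name from the RRSIG Labels field, computes the RFC 5155 NSEC3 hash with the record's own parameters (SHA-1, salt AB, one extra iteration), tests whether that hash is covered by the NSEC3 in the authority section, and reports the opt-out ambiguity. The NSEC3 record and the hash value of `_tcp.tjejhockey.se` are taken from the post; the status strings are my own.

```python
import base64
import hashlib

# Constructed from the post: the NSEC3 from the authority section and the
# Labels field (2) of the RRSIG over the CNAME, which marks a wildcard expansion.
NSEC3_RR = ("odu67o2pp21pb7toq3ltvtjvevpghgv5.tjejhockey.se. NSEC3 1 1 1 AB "
            "ODU67O2PP21PB7TOQ3LTVTJVEVPGHGV7")
QNAME, RRSIG_LABELS = "_25._tcp.tjejhockey.se.", 2

# base32 -> base32hex alphabet translation (RFC 4648 s7), as NSEC3 owner names use it.
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical wire form (RFC 4034 s6.2): lower-case, length-prefixed labels."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                   for lbl in name.rstrip(".").lower().split("."))
    return out + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 s5 with hash algorithm 1 (SHA-1); result is lower-case base32hex."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii").lower()

def next_closer_name(qname, rrsig_labels):
    """Wildcard answer: the next closer name keeps one label more than the RRSIG Labels field."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[len(labels) - rrsig_labels - 1:])

def parse_nsec3(rr):
    """Pull owner hash, flags, iterations, salt and next hash out of presentation format."""
    f = rr.split()
    return {"owner": f[0].split(".")[0].lower(), "alg": int(f[2]),
            "optout": int(f[3]) & 1, "iterations": int(f[4]),
            "salt": f[5], "next": f[6].lower()}

def covers(rec, h):
    """True if h falls strictly between owner and next (the last record wraps to the first)."""
    o, n = rec["owner"], rec["next"]
    return o < h < n if o < n else (h > o or h < n)

def next_closer_status(rec, qname, rrsig_labels):
    """What a validator can conclude about the next closer name from this NSEC3."""
    h = nsec3_hash(next_closer_name(qname, rrsig_labels), rec["salt"], rec["iterations"])
    if rec["alg"] != 1 or not covers(rec, h):
        return "unproven"       # no covering NSEC3: the wildcard answer is bogus
    if rec["optout"]:
        return "optout"         # covered, but the name could be an insecure delegation
    return "proven-absent"      # covered with no opt-out: the wildcard answer is secure

if __name__ == "__main__":
    print(next_closer_status(parse_nsec3(NSEC3_RR), QNAME, RRSIG_LABELS))
```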
