[dns-operations] Wildcard CNAME DNSSEC issue with registrar-servers.com nameservers
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Sep 14 08:55:42 UTC 2017
For some DNSSEC-signed domains, the registrar-servers.com nameservers incorrectly
return wildcard CNAME answers without the NSEC records required to validate the
response in question. I'm told there are no current plans to address the issue
(open since 22-Sep-2016). Perhaps time for a DVE? For example:
@dns1.registrar-servers.com.[216.87.155.33]
; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.evercondo-demo.com @216.87.155.33
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52623
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;_25._tcp.evercondo-demo.com. IN TLSA
_25._tcp.evercondo-demo.com. CNAME 965-160-630.cloud66.net.
_25._tcp.evercondo-demo.com. RRSIG CNAME 8 2 1800 20170921000000 20170831000000 33196 evercondo-demo.com. ...
@dns2.registrar-servers.com.[216.87.152.33]
; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.evercondo-demo.com @216.87.152.33
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52379
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;_25._tcp.evercondo-demo.com. IN TLSA
_25._tcp.evercondo-demo.com. CNAME 965-160-630.cloud66.net.
_25._tcp.evercondo-demo.com. RRSIG CNAME 8 2 1800 20170921000000 20170831000000 33196 evercondo-demo.com. ...
More routine denial of existence (NSEC, no wildcard CNAME) seems to work:
@dns1.registrar-servers.com.[216.87.155.33]
; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.howbacha.com @216.87.155.33
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14369
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;_25._tcp.howbacha.com. IN TLSA
howbacha.com. SOA dns1.registrar-servers.com. hostmaster.registrar-servers.com. 2017091100 43200 3600 604800 3601
howbacha.com. RRSIG SOA 8 2 3601 20170921000000 20170831000000 8958 howbacha.com. ...
howbacha.com. NSEC www.howbacha.com. A NS SOA RRSIG NSEC DNSKEY
howbacha.com. RRSIG NSEC 8 2 3601 20170921000000 20170831000000 8958 howbacha.com. ...
@dns2.registrar-servers.com.[216.87.152.33]
; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.howbacha.com @216.87.152.33
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33149
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;_25._tcp.howbacha.com. IN TLSA
howbacha.com. SOA dns1.registrar-servers.com. hostmaster.registrar-servers.com. 2017091100 43200 3600 604800 3601
howbacha.com. RRSIG SOA 8 2 3601 20170921000000 20170831000000 8958 howbacha.com. ...
howbacha.com. NSEC www.howbacha.com. A NS SOA RRSIG NSEC DNSKEY
howbacha.com. RRSIG NSEC 8 2 3601 20170921000000 20170831000000 8958 howbacha.com. ...
--
Viktor.
More information about the dns-operations
mailing list