[dns-operations] Wildcard CNAME DNSSEC issue with registrar-servers.com nameservers

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Sep 14 08:55:42 UTC 2017


For some DNSSEC-signed domains, the registrar-servers.com nameservers incorrectly
return wildcard CNAME answers without the NSEC records required to validate the
response in question.  I'm told there are no current plans to address the issue
(open since 22-Sep-2016).  Perhaps time for a DVE?  For example:

@dns1.registrar-servers.com.[216.87.155.33]
; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.evercondo-demo.com @216.87.155.33
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52623
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;_25._tcp.evercondo-demo.com. IN        TLSA
_25._tcp.evercondo-demo.com. CNAME 965-160-630.cloud66.net.
_25._tcp.evercondo-demo.com. RRSIG CNAME 8 2 1800 20170921000000 20170831000000 33196 evercondo-demo.com. ...

@dns2.registrar-servers.com.[216.87.152.33]
; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.evercondo-demo.com @216.87.152.33
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52379
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;_25._tcp.evercondo-demo.com. IN        TLSA
_25._tcp.evercondo-demo.com. CNAME 965-160-630.cloud66.net.
_25._tcp.evercondo-demo.com. RRSIG CNAME 8 2 1800 20170921000000 20170831000000 33196 evercondo-demo.com. ...

More routine denial of existence (NSEC, no wildcard CNAME) seems to work:

@dns1.registrar-servers.com.[216.87.155.33]
; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.howbacha.com @216.87.155.33
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14369
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;_25._tcp.howbacha.com. IN TLSA
howbacha.com.           SOA     dns1.registrar-servers.com. hostmaster.registrar-servers.com. 2017091100 43200 3600 604800 3601
howbacha.com.           RRSIG   SOA 8 2 3601 20170921000000 20170831000000 8958 howbacha.com. ...
howbacha.com.           NSEC    www.howbacha.com. A NS SOA RRSIG NSEC DNSKEY
howbacha.com.           RRSIG   NSEC 8 2 3601 20170921000000 20170831000000 8958 howbacha.com. ...

@dns2.registrar-servers.com.[216.87.152.33]
; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.howbacha.com @216.87.152.33
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33149
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;_25._tcp.howbacha.com. IN TLSA
howbacha.com.           SOA     dns1.registrar-servers.com. hostmaster.registrar-servers.com. 2017091100 43200 3600 604800 3601
howbacha.com.           RRSIG   SOA 8 2 3601 20170921000000 20170831000000 8958 howbacha.com. ...
howbacha.com.           NSEC    www.howbacha.com. A NS SOA RRSIG NSEC DNSKEY
howbacha.com.           RRSIG   NSEC 8 2 3601 20170921000000 20170831000000 8958 howbacha.com. ...

-- 
	Viktor.
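
Added example, not part of the original post: a coarse check for the condition shown above, run over the two kinds of response quoted in the message. An RRSIG whose Labels field is smaller than the owner name's label count marks a wildcard-synthesized answer (RFC 4034, section 3.1.3), and RFC 4035, section 3.1.3.3 requires an NSEC or NSEC3 record alongside it. The function names are hypothetical, and the check only tests that some denial record is present, not that it covers the query name.

```python
# Added example: flag wildcard-synthesized answers that carry no NSEC/NSEC3 proof.
# Assumes dig output in the post's format (+nocl +nottl: "owner TYPE rdata...").
# Sample records are copied from the post; signatures stay elided as "...".
WILDCARD_RESPONSE = """\
;_25._tcp.evercondo-demo.com. IN        TLSA
_25._tcp.evercondo-demo.com. CNAME 965-160-630.cloud66.net.
_25._tcp.evercondo-demo.com. RRSIG CNAME 8 2 1800 20170921000000 20170831000000 33196 evercondo-demo.com. ...
"""
NXDOMAIN_RESPONSE = """\
howbacha.com. SOA dns1.registrar-servers.com. hostmaster.registrar-servers.com. 2017091100 43200 3600 604800 3601
howbacha.com. RRSIG SOA 8 2 3601 20170921000000 20170831000000 8958 howbacha.com. ...
howbacha.com. NSEC www.howbacha.com. A NS SOA RRSIG NSEC DNSKEY
howbacha.com. RRSIG NSEC 8 2 3601 20170921000000 20170831000000 8958 howbacha.com. ...
"""

def label_count(name):
    """Labels in an owner name, ignoring the root and a leading '*'."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    if labels and labels[0] == "*":
        labels = labels[1:]
    return len(labels)

def parse_records(dig_text):
    """Yield (owner, rtype, rdata_fields) per record line; skip dig comments."""
    for line in dig_text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "@")):
            continue
        fields = line.split()
        if len(fields) >= 2:
            yield fields[0], fields[1].upper(), fields[2:]

def unproven_wildcards(dig_text):
    """Return [(owner, covered_type, wildcard_source)] for wildcard-expanded
    RRSIGs in a response that contains no NSEC or NSEC3 record at all."""
    records = list(parse_records(dig_text))
    has_denial = any(rtype in ("NSEC", "NSEC3") for _, rtype, _ in records)
    findings = []
    for owner, rtype, rdata in records:
        if rtype != "RRSIG" or len(rdata) < 3:
            continue
        sig_labels = int(rdata[2])  # RRSIG Labels field
        if sig_labels < label_count(owner) and not has_denial:
            suffix = owner.rstrip(".").split(".")[-sig_labels:] if sig_labels else []
            findings.append((owner, rdata[0], ".".join(["*"] + suffix) + "."))
    return findings
```
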




