[dns-operations] Wildcard CNAME DNSSEC issue with registrar-servers.com nameservers
Peter van Dijk
peter.van.dijk at powerdns.com
Thu Sep 21 12:54:41 UTC 2017
Hello Viktor,
I am trying to reach out to them. You can tell from the RRSIG timestamps
that at least their signer is PowerDNS.
Do you have any previous communication you can share?
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
On 14 Sep 2017, at 10:55, Viktor Dukhovni wrote:
> For some DNSSEC-signed domains, the registrar-servers.com nameservers
> incorrectly return wildcard CNAME answers without the NSEC records
> required to validate the response in question. I'm told there are no
> current plans to address the issue (open since 22-Sep-2016). Perhaps
> time for a DVE? For example:
>
> @dns1.registrar-servers.com.[216.87.155.33]
> ; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans
> +auth +nocl +nottl +nosplit +norecur -t tlsa
> _25._tcp.evercondo-demo.com @216.87.155.33
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52623
> ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> ;_25._tcp.evercondo-demo.com. IN TLSA
> _25._tcp.evercondo-demo.com. CNAME 965-160-630.cloud66.net.
> _25._tcp.evercondo-demo.com. RRSIG CNAME 8 2 1800 20170921000000
> 20170831000000 33196 evercondo-demo.com. ...
>
> @dns2.registrar-servers.com.[216.87.152.33]
> ; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans
> +auth +nocl +nottl +nosplit +norecur -t tlsa
> _25._tcp.evercondo-demo.com @216.87.152.33
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52379
> ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> ;_25._tcp.evercondo-demo.com. IN TLSA
> _25._tcp.evercondo-demo.com. CNAME 965-160-630.cloud66.net.
> _25._tcp.evercondo-demo.com. RRSIG CNAME 8 2 1800 20170921000000
> 20170831000000 33196 evercondo-demo.com. ...
>
> More routine denial of existence (NSEC, no wildcard CNAME) seems to work:
>
> @dns1.registrar-servers.com.[216.87.155.33]
> ; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans
> +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.howbacha.com
> @216.87.155.33
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14369
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> ;_25._tcp.howbacha.com. IN TLSA
> howbacha.com. SOA dns1.registrar-servers.com.
> hostmaster.registrar-servers.com. 2017091100 43200 3600 604800 3601
> howbacha.com. RRSIG SOA 8 2 3601 20170921000000
> 20170831000000 8958 howbacha.com. ...
> howbacha.com. NSEC www.howbacha.com. A NS SOA RRSIG NSEC
> DNSKEY
> howbacha.com. RRSIG NSEC 8 2 3601 20170921000000
> 20170831000000 8958 howbacha.com. ...
>
> @dns2.registrar-servers.com.[216.87.152.33]
> ; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans
> +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.howbacha.com
> @216.87.152.33
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33149
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> ;_25._tcp.howbacha.com. IN TLSA
> howbacha.com. SOA dns1.registrar-servers.com.
> hostmaster.registrar-servers.com. 2017091100 43200 3600 604800 3601
> howbacha.com. RRSIG SOA 8 2 3601 20170921000000
> 20170831000000 8958 howbacha.com. ...
> howbacha.com. NSEC www.howbacha.com. A NS SOA RRSIG NSEC
> DNSKEY
> howbacha.com. RRSIG NSEC 8 2 3601 20170921000000
> 20170831000000 8958 howbacha.com. ...
>
> --
> Viktor.
>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
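The validator-side check the quoted report relies on, as an added example (not code from the thread or from PowerDNS): an answer RRSIG whose Labels field is smaller than the owner name's label count signals wildcard synthesis (RFC 4034 s3.1.3), and RFC 4035 s3.1.3.3 then requires an NSEC/NSEC3 in the authority section proving the exact qname does not exist. The sample records are transcribed from the dig output above with signature data omitted; the "fixed" authority record is constructed to show what a conforming response would carry. This is a presence check only, not a full RFC 4035 validator.

```python
from dataclasses import dataclass

@dataclass
class RR:
    section: str   # "answer" or "authority"
    name: str      # owner name, absolute
    rtype: str
    rdata: list    # RRSIG rdata: [type covered, alg, labels, ttl, exp, inc, keytag, signer]

def label_count(name):
    return len([l for l in name.rstrip(".").split(".") if l])

def wildcard_expansions(rrs):
    """(owner, covered type, wildcard owner) for every answer RRSIG whose
    Labels field is smaller than the owner name's label count."""
    out = []
    for rr in rrs:
        if rr.section != "answer" or rr.rtype != "RRSIG":
            continue
        covered, labels = rr.rdata[0], int(rr.rdata[2])
        n = label_count(rr.name)
        if labels < n:  # signature was made over *.<last `labels` labels>
            suffix = ".".join(rr.name.rstrip(".").split(".")[n - labels:])
            out.append((rr.name, covered, "*." + suffix + "."))
    return out

def missing_wildcard_proof(rrs):
    """Wildcard expansions that arrive without any NSEC/NSEC3 in the authority
    section; such a response cannot validate."""
    has_denial = any(rr.section == "authority" and rr.rtype in ("NSEC", "NSEC3")
                     for rr in rrs)
    return [] if has_denial else wildcard_expansions(rrs)

# From dns1.registrar-servers.com above: ANSWER: 2, AUTHORITY: 0.
EVERCONDO = [
    RR("answer", "_25._tcp.evercondo-demo.com.", "CNAME", ["965-160-630.cloud66.net."]),
    RR("answer", "_25._tcp.evercondo-demo.com.", "RRSIG",
       ["CNAME", "8", "2", "1800", "20170921000000", "20170831000000",
        "33196", "evercondo-demo.com."]),
]
# From the howbacha.com NXDOMAIN above: no answer, NSEC present.
HOWBACHA = [
    RR("authority", "howbacha.com.", "SOA", ["dns1.registrar-servers.com."]),
    RR("authority", "howbacha.com.", "NSEC",
       ["www.howbacha.com.", "A", "NS", "SOA", "RRSIG", "NSEC", "DNSKEY"]),
]
# Constructed: the same wildcard answer plus an NSEC proving the qname is absent.
FIXED = EVERCONDO + [
    RR("authority", "*.evercondo-demo.com.", "NSEC",
       ["evercondo-demo.com.", "CNAME", "RRSIG", "NSEC"]),
]

if __name__ == "__main__":
    for label, rrs in (("evercondo", EVERCONDO), ("howbacha", HOWBACHA), ("fixed", FIXED)):
        print(label, missing_wildcard_proof(rrs))
```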