[dns-operations] Wildcard CNAME DNSSEC issue with registrar-servers.com nameservers

Peter van Dijk peter.van.dijk at powerdns.com
Thu Sep 21 12:54:41 UTC 2017


Hello Viktor,

I am trying to reach out to them. You can tell from the RRSIG timestamps 
that at least their signer is PowerDNS.

Do you have any previous communication you can share?

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

On 14 Sep 2017, at 10:55, Viktor Dukhovni wrote:

> For some DNSSEC-signed domains, the registrar-servers.com nameservers incorrectly
> return wildcard CNAME answers without the NSEC records required to validate the
> response in question.  I'm told there are no current plans to address the issue
> (open since 22-Sep-2016).  Perhaps time for a DVE?  For example:
>
> @dns1.registrar-servers.com.[216.87.155.33]
> ; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.evercondo-demo.com @216.87.155.33
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52623
> ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> ;_25._tcp.evercondo-demo.com. IN        TLSA
> _25._tcp.evercondo-demo.com. CNAME 965-160-630.cloud66.net.
> _25._tcp.evercondo-demo.com. RRSIG CNAME 8 2 1800 20170921000000 20170831000000 33196 evercondo-demo.com. ...
>
> @dns2.registrar-servers.com.[216.87.152.33]
> ; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.evercondo-demo.com @216.87.152.33
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52379
> ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> ;_25._tcp.evercondo-demo.com. IN        TLSA
> _25._tcp.evercondo-demo.com. CNAME 965-160-630.cloud66.net.
> _25._tcp.evercondo-demo.com. RRSIG CNAME 8 2 1800 20170921000000 20170831000000 33196 evercondo-demo.com. ...
>
> More routine denial of existence (NSEC, no wildcard CNAME) seems to work:
>
> @dns1.registrar-servers.com.[216.87.155.33]
> ; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.howbacha.com @216.87.155.33
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14369
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> ;_25._tcp.howbacha.com. IN TLSA
> howbacha.com.           SOA     dns1.registrar-servers.com. hostmaster.registrar-servers.com. 2017091100 43200 3600 604800 3601
> howbacha.com.           RRSIG   SOA 8 2 3601 20170921000000 20170831000000 8958 howbacha.com. ...
> howbacha.com.           NSEC    www.howbacha.com. A NS SOA RRSIG NSEC DNSKEY
> howbacha.com.           RRSIG   NSEC 8 2 3601 20170921000000 20170831000000 8958 howbacha.com. ...
>
> @dns2.registrar-servers.com.[216.87.152.33]
> ; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.howbacha.com @216.87.152.33
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33149
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> ;_25._tcp.howbacha.com. IN TLSA
> howbacha.com.           SOA     dns1.registrar-servers.com. hostmaster.registrar-servers.com. 2017091100 43200 3600 604800 3601
> howbacha.com.           RRSIG   SOA 8 2 3601 20170921000000 20170831000000 8958 howbacha.com. ...
> howbacha.com.           NSEC    www.howbacha.com. A NS SOA RRSIG NSEC DNSKEY
> howbacha.com.           RRSIG   NSEC 8 2 3601 20170921000000 20170831000000 8958 howbacha.com. ...
>
> -- 
> 	Viktor.
>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
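The validator-side reasoning behind the quoted report, as an added example that is not code from either poster or from PowerDNS: under RFC 4035 section 5.3.4, an RRSIG whose Labels field (2) is smaller than the owner name's label count (4) marks the CNAME as wildcard-synthesised, and such an answer is only provable when the authority section also carries NSEC/NSEC3 records denying a closer name, which the first response above lacks. The record data is taken from the dig output quoted above; the function names and the coarse verdict logic are assumptions of this example, not a full validator.

```python
# Added check modelled on RFC 4035 section 5.3.4: an RRSIG whose Labels
# field is smaller than the label count of the owner name signs a
# wildcard-synthesised RRset, and such an answer validates only if the
# authority section also proves (NSEC/NSEC3) that no closer name exists.

def label_count(name):
    """Labels in an owner name, not counting a leading '*' (RFC 4034 s3.1.3)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return len(labels[1:] if labels and labels[0] == "*" else labels)

def rrsig_labels(rdata):
    """Labels field of RRSIG rdata: '<type covered> <alg> <labels> <ttl> ...'."""
    return int(rdata.split()[2])

def check_response(rcode, answer, authority):
    """Coarse validator view; records are (owner, type, rdata) tuples.
    Returns (verdict, reason) with verdict 'ok' or 'bogus'."""
    has_denial = any(t in ("NSEC", "NSEC3") for _, t, _ in authority)
    for owner, rtype, rdata in answer:
        if rtype == "RRSIG" and rrsig_labels(rdata) < label_count(owner):
            # Wildcard expansion: the signature alone cannot prove that no
            # closer (non-wildcard) name exists, so denial records are required.
            if not has_denial:
                return "bogus", f"wildcard-expanded {rdata.split()[0]} at {owner} lacks NSEC/NSEC3"
            return "ok", "wildcard expansion with NSEC/NSEC3 proof"
    if rcode == "NXDOMAIN" and not has_denial:
        return "bogus", "NXDOMAIN without NSEC/NSEC3"
    return "ok", ("NXDOMAIN with denial proof" if rcode == "NXDOMAIN" else "no wildcard expansion")

# Sample records constructed from the two dig responses quoted in the thread
# (signature data elided as '...', exactly as in the original output).
WILDCARD_CNAME = ("NOERROR",
    [("_25._tcp.evercondo-demo.com.", "CNAME", "965-160-630.cloud66.net."),
     ("_25._tcp.evercondo-demo.com.", "RRSIG",
      "CNAME 8 2 1800 20170921000000 20170831000000 33196 evercondo-demo.com. ...")],
    [])
NXDOMAIN_NSEC = ("NXDOMAIN", [],
    [("howbacha.com.", "SOA", "dns1.registrar-servers.com. hostmaster.registrar-servers.com. 2017091100 43200 3600 604800 3601"),
     ("howbacha.com.", "RRSIG", "SOA 8 2 3601 20170921000000 20170831000000 8958 howbacha.com. ..."),
     ("howbacha.com.", "NSEC", "www.howbacha.com. A NS SOA RRSIG NSEC DNSKEY"),
     ("howbacha.com.", "RRSIG", "NSEC 8 2 3601 20170921000000 20170831000000 8958 howbacha.com. ...")])

if __name__ == "__main__":
    print(check_response(*WILDCARD_CNAME))   # ('bogus', ...)
    print(check_response(*NXDOMAIN_NSEC))    # ('ok', ...)
```

A real validator additionally checks that the NSEC/NSEC3 records cover the specific next-closer name and, for NXDOMAIN, the wildcard itself; this example only tests for their presence.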


