[dns-operations] Looping wildcard CNAMEs can be an obstacle for DANE, (googledomains.com-hosted example)

Viktor Dukhovni ietf-dane at dukhovni.org
Sun Apr 15 22:25:54 UTC 2018


When requesting the TLSA records for "frasier.family" I get:

@ns-cloud-c4.googledomains.com.[216.239.38.108]
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19564
;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1
;_25._tcp.frasier.family. IN TLSA
_25._tcp.frasier.family. CNAME  \@.frasier.family.
\@.frasier.family.      CNAME   \@.frasier.family.
7fuj2o6s59543vbpkjt2172j1s9e0rjr.frasier.family. NSEC3 1 0 1 D2C0A95ED7F4DE57 5CC9LBSIIF6RQE9PH6VKMD03MK5OONUF  A NS SOA RRSIG DNSKEY NSEC3PARAM CDS
7fuj2o6s59543vbpkjt2172j1s9e0rjr.frasier.family. NSEC3 1 0 1 D2C0A95ED7F4DE57 5CC9LBSIIF6RQE9PH6VKMD03MK5OONUF  A NS SOA RRSIG DNSKEY NSEC3PARAM CDS

The relevant NSEC3 hashes are:

qeab7igjja7ohhmn13g8gaue8o2jp81u. _25._tcp.frasier.family
sl76l23hd2i0q3ig0vjepu75kn76ktlc. *._tcp.frasier.family
cosnppmavopo1h5co5fkg17vor7h9r5g. _tcp.frasier.family
5cc9lbsiif6rqe9ph6vkmd03mk5oonuf. *.frasier.family
7fuj2o6s59543vbpkjt2172j1s9e0rjr. frasier.family

The response has a rather odd circular CNAME, and mysteriously
sends the supporting NSEC3 RR and its signature twice (for good
measure?).

Anyway, the consequences for unbound as the resolver are:

  frasier.family. IN MX ? ; NODATA AD=1
  frasier.family. IN A 123.203.246.168 ; NoError AD=1
  frasier.family. IN AAAA ? ; NODATA AD=1
  _25._tcp.frasier.family. IN TLSA ? ; ServFail AD=0

and so Postfix with DANE enabled will defer email to the domain, because the TLSA lookups fail.

The circular CNAME might be entirely at the user's discretion, but at least the duplicate NSEC3 is interesting.

-- 
	Viktor.
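Added example (not part of the post above, and not unbound's or Postfix's own code): a small Python script that reproduces the three points the post makes. It walks the CNAME chain from the answer section (constructed here from the dig output above) and reports the loop; computes NSEC3 hashes per RFC 5155 (SHA-1, the zone's salt D2C0A95ED7F4DE57, 1 extra iteration) and checks which of the listed hashes the returned NSEC3 record covers, wrap-around included; and maps the resolver outcome to what a DANE-enabled Postfix does with the delivery. The dane_action() function is a deliberately simplified model of Postfix's documented behaviour for smtp_tls_security_level = dane (lookup error: defer; no usable or no secure TLSA: fall back to opportunistic TLS), not Postfix's actual decision code.

```python
"""Loop detection, NSEC3 hashing/cover check and DANE outcome model.
Added example; the answer section below is constructed from the dig
output quoted in the post, not fetched live."""
import base64
import hashlib

# Answer section as returned by ns-cloud-c4.googledomains.com (constructed).
ANSWER = [
    ("_25._tcp.frasier.family.", "CNAME", "\\@.frasier.family."),
    ("\\@.frasier.family.", "CNAME", "\\@.frasier.family."),
]

# Hashed owner names listed in the post (from the zone's NSEC3 chain).
NSEC3_OWNER = "7fuj2o6s59543vbpkjt2172j1s9e0rjr"   # frasier.family
NSEC3_NEXT = "5cc9lbsiif6rqe9ph6vkmd03mk5oonuf"    # *.frasier.family


def follow_cname(qname, rrset, max_hops=8):
    """Walk CNAMEs starting at qname. Returns (final_name, chain, status) with
    status 'ok' (no further CNAME), 'loop' (a name repeated) or 'too_long'."""
    chain, seen, cur = [qname], {qname}, qname
    while True:
        targets = [rd for owner, rtype, rd in rrset
                   if owner == cur and rtype == "CNAME"]
        if not targets:
            return cur, chain, "ok"
        cur = targets[0]
        chain.append(cur)
        if cur in seen:                 # \@.frasier.family -> \@.frasier.family
            return cur, chain, "loop"
        seen.add(cur)
        if len(chain) > max_hops:
            return cur, chain, "too_long"


B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"   # base32hex per RFC 4648


def wire_name(name):
    """Canonical (lowercase) wire-format owner name, as hashed by NSEC3."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt_hex, iterations, algorithm=1):
    """RFC 5155 section 5: H(x||salt), then `iterations` more rounds of
    H(prev||salt); output in lowercase base32hex (32 chars for SHA-1)."""
    if algorithm != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined")
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode("ascii")
    return b32.translate(str.maketrans(B32_STD, B32_HEX)).lower()


def nsec3_covers(owner_hash, next_hash, target_hash):
    """True when target lies strictly between owner and next in the hashed
    chain; the last record (owner > next) wraps around to the first."""
    o, n, t = owner_hash.lower(), next_hash.lower(), target_hash.lower()
    if o < n:
        return o < t < n
    return t > o or t < n


def dane_action(rcode, ad, tlsa_count):
    """Simplified model (assumption, not Postfix code) of what Postfix does
    with the TLSA lookup result when smtp_tls_security_level = dane."""
    if rcode not in ("NOERROR", "NXDOMAIN"):
        return "defer"           # SERVFAIL/bogus: cannot tell if TLSA exists
    if not ad or tlsa_count == 0:
        return "opportunistic"   # insecure, or securely proven absent: "may"
    return "dane"                # usable, validated TLSA: enforce DANE


if __name__ == "__main__":
    print(follow_cname("_25._tcp.frasier.family.", ANSWER))
    print(nsec3_hash("frasier.family", "D2C0A95ED7F4DE57", 1))
    for h in ("qeab7igjja7ohhmn13g8gaue8o2jp81u",    # _25._tcp.frasier.family
              "sl76l23hd2i0q3ig0vjepu75kn76ktlc",    # *._tcp.frasier.family
              "cosnppmavopo1h5co5fkg17vor7h9r5g"):   # _tcp.frasier.family
        print(h, nsec3_covers(NSEC3_OWNER, NSEC3_NEXT, h))
    print(dane_action("SERVFAIL", False, 0))
```

Run as-is it prints the loop chain for the TLSA query, the computed hash of frasier.family (compare it against the 7fuj2o6s... owner name quoted in the post), which of the three listed hashes the single returned NSEC3 record covers, and "defer" for the SERVFAIL case the post describes.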