[dns-operations] issue with wiki.mozilla.org
Viktor Dukhovni
ietf-dane at dukhovni.org
Sat Apr 21 00:34:27 UTC 2018
> On Apr 20, 2018, at 4:56 PM, Lutz Donnerhacke <lutz at iks-jena.de> wrote:
>
> Details behind.
> https://lutz.donnerhacke.de/Blog/Outsourcing-mit-Hindernissen
>
> Looks like Infoblox and/or AWS have problems with empty non-terminals.
> And Cloudflare and Google have problems with validation.
The real problem is broken denial of existence (NODATA) for:
http://dnsviz.net/d/nubis.allizom.org/dnssec/
Or:
@ns7-66.akam.net.[96.7.49.66]
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11771
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;nubis.allizom.org. IN A
allizom.org. SOA infoblox1.private.mdc2.mozilla.com. sysadmins.mozilla.org. 2018032753 180 180 1209600 3600
0ge0tg7g8mkoml9al6qcts98u20adkd7.allizom.org. NSEC3 1 0 1 4A59E928F4E71F72 0KTJ8JV0RMR8SO0S3D7TJEHO149A494I CNAME RRSIG
With relevant NSEC3 hashes:
up32ens15h11olfrlhq04p3b94rbsa88. nubis.allizom.org
cuojm543rptee6rio0j21oridgmd0r2i. *.allizom.org
388q3eu4vnjqfh4dah4msm5u09pkkl95. allizom.org
The NODATA response is bogus, because the provided NSEC3 records fail to establish a closest-encloser and fail to cover the requested name. The NSEC3 chain for allizom.org is busted.
--
Viktor.
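The check Viktor is describing, as an added example that is not part of his post: recompute the NSEC3 hashes of the three names with the zone's salt and iteration count from the NSEC3 record above, then ask whether the single NSEC3 in the AUTHORITY section matches or covers any of them. The record values are copied from the post; the helper names (`nsec3_hash`, `covers`, `classify`, `nodata_proof`) are mine, and `nodata_proof` goes a little beyond the post by also handling the wildcard NODATA case (closest encloser match plus covered next-closer name) for deeper names.

```python
import base64
import hashlib
# From the post: zone NSEC3 parameters (SHA-1, 1 iteration, salt 4A59E928F4E71F72)
# and the one NSEC3 (owner hash label, next hashed owner) in the NODATA answer.
SALT, ITERATIONS = bytes.fromhex("4A59E928F4E71F72"), 1
ZONE, QNAME = "allizom.org", "nubis.allizom.org"
RESPONSE_NSEC3 = [("0ge0tg7g8mkoml9al6qcts98u20adkd7", "0ktj8jv0rmr8so0s3d7tjeho149a494i")]
# RFC 4648 base32 alphabet -> the base32hex alphabet that NSEC3 owner names use
B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def nsec3_hash(name, salt=SALT, iterations=ITERATIONS):
    """RFC 5155 section 5: SHA-1(name||salt), re-hashed `iterations` more times, base32hex."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(B32HEX).decode().lower()

def covers(owner, nxt, h):
    """True if h lies strictly between owner and next (the last NSEC3 wraps around)."""
    return owner < h < nxt if owner < nxt else (h > owner or h < nxt)

def classify(h, nsec3s):
    """What the NSEC3 set proves about hash h: 'match', 'covered' or 'unproven'."""
    if any(owner == h for owner, _ in nsec3s):
        return "match"
    if any(covers(owner, nxt, h) for owner, nxt in nsec3s):
        return "covered"
    return "unproven"

def nodata_proof(qname, zone, nsec3s, hash_fn=nsec3_hash):
    """Return (valid, findings) for an NSEC3 NODATA proof of qname inside zone."""
    labels = qname.rstrip(".").lower().split(".")
    depth = len(labels) - len(zone.rstrip(".").split(".")) + 1
    ancestors = [".".join(labels[i:]) for i in range(depth)]     # qname ... apex
    names = ancestors + ["*." + a for a in ancestors[1:]]         # plus wildcards
    findings = {n: classify(hash_fn(n), nsec3s) for n in names}
    if findings[qname] == "match":        # ordinary NODATA: the type bitmap decides
        return True, findings
    for i in range(1, depth):             # wildcard NODATA: closest encloser matches,
        if findings[ancestors[i]] == "match":   # next closer covered, wildcard matches
            return (findings[ancestors[i - 1]] == "covered"
                    and findings["*." + ancestors[i]] == "match"), findings
    return False, findings
if __name__ == "__main__":
    print(nodata_proof(QNAME, ZONE, RESPONSE_NSEC3))
```

Run as a script it reports the proof as invalid with all three names "unproven": the response's NSEC3 interval 0ge0... to 0ktj... neither equals nor spans any of the hashes, which is exactly the broken NODATA the post points at.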