[dns-operations] issue with wiki.mozilla.org

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Apr 21 00:34:27 UTC 2018

> On Apr 20, 2018, at 4:56 PM, Lutz Donnerhacke <lutz at iks-jena.de> wrote:
> Details behind.
> https://lutz.donnerhacke.de/Blog/Outsourcing-mit-Hindernissen
> Looks like Infoblox and/or AWS have problems with empty non-terminals.
> And Cloudflare and Google have problems with validation.

The real problem is broken denial of existence (NODATA) for:



  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11771
  ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
  ;nubis.allizom.org.     IN A
  allizom.org.            SOA     infoblox1.private.mdc2.mozilla.com. sysadmins.mozilla.org. 2018032753 180 180 1209600 3600
  0ge0tg7g8mkoml9al6qcts98u20adkd7.allizom.org. NSEC3 1 0 1 4A59E928F4E71F72 0KTJ8JV0RMR8SO0S3D7TJEHO149A494I  CNAME RRSIG

With relevant NSEC3 hashes:

  up32ens15h11olfrlhq04p3b94rbsa88. nubis.allizom.org
  cuojm543rptee6rio0j21oridgmd0r2i. *.allizom.org
  388q3eu4vnjqfh4dah4msm5u09pkkl95. allizom.org

The NODATA response is bogus, because the provided NSEC3 records fail to establish a closest-encloser and fail to cover the requested name.  The NSEC3 chain for allizom.org is busted.


More information about the dns-operations mailing list