[dns-operations] DoE problem with ns-cloud-e{1, 2, 3, 4}.googledomains.com nameservers

Viktor Dukhovni ietf-dane at dukhovni.org
Sun Jan 14 20:41:16 UTC 2018


http://dnsviz.net/d/_25._tcp.merchantsgrotto.com/dnssec/

merchantsgrotto.com.    NS      ns-cloud-e1.googledomains.com.
merchantsgrotto.com.    NS      ns-cloud-e2.googledomains.com.
merchantsgrotto.com.    NS      ns-cloud-e3.googledomains.com.
merchantsgrotto.com.    NS      ns-cloud-e4.googledomains.com.

Given the following associated NSEC3 hashes:

r0lsfskc1usuq45j8ai51ar3g0jpfbuk. _25._tcp.merchantsgrotto.com
fpi07bou6d19cbivvmdhmc60io9brfm4. *._tcp.merchantsgrotto.com
tv76u352sbfolnmtmbaljq9r17ju6puo. _tcp.merchantsgrotto.com
h4776gipetqofb4uoc023st5teh3o4j0. *.merchantsgrotto.com
31h72dljn4dlhjg5ecfv0umcan7amgmi. merchantsgrotto.com

We see that the googledomains.com nameservers return incorrect
NXDOMAIN proofs.  Based on the returned NSEC3 records, the
answer should be NODATA, not NXDOMAIN, because there's an
NSEC3 record whose hash matches "*.merchantsgrotto.com" (albeit
one with an empty RRtype bitmap).

@ns-cloud-e1.googledomains.com.[216.239.32.110]
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47460
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
;_25._tcp.merchantsgrotto.com. IN TLSA
merchantsgrotto.com.	SOA	ns-cloud-e1.googledomains.com. cloud-dns-hostmaster.google.com. 64 21600 3600 259200 300
31h72dljn4dlhjg5ecfv0umcan7amgmi.merchantsgrotto.com. NSEC3 1 0 1 4D285ADAC82743DF ESI9S5M5V3GQOT32P2JNVG89GQQ1IN72  A NS SOA RRSIG DNSKEY NSEC3PARAM CDS
qhjac766j01aev02hsfe2vp5lcc07bal.merchantsgrotto.com. NSEC3 1 0 1 4D285ADAC82743DF 1F3I8J61P1TDR51TRL1KS9SIAGCPLQDB  A RRSIG
h4776gipetqofb4uoc023st5teh3o4j0.merchantsgrotto.com. NSEC3 1 0 1 4D285ADAC82743DF QCR6MI0SAQOVUDGHECL5IQ8U2UNN40VT 

@ns-cloud-e2.googledomains.com.[216.239.34.110]
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59154
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
;_25._tcp.merchantsgrotto.com. IN TLSA
merchantsgrotto.com.	SOA	ns-cloud-e1.googledomains.com. cloud-dns-hostmaster.google.com. 64 21600 3600 259200 300
31h72dljn4dlhjg5ecfv0umcan7amgmi.merchantsgrotto.com. NSEC3 1 0 1 4D285ADAC82743DF ESI9S5M5V3GQOT32P2JNVG89GQQ1IN72  A NS SOA RRSIG DNSKEY NSEC3PARAM CDS
qhjac766j01aev02hsfe2vp5lcc07bal.merchantsgrotto.com. NSEC3 1 0 1 4D285ADAC82743DF 1F3I8J61P1TDR51TRL1KS9SIAGCPLQDB  A RRSIG
h4776gipetqofb4uoc023st5teh3o4j0.merchantsgrotto.com. NSEC3 1 0 1 4D285ADAC82743DF QCR6MI0SAQOVUDGHECL5IQ8U2UNN40VT 

@ns-cloud-e3.googledomains.com.[216.239.36.110]
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61040
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
;_25._tcp.merchantsgrotto.com. IN TLSA
merchantsgrotto.com.	SOA	ns-cloud-e1.googledomains.com. cloud-dns-hostmaster.google.com. 64 21600 3600 259200 300
31h72dljn4dlhjg5ecfv0umcan7amgmi.merchantsgrotto.com. NSEC3 1 0 1 4D285ADAC82743DF ESI9S5M5V3GQOT32P2JNVG89GQQ1IN72  A NS SOA RRSIG DNSKEY NSEC3PARAM CDS
qhjac766j01aev02hsfe2vp5lcc07bal.merchantsgrotto.com. NSEC3 1 0 1 4D285ADAC82743DF 1F3I8J61P1TDR51TRL1KS9SIAGCPLQDB  A RRSIG
h4776gipetqofb4uoc023st5teh3o4j0.merchantsgrotto.com. NSEC3 1 0 1 4D285ADAC82743DF QCR6MI0SAQOVUDGHECL5IQ8U2UNN40VT 

@ns-cloud-e4.googledomains.com.[216.239.38.110]
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 32158
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
;_25._tcp.merchantsgrotto.com. IN TLSA
merchantsgrotto.com.	SOA	ns-cloud-e1.googledomains.com. cloud-dns-hostmaster.google.com. 64 21600 3600 259200 300
31h72dljn4dlhjg5ecfv0umcan7amgmi.merchantsgrotto.com. NSEC3 1 0 1 4D285ADAC82743DF ESI9S5M5V3GQOT32P2JNVG89GQQ1IN72  A NS SOA RRSIG DNSKEY NSEC3PARAM CDS
qhjac766j01aev02hsfe2vp5lcc07bal.merchantsgrotto.com. NSEC3 1 0 1 4D285ADAC82743DF 1F3I8J61P1TDR51TRL1KS9SIAGCPLQDB  A RRSIG
h4776gipetqofb4uoc023st5teh3o4j0.merchantsgrotto.com. NSEC3 1 0 1 4D285ADAC82743DF QCR6MI0SAQOVUDGHECL5IQ8U2UNN40VT

-- 
	Viktor.
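
Added example, not part of the original post: a Python sketch that recomputes the RFC 5155 NSEC3 hashes for the names above and walks the closest-encloser proof over the three NSEC3 records quoted in the responses. The salt, iteration count, owner hashes and type bitmaps are copied from the quoted output; the function names and the returned result strings are assumptions of this example.

```python
import base64
import hashlib

# NSEC3 parameters and records copied from the responses quoted above.
SALT = bytes.fromhex("4D285ADAC82743DF")
ITERATIONS = 1
# owner hash -> (next hashed owner name, RR types in the bitmap)
NSEC3 = {
    "31h72dljn4dlhjg5ecfv0umcan7amgmi": ("esi9s5m5v3gqot32p2jnvg89gqq1in72",
        ["A", "NS", "SOA", "RRSIG", "DNSKEY", "NSEC3PARAM", "CDS"]),
    "qhjac766j01aev02hsfe2vp5lcc07bal": ("1f3i8j61p1tdr51trl1ks9siagcplqdb", ["A", "RRSIG"]),
    "h4776gipetqofb4uoc023st5teh3o4j0": ("qcr6mi0saqovudghecl5iq8u2unn40vt", []),
}
# Standard base32 alphabet -> base32hex ("extended hex") alphabet.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt=SALT, iterations=ITERATIONS):
    """RFC 5155 section 5 hash (SHA-1) of a name, as lowercase base32hex."""
    labels = name.rstrip(".").lower().split(".")
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # "iterations" counts the extra rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

def is_covered(h, records):
    """True if some NSEC3 interval (owner, next) strictly contains hash h."""
    for owner, (nxt, _) in records.items():
        if owner < nxt and owner < h < nxt:
            return True
        if owner >= nxt and (h > owner or h < nxt):   # last record wraps around
            return True
    return False

def classify(qname, qtype, records=NSEC3):
    """Say which negative answer the supplied NSEC3 records actually prove."""
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):      # longest ancestor with a matching NSEC3
        encloser = ".".join(labels[i:])
        if nsec3_hash(encloser) in records:
            break
    else:
        return "no closest encloser"
    if not is_covered(nsec3_hash(".".join(labels[i - 1:])), records):
        return "next closer name not covered"
    wild = nsec3_hash("*." + encloser)
    if wild in records:                  # wildcard exists: NXDOMAIN is not provable
        return "wildcard answer expected" if qtype in records[wild][1] else "NODATA"
    return "NXDOMAIN" if is_covered(wild, records) else "wildcard unproven"
```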




