[dns-operations] TLSA lookup DNSSEC failure mode, NSEC RR asserts existence of NODATA TLSA RRset

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Jan 17 22:19:50 UTC 2018


[ Bcc'd to affected domain and nameserver domain contact ]

I had not seen the failure mode below until now.

http://dnsviz.net/d/_25._tcp.mail.sportvereine.online/Wl_HQg/dnssec/

@ns1.falsum.net.[176.56.237.194]
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8293
;; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;_25._tcp.mail.sportvereine.online. IN TLSA
sportvereine.online.    SOA     ns1.falsum.net. dnsmaster.falsum.net. 2018011701 200 100 604800 3600
_25._tcp.mail.sportvereine.online. NSEC \000._25._tcp.mail.sportvereine.online. A HINFO TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF

@ns2.falsum.net.[107.191.107.176]
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34488
;; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;_25._tcp.mail.sportvereine.online. IN TLSA
sportvereine.online.    SOA     ns1.falsum.net. dnsmaster.falsum.net. 2018011701 200 100 604800 3600
_25._tcp.mail.sportvereine.online. NSEC \000._25._tcp.mail.sportvereine.online. A HINFO TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF

The form of the NSEC record suggests that the NSEC response is generated on
the fly, and yet its bitmap asserts the existence of the very record for
which a NODATA response was received.  Anyone seen anything similar?
What nameserver implementation is responsible for this?

-- 
	Viktor.

P.S. The domain's NS RRset is also a bit odd:

$ dig +noall +ans +nocl +nottl -t ns sportvereine.online @ns1.falsum.net.
sportvereine.online.    NS      ns1.falsum.net.
sportvereine.online.    NS      ns2.falsum.net.

$ dig +noall +ans +nocl +nottl -t ns sportvereine.online @ns2.falsum.net.
sportvereine.online.    NS      ns1.falsum.net.
sportvereine.online.    NS      ns2.falsum.net.
sportvereine.online.    NS      ns1.falsum.net.
sportvereine.online.    NS      ns2.falsum.net.
sportvereine.online.    NS      ns1.falsum.net.
sportvereine.online.    NS      ns2.falsum.net.
sportvereine.online.    NS      ns1.falsum.net.
sportvereine.online.    NS      ns2.falsum.net.
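A validator-style check for the contradiction described above (the NSEC owned by the query name listing the queried type in its bitmap), as an added example that is not part of Viktor's post: the authority section of the ns1.falsum.net response is re-typed as the constructed input, and the function names are assumptions of this example.

```python
"""Sanity check of a DNSSEC NODATA proof (RFC 4034 s4.1.2, RFC 4035
s3.1.3.1).  Added example; the only input is the authority section
quoted in the post, re-typed here as a constructed sample."""

# Authority section of the ns1.falsum.net response above, with TTL and
# class omitted.  A raw string keeps the literal "\000" label intact.
NODATA_AUTHORITY = r"""
sportvereine.online. SOA ns1.falsum.net. dnsmaster.falsum.net. 2018011701 200 100 604800 3600
_25._tcp.mail.sportvereine.online. NSEC \000._25._tcp.mail.sportvereine.online. A HINFO TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF
"""


def parse_nsec(rr_text):
    """Split 'owner NSEC next TYPE...' into (owner, next, {types})."""
    fields = rr_text.split()
    if len(fields) < 3 or fields[1].upper() != "NSEC":
        raise ValueError("not an NSEC record: %r" % rr_text)
    return fields[0].lower(), fields[2].lower(), {t.upper() for t in fields[3:]}


def looks_synthesized(owner, next_name):
    """RFC 4470 minimally covering NSEC: next name is '\\000.' + owner,
    the tell-tale of an NSEC generated on the fly rather than from a
    signed zone file."""
    return next_name.lower() == r"\000." + owner.lower()


def nsec_nodata_problems(qname, qtype, authority_text):
    """Return the reasons the authority section fails to prove NODATA
    for (qname, qtype); an empty list means the proof is well-formed."""
    qname, qtype = qname.lower(), qtype.upper()
    nsecs = [parse_nsec(line) for line in authority_text.splitlines()
             if line.split()[1:2] == ["NSEC"]]
    matching = [n for n in nsecs if n[0] == qname]
    if not matching:
        return ["no NSEC RR owned by %s; a NODATA proof needs one" % qname]
    problems = []
    for owner, _next, types in matching:
        # A NODATA NSEC proves the type is *absent*; a bitmap that lists
        # the queried type contradicts the empty ANSWER section.
        if qtype in types:
            problems.append("NSEC at %s asserts %s exists, contradicting "
                            "the empty ANSWER section" % (owner, qtype))
        if "CNAME" in types:
            problems.append("NSEC at %s asserts a CNAME; the answer should "
                            "have followed it, not returned NODATA" % owner)
    return problems


if __name__ == "__main__":
    for problem in nsec_nodata_problems("_25._tcp.mail.sportvereine.online.",
                                        "TLSA", NODATA_AUTHORITY):
        print("BOGUS:", problem)
```

Run against the quoted response it flags the TLSA bit; removing TLSA from the bitmap yields a clean NODATA proof, and the `\000.` next name identifies the NSEC as synthesized.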
