[dns-operations] TLSA lookup DNSSEC failure mode, NSEC RR asserts existence of NODATA TLSA RRset

Miek Gieben miek at miek.nl
Thu Jan 18 07:42:06 UTC 2018


[ Quoting <ietf-dane at dukhovni.org> in "[dns-operations] TLSA lookup DNSSEC..." ]
>
>[ Bcc'd to affected domain and nameserver domain contact ]
>
>I had not seen the failure mode below until now.
>
>http://dnsviz.net/d/_25._tcp.mail.sportvereine.online/Wl_HQg/dnssec/
>
>@ns1.falsum.net.[176.56.237.194]
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8293
>;; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
>;_25._tcp.mail.sportvereine.online. IN TLSA
>sportvereine.online.    SOA     ns1.falsum.net. dnsmaster.falsum.net. 2018011701 200 100 604800 3600
>_25._tcp.mail.sportvereine.online. NSEC \000._25._tcp.mail.sportvereine.online. A HINFO TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF
>
>@ns2.falsum.net.[107.191.107.176]
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34488
>;; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
>;_25._tcp.mail.sportvereine.online. IN TLSA
>sportvereine.online.    SOA     ns1.falsum.net. dnsmaster.falsum.net. 2018011701 200 100 604800 3600
>_25._tcp.mail.sportvereine.online. NSEC \000._25._tcp.mail.sportvereine.online. A HINFO TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF
>
>The form of the NSEC record suggests that the NSEC response is generated on
>the fly, and yet its bitmap asserts the existence of the very record for
>which a NODATA response was received.  Anyone seen anything similar?
>What nameserver implementation is responsible for this?

Can't comment on that weird NS set, but this looks *almost* like Cloudflare's
NSEC black lies, but not quite. In fact it looks like what I do in CoreDNS' dnssec
plugin. I'll double check if I filter the qtype from the type bitmap.
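The check a validating resolver applies to the response quoted above, as an added example that is not code from this thread, from CoreDNS or from Cloudflare: a NODATA answer is proven by an NSEC whose owner equals the query name and whose type bitmap contains neither the queried type nor CNAME (RFC 4035 sections 3.1.3.1 and 5.4). The NSEC text is copied from the thread; the query name, the type-number table and the `synthesize_nodata_nsec` helper (which applies the qtype filter the reply mentions) are constructed for the example.

```python
# Added example: validator-side NODATA proof check for a synthesized NSEC, plus the
# qtype filter an on-the-fly NSEC generator needs. Not code from the thread or from
# any nameserver implementation; RR_TYPE_NUMBER holds IANA type numbers.

RR_TYPE_NUMBER = {  # type numbers for the types that appear in the thread's bitmap
    "A": 1, "CNAME": 5, "HINFO": 13, "TXT": 16, "AAAA": 28, "LOC": 29, "SRV": 33,
    "CERT": 37, "SSHFP": 44, "RRSIG": 46, "NSEC": 47, "TLSA": 52, "HIP": 55,
    "OPENPGPKEY": 61, "SPF": 99,
}

QNAME = "_25._tcp.mail.sportvereine.online."   # query from the thread
QTYPE = "TLSA"

# NSEC record exactly as returned by ns1/ns2.falsum.net in the quoted dig output.
NSEC_FROM_THREAD = (
    "_25._tcp.mail.sportvereine.online. NSEC \\000._25._tcp.mail.sportvereine.online. "
    "A HINFO TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF"
)


def parse_nsec(line):
    """Split presentation-format 'owner NSEC next [type ...]' into (owner, next, set_of_types)."""
    fields = line.split()
    if len(fields) < 3 or fields[1].upper() != "NSEC":
        raise ValueError("not an NSEC record: %r" % line)
    return fields[0].lower(), fields[2].lower(), {t.upper() for t in fields[3:]}


def check_nodata_proof(nsec_line, qname, qtype):
    """Validate a NODATA response proven by a single NSEC whose owner is qname.

    The NSEC must match qname, and its type bitmap must contain neither qtype nor
    CNAME; otherwise the proof is bogus. Returns (ok, reason).
    """
    owner, _next, types = parse_nsec(nsec_line)
    qname, qtype = qname.lower(), qtype.upper()
    if owner != qname:
        return False, "NSEC owner %s does not match qname %s" % (owner, qname)
    if qtype in types:
        return False, "bitmap asserts %s exists at %s: NODATA proof is bogus" % (qtype, owner)
    if "CNAME" in types:
        return False, "bitmap asserts CNAME at %s: answer should have been a CNAME" % owner
    return True, "NSEC proves no %s RRset at %s" % (qtype, owner)


def synthesize_nodata_nsec(qname, qtype, types_present):
    """Build the on-the-fly NSEC a server should return for NODATA at an existing name.

    Next name is \\000.<qname> (the closest possible successor, as in the thread), the
    bitmap lists the types present in canonical (type number) order and always includes
    RRSIG and NSEC, and the queried type is filtered out, which is the step under discussion.
    """
    types = {t.upper() for t in types_present} | {"RRSIG", "NSEC"}
    types.discard(qtype.upper())
    bitmap = sorted(types, key=lambda t: RR_TYPE_NUMBER[t])
    return "%s NSEC \\000.%s %s" % (qname, qname, " ".join(bitmap))


if __name__ == "__main__":
    print("thread record:", check_nodata_proof(NSEC_FROM_THREAD, QNAME, QTYPE))
    _, _, bitmap = parse_nsec(NSEC_FROM_THREAD)
    fixed = synthesize_nodata_nsec(QNAME, QTYPE, bitmap)
    print("filtered record:", fixed)
    print("filtered record:", check_nodata_proof(fixed, QNAME, QTYPE))
```

Run as-is, the thread's record fails the check because TLSA is set in the bitmap, which is exactly the "bogus" outcome dnsviz reports; the same record with TLSA filtered out of the bitmap passes.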
