[dns-operations] TLSA lookup DNSSEC failure mode, NSEC RR asserts existence of NODATA TLSA RRset
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Jan 18 16:02:52 UTC 2018
[ Original message by Björn Kinscher. Sent to me and Cc'd to the list, but since
Björn is not a list member, the original did not get posted to the list. ]
Hi,
the nameserver implementation responsible for this is coredns[1].
The reported behaviour is not intended (according to the comments in the
source code the behaviour should be similar to Cloudflare's
implementation[2]). I already filed a bug report.
The odd NS RRset seems to come from a bug in the zone transfer. I think
the old NS RRset is not deleted after the transfer. I filed a bug report
for this too.
Thank you for the notice.
Regards
Björn
[1] https://coredns.io/
[2] https://blog.cloudflare.com/black-lies/
On 17.01.18 at 23:19, Viktor Dukhovni wrote:
>
> [ Bcc'd to affected domain and nameserver domain contact ]
>
> I had not seen the below failure mode before till now.
>
> http://dnsviz.net/d/_25._tcp.mail.sportvereine.online/Wl_HQg/dnssec/
>
> @ns1.falsum.net.[176.56.237.194]
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8293
> ;; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> ;_25._tcp.mail.sportvereine.online. IN TLSA
> sportvereine.online. SOA ns1.falsum.net. dnsmaster.falsum.net. 2018011701 200 100 604800 3600
> _25._tcp.mail.sportvereine.online. NSEC \000._25._tcp.mail.sportvereine.online. A HINFO TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF
>
> @ns2.falsum.net.[107.191.107.176]
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34488
> ;; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> ;_25._tcp.mail.sportvereine.online. IN TLSA
> sportvereine.online. SOA ns1.falsum.net. dnsmaster.falsum.net. 2018011701 200 100 604800 3600
> _25._tcp.mail.sportvereine.online. NSEC \000._25._tcp.mail.sportvereine.online. A HINFO TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF
>
> The form of the NSEC record suggests that the NSEC response is generated on
> the fly, and yet its bitmap asserts the existence of the very record for
> which a NODATA response was received. Anyone seen anything similar?
> What nameserver implementation is responsible for this?
>
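The inconsistency described above (a NODATA answer whose NSEC type bitmap lists the very type that was queried) can be caught mechanically by a resolver-side or monitoring check. The following Python is an added example, not code from the thread, from CoreDNS or from Cloudflare: it parses the presentation-format NSEC line quoted above, applies the RFC 4035 section 3.1.3.2 rule for a NODATA proof, and flags the on-the-fly "\000.<owner>" next-name shape. NSEC_CONSTRUCTED_OK is a made-up line showing what a consistent proof for the same query would look like.

```python
"""Check that a NODATA answer's NSEC proof is self-consistent (RFC 4035 s.3.1.3.2)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Nsec:
    owner: str
    next_name: str
    types: frozenset


def parse_nsec(rr: str) -> Nsec:
    """Parse a presentation-format NSEC RR: '<owner> [ttl] [IN] NSEC <next> <types...>'."""
    f = rr.split()
    i = f.index("NSEC")
    return Nsec(f[0].lower(), f[i + 1].lower(), frozenset(t.upper() for t in f[i + 2:]))


def is_minimal_cover(n: Nsec) -> bool:
    """True when the next name is '\\000.<owner>', i.e. the NSEC was synthesized on the fly."""
    return n.next_name == r"\000." + n.owner


def check_nodata(qname: str, qtype: str, ancount: int, nsecs) -> list:
    """Return findings (empty list == consistent) for a NOERROR/ANSWER:0 response to qname/qtype.
    A valid NODATA proof needs an NSEC whose owner is exactly QNAME and whose bitmap lacks
    qtype (and CNAME, since a CNAME at QNAME would have been answered instead)."""
    if ancount != 0:
        return ["response is not NODATA (ANSWER != 0)"]
    qname, qtype = qname.lower(), qtype.upper()
    matching = [n for n in nsecs if n.owner == qname]
    if not matching:
        return [f"no NSEC owned by {qname}: NODATA is unproven"]
    findings = []
    for n in matching:
        for t in (qtype, "CNAME"):
            if t in n.types:
                findings.append(f"NSEC at {n.owner} asserts {t} exists, contradicting NODATA")
    return findings


# Authority-section NSEC exactly as it appeared in the thread (ns1/ns2.falsum.net).
NSEC_FROM_THREAD = (r"_25._tcp.mail.sportvereine.online. NSEC \000._25._tcp.mail.sportvereine.online. "
                    "A HINFO TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF")
# Constructed: a minimally covering NODATA proof for TLSA whose bitmap does not list TLSA.
NSEC_CONSTRUCTED_OK = (r"_25._tcp.mail.sportvereine.online. NSEC \000._25._tcp.mail.sportvereine.online. "
                       "RRSIG NSEC")

if __name__ == "__main__":
    q = "_25._tcp.mail.sportvereine.online."
    for label, rr in (("thread", NSEC_FROM_THREAD), ("constructed", NSEC_CONSTRUCTED_OK)):
        n = parse_nsec(rr)
        print(label, "synthesized:", is_minimal_cover(n), check_nodata(q, "TLSA", 0, [n]) or "consistent")
```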