[dns-operations] TLSA lookup DNSSEC failure mode, NSEC RR asserts existence of NODATA TLSA RRset

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Jan 18 16:02:52 UTC 2018


[ Original message by Björn Kinscher. Sent to me and Cc'd to the list, but since 
  Björn is not a list member, the original did not get posted to the list. ]

Hi,

the nameserver implementation responsible for this is coredns[1].

The reported behaviour is not intended (according to the comments in the
source code the behaviour should be similar to Cloudflare's
implementation[2]). I already filed a bug report.

The odd NS RRset seems to come from a bug in the zone transfer. I think
the old NS RRset is not deleted after the transfer. I filed a bug report
for this too.

Thank you for the notice.

Regards
Björn

[1] https://coredns.io/
[2] https://blog.cloudflare.com/black-lies/


On 17.01.18 at 23:19, Viktor Dukhovni wrote:
> 
> [ Bcc'd to affected domain and nameserver domain contact ]
> 
> I had not seen the below failure mode before till now.
> 
> http://dnsviz.net/d/_25._tcp.mail.sportvereine.online/Wl_HQg/dnssec/
> 
> @ns1.falsum.net.[176.56.237.194]
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8293
> ;; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> ;_25._tcp.mail.sportvereine.online. IN TLSA
> sportvereine.online.    SOA     ns1.falsum.net. dnsmaster.falsum.net. 2018011701 200 100 604800 3600
> _25._tcp.mail.sportvereine.online. NSEC \000._25._tcp.mail.sportvereine.online. A HINFO TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF
> 
> @ns2.falsum.net.[107.191.107.176]
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34488
> ;; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> ;_25._tcp.mail.sportvereine.online. IN TLSA
> sportvereine.online.    SOA     ns1.falsum.net. dnsmaster.falsum.net. 2018011701 200 100 604800 3600
> _25._tcp.mail.sportvereine.online. NSEC \000._25._tcp.mail.sportvereine.online. A HINFO TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF
> 
> The form of the NSEC record suggests that the NSEC response is generated on
> the fly, and yet its bitmap asserts the existence of the very record for
> which a NODATA response was received.  Anyone seen anything similar?
> What nameserver implementation is responsible for this?
> 
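The failure Viktor quotes is what a validating resolver sees when it applies the RFC 4035 NODATA proof: the NSEC record is owned by the query name itself (with a synthesized `\000.` successor, as in the "black lies" approach linked above), so the proof stands or falls on the type bitmap, and that bitmap has the TLSA bit set. A bitmap that asserts TLSA exists cannot prove a NODATA answer, so the validator marks the response bogus and the DANE lookup gets SERVFAIL instead of a secure "no TLSA" answer. The following is an added example, not code from the thread or from any of the nameserver projects mentioned: it parses the NSEC lines exactly as quoted, encodes and decodes the RFC 4034 §4.1.2 type bitmap, and runs the owner-name and bitmap checks a validator performs. The "corrected" record is a constructed counterpart with the TLSA mnemonic removed, used only to show the check passing; it does not claim to reproduce any particular server's fixed output.

```python
"""Validator-style NODATA proof check over NSEC records (added example).

Standard library only. The NSEC text below is copied from the dig output
in the thread; NSEC_CORRECTED is a constructed counterpart for contrast.
"""

# RR type mnemonic -> type code (IANA DNS parameters registry). Only the
# types that appear in the thread's bitmap plus CNAME are listed here.
TYPE_CODES = {
    "A": 1, "CNAME": 5, "SOA": 6, "HINFO": 13, "TXT": 16, "AAAA": 28,
    "LOC": 29, "SRV": 33, "CERT": 37, "SSHFP": 44, "RRSIG": 46, "NSEC": 47,
    "TLSA": 52, "HIP": 55, "OPENPGPKEY": 61, "SPF": 99,
}


def canonical_name(name: str) -> str:
    """Lower-case and add a trailing dot so owner names compare equal."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def type_code(mnemonic: str) -> int:
    """Map a presentation-format type to its code, accepting RFC 3597 TYPEnnn."""
    m = mnemonic.upper()
    if m.startswith("TYPE") and m[4:].isdigit():
        return int(m[4:])
    return TYPE_CODES[m]


def parse_nsec(rr_text: str):
    """Parse 'owner [TTL] [class] NSEC next TYPE ...' into (owner, next, codes).

    The first 'NSEC' token is the RR type; later ones belong to the bitmap.
    """
    fields = rr_text.split()
    idx = fields.index("NSEC")
    owner = canonical_name(fields[0])
    next_name = canonical_name(fields[idx + 1])
    codes = {type_code(t) for t in fields[idx + 2:]}
    return owner, next_name, codes


def encode_type_bitmap(codes) -> bytes:
    """RFC 4034 section 4.1.2 window-block encoding of a set of type codes."""
    windows = {}
    for code in sorted(codes):
        bitmap = windows.setdefault(code >> 8, bytearray(32))
        low = code & 0xFF
        bitmap[low // 8] |= 0x80 >> (low % 8)
    out = bytearray()
    for win, bitmap in sorted(windows.items()):
        # Trailing zero octets are dropped; the length field is 1..32.
        length = max(i for i, b in enumerate(bitmap) if b) + 1
        out += bytes([win, length]) + bytes(bitmap[:length])
    return bytes(out)


def decode_type_bitmap(data: bytes):
    """Inverse of encode_type_bitmap; rejects malformed window blocks."""
    codes, pos = set(), 0
    while pos < len(data):
        win, length = data[pos], data[pos + 1]
        if not 1 <= length <= 32:
            raise ValueError("bitmap length out of range")
        bitmap = data[pos + 2:pos + 2 + length]
        if len(bitmap) != length:
            raise ValueError("truncated bitmap")
        for i, octet in enumerate(bitmap):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    codes.add((win << 8) | (i * 8 + bit))
        pos += 2 + length
    return codes


def check_nodata_proof(qname: str, qtype: str, nsec_rrs):
    """RFC 4035 section 5.4 NODATA check: NSEC owned by QNAME, bitmap lacks QTYPE.

    Returns (ok, reason). When ok is False a validator treats the response
    as bogus and the stub/application sees SERVFAIL, not a secure NODATA.
    """
    qname = canonical_name(qname)
    qcode = type_code(qtype)
    for owner, _next, codes in (parse_nsec(rr) for rr in nsec_rrs):
        if owner != qname:
            continue  # only an NSEC at QNAME itself can prove NODATA
        # Round-trip through wire format so the check is on the actual bits.
        bits = decode_type_bitmap(encode_type_bitmap(codes))
        if qcode in bits:
            return False, f"NSEC at {owner} asserts {qtype} exists; contradicts NODATA"
        if TYPE_CODES["CNAME"] in bits:
            return False, f"NSEC at {owner} has CNAME bit set; a CNAME answer was expected"
        return True, f"NSEC at {owner} proves no {qtype} RRset"
    return False, "no NSEC RR with owner name matching QNAME"


QNAME = "_25._tcp.mail.sportvereine.online."
# Verbatim from the dig output quoted in the thread.
NSEC_FROM_THREAD = (
    "_25._tcp.mail.sportvereine.online. NSEC \\000._25._tcp.mail.sportvereine.online. "
    "A HINFO TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF"
)
# Constructed for contrast: the same record with the TLSA bit cleared.
NSEC_CORRECTED = NSEC_FROM_THREAD.replace(" TLSA ", " ")

if __name__ == "__main__":
    for label, rr in (("as served", NSEC_FROM_THREAD), ("constructed fix", NSEC_CORRECTED)):
        ok, why = check_nodata_proof(QNAME, "TLSA", [rr])
        print(f"{label}: {'secure' if ok else 'bogus'} - {why}")
```

The same check is useful on the operator side: running it against a nameserver's NODATA responses for the names your TLSA records hang off will catch an on-the-fly NSEC generator that copies a fixed "all types" bitmap instead of clearing the queried type, before a DANE-validating peer does.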
