[dns-operations] Akamai now works with ENT (Empty Non-Terminals)?
Peter van Dijk
peter.van.dijk at powerdns.com
Mon Apr 15 22:16:14 UTC 2019
On 15 Apr 2019, at 22:05, Shumon Huque wrote:
> Ah, I see. I did some quick tests using 18.104.22.168 yesterday and it was
> producing SERVFAIL for wildcard expanded positive responses too,
> assumed that it was related to the incorrect NSEC, and didn't bother
> investigate further.
> Try dig @22.214.171.124 blah.h4ha.net. A for example.
> With BIND/Unbound/Knot, this authenticates correctly. But I'd say that
> the reason is a bit more interesting than mundane. The apparent sole
> NSEC record in the zone, that is returned in the authority section of
> the response, although incorrect (because there is at least one other
> in the zone, the wildcard), accidentally causes the right thing to
> namely it also proves no explicit match and no closer wildcard match
> of the name is possible.
PowerDNS also accepts it. My suspicions match yours :)
> Wonder why Google fails though? Is it determining that a wildcard
> and thus the NSEC record must be wrong ..
$ dig +dnssec blah.h4ha.net
; <<>> DiG 9.12.3-P4 <<>> +dnssec blah.h4ha.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14658
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;blah.h4ha.net. IN A
;; ANSWER SECTION:
blah.h4ha.net. 300 IN A 126.96.36.199
blah.h4ha.net. 300 IN RRSIG A 13 2 300 20190425000000 20190404000000 39543 h4ha.net. RVUeiqgWhB9TaUwlJBqtEkqTa5QbL+jty4JluMmtFp+ttTWG4N7GFTck
;; AUTHORITY SECTION:
h4ha.net. 3600 IN NSEC h4ha.net. A NS SOA RRSIG NSEC DNSKEY CAA
h4ha.net. 3600 IN RRSIG NSEC 13 2 3600 20190425000000 20190404000000 39543 h4ha.net. MykC0Gl+N7t1JQP3XPRl7qL4izW9gkHh3yUce0fhti9pOIsUbAkwz4Ms
;; Query time: 229 msec
;; SERVER: 188.8.131.52#53(184.108.40.206)
;; WHEN: Mon Apr 15 23:30:23 CEST 2019
;; MSG SIZE rcvd: 300
The response contains the asked-for A record. The (cryptographically
valid) RRSIG over that mentions off-hand that it was expanded from a
wildcard. An NSEC is included that says that ‘blah’ does not exist.
I believe that that is a conclusion that a validator is allowed to jump
to. However, the NSEC does prove that the wildcard itself does not exist
and thus the answer makes no sense. I believe that that is also a
conclusion that a validator is allowed to end up with, and it looks like
that is what Google is doing.
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
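As an added illustration (not code from this thread or from PowerDNS), the two NSEC checks a validator can apply to the wildcard-expanded answer above, using RFC 4034 canonical name ordering; the record values are taken from the dig output in the mail, and the names of the helper functions are my own.

```python
# Added example, not code from the thread or from PowerDNS: the NSEC
# checks a validator applies to a wildcard-expanded answer (RFC 4035
# section 5.3.4), using RFC 4034 section 6.1 canonical name ordering.
# Record values below are taken from the dig output in the mail.

def labels_of(name):
    """Labels of a name, lowercased, leftmost first (no trailing root)."""
    return [l.lower() for l in name.rstrip('.').split('.') if l]

def canonical_key(name):
    """Sort key for RFC 4034 canonical order: compare from the root down;
    an ancestor (prefix) sorts before its descendants."""
    return [l.encode() for l in reversed(labels_of(name))]

def nsec_covers(owner, next_name, name):
    """True if name falls strictly inside the gap an NSEC record spans."""
    o, n, x = (canonical_key(s) for s in (owner, next_name, name))
    if o < n:
        return o < x < n
    # Last NSEC in the chain wraps back to the apex; owner == next means
    # the zone claims to have no other names at all.
    return x > o or x < n

def check_wildcard_answer(qname, rrsig_labels, nsec_owner, nsec_next):
    """Classify a positive answer given its RRSIG Labels field and the
    single NSEC returned in the authority section."""
    labels = labels_of(qname)
    count = len(labels) - (1 if labels and labels[0] == '*' else 0)
    if rrsig_labels >= count:
        return 'secure: not a wildcard expansion'
    closest_encloser = '.'.join(labels[len(labels) - rrsig_labels:]) + '.'
    wildcard = '*.' + closest_encloser
    # Required check: the NSEC must deny the exact name.
    if not nsec_covers(nsec_owner, nsec_next, qname):
        return 'bogus: NSEC does not prove the exact name is absent'
    # Consistency check the mail suspects Google applies: the same NSEC
    # must not also deny the wildcard the answer was expanded from.
    if nsec_covers(nsec_owner, nsec_next, wildcard):
        return 'bogus: NSEC also denies ' + wildcard + ' the answer came from'
    return 'secure: wildcard expansion proven'

if __name__ == '__main__':
    # The response from the mail: RRSIG Labels = 2 for a 3-label name,
    # and one NSEC  h4ha.net. -> h4ha.net.  in the authority section.
    print(check_wildcard_answer('blah.h4ha.net.', 2, 'h4ha.net.', 'h4ha.net.'))
    # A correctly signed zone would return the NSEC at the wildcard itself.
    print(check_wildcard_answer('blah.h4ha.net.', 2, '*.h4ha.net.', 'h4ha.net.'))
```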