[dns-operations] NSEC chains that omit wildcards.

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Apr 25 18:51:24 UTC 2019


On Sun, Apr 14, 2019 at 02:54:18PM -0400, Viktor Dukhovni wrote:

> That'd be great.  One recent problem "hotspot" is epik.com, where
> I'm seeing many new problem domains showing.  These signed domains
> have only the zone apex in their NSEC chain, but TLSA queries for
> sub-domains return NODATA rather than NXDOMAIN.

[ The problems at epik.com are now fully resolved, so I did reach the
  right contact in the end!  Thanks to Shumon for the nudge. ]

But it seems that similar issues still crop up from time to time
at other providers.  It looks like some versions of PowerDNS (?
telltale RRSIG inception midnight Thursday) are, or were (if
outdated), too easily misconfigured to not include the wildcard in
the zone's NSEC chain.  Today's case in point is firestorm.ch.

    http://imrryr.org/~viktor/dnsviz/firestorm.ch.html

    e.g.:

    hauspilot.ch [.] [.]
      [.]  DS: 13/146/1 [.], 13/146/2 [.]
      [.]    RRSIG: ch/13/2668 (2019-04-19 - 2019-05-19) [.]
      [.]  DNSKEY: 13/146/257 [.]
      [.]    RRSIG: hauspilot.ch/13/146 (2019-04-18 - 2019-05-09) [.]
      [.]    RRSIG: hauspilot.ch/13/146 (2019-04-18 - 2019-05-09) [.]
      [.]    RRSIG: hauspilot.ch/13/146 (2019-04-18 - 2019-05-09) [.]
      [.]    RRSIG: hauspilot.ch/13/146 (2019-04-18 - 2019-05-09) [.]
      [.]    RRSIG: hauspilot.ch/13/146 (2019-04-18 - 2019-05-09) [.]
    _25._tcp.mail.hauspilot.ch
      [!]  TLSA: NODATA
      [.]    SOA: dns11.firestorm.ch. info.firestorm.ch. 2019034787 10800 3600 604800 3600
      [.]      RRSIG: hauspilot.ch/13/146 (2019-04-18 - 2019-05-09) [.]
      [.]      RRSIG: hauspilot.ch/13/146 (2019-04-18 - 2019-05-09) [.]
      [.]      RRSIG: hauspilot.ch/13/146 (2019-04-18 - 2019-05-09) [.]
      [.]      RRSIG: hauspilot.ch/13/146 (2019-04-18 - 2019-05-09) [.]
      [!]    PROOF:  [!!]
               E:NO_NSEC_MATCHING_SNAME
      [.]      NSEC: hauspilot.ch. hauspilot.ch. A NS SOA MX TXT RRSIG NSEC DNSKEY CDS CDNSKEY CAA
      [.]        RRSIG: hauspilot.ch/13/146 (2019-04-18 - 2019-05-09) [.]
      [.]        RRSIG: hauspilot.ch/13/146 (2019-04-18 - 2019-05-09) [.]
      [.]        RRSIG: hauspilot.ch/13/146 (2019-04-18 - 2019-05-09) [.]
      [.]        RRSIG: hauspilot.ch/13/146 (2019-04-18 - 2019-05-09) [.]

Does anyone know whether the issue is outdated software (is an
upgrade required), operator negligence (explicitly incorrect
configuration) or pitfalls in the default configuration requiring
operator attention to detail to avoid the problem?

-- 
	Viktor.
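The dnsviz output above can be reproduced with a small denial-of-existence checker. The following is an added example, not code from dnsviz, PowerDNS or the original post: it implements RFC 4034 canonical ordering and the RFC 4035 NODATA, wildcard-NODATA and NXDOMAIN proof rules (delegations, DNAME and NSEC3 are left out), then runs the hauspilot.ch NSEC chain shown above against the TLSA query for `_25._tcp.mail.hauspilot.ch`. The `WITH_WILDCARD` chain and its type bitmap for `*.hauspilot.ch` are constructed for illustration, not taken from the live zone.

```python
# Added example: simplified NSEC denial-of-existence checker (RFC 4034/4035).
# Not dnsviz or PowerDNS code. Shows why an NSEC chain holding only the apex
# cannot validate a NODATA answer for a wildcard-matched name: the chain
# actually asserts that the wildcard does not exist, i.e. it proves NXDOMAIN.
# Delegations, DNAME and NSEC3 handling are omitted for brevity.

def labels(name):
    """RFC 4034 6.1 canonical sort key: lowercase labels, most significant first."""
    name = name.rstrip(".").lower()
    return tuple(l.encode() for l in reversed(name.split("."))) if name else ()

def to_name(key):
    return ".".join(l.decode() for l in reversed(key)) + "."

def nsec_covers(owner, next_name, name):
    """True if name sorts strictly between owner and next. The last NSEC of a
    chain wraps around to the apex, so next <= owner means 'to end of zone'."""
    o, nx, n = labels(owner), labels(next_name), labels(name)
    if n == o:
        return False
    if o < nx:
        return o < n < nx
    return n > o or n < nx

def closest_encloser(nsec, qname):
    """Longest existing ancestor of qname, derived from the covering NSEC's
    owner and next names (both of which are known to exist in the zone)."""
    q, best = labels(qname), ()
    for cand in (labels(nsec[0]), labels(nsec[1])):
        i = 0
        while i < min(len(cand), len(q)) and cand[i] == q[i]:
            i += 1
        best = max(best, cand[:i], key=len)
    return to_name(best)

def prove_denial(qname, qtype, chain):
    """Return (proof_type, reason): what the NSEC chain proves about qname/qtype.
    chain is a list of (owner, next, frozenset_of_types) records."""
    match = [r for r in chain if labels(r[0]) == labels(qname)]
    if match:
        owner, nxt, types = match[0]
        if qtype in types or "CNAME" in types:
            return "BOGUS", f"NSEC {owner} lists {qtype} or CNAME; a negative answer is wrong"
        return "NODATA", f"NSEC {owner} -> {nxt} matches QNAME and lacks {qtype}"
    cover = [r for r in chain if nsec_covers(r[0], r[1], qname)]
    if not cover:
        return "BOGUS", "no NSEC matches or covers QNAME"
    wildcard = "*." + closest_encloser(cover[0], qname)
    wc_match = [r for r in chain if labels(r[0]) == labels(wildcard)]
    if wc_match:
        if qtype in wc_match[0][2] or "CNAME" in wc_match[0][2]:
            return "BOGUS", f"wildcard {wildcard} exists and has {qtype}; expected synthesized data"
        return "WILDCARD_NODATA", f"QNAME covered, NSEC {wildcard} matches and lacks {qtype}"
    if any(nsec_covers(r[0], r[1], wildcard) for r in chain):
        return "NXDOMAIN", f"QNAME covered and wildcard {wildcard} covered (does not exist)"
    return "BOGUS", f"no NSEC matches or covers wildcard {wildcard}"

def validate(qname, qtype, observed, chain):
    """observed is the server's negative answer: 'NODATA' or 'NXDOMAIN'."""
    proven, why = prove_denial(qname, qtype, chain)
    if proven == observed or (observed == "NODATA" and proven == "WILDCARD_NODATA"):
        return True, why
    if observed == "NODATA" and proven == "NXDOMAIN":
        return False, ("E:NO_NSEC_MATCHING_SNAME: NODATA answer, but no NSEC matches "
                       "QNAME or its wildcard; the chain proves NXDOMAIN instead")
    return False, f"answer says {observed} but chain proves {proven}: {why}"

# Chain as shown in the dnsviz output above: a single NSEC, apex -> apex.
APEX_ONLY = [("hauspilot.ch.", "hauspilot.ch.",
              frozenset("A NS SOA MX TXT RRSIG NSEC DNSKEY CDS CDNSKEY CAA".split()))]

# Constructed (hypothetical) repaired chain that includes the wildcard; the
# type bitmap for *.hauspilot.ch is made up, not taken from the live zone.
WITH_WILDCARD = [
    ("hauspilot.ch.", "*.hauspilot.ch.",
     frozenset("A NS SOA MX TXT RRSIG NSEC DNSKEY CDS CDNSKEY CAA".split())),
    ("*.hauspilot.ch.", "hauspilot.ch.", frozenset("A MX RRSIG NSEC".split())),
]

QNAME = "_25._tcp.mail.hauspilot.ch."

if __name__ == "__main__":
    for label, chain in (("apex-only chain", APEX_ONLY), ("chain with wildcard", WITH_WILDCARD)):
        ok, why = validate(QNAME, "TLSA", "NODATA", chain)
        print(f"{label}: {'secure' if ok else 'bogus'} -- {why}")
```

Run as-is, the apex-only chain reports bogus with the same `NO_NSEC_MATCHING_SNAME` condition dnsviz flagged, and the same chain would have validated an NXDOMAIN answer; the chain that carries the `*.hauspilot.ch` NSEC validates the NODATA answer as a wildcard no-data proof. That is the mismatch the post describes: the server answers as if the wildcard exists while its NSEC chain says it does not.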
