[dns-operations] [Update] Incomplete NSEC3 denial of existence from domaincontrol.com servers
Viktor Dukhovni
ietf-dane at dukhovni.org
Sun Dec 1 19:55:36 UTC 2019
[ This is still unresolved since the original post on Nov 24th, now at least
289 affected TLSA RRsets in 255 domains. Updated details at:
https://imrryr.org/~viktor/dnsviz/domaincontrol.com.html ]
The NSEC3 denial of existence for the TLSA records of at least 202 MX hosts (in
178 domains) is bogus, because the QNAME (or sometimes the wildcard if the
qname is covered "by accident") is not covered by any NSEC3 RR. In the below
example (RRSIGs elided), the sole NSEC3 RR only covers the zone apex:
@pdns05.domaincontrol.com.[97.74.110.52]
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55506
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;_25._tcp.nightlifeinbangkok.com. IN TLSA
nightlifeinbangkok.com. SOA pdns05.domaincontrol.com. dns.jomax.net. 2019110901 28800 7200 604800 600
kd5lt0sl1v8e2r1eoib3alo9iu417871.nightlifeinbangkok.com. NSEC3 1 0 1 - KR3PBJU1KUHPUCPBBVANN5QJKTE3ARN0 A NS SOA TXT RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY
@pdns06.domaincontrol.com.[173.201.78.52]
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59032
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;_25._tcp.nightlifeinbangkok.com. IN TLSA
nightlifeinbangkok.com. SOA pdns05.domaincontrol.com. dns.jomax.net. 2019110901 28800 7200 604800 600
kd5lt0sl1v8e2r1eoib3alo9iu417871.nightlifeinbangkok.com. NSEC3 1 0 1 - KR3PBJU1KUHPUCPBBVANN5QJKTE3ARN0 A NS SOA TXT RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY
Relevant hashes:
9km4c75r7bndmh1l33fucm7sdsqj6jef. _25._tcp.nightlifeinbangkok.com
9mlqhb5pmr7f1o7goeqk04dl1ijqttlo. *._tcp.nightlifeinbangkok.com
ak4novl0963d2t45t9olk5g5duimgb79. _tcp.nightlifeinbangkok.com
sm7p33mq969iuo1d3fq454je1ofjh2v4. *.nightlifeinbangkok.com
kd5lt0sl1v8e2r1eoib3alo9iu417871. nightlifeinbangkok.com
All 202 TLSA qnames with DNSViz graphs at:
https://imrryr.org/~viktor/dnsviz/domaincontrol.com.html
The mname frequencies from the SOA RR are:
21 pdns01.domaincontrol.com.
25 pdns03.domaincontrol.com.
39 pdns05.domaincontrol.com.
36 pdns07.domaincontrol.com.
14 pdns09.domaincontrol.com.
48 pdns11.domaincontrol.com.
19 pdns13.domaincontrol.com.
--
Viktor.
More information about the dns-operations
mailing list