[dns-operations] [Update] Incomplete NSEC3 denial of existence from domaincontrol.com servers

Viktor Dukhovni ietf-dane at dukhovni.org
Sun Dec 1 19:55:36 UTC 2019


[ This is still unresolved since the original post on Nov 24th, now at least
  289 affected TLSA RRsets in 255 domains. Updated details at:
  https://imrryr.org/~viktor/dnsviz/domaincontrol.com.html ]

The NSEC3 denial of existence for the TLSA records of at least 202 MX hosts (in
178 domains) is bogus, because the QNAME (or sometimes the wildcard if the
qname is covered "by accident") is not covered by any NSEC3 RR.  In the below
example (RRSIGs elided), the sole NSEC3 RR only covers the zone apex:

   @pdns05.domaincontrol.com.[97.74.110.52]
   ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55506
   ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
   ;_25._tcp.nightlifeinbangkok.com. IN TLSA
   nightlifeinbangkok.com. SOA     pdns05.domaincontrol.com. dns.jomax.net. 2019110901 28800 7200 604800 600
   kd5lt0sl1v8e2r1eoib3alo9iu417871.nightlifeinbangkok.com. NSEC3 1 0 1 - KR3PBJU1KUHPUCPBBVANN5QJKTE3ARN0 A NS SOA TXT RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY

   @pdns06.domaincontrol.com.[173.201.78.52]
   ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59032
   ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
   ;_25._tcp.nightlifeinbangkok.com. IN TLSA
   nightlifeinbangkok.com. SOA     pdns05.domaincontrol.com. dns.jomax.net. 2019110901 28800 7200 604800 600
   kd5lt0sl1v8e2r1eoib3alo9iu417871.nightlifeinbangkok.com. NSEC3 1 0 1 - KR3PBJU1KUHPUCPBBVANN5QJKTE3ARN0 A NS SOA TXT RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY

   Relevant hashes:
   9km4c75r7bndmh1l33fucm7sdsqj6jef. _25._tcp.nightlifeinbangkok.com
   9mlqhb5pmr7f1o7goeqk04dl1ijqttlo. *._tcp.nightlifeinbangkok.com
   ak4novl0963d2t45t9olk5g5duimgb79. _tcp.nightlifeinbangkok.com
   sm7p33mq969iuo1d3fq454je1ofjh2v4. *.nightlifeinbangkok.com
   kd5lt0sl1v8e2r1eoib3alo9iu417871. nightlifeinbangkok.com

All 202 TLSA qnames with DNSViz graphs at:

   https://imrryr.org/~viktor/dnsviz/domaincontrol.com.html

The mname frequencies from the SOA RR are:

   21 pdns01.domaincontrol.com.
   25 pdns03.domaincontrol.com.
   39 pdns05.domaincontrol.com.
   36 pdns07.domaincontrol.com.
   14 pdns09.domaincontrol.com.
   48 pdns11.domaincontrol.com.
   19 pdns13.domaincontrol.com.

-- 
   Viktor.
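The coverage failure described above can be checked mechanically. The following Python is an added example (not Viktor's code, and not anything DNSViz or the domaincontrol.com operators run): it implements the RFC 5155 section 5 NSEC3 hash (SHA-1, base32hex) and the RFC 5155 section 8.4 NXDOMAIN proof check (closest encloser must be matched, next closer name and the wildcard at the closest encloser must be covered), then runs it over the single NSEC3 RR transcribed from the pdns05 response in the post. The NSEC3 parameters 1 0 1 - (SHA-1, one extra iteration, empty salt) and the owner/next hashes are taken from that response; the function and variable names are the example's own.

```python
import base64
import hashlib

# Added worked example: compute RFC 5155 NSEC3 hashes and evaluate the
# NXDOMAIN proof (RFC 5155 section 8.4) for the response quoted in the post.

B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
B32_HEX = "0123456789abcdefghijklmnopqrstuv"   # base32hex, lowercase as dig prints it
_TO_B32HEX = str.maketrans(B32_STD, B32_HEX)


def wire_name(name: str) -> bytes:
    """Canonical (lowercased, uncompressed) wire format of an owner name."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, iterations: int = 1, salt: bytes = b"") -> str:
    """IH(salt, name, iterations) with SHA-1 (hash algorithm 1), as base32hex.

    RFC 5155 section 5: the salt is appended on every round, and 'iterations'
    counts the extra rounds after the first, so iterations=1 is two SHA-1 calls.
    """
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").translate(_TO_B32HEX)


def nsec3_matches(h: str, owner_hash: str) -> bool:
    """An NSEC3 RR *matches* a name when its owner hash equals the name's hash."""
    return h.lower() == owner_hash.lower()


def nsec3_covers(h: str, owner_hash: str, next_hash: str) -> bool:
    """An NSEC3 RR *covers* a hash that lies strictly between owner and next.

    base32hex preserves sort order, so plain string comparison is enough.
    The last RR in the chain points back to the first, hence the wraparound case.
    """
    h, o, n = h.lower(), owner_hash.lower(), next_hash.lower()
    if o < n:
        return o < h < n
    return h > o or h < n


def check_nxdomain_proof(qname, nsec3_rrs, iterations=1, salt=b""):
    """Evaluate an NXDOMAIN denial per RFC 5155 section 8.4.

    nsec3_rrs: list of (owner_hash, next_hash) pairs from the AUTHORITY section.
    Requires (1) an RR matching the closest encloser, (2) an RR covering the
    next closer name and (3) an RR covering the wildcard at the closest encloser.
    """
    labels = qname.rstrip(".").lower().split(".")
    result = {"closest_encloser": None, "next_closer": None, "wildcard": None,
              "next_closer_covered": False, "wildcard_covered": False,
              "proof_complete": False}
    # The qname itself is the NXDOMAIN name, so start with its parent and walk up.
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if any(nsec3_matches(nsec3_hash(candidate, iterations, salt), o)
               for o, _ in nsec3_rrs):
            result["closest_encloser"] = candidate
            result["next_closer"] = ".".join(labels[i - 1:])
            result["wildcard"] = "*." + candidate
            break
    if result["closest_encloser"] is None:
        return result                      # no closest encloser proof at all
    for key, name in (("next_closer_covered", result["next_closer"]),
                      ("wildcard_covered", result["wildcard"])):
        h = nsec3_hash(name, iterations, salt)
        result[key] = any(nsec3_covers(h, o, n) for o, n in nsec3_rrs)
    result["proof_complete"] = result["next_closer_covered"] and result["wildcard_covered"]
    return result


# Constructed input, transcribed from the pdns05 response in the post:
# NSEC3 1 0 1 - (SHA-1, one extra iteration, empty salt), a single RR.
POST_NSEC3_RRS = [("kd5lt0sl1v8e2r1eoib3alo9iu417871", "KR3PBJU1KUHPUCPBBVANN5QJKTE3ARN0")]
POST_QNAME = "_25._tcp.nightlifeinbangkok.com."

if __name__ == "__main__":
    for name in [POST_QNAME, "*._tcp.nightlifeinbangkok.com", "_tcp.nightlifeinbangkok.com",
                 "*.nightlifeinbangkok.com", "nightlifeinbangkok.com"]:
        print(f"{nsec3_hash(name)}. {name}")
    print(check_nxdomain_proof(POST_QNAME, POST_NSEC3_RRS))
```

Run stand-alone it reproduces the five "Relevant hashes" from the post and reports that the closest encloser (the apex) is matched but neither the next closer name `_tcp.nightlifeinbangkok.com` nor the wildcard `*.nightlifeinbangkok.com` falls in the interval (kd5lt0..., kr3pbj...), so the proof is incomplete and a validating resolver must treat the answer as bogus. A complete proof would carry two more NSEC3 RRs in the AUTHORITY section, one covering each of those hashes.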