[dns-operations] Anyone with contacts at Paypal and/or Ultradns?
Viktor Dukhovni
ietf-dane at dukhovni.org
Sun Dec 29 20:56:53 UTC 2019

On Sat, Dec 28, 2019 at 12:59:34PM -0500, Viktor Dukhovni wrote:
> Another domain served by the same is:
> 
>     sparkblocs.com. IN NS dns1.registrar-servers.com.
>     sparkblocs.com. IN NS dns2.registrar-servers.com.
> 
> here, there's an issue with the RRSIG on the wildcard CNAME record
> (signature fails to verify):
> 
>     https://dnsviz.net/d/_25._tcp.sparkblocs.com/dnssec/
>     https://dnsviz.net/d/%2A.sparkblocs.com/dnssec/

This was before today's refresh of the domains with TLSA DoE issues.
Now I see DoE failure for 330 TLSA RRsets in 322 zones served by:
     253   dns1.registrar-servers.com,   dns2.registrar-servers.com
      68  pdns1.registrar-servers.com,  pdns2.registrar-servers.com
       1 dns101.registrar-servers.com, dns102.registrar-servers.com
which affect email delivery to (at least) 351 domains.  DNSViz reports
the below errors:
    http://imrryr.org/~viktor/dnsviz/registrar-servers.com.html
     222 MISSING_NSEC_FOR_NODATA
         http://imrryr.org/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.fucking.beer.html
         ...
     105 WILDCARD_NOT_COVERED
         http://imrryr.org/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.mail.baloch.best.html
         ...
       8 MISSING_RRSIG_FOR_ALG_DS
         http://imrryr.org/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.denveracrepair.com.html
         ...
       4 SNAME_NOT_COVERED
         http://imrryr.org/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.mail.tapthislink.com.html
         ...
       4 MISSING_SEP_FOR_ALG
         http://imrryr.org/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.denveracrepair.com.html
         ...
Also, warnings about missing nameserver AAAA glue:
    286 MISSING_GLUE_IPV6
        http://imrryr.org/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.31verri.com.html
        ...
because the .com zone has no AAAA glue records for
     dns1.registrar-servers.com,   dns2.registrar-servers.com
    pdns1.registrar-servers.com,  pdns2.registrar-servers.com
even though these have authoritative IPv6 AAAA RRs.
    dns1.registrar-servers.com. IN AAAA 2610:a1:1024::200
    dns2.registrar-servers.com. IN AAAA 2610:a1:1025::200
    pdns1.registrar-servers.com. IN AAAA 2610:a1:1022::200
    pdns2.registrar-servers.com. IN AAAA 2610:a1:1023::200
-- 
    Viktor.
P.S.
On an unrelated note, some of the domains also returned a PMTU_EXCEEDED
warning (one example per TLD):
    http://imrryr.org/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.deanbassett.info.html
    http://imrryr.org/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.alpaga.hammerle.me.html
    http://imrryr.org/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.twilight.one.html
    http://imrryr.org/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.burntbunch.org.html
    http://imrryr.org/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.eamon.science.html
because the .INFO, .ME, .ONE, .ORG and .SCIENCE signed DNSKEY RRsets are
too big for unfragmented UDP.
There are likely other TLDs with the same issue that did not appear in
the registrar-servers.com DoE breakage dataset.
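A small checker for the two most frequent error classes in the report above, MISSING_NSEC_FOR_NODATA and WILDCARD_NOT_COVERED, added here as an example; it is not part of the original post and not DNSViz code. The zone `example.test`, its NSEC chain and the query name are constructed, and the two labels are used only as names for the RFC 4035 denial-of-existence checks they correspond to.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class NSEC:
    owner: str        # owner name of the NSEC RR
    next_name: str    # "next domain name" field
    types: frozenset  # type bitmap, e.g. frozenset({"A", "RRSIG", "NSEC"})

def canonical_key(name: str) -> tuple:
    """RFC 4034 s6.1 canonical order: labels compared right to left,
    lower-cased, byte-wise; an ancestor sorts before its descendants."""
    return tuple(reversed([l.lower().encode() for l in name.rstrip(".").split(".") if l]))

def covers(nsec: NSEC, name: str) -> bool:
    """True if `name` lies strictly inside the (owner, next) span, i.e. the NSEC
    proves the name does not exist. The zone's last NSEC wraps around to the apex."""
    o, n, q = (canonical_key(x) for x in (nsec.owner, nsec.next_name, name))
    if o < n:
        return o < q < n
    return q > o or q < n  # wrap-around span at the end of the zone

def proves_nodata(nsecs, qname: str, qtype: str) -> bool:
    """RFC 4035 s3.1.3.1: a NODATA answer needs an NSEC owned by qname whose
    type bitmap contains neither qtype nor CNAME."""
    return any(canonical_key(r.owner) == canonical_key(qname)
               and qtype not in r.types and "CNAME" not in r.types for r in nsecs)

def classify_wildcard_nodata(nsecs, qname: str, wildcard: str, qtype: str = "TLSA") -> str:
    """RFC 4035 s3.1.3.4: when a wildcard synthesises the name but has no TLSA,
    the NODATA answer must carry (a) the NSEC at the wildcard owner, lacking qtype,
    and (b) an NSEC covering qname, proving no closer match exists. The labels
    mirror the DNSViz error names quoted in the report."""
    if not proves_nodata(nsecs, wildcard, qtype):
        return "MISSING_NSEC_FOR_NODATA"
    if not any(covers(r, qname) for r in nsecs):
        return "WILDCARD_NOT_COVERED"
    return "OK"

# Constructed zone: apex, a wildcard A record and one real host. An MTA's TLSA
# lookup for the wildcard-synthesised smtp.example.test therefore gets NODATA.
WILDCARD = "*.example.test."
QNAME = "_25._tcp.smtp.example.test."
ZONE_NSECS = [
    NSEC("example.test.", WILDCARD, frozenset({"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"})),
    NSEC(WILDCARD, "mail.example.test.", frozenset({"A", "RRSIG", "NSEC"})),
    NSEC("mail.example.test.", "example.test.", frozenset({"A", "RRSIG", "NSEC"})),
]

if __name__ == "__main__":
    print(classify_wildcard_nodata(ZONE_NSECS, QNAME, WILDCARD))  # prints OK
```

Passing only the wildcard's own NSEC (`ZONE_NSECS[1:2]`) reproduces WILDCARD_NOT_COVERED, and an answer with no NSEC at all reproduces MISSING_NSEC_FOR_NODATA.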