[dns-operations] [Ext] Verisign TLDs, some other servers may trim critical glue from very large referrals

Edward Lewis edward.lewis at icann.org
Fri Jan 4 14:43:12 UTC 2019 

This is an interesting protocol-implementation question.  What's being returned by the server in this case is reasonable (according to the protocol) but evidently less than useful.

The additional section is sort of a "wild-west" there aren't many formal rules for what is in there.  I've never seen a specified case where omitting a record set from the additional section would trigger the TC bit.

The tradeoff is the DS set, which is authoritatively served by the responding server, versus glue, which is not authoritative but needed for connectivity.  The two don't fit together, so one has to be dropped which is a use case that wasn't considered.  It might be good to consider which additional sets are more useful.  In this case, it is indeed the glue.

Another thing to fix is the receiving software...to know to ask for the glue when it isn't found.  But that isn't simple - you have to ask with DNSSEC off:

dig +bufsize=512 +dnssec +norecurse @b.edu-servers.net ns1.chattanoogastate.edu
(still with the large DS set)
vs.
dig +bufsize=512 +norecurse @b.edu-servers.net ns1.chattanoogastate.edu
(finally with the glue)

What a pain - to have to hunt so hard for the glue.

On 1/4/19, 08:52, "dns-operations on behalf of Matt Nordhoff" <dns-operations-bounces at dns-oarc.net on behalf of lists at mn0.us> wrote:

    Hi,
    
    It turns out that, with some authoritative servers, if a client sends
    a query specifying a small EDNS buffer size, and the server is
    returning a large referral with in-bailiwick nameservers, if the sizes
    align just right, some servers will trim *all* critical additional
    records from the response, *without* setting the TC bit.
    
    (Run-on sentence, wow.)
    
    If all of a parent zone's servers return such unusable referrals,
    Unbound will give up and return SERVFAIL. I don't know how other
    recursive servers behave.
    
    This was found in the wild by an Unbound resolver configured with an
    EDNS buffer size of 512 bytes, with the domain chattanoogastate.edu
    (TLD backend operator: Verisign). For example:
    
    $ dig +bufsize=512 +dnssec +norecurse @b.edu-servers.net chattanoogastate.edu
    
    ; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> +bufsize
    +dnssec +norecurse @b.edu-servers.net chattanoogastate.edu
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53484
    ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;chattanoogastate.edu.          IN      A
    
    ;; AUTHORITY SECTION:
    chattanoogastate.edu.   172800  IN      NS      ns2.chattanoogastate.edu.
    chattanoogastate.edu.   172800  IN      NS      ns1.chattanoogastate.edu.
    chattanoogastate.edu.   86400   IN      DS      10114 5 2
    A22479C3577ABDDA48962F74EECCE16D3EFE14B5C95FD9463BA5A28F CD67CF3A
    chattanoogastate.edu.   86400   IN      DS      10114 5 1
    2CA51C740D54B8B3EBE5D58BD012196D5584A895
    chattanoogastate.edu.   86400   IN      DS      10618 5 1
    F8B1C75138745E23976CAD453E812D89E366E5A1
    chattanoogastate.edu.   86400   IN      DS      10618 5 2
    54592BC341F637A43C0D14F0704B58913A2B1B702266083AAEEF11B8 96E84400
    chattanoogastate.edu.   86400   IN      DS      4483 5 1
    5BC068184A5BEC46EC3C786AB8722C8E74559A3B
    chattanoogastate.edu.   86400   IN      DS      4483 5 2
    D19A8289B0EA70DF1F986138200EE3D5BDF5CA4FAEECD439C72847A6 965AF362
    chattanoogastate.edu.   86400   IN      RRSIG   DS 8 2 86400
    20190109062913 20190102051913 37217 edu.
    EncjLTtHy8zy5lHiqCe8vRayTf/8Miwik4LhUY9wkntu4uWmltruXD6J
    OiHAaOeYJeHNzlf0BYLoJCgfySL6uIlyf+3cmxobIvoGTy9bmseg+OWi
    ckkgTK5n3yU/b4w0J+j51oRGh1H2etBVxdy5a0QnUu10FIRAw6Mzi00+ tJo=
    
    ;; Query time: 1 msec
    ;; SERVER: 2001:503:231d::2:30#53(2001:503:231d::2:30)
    ;; WHEN: Fri Jan 04 10:57:54 UTC 2019
    ;; MSG SIZE  rcvd: 500
    
    Gist without mangled line wrapping:
    
    <https://urldefense.proofpoint.com/v2/url?u=https-3A__gist.github.com_mnordhoff_ce9f4d1a8c496751ef6e8ab435f0c45f&d=DwICAg&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=9G8-4P__AMgxNOQPiu7FkrImeieALKYtfGBE8UTuyg4&m=yJ8xMytSvOQUH1EsEoepPvEQ6SYa1yHijUedldNfhlk&s=NsAbMQ6PCEHaAlJDE4onwGQaejd4kNiiOiOtaJRjlWE&e=>
    
    (I'm not affiliated with Chattanooga State. They are aware of the issue.)
    
    I experimented with some of my own (expendable) domains under the TLDs
    .info (backend Afilias), .ooo and .xyz (both CentralNic). With them,
    _some_ of the TLD servers set TC and some do not, and I haven't been
    able to coax Unbound into failing.
    
    I'm running edns-buffer-size.ooo as a demonstration, with a similar
    configuration to chattanoogastate.edu.
    
    PowerDNS Authoritative doesn't set TC. [0] I haven't tested other DNS servers.
    
    As background context, with the renewed attention to fragmentation
    attacks last year, Let's Encrypt [1] and at least one other CA [2]
    have configured the resolvers in their domain validation
    infrastructure with an EDNS buffer size of 512 bytes to reduce the
    risk of fragmentation.
    
    Let's Encrypt changed their production DNS servers November 15. Since
    then, there have been about a half dozen public reports of problems.
    The chattanoogastate.edu issue [3] is the only one that's out of the
    ordinary -- the others were all caused by nameservers that didn't
    support TCP.
    
    I've chatted about this with some people; none of us had any immediate
    conclusions. (Also it's the holidays...) I haven't emailed any TLDs.
    
    It turns out RFC 4472 appendix B [4] discusses this problem, and it
    even links to a short namedroppers thread from 2005 [5].
    
    Do any of you have thoughts, experiences, quotes from standards track
    RFCs, or friends at Verisign? ;-)
    
    Obviously, authoritative and recursive servers _could_ both work
    around this, and people probably shouldn't set six DS records anyway.
    
    Should anything be changed?
    
    [0] <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_PowerDNS_pdns_issues_7315&d=DwICAg&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=9G8-4P__AMgxNOQPiu7FkrImeieALKYtfGBE8UTuyg4&m=yJ8xMytSvOQUH1EsEoepPvEQ6SYa1yHijUedldNfhlk&s=m84xrmDtbRp0jB9ubVHJ4-aLXEZN1V4AOGsmr0iTK2I&e=>
    [1] <https://urldefense.proofpoint.com/v2/url?u=https-3A__mn0.us_L-2Dwy&d=DwICAg&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=9G8-4P__AMgxNOQPiu7FkrImeieALKYtfGBE8UTuyg4&m=yJ8xMytSvOQUH1EsEoepPvEQ6SYa1yHijUedldNfhlk&s=ThfAT6Lr5oMKpShsZg11By-NRyrB-Xd4_QWOm4wDVtg&e=>
    <https://urldefense.proofpoint.com/v2/url?u=https-3A__community.letsencrypt.org_t_edns-2Dbuffer-2Dsize-2Dchanging-2Dto-2D512-2Dbytes_77945&d=DwICAg&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=9G8-4P__AMgxNOQPiu7FkrImeieALKYtfGBE8UTuyg4&m=yJ8xMytSvOQUH1EsEoepPvEQ6SYa1yHijUedldNfhlk&s=TjIrfufVVumABs3J_AihUdEEIkRH1s680VTk4K6os6I&e=>
    [2] <https://urldefense.proofpoint.com/v2/url?u=https-3A__mn0.us_XTNm&d=DwICAg&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=9G8-4P__AMgxNOQPiu7FkrImeieALKYtfGBE8UTuyg4&m=yJ8xMytSvOQUH1EsEoepPvEQ6SYa1yHijUedldNfhlk&s=th5AitrC1R2SSz90mZWp_fqxdD6ZD7Gbi03hKEZawcI&e=>
    <https://urldefense.proofpoint.com/v2/url?u=https-3A__groups.google.com_d_msg_mozilla.dev.security.policy_emREqhAZ3nM_ZNB35l-5FGBwAJ&d=DwICAg&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=9G8-4P__AMgxNOQPiu7FkrImeieALKYtfGBE8UTuyg4&m=yJ8xMytSvOQUH1EsEoepPvEQ6SYa1yHijUedldNfhlk&s=uRWL_0fDGLc9eqE_oNDsL3FEePsEoXHTXJ9OBUolF6A&e=>
    [3] <https://urldefense.proofpoint.com/v2/url?u=https-3A__community.letsencrypt.org_t_servfail-2Dwhile-2Drenewing_80430&d=DwICAg&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=9G8-4P__AMgxNOQPiu7FkrImeieALKYtfGBE8UTuyg4&m=yJ8xMytSvOQUH1EsEoepPvEQ6SYa1yHijUedldNfhlk&s=cFtA-kWXQHuATQ6LHso0tH0mUb7JHJrfPxdn_NpTfLU&e=>
    [4] <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc4472-23appendix-2DB&d=DwICAg&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=9G8-4P__AMgxNOQPiu7FkrImeieALKYtfGBE8UTuyg4&m=yJ8xMytSvOQUH1EsEoepPvEQ6SYa1yHijUedldNfhlk&s=jmx1Cgf4F-WWizn1GB7l7ZL4rCy4i4Ewy_lwwn6PvWc&e=>
    [5] <https://urldefense.proofpoint.com/v2/url?u=https-3A__mn0.us_Vn6R&d=DwICAg&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=9G8-4P__AMgxNOQPiu7FkrImeieALKYtfGBE8UTuyg4&m=yJ8xMytSvOQUH1EsEoepPvEQ6SYa1yHijUedldNfhlk&s=YREtU6mJUxoEDyQJWmSLJio9JJhEoJ_9Zsm7Qyh4VXY&e=>
    <https://urldefense.proofpoint.com/v2/url?u=https-3A__web.archive.org_web_20060714005533_http-3A__ops.ietf.org-3A80_lists_namedroppers_namedroppers.2005_msg01032.html&d=DwICAg&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=9G8-4P__AMgxNOQPiu7FkrImeieALKYtfGBE8UTuyg4&m=yJ8xMytSvOQUH1EsEoepPvEQ6SYa1yHijUedldNfhlk&s=Z-u1JFduCNdgHqu5P13b_MVTNbSIYlvMaVBYSzrQCGk&e=>
    
    Happy new year,
    -- 
    Matt Nordhoff
    _______________________________________________
    dns-operations mailing list
    dns-operations at lists.dns-oarc.net
    https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.dns-2Doarc.net_mailman_listinfo_dns-2Doperations&d=DwICAg&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=9G8-4P__AMgxNOQPiu7FkrImeieALKYtfGBE8UTuyg4&m=yJ8xMytSvOQUH1EsEoepPvEQ6SYa1yHijUedldNfhlk&s=yMVdoJl4FRO5qcbTWh1bAiiAA1Eb2cnprYYIwgl5HVE&e=
    dns-operations mailing list
    https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.dns-2Doarc.net_mailman_listinfo_dns-2Doperations&d=DwICAg&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=9G8-4P__AMgxNOQPiu7FkrImeieALKYtfGBE8UTuyg4&m=yJ8xMytSvOQUH1EsEoepPvEQ6SYa1yHijUedldNfhlk&s=yMVdoJl4FRO5qcbTWh1bAiiAA1Eb2cnprYYIwgl5HVE&e=

More information about the dns-operations mailing list