[dns-operations] Quad9 denial of existence for _25._tcp.mx1.p01.antagonist.nl IN TLSA

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Nov 26 04:27:51 UTC 2019 

According DNSViz, and the Cloudflare, Google and Verisign public resolvers the
qname below has a TLSA record, but Quad returns an apparently valid denial of
existence.  It is possible that Quad9 is "the guilty party" here only by
accident, and had I asked at another time, some other server would return the
unexpected denial of existence.

No idea where the associated RRSIGs and NSEC3 records are coming from.  Perhaps
there are some nameservers (reached via Quad9) for antagonist.nl that have a
zone file in which the empty-non-terminal "_tcp" is missing...

    $ dig +dnssec +noall +comment +ans +auth -t tlsa _25._tcp.mx1.p01.antagonist.nl @9.9.9.10
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10642
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 512
    ;; AUTHORITY SECTION:
    antagonist.nl.          180     IN      SOA     ns1.antagonist.nl. hostmaster.antagonist.nl. 2018052300 180 3600 1209600 86400
    cueh7hkbnbrqk65590909p4r0pq6cd45.antagonist.nl. 43200 IN NSEC3 1 0 1 AB D04COHDERT50P43FHSP1N5F7LDVTORH7 A AAAA RRSIG
    i33uq5toep0fslekf0mqpnv6pb6s002e.antagonist.nl. 43200 IN NSEC3 1 0 1 AB IDTV8EDH9FRO5UU2OC4N3PUM51SRLDGH A RRSIG
    g7u4gpdfmf579evnnqmc3v816rafktip.antagonist.nl. 43200 IN NSEC3 1 0 1 AB GFL0IAO83UJDAA6IHCTHFGL6T4KNILQO A RRSIG
    antagonist.nl.          180     IN      RRSIG   SOA 13 2 180 20191205000000 20191114000000 47684 antagonist.nl. TjahhD+sFLbHkIAUcUFFo+vC4icQKK2Zh+74BN+eFQ9JhkZaQ6AMYNbT wGfDZuNntzd2C3FS4SiIptAr6fOkvA==
    cueh7hkbnbrqk65590909p4r0pq6cd45.antagonist.nl. 86400 IN RRSIG NSEC3 13 3 86400 20191205000000 20191114000000 47684 antagonist.nl. 5KPt3wExlfKg4tZJ1fdR1xhnj8x8DsmgYR2+pCHkcc041thw3E6jQCfY CESVytcQcp6Zb/uJ3zxNXExJkEzZoQ==
    i33uq5toep0fslekf0mqpnv6pb6s002e.antagonist.nl. 86400 IN RRSIG NSEC3 13 3 86400 20191205000000 20191114000000 47684 antagonist.nl. Wrzps6dY9zhq14kBiFp0KwDqdkMtceOMV2cMKPkznhxFcsmpsTazZX1Z MAw/565cRwpWRoU5LuGNzGHg3ZstUQ==
    g7u4gpdfmf579evnnqmc3v816rafktip.antagonist.nl. 86400 IN RRSIG NSEC3 13 3 86400 20191205000000 20191114000000 47684 antagonist.nl. DBJvz7HbYSFS/PHtTXD2qMwsKuWXoqNj8MPNMIk84Jv4kY1w52EevWIS nIgDknp9DbzYcczQzOOu1cyEYulYPg==

    6d1aa3h9jtqjdp0vjblqej9e17ub81hs. _25._tcp.mx1.p01.antagonist.nl
    v3rrfku7an9uo5qeuhbdndnruhp9esar. *._tcp.mx1.p01.antagonist.nl
    i9sp4p909spoci68n9q0r33hk9fes0n4. _tcp.mx1.p01.antagonist.nl    (Covered)
    g90cq1j49b7nkrom5lcojqals2gittit. *.mx1.p01.antagonist.nl       (Covered)
    cueh7hkbnbrqk65590909p4r0pq6cd45. mx1.p01.antagonist.nl         (Covered, closest encloser)
    sac7gh66m6avf55q05gbfhh91a48hstf. *.p01.antagonist.nl
    iupnvfafqalai3eke44m2vi4vr89lgpk. p01.antagonist.nl
    83jtudmler6j6tailr1f6hktosq1mvc4. *.antagonist.nl
    29eiirrkt62jjrrigm5ouurhdt4p682u. antagonist.nl

-- 
    Viktor.

More information about the dns-operations mailing list