[dns-operations] Trouble looking up various axc.nl TLSA RRs via Cloudflare DNS
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Oct 3 07:26:42 UTC 2019
My DNSSEC/DANE survey host unbound resolver forwards lookups for
some domains to four of the major public DNS providers (Cloudflare,
Google, Quad9 and Verisign).
Lately I am seeing unexpected failures resolving axc.nl MX host
TLSA records when Cloudflare happens to be used to resolve the
query.
Can anyone from Cloudflare offer an explanation? Is this a
feature or a bug? Anyone else seeing different results?
This creates false positives for denial of existence issues at
axc.nl. The other providers, DNSViz and direct validation via
"unbound-host -D" see no issues.
For example:
1. Reply from Cloudflare (request flags: RD=1, AD=1, DO=1):
_25._tcp.mail.axc.nl. IN TLSA ? ; NXDomain AD=0
axc.nl. IN SOA nsi1.axc.nl. hostmaster.axc.nl. 2019100301 28800 7200 2419200 86400 ; AD=0
2. Identical replies from each of Google, Quad9 and Verisign:
_25._tcp.mail.axc.nl. IN TLSA ? ; NXDomain AD=1
axc.nl. IN SOA nsi1.axc.nl. hostmaster.axc.nl. 2019100301 28800 7200 2419200 86400 ; AD=1
axc.nl. IN RRSIG SOA 8 2 14400 20191017000000 20190926000000 23340 axc.nl. N7n7WT6Pz83Vq4ikTdHzWQP6y1Hqa0x+8TWHnVmgOQ2WsyliqMjzc7wydB1Qcw6kbcRiPX/JBS7iAeeMJW4aEL5iLWi0i/KdQZ0V/1ccChUYdHNfeqzLgGF8RRzjkPL1VIySNqdp4DrBMpZr7UbrRP7IjgxR30COCrAdEyaOH2A= ; AD=1
mail.axc.nl. IN NSEC mail-in.axc.nl. A RRSIG NSEC ; AD=1
mail.axc.nl. IN RRSIG NSEC 8 3 86400 20191017000000 20190926000000 23340 axc.nl. DWWMGBX9fX6yk6+lJoY7AKuxRd8kwbHkKBwTpdHcQsuwsiZrInbqjSKDch74ptlfTGrTMQrrnz8GC35ffsNg9XVTjfje6tXJiNPa3W1Q49031Xlz4WfJJPDVBbG5zK6YcVQtrVc7yBVEFj1UgGGfyB8X658+VZ9cgbdpf4i8Qhw= ; AD=1
I also observe the same results when the query is sent from
"dane.sys4.de" in Germany, rather than my server in NYC.
$ dig +dnssec +nsid +nocl +nottl @1.0.0.1 -t tlsa _25._tcp.mail.axc.nl.
; <<>> DiG 9.11.1-P3 <<>> +dnssec +nsid +nocl +nottl @1.0.0.1 -t tlsa _25._tcp.mail.axc.nl.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36081
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;_25._tcp.mail.axc.nl. IN TLSA
;; AUTHORITY SECTION:
axc.nl. SOA nsi1.axc.nl. hostmaster.axc.nl. 2019100301 28800 7200 2419200 86400
;; Query time: 95 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: Thu Oct 03 09:16:21 CEST 2019
;; MSG SIZE rcvd: 101
--
Viktor.
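The practical check behind this report is whether an NXDOMAIN reply that a forwarder receives with DO=1 is usable by a validating resolver: it needs either AD=1 from an upstream it trusts, or the NSEC/NSEC3 plus RRSIG records so it can validate the denial itself. A reply with neither (the Cloudflare case above) cannot be validated and surfaces as a bogus denial of existence. The script below is an added example, not code from the post or from any of the resolver operators: it parses DNS wire-format replies with the Python standard library only and classifies them, and the two sample replies it builds are constructed to mirror the two cases in the post (the RRSIG and NSEC rdata are placeholders, not real signatures). The `query_udp` helper, the 1232-byte EDNS buffer size and the query ID are assumptions for illustration.

```python
"""Classify a DNS denial-of-existence reply as authenticated or not.

Added example (not from the original post). Parses raw wire-format replies
and reports whether an NXDOMAIN/NODATA carries AD=1 plus the NSEC/NSEC3+RRSIG
proof a validating forwarder needs. Sample replies are constructed below.
"""
import socket
import struct

TYPE_SOA, TYPE_OPT, TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3, TYPE_TLSA = 6, 41, 46, 47, 50, 52
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: resume after the first pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(qid, qname, qtype):
    """RD=1 AD=1 query with an EDNS0 OPT record carrying DO=1 (as the post's resolver sends)."""
    hdr = struct.pack("!HHHHHH", qid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0x00008000, 0)  # class=UDP size, ttl=DO flag
    return hdr + question + opt


def build_reply(qid, flags, qname, qtype, authority):
    """Construct a minimal uncompressed reply; authority is [(name, type, rdata bytes)]."""
    hdr = struct.pack("!HHHHHH", qid, flags, 1, 0, len(authority), 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, rdata in authority:
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return hdr + body


def parse_reply(msg):
    """Parse header, question and the three RR sections into a dict."""
    qid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    off += 4
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            sections[sec].append((name, rtype, msg[off:off + rdlen]))
            off += rdlen
    return {"id": qid, "rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
            "qname": qname, "qtype": qtype, **sections}


def classify_denial(msg):
    """Return 'answer', 'error', 'authenticated-denial', 'unauthenticated-denial' or 'inconsistent'."""
    r = parse_reply(msg)
    if r["rcode"] == RCODE_NOERROR and r["answer"]:
        return "answer"
    if r["rcode"] not in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return "error"
    types = {t for _, t, _ in r["authority"]}
    has_proof = bool(types & {TYPE_NSEC, TYPE_NSEC3}) and TYPE_RRSIG in types
    if r["ad"] and has_proof:
        return "authenticated-denial"
    if not r["ad"] and not has_proof:
        return "unauthenticated-denial"
    return "inconsistent"  # AD=1 without proof records, or proof present but AD=0


def query_udp(server, qname, qtype, timeout=3.0):
    """Send build_query() to a resolver over UDP and return the raw reply (network; assumption)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(0x1234, qname, qtype), (server, 53))
        return s.recv(4096)


# Constructed samples mirroring the post; RRSIG/NSEC rdata are placeholders, not real signatures.
QNAME = "_25._tcp.mail.axc.nl."
SOA_RDATA = encode_name("nsi1.axc.nl.") + encode_name("hostmaster.axc.nl.") + \
    struct.pack("!IIIII", 2019100301, 28800, 7200, 2419200, 86400)
NSEC_RDATA = encode_name("mail-in.axc.nl.") + b"\x00\x06\x40\x00\x00\x00\x00\x03"  # bitmap: A RRSIG NSEC
CLOUDFLARE_STYLE = build_reply(36081, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_NXDOMAIN, QNAME, TYPE_TLSA,
                               [("axc.nl.", TYPE_SOA, SOA_RDATA)])
OTHERS_STYLE = build_reply(36081, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD | RCODE_NXDOMAIN, QNAME, TYPE_TLSA,
                           [("axc.nl.", TYPE_SOA, SOA_RDATA), ("axc.nl.", TYPE_RRSIG, b"\x00" * 24),
                            ("mail.axc.nl.", TYPE_NSEC, NSEC_RDATA), ("mail.axc.nl.", TYPE_RRSIG, b"\x00" * 24)])

if __name__ == "__main__":
    for label, reply in (("Cloudflare-style", CLOUDFLARE_STYLE), ("Google/Quad9/Verisign-style", OTHERS_STYLE)):
        print(label, "->", classify_denial(reply))
```

To run it against a live resolver, replace the constructed replies with `classify_denial(query_udp("1.0.0.1", QNAME, TYPE_TLSA))`; note that the classifier only checks that the proof records are present, not that the RRSIGs verify, which is the validating resolver's job.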