[dns-operations] Trouble looking up various axc.nl TLSA RRs via Cloudflare DNS
Marek Vavruša
marek at vavrusa.com
Thu Oct 3 17:32:35 UTC 2019
Hi Viktor,
On Thu, 3 Oct 2019 at 00:45, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> My DNSSEC/DANE survey host unbound resolver forwards lookups for
> some domains to four of the major public DNS providers (Cloudflare,
> Google, Quad9 and Verisign).
>
> Lately I am seeing unexpected failures resolving axc.nl MX host
> TLSA records when Cloudflare happens to be used to resolve the
> query.
>
> Can anyone from Cloudflare offer an explanation? Is this is a
> feature or a bug? Anyone else seeing different results?
This was a NTA added for
https://github.com/dns-violations/dns-violations/blob/f93c7477098da82ab39626a0ed8de07970bb0570/2017/DVE-2017-0009.md
It seems like this was fixed. I've removed the NTA, so it should be
validating again.
> This creates false positives for denial of existence issues at
> axc.nl. The other providers, DNSViz and direct validation via
> "unbound-host -D" see no issues.
>
> For example:
>
> 1. Reply from Cloudflare (request flags: RD=1, AD=1, DO=1):
>
> _25._tcp.mail.axc.nl. IN TLSA ? ; NXDomain AD=0
> axc.nl. IN SOA nsi1.axc.nl. hostmaster at axc.nl. 2019100301 28800 7200 2419200 86400 ; AD=0
>
> 2. Identical replies from each of Google, Quad8 and Verisign:
>
> _25._tcp.mail.axc.nl. IN TLSA ? ; NXDomain AD=1
> axc.nl. IN SOA nsi1.axc.nl. hostmaster at axc.nl. 2019100301 28800 7200 2419200 86400 ; AD=1
> axc.nl. IN RRSIG SOA 8 2 14400 20191017000000 20190926000000 23340 axc.nl. N7n7WT6Pz83Vq4ikTdHzWQP6y1Hqa0x+8TWHnVmgOQ2WsyliqMjzc7wydB1Qcw6kbcRiPX/JBS7iAeeMJW4aEL5iLWi0i/KdQZ0V/1ccChUYdHNfeqzLgGF8RRzjkPL1VIySNqdp4DrBMpZr7UbrRP7IjgxR30COCrAdEyaOH2A= ; AD=1
> mail.axc.nl. IN NSEC mail-in.axc.nl. A RRSIG NSEC ; AD=1
> mail.axc.nl. IN RRSIG NSEC 8 3 86400 20191017000000 20190926000000 23340 axc.nl. DWWMGBX9fX6yk6+lJoY7AKuxRd8kwbHkKBwTpdHcQsuwsiZrInbqjSKDch74ptlfTGrTMQrrnz8GC35ffsNg9XVTjfje6tXJiNPa3W1Q49031Xlz4WfJJPDVBbG5zK6YcVQtrVc7yBVEFj1UgGGfyB8X658+VZ9cgbdpf4i8Qhw= ; AD=1
>
> I also observe the same results when the query is sent from
> "dane.sys4.de" in Germany, rather than my server in NYC.
>
> $ dig +dnssec +nsid +nocl +nottl @1.0.0.1 -t tlsa _25._tcp.mail.axc.nl.
> ; <<>> DiG 9.11.1-P3 <<>> +dnssec +nsid +nocl +nottl @1.0.0.1 -t tlsa _25._tcp.mail.axc.nl.
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36081
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1452
> ;; QUESTION SECTION:
> ;_25._tcp.mail.axc.nl. IN TLSA
>
> ;; AUTHORITY SECTION:
> axc.nl. SOA nsi1.axc.nl. hostmaster.axc.nl. 2019100301 28800 7200 2419200 86400
>
> ;; Query time: 95 msec
> ;; SERVER: 1.0.0.1#53(1.0.0.1)
> ;; WHEN: Thu Oct 03 09:16:21 CEST 2019
> ;; MSG SIZE rcvd: 101
>
> --
> Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
More information about the dns-operations
mailing list