[dns-operations] Trouble looking up various axc.nl TLSA RRs via Cloudflare DNS

Marek Vavruša marek at vavrusa.com
Thu Oct 3 17:32:35 UTC 2019


Hi Viktor,

On Thu, 3 Oct 2019 at 00:45, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> My DNSSEC/DANE survey host unbound resolver forwards lookups for
> some domains to four of the major public DNS providers (Cloudflare,
> Google, Quad9 and Verisign).
>
> Lately I am seeing unexpected failures resolving axc.nl MX host
> TLSA records when Cloudflare happens to be used to resolve the
> query.
>
> Can anyone from Cloudflare offer an explanation?  Is this is a
> feature or a bug?  Anyone else seeing different results?

This was an NTA added for
https://github.com/dns-violations/dns-violations/blob/f93c7477098da82ab39626a0ed8de07970bb0570/2017/DVE-2017-0009.md
It seems like this was fixed. I've removed the NTA, so it should be
validating again.

> This creates false positives for denial of existence issues at
> axc.nl.  The other providers, DNSViz and direct validation via
> "unbound-host -D" see no issues.
>
> For example:
>
>     1. Reply from Cloudflare (request flags: RD=1, AD=1, DO=1):
>
>         _25._tcp.mail.axc.nl. IN TLSA ? ; NXDomain AD=0
>         axc.nl. IN SOA nsi1.axc.nl. hostmaster at axc.nl. 2019100301 28800 7200 2419200 86400 ; AD=0
>
>     2. Identical replies from each of Google, Quad9 and Verisign:
>
>         _25._tcp.mail.axc.nl. IN TLSA ? ; NXDomain AD=1
>         axc.nl. IN SOA nsi1.axc.nl. hostmaster at axc.nl. 2019100301 28800 7200 2419200 86400 ; AD=1
>         axc.nl. IN RRSIG SOA 8 2 14400 20191017000000 20190926000000 23340 axc.nl. N7n7WT6Pz83Vq4ikTdHzWQP6y1Hqa0x+8TWHnVmgOQ2WsyliqMjzc7wydB1Qcw6kbcRiPX/JBS7iAeeMJW4aEL5iLWi0i/KdQZ0V/1ccChUYdHNfeqzLgGF8RRzjkPL1VIySNqdp4DrBMpZr7UbrRP7IjgxR30COCrAdEyaOH2A= ; AD=1
>         mail.axc.nl. IN NSEC mail-in.axc.nl. A RRSIG NSEC ; AD=1
>         mail.axc.nl. IN RRSIG NSEC 8 3 86400 20191017000000 20190926000000 23340 axc.nl. DWWMGBX9fX6yk6+lJoY7AKuxRd8kwbHkKBwTpdHcQsuwsiZrInbqjSKDch74ptlfTGrTMQrrnz8GC35ffsNg9XVTjfje6tXJiNPa3W1Q49031Xlz4WfJJPDVBbG5zK6YcVQtrVc7yBVEFj1UgGGfyB8X658+VZ9cgbdpf4i8Qhw= ; AD=1
>
> I also observe the same results when the query is sent from
> "dane.sys4.de" in Germany, rather than my server in NYC.
>
>     $ dig +dnssec +nsid  +nocl +nottl @1.0.0.1 -t tlsa _25._tcp.mail.axc.nl.
>     ; <<>> DiG 9.11.1-P3 <<>> +dnssec +nsid +nocl +nottl @1.0.0.1 -t tlsa _25._tcp.mail.axc.nl.
>     ; (1 server found)
>     ;; global options: +cmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36081
>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
>     ;; OPT PSEUDOSECTION:
>     ; EDNS: version: 0, flags: do; udp: 1452
>     ;; QUESTION SECTION:
>     ;_25._tcp.mail.axc.nl.  IN TLSA
>
>     ;; AUTHORITY SECTION:
>     axc.nl.                 SOA     nsi1.axc.nl. hostmaster.axc.nl. 2019100301 28800 7200 2419200 86400
>
>     ;; Query time: 95 msec
>     ;; SERVER: 1.0.0.1#53(1.0.0.1)
>     ;; WHEN: Thu Oct 03 09:16:21 CEST 2019
>     ;; MSG SIZE  rcvd: 101
>
> --
>         Viktor.
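The discrepancy Viktor reports is easy to miss when only one resolver is queried: an NTA turns a signed denial of existence into an unvalidated NXDOMAIN (AD=0, no NSEC/RRSIG in the authority section), and a survey or a DANE client that treats that as "no TLSA records" produces exactly the false positive described above. The script below is an added example, not code from either poster: it parses saved `dig +dnssec` output from several resolvers and flags any resolver whose NXDOMAIN is neither validated nor accompanied by a signed denial proof. The Cloudflare reply is taken from the message; the second reply is constructed in the shape the message reports for Google/Quad9/Verisign (AD=1 with SOA, NSEC and covering RRSIGs), with placeholder signature data.

```python
"""Compare DNSSEC validation results for one name across public resolvers.

Added example (not part of the dns-operations thread): parse `dig +dnssec`
output captured from several resolvers and flag the NTA symptom seen in the
thread, i.e. NXDOMAIN with AD=0 and no NSEC/NSEC3 + RRSIG denial proof while
other resolvers return a validated denial for the same name.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Cloudflare reply as shown in the original message, trimmed to the lines parsed here.
CLOUDFLARE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36081
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;_25._tcp.mail.axc.nl.  IN TLSA

;; AUTHORITY SECTION:
axc.nl.                 SOA     nsi1.axc.nl. hostmaster.axc.nl. 2019100301 28800 7200 2419200 86400

;; Query time: 95 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
"""

# Constructed reply in the shape the message reports for Google/Quad9/Verisign
# (AD=1, SOA + NSEC + covering RRSIGs). PLACEHOLDER-SIG stands in for signature data.
GOOGLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; QUESTION SECTION:
;_25._tcp.mail.axc.nl.  IN TLSA

;; AUTHORITY SECTION:
axc.nl.                 SOA     nsi1.axc.nl. hostmaster.axc.nl. 2019100301 28800 7200 2419200 86400
axc.nl.                 RRSIG   SOA 8 2 14400 20191017000000 20190926000000 23340 axc.nl. PLACEHOLDER-SIG
mail.axc.nl.            NSEC    mail-in.axc.nl. A RRSIG NSEC
mail.axc.nl.            RRSIG   NSEC 8 3 86400 20191017000000 20190926000000 23340 axc.nl. PLACEHOLDER-SIG

;; SERVER: 8.8.8.8#53(8.8.8.8)
"""


@dataclass
class DigSummary:
    resolver: str = "?"
    status: str = "?"
    flags: Set[str] = field(default_factory=set)
    authority_types: List[str] = field(default_factory=list)

    def validated(self) -> bool:
        """AD=1: the resolver itself validated the (non-)answer."""
        return "ad" in self.flags

    def has_denial_proof(self) -> bool:
        """A signed denial of existence carries NSEC or NSEC3 plus RRSIG records."""
        types = set(self.authority_types)
        return bool(types & {"NSEC", "NSEC3"}) and "RRSIG" in types


def _rrtype(line: str) -> Optional[str]:
    """RR type of a dig record line; tolerates present or absent TTL/class columns."""
    for tok in line.split()[1:]:
        if tok.isdigit() or tok in ("IN", "CH", "HS"):
            continue
        return tok
    return None


def parse_dig(text: str) -> DigSummary:
    """Extract rcode, header flags, server and authority-section RR types."""
    summary = DigSummary()
    section = None
    for line in text.splitlines():
        if not line.strip():
            section = None  # a blank line ends the current section
            continue
        m = re.search(r"status: (\w+)", line)
        if line.startswith(";; ->>HEADER<<-") and m:
            summary.status = m.group(1)
            continue
        m = re.match(r";; flags: ([^;]*);", line)
        if m:
            summary.flags = set(m.group(1).split())
            continue
        m = re.match(r";; SERVER: (\S+)", line)
        if m:
            summary.resolver = m.group(1).split("#")[0]
            continue
        if line.startswith(";;") and line.endswith("SECTION:"):
            section = line[3:].split()[0]  # AUTHORITY, QUESTION, OPT, ...
            continue
        if line.startswith(";"):
            continue
        if section == "AUTHORITY":
            rrtype = _rrtype(line)
            if rrtype:
                summary.authority_types.append(rrtype)
    return summary


def compare_resolvers(summaries: List[DigSummary]) -> List[str]:
    """Flag resolvers whose NXDOMAIN is neither validated nor provable."""
    findings = []
    if len({s.status for s in summaries}) > 1:
        findings.append("rcode differs across resolvers: "
                        + ", ".join(f"{s.resolver}={s.status}" for s in summaries))
    for s in summaries:
        if s.status != "NXDOMAIN":
            continue
        if not s.validated() and not s.has_denial_proof():
            findings.append(f"{s.resolver}: unvalidated NXDOMAIN (AD=0) with no NSEC/NSEC3+RRSIG "
                            "proof; treat the TLSA lookup as insecure, not as a validated denial")
        elif s.validated() and not s.has_denial_proof():
            findings.append(f"{s.resolver}: AD=1 but the reply carries no denial-of-existence proof")
    return findings


if __name__ == "__main__":
    for finding in compare_resolvers([parse_dig(CLOUDFLARE_DIG), parse_dig(GOOGLE_DIG)]):
        print(finding)
```

Run against the two captures it reports only the Cloudflare reply; once the NTA is removed, as Marek describes, the same capture should come back with AD=1 and the NSEC/RRSIG records and produce no finding.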
