Trouble looking up various axc.nl TLSA RRs via Cloudflare DNS

Alexander Dupuy alexdupuy at google.com
Fri Oct 4 00:09:22 UTC 2019


In the past, I believe that when Cloudflare added negative trust anchors
(NTAs) for a domain name, it caused their Knot resolver to not request
DNSSEC data for names under the NTA (that is, it sent queries with DO=0).
As a result, downstream clients that attempt to validate those responses
are unable to do so, since the necessary DNSSEC records are not present.

    1. Reply from Cloudflare (request flags: RD=1, AD=1, DO=1):
>         _25._tcp.mail.axc.nl. IN TLSA ? ; NXDomain AD=0
>         axc.nl. IN SOA nsi1.axc.nl. hostmaster at axc.nl. 2019100301 28800 7200 2419200 86400 ; AD=0


Other resolvers are more insistent about DNSSEC, even for insecurely
delegated zones, or below an NTA, and will request it if their clients do,
or for some, even if they don't, in order to be able to propagate the
DNSSEC data.

When I query Cloudflare for this domain now (from NYC), I am getting the
DNSSEC data, so if it was an NTA that caused this issue, they have removed
it:

$ dig +nocmd +nocrypto +dnssec TLSA _25._tcp.mail.axc.nl @1.1.1.1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6211
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;_25._tcp.mail.axc.nl. IN TLSA

;; AUTHORITY SECTION:
axc.nl. 10045 IN SOA nsi1.axc.nl. hostmaster.axc.nl. 2019100301 28800 7200 2419200 86400
axc.nl. 10045 IN RRSIG SOA 8 2 14400 20191017000000 20190926000000 23340 axc.nl. [omitted]
mail.axc.nl. 646 IN NSEC mail-in.axc.nl. A RRSIG NSEC
mail.axc.nl. 646 IN RRSIG NSEC 8 3 86400 20191017000000 20190926000000 23340 axc.nl. [omitted]

;; Query time: 17 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Oct 03 19:44:19 EDT 2019
;; MSG SIZE  rcvd: 469
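
Added example, not part of the original message: a Python check over dig text output that tells a negative answer carrying signed denial-of-existence records apart from one where the DNSSEC records are absent, which is the situation described above for a resolver querying with DO=0. The second sample and the function name `classify` are constructed for this illustration; it checks only that the records are present, not that the signatures verify.

```python
import re

# Sample 1: abridged from the dig output in the message above.
SIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6211
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1452
;; AUTHORITY SECTION:
axc.nl. 10045 IN SOA nsi1.axc.nl. hostmaster.axc.nl. 2019100301 28800 7200 2419200 86400
axc.nl. 10045 IN RRSIG SOA 8 2 14400 20191017000000 20190926000000 23340 axc.nl. [omitted]
mail.axc.nl. 646 IN NSEC mail-in.axc.nl. A RRSIG NSEC
mail.axc.nl. 646 IN RRSIG NSEC 8 3 86400 20191017000000 20190926000000 23340 axc.nl. [omitted]
"""

# Sample 2: constructed, modelled on the quoted reply (SOA only, AD=0).
STRIPPED = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1452
;; AUTHORITY SECTION:
axc.nl. 10045 IN SOA nsi1.axc.nl. hostmaster.axc.nl. 2019100301 28800 7200 2419200 86400
"""

def classify(dig_text):
    """Return (status, ad_flag, verdict) for one negative dig response."""
    status = re.search(r"status: (\w+)", dig_text).group(1)
    flags = re.search(r"^;; flags: ([^;]*);", dig_text, re.M).group(1).split()
    rrtypes, covered = set(), set()
    for line in dig_text.splitlines():
        f = line.split()
        # Skip comment lines and anything that is not "<name> <ttl> IN <type> ..."
        if line.startswith(";") or len(f) < 5 or f[2] != "IN":
            continue
        rrtypes.add(f[3])
        if f[3] == "RRSIG":
            covered.add(f[4])  # RR type this signature covers
    denial = {"NSEC", "NSEC3"} & rrtypes
    if denial and denial <= covered:
        verdict = "validatable"  # signed NSEC/NSEC3 present for a downstream validator
    elif "RRSIG" in rrtypes:
        verdict = "partial"      # some signatures, but no signed denial record
    else:
        verdict = "stripped"     # no DNSSEC records at all
    return status, "ad" in flags, verdict

if __name__ == "__main__":
    for name, text in (("signed", SIGNED), ("stripped", STRIPPED)):
        print(name, classify(text))
```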