[dns-operations] Lingering public DNS bugs at CloudFlare and Verisign.

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Apr 10 19:23:55 UTC 2020


As reported earlier...

On Mon, Mar 30, 2020 at 01:19:21AM -0400, Viktor Dukhovni wrote:

> The authoritative servers look fine to me and DNSViz:
> 
>     https://dnsviz.net/d/_25._tcp.yellow.xy1.nl/XoF-Kg/dnssec/
> 
> but, Cloudflare alone among the big four public DNS services returns
> ServFail, along with most of the answer (sans DNAME RR):
> 
>  Mangled:
>     @1.1.1.1
>     @1.0.0.1
>     _25._tcp.yellow.xy1.nl. IN CNAME _25._tcp.xy1.nl. ; ServFail AD=0
>     _25._tcp.xy1.nl. IN CNAME _dane.xy1.nl. ; ServFail AD=0
>     _dane.xy1.nl. IN TLSA 2 1 1 <...> ; ServFail AD=0
>
>  Correct:
>     @8.8.8.8
>     @8.8.4.4
>     _tcp.yellow.xy1.nl. IN DNAME _tcp.xy1.nl. ; NoError AD=1
>     _25._tcp.yellow.xy1.nl. IN CNAME _25._tcp.xy1.nl. ; NoError AD=1
>     _25._tcp.xy1.nl. IN CNAME _dane.xy1.nl. ; NoError AD=1
>     _dane.xy1.nl. IN TLSA 2 1 1 <...> ; NoError AD=1

On Tue, Mar 24, 2020 at 02:39:24AM -0400, Viktor Dukhovni wrote:

> army.mil (lots of dots in the first rname label):
> 
>  Mangled:
>     $ dig +dnssec -t soa +noall +ans +add army.mil @64.6.64.6
>     army.mil. IN SOA ns01.army.mil. usarmy.huachuca.netcom.mesg.epdns-global.mail.mil. <...>
>     army.mil. IN RRSIG SOA 8 2 3600 20200328054853 20200324044853 51378 army.mil. <...>
> 
>  Correct:
>     $ dig +dnssec -t soa +noall +ans +add army.mil @8.8.8.8
>     army.mil. IN SOA ns01.army.mil. usarmy\.huachuca\.netcom\.mesg\.epdns-global.mail.mil. <...>
>     army.mil. IN RRSIG SOA 8 2 3600 20200328061900 20200324051900 51378 army.mil. <...>

It would be great to get a sense of the timeline for getting these
issues addressed.

Both can impact email delivery to the affected domains when the public
resolvers in question are used as forwarders and TLSA lookups fail.

-- 
    Viktor.
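The army.mil SOA renderings quoted above differ only in whether the dots inside the first rname label are backslash-escaped, but that difference is not cosmetic: in presentation format (RFC 1035 §5.1, RFC 4343) an unescaped dot separates labels, so the unescaped rendering denotes a seven-label name where the signed data carries three labels. The following Python is an added example, not code from the original post or from either resolver operator; it parses both renderings, re-encodes them in wire format, and shows that they are different names (and that the escaped form round-trips). The two input strings are copied from the dig output above; everything else is constructed for the example.

```python
# Added example (not from the original post): RFC 1035 presentation-format
# escaping of DNS names, used to show that the two "army.mil" SOA rname
# renderings decode to different label sequences and different wire names.
from typing import List

# Inputs copied from the two dig renderings quoted in the post.
MANGLED_RNAME = "usarmy.huachuca.netcom.mesg.epdns-global.mail.mil"
CORRECT_RNAME = r"usarmy\.huachuca\.netcom\.mesg\.epdns-global.mail.mil"


def from_presentation(text: str) -> List[str]:
    """Parse a presentation-format name into its labels.

    Handles both RFC 1035 escape forms: "\\X" for a literal character X
    (e.g. "\\." for a dot inside a label) and "\\DDD" for a byte written as
    three decimal digits. A trailing dot (absolute name) is accepted; the
    root name "." yields an empty label list.
    """
    if text == ".":
        return []
    labels: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\":
            digits = text[i + 1:i + 4]
            if len(digits) == 3 and digits.isdigit():
                code = int(digits)
                if code > 255:
                    raise ValueError("\\DDD escape out of range")
                cur.append(chr(code))
                i += 4
            elif i + 1 < len(text):
                cur.append(text[i + 1])
                i += 2
            else:
                raise ValueError("dangling backslash")
        elif c == ".":
            if not cur:
                raise ValueError("empty label")
            labels.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if cur:
        labels.append("".join(cur))
    return labels


def to_presentation(labels: List[str]) -> str:
    """Render labels in presentation format, escaping dots, backslashes and
    non-printable bytes so that the result parses back to the same labels."""
    out = []
    for label in labels:
        esc = []
        for ch in label:
            if ch in ".\\":
                esc.append("\\" + ch)
            elif not 0x21 <= ord(ch) <= 0x7E:
                esc.append("\\%03d" % ord(ch))
            else:
                esc.append(ch)
        out.append("".join(esc))
    return ".".join(out)


def to_wire(labels: List[str]) -> bytes:
    """Encode labels as an uncompressed wire-format name: length-prefixed
    labels terminated by the zero-length root label."""
    wire = bytearray()
    for label in labels:
        raw = label.encode("latin-1")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63 octets")
        wire.append(len(raw))
        wire += raw
    wire.append(0)
    return bytes(wire)


def same_name(a: str, b: str) -> bool:
    """True when two presentation-format names denote the same wire name."""
    return to_wire(from_presentation(a)) == to_wire(from_presentation(b))


if __name__ == "__main__":
    for name in (CORRECT_RNAME, MANGLED_RNAME):
        labels = from_presentation(name)
        print(f"{name}\n  -> {len(labels)} labels, wire {to_wire(labels).hex()}")
    print("same wire name:", same_name(CORRECT_RNAME, MANGLED_RNAME))
```

Because an RRSIG covers the wire-format RDATA of the RRset (RFC 4034 §6.2), a resolver that alters the label structure of the SOA rname hands downstream validators bytes that no longer match the signature, which is why the escaping matters beyond how the name is printed.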