[dns-operations] At least 3 CloudFlare DNS-hosted domains with oddball TLSA lookup ServFail

Viktor Dukhovni ietf-dane@dukhovni.org
Sun Apr 19 06:55:58 UTC 2020


The CloudFlare auth servers return ServFail for the TLSA lookup of:

    https://dnsviz.net/d/_25._tcp.mx01.mx-hosting.ch/XpvvXg/dnssec/
    https://dnsviz.net/d/_25._tcp.mail.markleenen.eu/Xpvvcg/dnssec/
    https://dnsviz.net/d/_25._tcp.box.nobodyghost.net/Xpvvow/dnssec/

For all three, "A" lookups for the same qname return valid denial of
existence:

    _25._tcp.mx01.mx-hosting.ch. IN A ?
    mx-hosting.ch. IN SOA alla.ns.cloudflare.com. dns@cloudflare.com. 2033851210 10000 2400 604800 3600
    mx-hosting.ch. IN RRSIG SOA 13 2 3600 20200420074057 20200418054057 34505 mx-hosting.ch. /UdtXD25WrZSBniBBtO+i3HSJaqJgeGf/xIt/NVRKjvBTjDdn8u1lf1L1nHxA4SnX25MseCt+rvzUsn0Qk40dA==
    _25._tcp.mx01.mx-hosting.ch. IN NSEC \000._25._tcp.mx01.mx-hosting.ch. HINFO MX TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF CAA
    _25._tcp.mx01.mx-hosting.ch. IN RRSIG NSEC 13 5 3600 20200420074057 20200418054057 34505 mx-hosting.ch. ZielhuDJf3hD4fxBfgXSAYVD8TvgkLL1swZPiWGDsTodwgM4U0A7D27i/UBhxRsV6BnCGco3UuRtBuI2frLKlw==

    _25._tcp.mail.markleenen.eu. IN A ?
    markleenen.eu. IN SOA darl.ns.cloudflare.com. dns@cloudflare.com. 2033859863 10000 2400 604800 3600
    markleenen.eu. IN RRSIG SOA 13 2 3600 20200420074525 20200418054525 34505 markleenen.eu. ifsayHev5tJ4baUIwUR9b+HiFBc0aHsPbPxi4fOkV15lIKOxzyioxoT11pg5TTzMzlOwfmASo2hAMIjPVtaJQg==
    _25._tcp.mail.markleenen.eu. IN NSEC \000._25._tcp.mail.markleenen.eu. HINFO MX TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF CAA
    _25._tcp.mail.markleenen.eu. IN RRSIG NSEC 13 5 3600 20200420074525 20200418054525 34505 markleenen.eu. e1V94BttXUGsBQLQq9cEJD/lqoeTzA+Z/d0RFgeJR3i5qoAa1jOpTRldxHSQnJUcb95S6f9qOZ85BLbrZ3Bzbw==

    _25._tcp.box.nobodyghost.net. IN A ?
    nobodyghost.net. IN SOA ernest.ns.cloudflare.com. dns@cloudflare.com. 2033875276 10000 2400 604800 3600
    nobodyghost.net. IN RRSIG SOA 13 2 3600 20200420074525 20200418054525 34505 nobodyghost.net. 9aH2tAT34IFLVuQNcFcGxzA6bjSPs6BLAAf4atFTUSpWp590UCkvYHs80gN05WbtmBPFoLSNo5GSYbWwk13JHA==
    _25._tcp.box.nobodyghost.net. IN NSEC \000._25._tcp.box.nobodyghost.net. HINFO MX TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF CAA
    _25._tcp.box.nobodyghost.net. IN RRSIG NSEC 13 5 3600 20200420074525 20200418054525 34505 nobodyghost.net. igoW77YIYQvEm2iJ/JmMtgTuBfmVv4wL/6aw2J50JWY+4DEDdWZXsmWUI0xG9L7DfYCVonv5Xp/h2QwYM28PpA==

but the NSEC RR promises TLSA records, among a rather oddball mix of
other rrtypes:

    HINFO MX TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF CAA

that one would not expect to see associated with the qname in question.
My guess is that none of these are actually present, hence the ServFail.

-- 
    Viktor.
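The contradiction Viktor points at can be checked mechanically: an NSEC owned by the qname is a NODATA proof only for types absent from its signed type bitmap, so once the bitmap asserts TLSA, a validating resolver could not accept a NODATA answer for TLSA at that name. The script below is an added example and is not part of the post or of any Cloudflare or DNSViz tooling. It embeds the first NSEC record quoted above as a constructed sample, uses the IANA RR type numbers for the types that appear in these bitmaps, implements the RFC 4034 section 4.1.2 type-bitmap wire encoding, and classifies the NSEC as a proof for a given (qname, qtype); it also tests for the "next name is \000.owner" shape seen in all three lookups, which covers no other name in canonical order.

```python
"""Classify an NSEC record offered as a NODATA proof (added example; stdlib only)."""
from __future__ import annotations

# IANA RR type numbers for the types in the quoted bitmaps plus the lookups compared.
RRTYPES = {
    "A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "HINFO": 13, "MX": 15, "TXT": 16,
    "AAAA": 28, "LOC": 29, "SRV": 33, "CERT": 37, "SSHFP": 44, "RRSIG": 46,
    "NSEC": 47, "TLSA": 52, "HIP": 55, "OPENPGPKEY": 61, "SPF": 99, "CAA": 257,
}

# Constructed sample: the NSEC RR from the first lookup quoted in the post.
SAMPLE_NSEC = (
    "_25._tcp.mx01.mx-hosting.ch. IN NSEC \\000._25._tcp.mx01.mx-hosting.ch. "
    "HINFO MX TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF CAA"
)


def parse_nsec(rr: str) -> tuple[str, str, set[str]]:
    """Split 'owner IN NSEC next type type ...' into (owner, next, {types})."""
    fields = rr.split()
    if len(fields) < 4 or fields[1:3] != ["IN", "NSEC"]:
        raise ValueError("not an NSEC RR in presentation form")
    return fields[0].lower(), fields[3].lower(), set(fields[4:])


def encode_type_bitmap(types: set[str]) -> bytes:
    """RFC 4034 s4.1.2 wire form: concatenated (window, length, bitmap) blocks,
    bitmap bit 0 of byte 0 being the lowest type number in the window."""
    windows: dict[int, bytearray] = {}
    for name in types:
        t = RRTYPES[name]
        win, off = t >> 8, t & 0xFF
        bm = windows.setdefault(win, bytearray(32))
        bm[off >> 3] |= 0x80 >> (off & 7)
    out = bytearray()
    for win in sorted(windows):
        bm = windows[win].rstrip(b"\x00")  # trailing zero octets are omitted
        out += bytes([win, len(bm)]) + bm
    return bytes(out)


def decode_type_bitmap(data: bytes) -> set[int]:
    """Inverse of encode_type_bitmap: the set of type numbers whose bit is set."""
    types: set[int] = set()
    i = 0
    while i < len(data):
        win, length = data[i], data[i + 1]
        bm = data[i + 2:i + 2 + length]
        i += 2 + length
        for byte_index, byte in enumerate(bm):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    types.add((win << 8) | (byte_index * 8 + bit))
    return types


def nodata_proof(qname: str, qtype: str, nsec_rr: str) -> str:
    """Judge an NSEC offered as proof that qname has no qtype.

    'nodata'      owner == qname and qtype absent from the bitmap: valid proof.
    'type-exists' owner == qname but the signed bitmap asserts qtype, so a
                  NODATA answer for qtype cannot validate; the zone must either
                  serve qtype data or fail the query.
    'wrong-owner' NSEC owner is not qname: not a NODATA proof for it at all.
    """
    owner, _next, types = parse_nsec(nsec_rr)
    if owner != qname.lower():
        return "wrong-owner"
    # Round-trip through the wire encoding so the check reads the same bits a
    # validator would see in the signed RDATA.
    present = decode_type_bitmap(encode_type_bitmap(types))
    return "type-exists" if RRTYPES[qtype] in present else "nodata"


def is_minimal_cover(nsec_rr: str) -> bool:
    """True when 'next' is the owner prefixed by one \\000 label: in canonical
    order nothing sorts between the two, so the NSEC denies no other name."""
    owner, nxt, _ = parse_nsec(nsec_rr)
    return nxt == "\\000." + owner


if __name__ == "__main__":
    name = "_25._tcp.mx01.mx-hosting.ch."
    for qtype in ("A", "TLSA"):
        print(qtype, nodata_proof(name, qtype, SAMPLE_NSEC))
    print("minimal cover:", is_minimal_cover(SAMPLE_NSEC))
```

Running it against the sample shows the A query's NSEC is a valid NODATA proof for A but asserts that TLSA exists, which is exactly the state in which the auth server can return neither a provable denial nor data for TLSA.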