[dns-operations] At least 3 CloudFlare DNS-hosted domains with oddball TLSA lookup ServFail
Viktor Dukhovni
ietf-dane at dukhovni.org
Sun Apr 19 19:26:13 UTC 2020
On Sun, Apr 19, 2020 at 07:45:04PM +0200, Vladimír Čunát wrote:
> On 4/19/20 6:49 PM, Viktor Dukhovni wrote:
> I only meant that those NSECs are normal (for them), not the ServFails
> or timeouts which they most likely have to debug themselves.
I see what you mean... For most of the mishmash of RRtypes[1] in the "A"
record NSEC response, if I ask for that RRtype explicitly, I get a new
NSEC record with that RRtype no longer listed:
_25._tcp.mx01.mx-hosting.ch. IN A ?
_25._tcp.mx01.mx-hosting.ch. IN NSEC \000._25._tcp.mx01.mx-hosting.ch. TYPE13 MX TXT AAAA TYPE29 SRV TYPE37 TYPE44 RRSIG NSEC TLSA TYPE55 TYPE61 TYPE99 CAA
_25._tcp.mx01.mx-hosting.ch. IN TYPE13 ?
_25._tcp.mx01.mx-hosting.ch. IN NSEC \000._25._tcp.mx01.mx-hosting.ch. A MX TXT AAAA TYPE29 SRV TYPE37 TYPE44 RRSIG NSEC TLSA TYPE55 TYPE61 TYPE99 CAA
_25._tcp.mx01.mx-hosting.ch. IN TYPE29 ?
_25._tcp.mx01.mx-hosting.ch. IN NSEC \000._25._tcp.mx01.mx-hosting.ch. A TYPE13 MX TXT AAAA SRV TYPE37 TYPE44 RRSIG NSEC TLSA TYPE55 TYPE61 TYPE99 CAA
_25._tcp.mx01.mx-hosting.ch. IN TYPE37 ?
_25._tcp.mx01.mx-hosting.ch. IN NSEC \000._25._tcp.mx01.mx-hosting.ch. A TYPE13 MX TXT AAAA TYPE29 SRV TYPE44 RRSIG NSEC TLSA TYPE55 TYPE61 TYPE99 CAA
_25._tcp.mx01.mx-hosting.ch. IN TXT ?
_25._tcp.mx01.mx-hosting.ch. IN NSEC \000._25._tcp.mx01.mx-hosting.ch. A TYPE13 MX AAAA TYPE29 SRV TYPE37 TYPE44 RRSIG NSEC TLSA TYPE55 TYPE61 TYPE99 CAA
_25._tcp.mx01.mx-hosting.ch. IN MX ?
_25._tcp.mx01.mx-hosting.ch. IN NSEC \000._25._tcp.mx01.mx-hosting.ch. A TYPE13 TXT AAAA TYPE29 SRV TYPE37 TYPE44 RRSIG NSEC TLSA TYPE55 TYPE61 TYPE99 CAA
There's just something odd about the TLSA case, where now I also see
timeouts (rather than the previous ServFail):
@173.245.59.172 +dnssec +norecur -t tlsa _25._tcp.mx01.mx-hosting.ch
@173.245.58.62 +dnssec +norecur -t tlsa _25._tcp.mx01.mx-hosting.ch
_25._tcp.mx01.mx-hosting.ch. IN TLSA ? ; RetryLimitExceeded
This breaks email to at least 6 signed domains:
mx-hosting.ch
flavio-meyer.ch
itsupport-luzern.ch
premier-etage.ch
smartcity-system.ch
smartcity-system.com
And also some unsigned domains using the same MX host (my DANE survey
does not track unsigned domains using signed MX hosts), but I found one
via a reverse MX lookup site:
jdtraining.ch
whose MX RRset also includes mx02.mx-hosting.ch, for which TLSA DoE
works fine, and the mix of RRtypes in the NSEC response is much closer
to what one would expect:
_25._tcp.mx02.mx-hosting.ch. IN TLSA ?
mx-hosting.ch. IN SOA alla.ns.cloudflare.com. dns at cloudflare.com. 2033851210 10000 2400 604800 3600
_25._tcp.mx02.mx-hosting.ch. IN NSEC \000._25._tcp.mx02.mx-hosting.ch. RRSIG NSEC
So how "normal" is it to return something other than just the expected
"RRSIG NSEC" for an empty non-terminal (real or synthetic)?
--
Viktor.
[1] RRtypes 13, 29, 37, 44, 55, 61 and 99 are not yet as such supported
by the Haskell DNS library. This has nothing to do with these being
either 1 mod 4 primes, or multiples of 11. :-)
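An added example, not code from the thread or from any of the servers discussed: a small Python checker that applies the RFC 4035 section 5.4 NODATA rule to the NSEC lines quoted above, showing why the mx01 answer cannot prove TLSA absent while the mx02 one can, and flagging when two NSECs for the same owner contradict each other. The function names and the KNOWN table are assumptions of this example; the type numbers come from the IANA RRtype registry.

```python
import re

# Well-known RRtype numbers (IANA registry) for the mnemonics seen in the thread.
KNOWN = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28,
         "SRV": 33, "RRSIG": 46, "NSEC": 47, "TLSA": 52, "CAA": 257}

def type_number(mnemonic):
    """Map an RRtype mnemonic, or an RFC 3597 'TYPEnn' token, to its number."""
    m = re.fullmatch(r"TYPE(\d+)", mnemonic)
    if m:
        return int(m.group(1))
    return KNOWN[mnemonic]

def parse_nsec(line):
    """Parse 'owner IN NSEC next type ...' into (owner, next, set of type numbers)."""
    owner, _cls, rrtype, nxt, *types = line.split()
    if rrtype != "NSEC":
        raise ValueError("not an NSEC record")
    return owner.lower(), nxt.lower(), {type_number(t) for t in types}

def nsec_denies_type(nsec, qname, qtype):
    """RFC 4035 section 5.4 NODATA proof: the NSEC must be owned by qname and its
    type bitmap must list neither qtype nor CNAME. The NXDOMAIN case, where the
    owner differs from qname and a covering range must be checked, is out of scope."""
    owner, _next, types = nsec
    if owner != qname.lower():
        return False
    return type_number(qtype) not in types and KNOWN["CNAME"] not in types

def is_clean_ent(nsec):
    """An empty non-terminal, real or synthesised, should carry only RRSIG and NSEC."""
    return nsec[2] == {KNOWN["RRSIG"], KNOWN["NSEC"]}

def bitmap_drift(nsec_a, nsec_b):
    """Type numbers present in one NSEC for the same owner but not in the other;
    a non-empty result means the server's denial answers contradict each other."""
    return nsec_a[2] ^ nsec_b[2]

# NSEC lines copied from the thread: mx01 as answered for qtype A and for TYPE13, mx02 for TLSA.
MX01_FOR_A = parse_nsec("_25._tcp.mx01.mx-hosting.ch. IN NSEC \\000._25._tcp.mx01.mx-hosting.ch. "
                        "TYPE13 MX TXT AAAA TYPE29 SRV TYPE37 TYPE44 RRSIG NSEC TLSA TYPE55 TYPE61 TYPE99 CAA")
MX01_FOR_13 = parse_nsec("_25._tcp.mx01.mx-hosting.ch. IN NSEC \\000._25._tcp.mx01.mx-hosting.ch. "
                         "A MX TXT AAAA TYPE29 SRV TYPE37 TYPE44 RRSIG NSEC TLSA TYPE55 TYPE61 TYPE99 CAA")
MX02_FOR_TLSA = parse_nsec("_25._tcp.mx02.mx-hosting.ch. IN NSEC \\000._25._tcp.mx02.mx-hosting.ch. RRSIG NSEC")
```

A validating resolver that receives the mx01 NSEC in reply to a TLSA query has no proof either way, which is the situation that ends in ServFail.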