[dns-operations] At least 3 CloudFlare DNS-hosted domains with oddball TLSA lookup ServFail

Christian Elmerot christian at elmerot.se
Mon Apr 20 10:55:38 UTC 2020


On 2020-04-19 07:55, Viktor Dukhovni wrote:
> The CloudFlare auth servers return ServFail for the TLSA lookup of:
>
>      https://dnsviz.net/d/_25._tcp.mx01.mx-hosting.ch/XpvvXg/dnssec/
>      https://dnsviz.net/d/_25._tcp.mail.markleenen.eu/Xpvvcg/dnssec/
>      https://dnsviz.net/d/_25._tcp.box.nobodyghost.net/Xpvvow/dnssec/
>
> For all three, "A" lookups for the same qname return valid denial of
> existence:
>
>      _25._tcp.mx01.mx-hosting.ch. IN A ?
>      mx-hosting.ch. IN SOA alla.ns.cloudflare.com. dns at cloudflare.com. 2033851210 10000 2400 604800 3600
>      mx-hosting.ch. IN RRSIG SOA 13 2 3600 20200420074057 20200418054057 34505 mx-hosting.ch. /UdtXD25WrZSBniBBtO+i3HSJaqJgeGf/xIt/NVRKjvBTjDdn8u1lf1L1nHxA4SnX25MseCt+rvzUsn0Qk40dA==
>      _25._tcp.mx01.mx-hosting.ch. IN NSEC \000._25._tcp.mx01.mx-hosting.ch. HINFO MX TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF CAA
>      _25._tcp.mx01.mx-hosting.ch. IN RRSIG NSEC 13 5 3600 20200420074057 20200418054057 34505 mx-hosting.ch. ZielhuDJf3hD4fxBfgXSAYVD8TvgkLL1swZPiWGDsTodwgM4U0A7D27i/UBhxRsV6BnCGco3UuRtBuI2frLKlw==
>
>      _25._tcp.mail.markleenen.eu. IN A ?
>      markleenen.eu. IN SOA darl.ns.cloudflare.com. dns at cloudflare.com. 2033859863 10000 2400 604800 3600
>      markleenen.eu. IN RRSIG SOA 13 2 3600 20200420074525 20200418054525 34505 markleenen.eu. ifsayHev5tJ4baUIwUR9b+HiFBc0aHsPbPxi4fOkV15lIKOxzyioxoT11pg5TTzMzlOwfmASo2hAMIjPVtaJQg==
>      _25._tcp.mail.markleenen.eu. IN NSEC \000._25._tcp.mail.markleenen.eu. HINFO MX TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF CAA
>      _25._tcp.mail.markleenen.eu. IN RRSIG NSEC 13 5 3600 20200420074525 20200418054525 34505 markleenen.eu. e1V94BttXUGsBQLQq9cEJD/lqoeTzA+Z/d0RFgeJR3i5qoAa1jOpTRldxHSQnJUcb95S6f9qOZ85BLbrZ3Bzbw==
>
>      _25._tcp.box.nobodyghost.net. IN A ?
>      nobodyghost.net. IN SOA ernest.ns.cloudflare.com. dns at cloudflare.com. 2033875276 10000 2400 604800 3600
>      nobodyghost.net. IN RRSIG SOA 13 2 3600 20200420074525 20200418054525 34505 nobodyghost.net. 9aH2tAT34IFLVuQNcFcGxzA6bjSPs6BLAAf4atFTUSpWp590UCkvYHs80gN05WbtmBPFoLSNo5GSYbWwk13JHA==
>      _25._tcp.box.nobodyghost.net. IN NSEC \000._25._tcp.box.nobodyghost.net. HINFO MX TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF CAA
>      _25._tcp.box.nobodyghost.net. IN RRSIG NSEC 13 5 3600 20200420074525 20200418054525 34505 nobodyghost.net. igoW77YIYQvEm2iJ/JmMtgTuBfmVv4wL/6aw2J50JWY+4DEDdWZXsmWUI0xG9L7DfYCVonv5Xp/h2QwYM28PpA==
>
> but, the NSEC RR promises TLSA records, among a rather oddball mix of
> other rrtypes:
>
>      HINFO MX TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF CAA
>
> that one would not expect to see associated with the qname in question.
> My guess is that none of these are actually present, hence the ServFail.
>
Those ServFails are being looked into as that is something different and
a bug I believe. I'll get back with more information when the issue's
been identified in our pipeline.

As for the "oddball mix" of types, well that's our NSEC black-lies in
action (as Vladimir pointed out).

Christian Elmerot, Cloudflare
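The denial-of-existence logic behind Viktor's observation, as an added Python example that is not part of the thread and not Cloudflare's or any resolver's own code: it parses the three NSEC records quoted above, checks whether each has the black-lies shape (next name is `\000.` prepended to the owner, so the span contains no other name), and reports what a single NSEC can prove for a given qtype. The names `parse_nsec`, `canon_key`, `covers`, `is_black_lie` and `proves_denial` are mine; the ordering follows the canonical name order of RFC 4034 section 6.1; the input layout assumed is the one in the quoted output (owner, class, type, next name, type bitmap, no TTL), with no escaped dots in names.

```python
"""NSEC denial-of-existence check for the records quoted in the thread.

Added example, not code from the thread or from Cloudflare.  Assumes the
presentation layout used in the quoted output ("owner IN NSEC next types...")
with no TTL field, and that names contain no escaped dots.
"""
from dataclasses import dataclass

# Sample input: the three NSEC records quoted in the thread (copied, not constructed).
SAMPLE_LINES = r"""
_25._tcp.mx01.mx-hosting.ch. IN NSEC \000._25._tcp.mx01.mx-hosting.ch. HINFO MX TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF CAA
_25._tcp.mail.markleenen.eu. IN NSEC \000._25._tcp.mail.markleenen.eu. HINFO MX TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF CAA
_25._tcp.box.nobodyghost.net. IN NSEC \000._25._tcp.box.nobodyghost.net. HINFO MX TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF CAA
""".strip().splitlines()


@dataclass(frozen=True)
class Nsec:
    owner: str
    next_name: str
    types: frozenset


def decode_label(label: str) -> bytes:
    """Presentation-form label -> lowercase octets (handles \\DDD escapes)."""
    out = bytearray()
    i = 0
    while i < len(label):
        if label[i] == "\\" and label[i + 1:i + 4].isdigit():
            out.append(int(label[i + 1:i + 4]))  # \000 -> single 0x00 octet
            i += 4
        elif label[i] == "\\":
            out.extend(label[i + 1].lower().encode())
            i += 2
        else:
            out.extend(label[i].lower().encode())
            i += 1
    return bytes(out)


def canon_key(name: str) -> tuple:
    """Sort key for DNSSEC canonical name ordering: compare rightmost label first."""
    labels = name.rstrip(".").split(".")
    return tuple(decode_label(label) for label in reversed(labels))


def parse_nsec(line: str) -> Nsec:
    fields = line.split()
    if fields[1:3] != ["IN", "NSEC"]:
        raise ValueError(f"not an NSEC record: {line!r}")
    return Nsec(fields[0], fields[3], frozenset(fields[4:]))


def covers(nsec: Nsec, qname: str) -> bool:
    """True if qname sorts strictly between owner and next (the NXDOMAIN span)."""
    o, q, n = canon_key(nsec.owner), canon_key(qname), canon_key(nsec.next_name)
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC of the zone: next wraps around to the apex


def is_black_lie(nsec: Nsec) -> bool:
    """owner .. \\000.owner is the narrowest possible span: no other name fits
    inside it, so this NSEC says nothing about any name except its owner."""
    return canon_key(nsec.next_name) == canon_key(nsec.owner) + (b"\x00",)


def proves_denial(nsec: Nsec, qname: str, qtype: str) -> str:
    """What this single NSEC proves for (qname, qtype): NODATA, NXDOMAIN or NONE.

    Only the covering half of an NXDOMAIN proof is checked here; a complete
    proof also needs the closest-encloser / wildcard NSEC, a second record.
    """
    if canon_key(nsec.owner) == canon_key(qname):
        # The name exists and the bitmap lists the types present at it, so a
        # type that is listed cannot be proven absent by this record.
        return "NONE" if qtype.upper() in nsec.types else "NODATA"
    if covers(nsec, qname):
        return "NXDOMAIN"
    return "NONE"


def check_thread_records(qtype: str) -> dict:
    """Evaluate every quoted NSEC against its own owner name for one qtype."""
    return {n.owner: proves_denial(n, n.owner, qtype)
            for n in map(parse_nsec, SAMPLE_LINES)}


if __name__ == "__main__":
    for qt in ("A", "TLSA"):
        print(qt, check_thread_records(qt))
```

Run against the quoted records, every NSEC is a black lie and yields NODATA for `A` (the answer Viktor saw validate) but NONE for `TLSA`, since a bitmap that asserts TLSA is present cannot at the same time deny it. That is the check a validating resolver or DANE client performs on the denial it receives; it does not explain why the authoritative side answers ServFail, which the reply above says is being investigated separately.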
