[dns-operations] Stale NTA for "peek.ru" at Cloudflare?

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Mar 13 19:40:32 UTC 2020


I am running into either a stale NTA or perhaps special-casing of
algorithm 6 (DSA-NSEC3-SHA1) when using Cloudflare to query the TLSA
records of beta.peek.ru, which have valid DSA-NSEC3-SHA1 (deprecated)
1024-bit signatures:

    https://dnsviz.net/d/_25._tcp.beta.peek.ru/XmvZ6A/dnssec/

but Cloudflare DNS returns AD=0 and no RRSIGs, even with CD=1:

    _25._tcp.beta.peek.ru. IN CNAME _tlsa.peek.ru. ; NoError AD=0
    _tlsa.peek.ru. IN TLSA 3 0 1 925758b9aed10aa43ad72b5cd170eee4744d56cda9e3d970df2769e3085b083d ; NoError AD=0
    _tlsa.peek.ru. IN TLSA 3 0 1 ef3d63aa7b10d1f060d43d30b356f19a38fddb36542ab188da787524be265a24 ; NoError AD=0

Can someone from Cloudflare comment on why this is happening?

By way of contrast Google, Verisign and Quad9 all return RRSIGs and AD=1:

$ for ip in 1.0.0.1 1.1.1.1 8.8.4.4 8.8.8.8 64.6.64.6 64.6.65.6 9.9.9.10 149.112.112.10
  do
    printf "%s " $ip
    hsdig -n $ip -C -D -t tlsa _25._tcp.beta.peek.ru |
      grep ' IN RRSIG TLSA ' ||
      echo "<unsigned>"
  done
1.0.0.1 <unsigned>
1.1.1.1 <unsigned>
8.8.4.4 _tlsa.peek.ru. IN RRSIG TLSA 6 3 86400 20200331101252 20200303101252 24176 peek.ru. AACzREU9oRWWS7PzYzVNeoV4U7qxCh9zG9Dj6Oj4X0Rdkrvos5mzP0Y= ; NoError AD=0
8.8.8.8 _tlsa.peek.ru. IN RRSIG TLSA 6 3 86400 20200331101252 20200303101252 24176 peek.ru. AACzREU9oRWWS7PzYzVNeoV4U7qxCh9zG9Dj6Oj4X0Rdkrvos5mzP0Y= ; NoError AD=0
64.6.64.6 _tlsa.peek.ru. IN RRSIG TLSA 6 3 86400 20200331101252 20200303101252 24176 peek.ru. AACzREU9oRWWS7PzYzVNeoV4U7qxCh9zG9Dj6Oj4X0Rdkrvos5mzP0Y= ; NoError AD=1
64.6.65.6 _tlsa.peek.ru. IN RRSIG TLSA 6 3 86400 20200331101252 20200303101252 24176 peek.ru. AACzREU9oRWWS7PzYzVNeoV4U7qxCh9zG9Dj6Oj4X0Rdkrvos5mzP0Y= ; NoError AD=1
9.9.9.10 _tlsa.peek.ru. IN RRSIG TLSA 6 3 86400 20200331101252 20200303101252 24176 peek.ru. AACzREU9oRWWS7PzYzVNeoV4U7qxCh9zG9Dj6Oj4X0Rdkrvos5mzP0Y= ; NoError AD=1
149.112.112.10 _tlsa.peek.ru. IN RRSIG TLSA 6 3 86400 20200331101252 20200303101252 24176 peek.ru. AACzREU9oRWWS7PzYzVNeoV4U7qxCh9zG9Dj6Oj4X0Rdkrvos5mzP0Y= ; NoError AD=0

-- 
    Viktor.


More information about the dns-operations mailing list