[dns-operations] Stale NTA for "peek.ru" at Cloudflare?

Marek Vavruša marek at vavrusa.com
Fri Mar 13 20:52:04 UTC 2020


Hi Viktor,

On Fri, 13 Mar 2020 at 12:56, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> I am running into either a stale NTA or perhaps special-casing of
> algorithm 6 (DSA-NSEC3-SHA1) when using Cloudflare to query the TLSA
> records of beta.peek.ru, which have valid DSA-NSEC3-SHA1 (deprecated)
> 1024-bit signatures:
>
>     https://dnsviz.net/d/_25._tcp.beta.peek.ru/XmvZ6A/dnssec/
>
> but Cloudflare DNS returns AD=0 and no RRSIGs, even with CD=1:
>
>     _25._tcp.beta.peek.ru. IN CNAME _tlsa.peek.ru. ; NoError AD=0
>     _tlsa.peek.ru. IN TLSA 3 0 1 925758b9aed10aa43ad72b5cd170eee4744d56cda9e3d970df2769e3085b083d ; NoError AD=0
>     _tlsa.peek.ru. IN TLSA 3 0 1 ef3d63aa7b10d1f060d43d30b356f19a38fddb36542ab188da787524be265a24 ; NoError AD=0
>
> Can someone from Cloudflare comment on why this is happening?

The DSA-NSEC3-SHA1 algorithm has been deprecated in
https://tools.ietf.org/html/rfc8624, so zones below a DS with these keys
are effectively treated as unsigned zones (RFC 4035, section 5.2),
but you raise a good point that the method of doing so is not consistent.

> By way of contrast Google, Verisign and Quad9 all return RRSIGs and AD=1:

8.8.8.8/8.8.4.4 seems to return AD=0 but also RRSIGs when CD=1, which
seems to me like the best behavior honestly.

>
> $ for ip in 1.0.0.1 1.1.1.1 8.8.4.4 8.8.8.8 64.6.64.6 64.6.65.6 9.9.9.10 149.112.112.10
>   do
>     printf "%s " $ip
>     hsdig -n $ip -C -D -t tlsa _25._tcp.beta.peek.ru |
>       grep ' IN RRSIG TLSA ' ||
>       echo "<unsigned>"
>   done
> 1.0.0.1 <unsigned>
> 1.1.1.1 <unsigned>
> 8.8.4.4 _tlsa.peek.ru. IN RRSIG TLSA 6 3 86400 20200331101252 20200303101252 24176 peek.ru. AACzREU9oRWWS7PzYzVNeoV4U7qxCh9zG9Dj6Oj4X0Rdkrvos5mzP0Y= ; NoError AD=0
> 8.8.8.8 _tlsa.peek.ru. IN RRSIG TLSA 6 3 86400 20200331101252 20200303101252 24176 peek.ru. AACzREU9oRWWS7PzYzVNeoV4U7qxCh9zG9Dj6Oj4X0Rdkrvos5mzP0Y= ; NoError AD=0
> 64.6.64.6 _tlsa.peek.ru. IN RRSIG TLSA 6 3 86400 20200331101252 20200303101252 24176 peek.ru. AACzREU9oRWWS7PzYzVNeoV4U7qxCh9zG9Dj6Oj4X0Rdkrvos5mzP0Y= ; NoError AD=1
> 64.6.65.6 _tlsa.peek.ru. IN RRSIG TLSA 6 3 86400 20200331101252 20200303101252 24176 peek.ru. AACzREU9oRWWS7PzYzVNeoV4U7qxCh9zG9Dj6Oj4X0Rdkrvos5mzP0Y= ; NoError AD=1
> 9.9.9.10 _tlsa.peek.ru. IN RRSIG TLSA 6 3 86400 20200331101252 20200303101252 24176 peek.ru. AACzREU9oRWWS7PzYzVNeoV4U7qxCh9zG9Dj6Oj4X0Rdkrvos5mzP0Y= ; NoError AD=1
> 149.112.112.10 _tlsa.peek.ru. IN RRSIG TLSA 6 3 86400 20200331101252 20200303101252 24176 peek.ru. AACzREU9oRWWS7PzYzVNeoV4U7qxCh9zG9Dj6Oj4X0Rdkrvos5mzP0Y= ; NoError AD=0
>
> --
>     Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
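The behaviour Marek describes (a child zone whose only DS algorithms the validator refuses to use is treated as unsigned, so its answers come back with AD=0) is the RFC 4035 section 5.2 / RFC 6840 section 5.2 rule. The following is an added illustration written for this archive page, not code from the thread or from any resolver; it models that decision for a constructed peek.ru DS record (key tag 24176 and algorithm 6 are taken from the RRSIG above, the digest is a placeholder) under two validator policies: one that follows the RFC 8624 validation column and one that still accepts algorithm 6.

```python
"""
Added example (not from the thread or any resolver's source): how a
validating resolver decides from the parent's DS RRset whether a child
zone is secure, insecure (treated as unsigned, so AD=0) or bogus, per
RFC 4035 sec. 5.2 and RFC 6840 sec. 5.2, and how the RFC 8624 validation
policy feeds that decision. All DS values below are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable, List, Set

# RFC 8624, Table 1, "Validation" column (DNSKEY algorithm number -> level).
RFC8624_VALIDATE = {
    3: "MUST NOT",      # DSA
    5: "MUST",          # RSASHA1
    6: "MUST NOT",      # DSA-NSEC3-SHA1, the algorithm peek.ru signs with
    7: "MUST",          # RSASHA1-NSEC3-SHA1
    8: "MUST",          # RSASHA256
    10: "MUST",         # RSASHA512
    12: "MAY",          # ECC-GOST
    13: "MUST",         # ECDSAP256SHA256
    14: "RECOMMENDED",  # ECDSAP384SHA384
    15: "RECOMMENDED",  # ED25519
    16: "RECOMMENDED",  # ED448
}

# DS digest types from the IANA registry: 1 SHA-1, 2 SHA-256, 4 SHA-384.
COMMON_DIGEST_TYPES = {1, 2, 4}


class Status(Enum):
    SECURE = "secure"      # chain of trust verified: AD=1 may be set
    INSECURE = "insecure"  # no usable DS: answers treated as unsigned, AD=0
    BOGUS = "bogus"        # usable DS but validation failed: SERVFAIL unless CD=1


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


def supported_by_policy(policy=RFC8624_VALIDATE) -> Set[int]:
    """Algorithms a validator following the RFC 8624 table may validate with."""
    return {alg for alg, level in policy.items() if level != "MUST NOT"}


def usable_ds(ds_set: Iterable[DS], algs: Set[int], digests: Set[int]) -> List[DS]:
    """RFC 6840 sec. 5.2: a DS is usable only if BOTH its DNSKEY algorithm and
    its digest type are supported by the validator."""
    return [ds for ds in ds_set if ds.algorithm in algs and ds.digest_type in digests]


def classify_delegation(ds_set: Iterable[DS], algs: Set[int], digests: Set[int],
                        dnskey_verifies: Callable[[DS], bool]) -> Status:
    """ds_set is the authenticated DS RRset from the parent (empty means the
    parent proved via NSEC/NSEC3 that no DS exists). dnskey_verifies(ds) stands
    in for the real work: does a child DNSKEY match this DS, and does the
    child's DNSKEY RRset verify under it?"""
    ds_list = list(ds_set)
    if not ds_list:
        return Status.INSECURE
    usable = usable_ds(ds_list, algs, digests)
    if not usable:
        # RFC 4035 sec. 5.2: no supported authentication path from parent to
        # child, so treat this exactly like an authenticated proof of "no DS".
        return Status.INSECURE
    if any(dnskey_verifies(ds) for ds in usable):
        return Status.SECURE
    return Status.BOGUS


def ad_bit(status: Status) -> int:
    """AD may only be set when the answer validated as secure."""
    return 1 if status is Status.SECURE else 0


# Constructed DS for peek.ru: key tag and algorithm come from the RRSIG in the
# thread; the digest is a placeholder, not the real record.
PEEK_RU_DS = [DS(24176, 6, 2, "0000-placeholder-digest")]


def signatures_verify(ds: DS) -> bool:
    # DNSViz showed the DSA-NSEC3-SHA1 signatures themselves are valid,
    # so this stand-in reports success for any usable DS.
    return True


def demo() -> dict:
    strict = supported_by_policy()   # RFC 8624: algorithm 6 excluded
    legacy = strict | {6}            # validator still accepting DSA-NSEC3-SHA1
    return {
        "rfc8624_validator": classify_delegation(PEEK_RU_DS, strict, COMMON_DIGEST_TYPES, signatures_verify),
        "legacy_validator": classify_delegation(PEEK_RU_DS, legacy, COMMON_DIGEST_TYPES, signatures_verify),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status.value} (AD={ad_bit(status)})")
```

Running it prints INSECURE (AD=0) for the RFC 8624 validator and SECURE (AD=1) for the legacy one, which is the split between the resolvers in Viktor's table. Note that this only covers the AD bit: whether a resolver that treats the zone as insecure still passes the RRSIGs through on CD=1 or DO=1 queries is the separate, unspecified-in-practice behaviour Marek points out as inconsistent.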
