[dns-operations] SOA rname breakage (first label split on internal dots) from Verisign public DNS

Wessels, Duane dwessels at verisign.com
Fri Mar 27 15:55:56 UTC 2020


Viktor,

Thanks again for reporting this.  We have identified the source of the problem and have begun developing a fix.  We'll let you know once it has been deployed.

DW


> On Mar 24, 2020, at 8:02 AM, Wessels, Duane <dwessels at verisign.com> wrote:
> 
> Thanks Viktor, we will investigate and report back.
> 
> DW
> 
> 
>> On Mar 23, 2020, at 11:39 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>> 
>> The podotrack.nl domain has two authoritative servers: 
>> 
>>   podotrack.nl. IN NS ns1.exsilia.net.
>>   podotrack.nl. IN NS ns2.exsilia.net.
>> 
>> Both return the same SOA RR with an escaped "." in the first label of the SOA "rname":
>> 
>>   $ dig +norecur +dnssec -t SOA +noall +ans podotrack.nl @ns1.exsilia.net
>>   podotrack.nl.           86400   IN      RRSIG   SOA 8 2 86400 20200402000000 20200312000000 16285 podotrack.nl. QaAaTslfbdObE8V2vsPtN9j3VEiW5rb1Rq/K7xb9IlDShj06tw3ruRfx wmeyaKEqiD+HmXwERervVbx+ilgIcNwD8emqJ+BfZxv4lyhwyVnmPpIW /ggeijP4L7EywS7lsO0zs2nwB/Bhv/f5KwFIQy4Cm+hj99zbvULaNuNf ibw=
>>   podotrack.nl.           86400   IN      SOA     ns2.exsilia.net. j\.deklein.lijnco.nl. 2019111101 10800 3600 604800 10800
>> 
>>   $ dig +norecur +dnssec -t SOA +noall +ans podotrack.nl @ns2.exsilia.net
>>   podotrack.nl.           86400   IN      SOA     ns2.exsilia.net. j\.deklein.lijnco.nl. 2019111101 10800 3600 604800 10800
>>   podotrack.nl.           86400   IN      RRSIG   SOA 8 2 86400 20200402000000 20200312000000 16285 podotrack.nl. QaAaTslfbdObE8V2vsPtN9j3VEiW5rb1Rq/K7xb9IlDShj06tw3ruRfx wmeyaKEqiD+HmXwERervVbx+ilgIcNwD8emqJ+BfZxv4lyhwyVnmPpIW /ggeijP4L7EywS7lsO0zs2nwB/Bhv/f5KwFIQy4Cm+hj99zbvULaNuNf ibw=
>> 
>> But that is *not* what I see from Verisign public DNS:
>> 
>>   $ dig +dnssec -t SOA +noall +ans podotrack.nl @64.6.64.6
>>   podotrack.nl.           86400   IN      SOA     ns2.exsilia.net. j.deklein.lijnco.nl. 2019111101 10800 3600 604800 10800
>>   podotrack.nl.           86400   IN      RRSIG   SOA 8 2 86400 20200402000000 20200312000000 16285 podotrack.nl. QaAaTslfbdObE8V2vsPtN9j3VEiW5rb1Rq/K7xb9IlDShj06tw3ruRfx wmeyaKEqiD+HmXwERervVbx+ilgIcNwD8emqJ+BfZxv4lyhwyVnmPpIW /ggeijP4L7EywS7lsO0zs2nwB/Bhv/f5KwFIQy4Cm+hj99zbvULaNuNf ibw=
>> 
>> Even though the serial number and RRSIG are the same, the first label is
>> not escaped!  The answer has a TTL of 86400 and looks fresh (!cached).
>> This breaks the SOA RRSIG and denial of existence of TLSA RRs, ...
>> 
>> The remaining usual suspects all return the expected rname:
>> 
>>   $ dig +dnssec -t SOA +noall +ans podotrack.nl @8.8.8.8
>>   podotrack.nl.           21599   IN      RRSIG   SOA 8 2 86400 20200402000000 20200312000000 16285 podotrack.nl. QaAaTslfbdObE8V2vsPtN9j3VEiW5rb1Rq/K7xb9IlDShj06tw3ruRfx wmeyaKEqiD+HmXwERervVbx+ilgIcNwD8emqJ+BfZxv4lyhwyVnmPpIW /ggeijP4L7EywS7lsO0zs2nwB/Bhv/f5KwFIQy4Cm+hj99zbvULaNuNf ibw=
>>   podotrack.nl.           21599   IN      SOA     ns2.exsilia.net. j\.deklein.lijnco.nl. 2019111101 10800 3600 604800 10800
>> 
>>   $ dig +dnssec -t SOA +noall +ans podotrack.nl @1.1.1.1
>>   podotrack.nl.           10596   IN      SOA     ns2.exsilia.net. j\.deklein.lijnco.nl. 2019111101 10800 3600 604800 10800
>>   podotrack.nl.           10596   IN      RRSIG   SOA 8 2 86400 20200402000000 20200312000000 16285 podotrack.nl. QaAaTslfbdObE8V2vsPtN9j3VEiW5rb1Rq/K7xb9IlDShj06tw3ruRfx wmeyaKEqiD+HmXwERervVbx+ilgIcNwD8emqJ+BfZxv4lyhwyVnmPpIW /ggeijP4L7EywS7lsO0zs2nwB/Bhv/f5KwFIQy4Cm+hj99zbvULaNuNf ibw=
>> 
>>   $ dig +dnssec -t SOA +noall +ans podotrack.nl @9.9.9.10
>>   podotrack.nl.           43200   IN      SOA     ns2.exsilia.net. j\.deklein.lijnco.nl. 2019111101 10800 3600 604800 10800
>>   podotrack.nl.           43200   IN      RRSIG   SOA 8 2 86400 20200402000000 20200312000000 16285 podotrack.nl. QaAaTslfbdObE8V2vsPtN9j3VEiW5rb1Rq/K7xb9IlDShj06tw3ruRfx wmeyaKEqiD+HmXwERervVbx+ilgIcNwD8emqJ+BfZxv4lyhwyVnmPpIW /ggeijP4L7EywS7lsO0zs2nwB/Bhv/f5KwFIQy4Cm+hj99zbvULaNuNf ibw=
>> 
>> Checking army.mil (lots of dots in the first rname label), I find the
>> same symptoms:
>> 
>>   $ dig +dnssec -t soa +noall +ans +add army.mil @64.6.64.6
>>   army.mil.               1700    IN      SOA     ns01.army.mil. usarmy.huachuca.netcom.mesg.epdns-global.mail.mil. 2007040001 900 90 2419200 300
>>   army.mil.               1700    IN      RRSIG   SOA 8 2 3600 20200328054853 20200324044853 51378 army.mil. gKsZWexzUD9tYM09JQnF/5pnd1ZKwxtBd9FjWtRTIimQRqldhMwFdALV 3vg4UGde6iSS1xH0jmXLeBPlk0ETNLtXwGRl7ywko8Q12eVy7XgUASwM OM3Sv6XEfaNglTHbqmeJo987BSlkNqwUFIlCnvI0OFiboLX9le+xl6eI bw2GsGrd+/Q+XU37JvDAQ55X9mECMM1jHjraBD2NKfcPGRP700Myie+q WgUuQrs40YGR8jFLrxk5/R/A4uPK0hlXVpjHv6cmrlAW00BS7LlP+5Ha H+oh10/0hQkofrjhQWINXUKCSHI4mMSO6liubK74cjS5fxg07BnvaMKJ OtoIuQ==
>> 
>>   $ dig +dnssec -t soa +noall +ans +add army.mil @8.8.8.8
>>   army.mil.               2830    IN      SOA     ns01.army.mil. usarmy\.huachuca\.netcom\.mesg\.epdns-global.mail.mil. 2007040004 900 90 2419200 300
>>   army.mil.               2830    IN      RRSIG   SOA 8 2 3600 20200328061900 20200324051900 51378 army.mil. WVAHvrkjdrq4Z1QShUec3xqGT3DSPJIx6vABFUVlO+mQfI4w9ZclXYqP iAVr0VP/erA2aztQp6qaLEYo3TXMlPG5iIpC6Abay3N0mmdndsfwl78v 5kveVZ1CiKoMD8jzT67x6CCU053vTtQAbOm0PR153D9DD1ObGj3kTx8n hKbDGQzmbWiQybguAjOGoSZ+jDcjjrtFcXyrzhpUYndrddsSYpA1RjA1 mJIK/AYPESTLZ1/SnNgyLBtP3CxBKsyBftqhpHLcLaUMHiSgjNExqDGI aM4FearWrfAm0lB95OtX3AjWgFbhcPR7KTFOCO1JHs9hmvYE2q+UgYYU 20er6g==
>> 
>> Looks like some sort of systemic issue.
>> 
>> -- 
>>   Viktor.
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> 
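The point of the report is that the two rnames are different names on the wire even though they print almost identically, so the resolver's answer can no longer match the RRSIG computed by the zone signer. The following is an added illustration, not code from the thread, from Verisign, or from any resolver named in it. It converts a name between RFC 1035 presentation format (section 5.1 escapes: "\." keeps a literal dot inside a label, "\DDD" is a decimal octet value) and wire format, lowercases it as RFC 4034 section 6.2 requires for signature input, and builds the SOA RDATA an RRSIG covers. The rname strings and SOA numeric fields are copied from the dig output above; the set of characters escaped on output is a simplified subset of what dig escapes.

```python
"""Wire-format view of the rname mangling reported in the thread.

Added illustration, not code from the thread, from the resolvers named in
it, or from any DNS implementation.  Assumes uncompressed, absolute names
and ASCII-only presentation text.
"""
import struct

MAX_LABEL, MAX_NAME = 63, 255


def name_to_wire(text: str) -> bytes:
    """Presentation format -> wire format (uncompressed, absolute names only)."""
    if text == ".":
        return b"\x00"
    if not text.endswith("."):
        raise ValueError("absolute (dot-terminated) name expected")
    out, label, i = bytearray(), bytearray(), 0
    while i < len(text):
        c = text[i]
        if c == "\\":
            ddd = text[i + 1:i + 4]
            if len(ddd) == 3 and all("0" <= ch <= "9" for ch in ddd):
                value = int(ddd)                      # \DDD: decimal octet
                if value > 255:
                    raise ValueError("\\DDD escape out of range")
                label.append(value)
                i += 4
            elif i + 1 < len(text):                   # \X: literal X
                label += text[i + 1].encode("ascii")
                i += 2
            else:
                raise ValueError("dangling backslash")
            continue
        if c == ".":                                  # unescaped dot ends a label
            if not label:
                raise ValueError("empty label")
            if len(label) > MAX_LABEL:
                raise ValueError("label longer than 63 octets")
            out.append(len(label))
            out += label
            label = bytearray()
        else:
            label += c.encode("ascii")
        i += 1
    out.append(0)                                     # root label
    if len(out) > MAX_NAME:
        raise ValueError("name longer than 255 octets")
    return bytes(out)


def wire_labels(wire: bytes) -> list:
    """Split an uncompressed wire-format name into its raw labels."""
    labels, i = [], 0
    while True:
        n = wire[i]
        if n == 0:
            return labels
        if n > MAX_LABEL:
            raise ValueError("compression pointer or bad length byte")
        raw = wire[i + 1:i + 1 + n]
        if len(raw) != n:
            raise ValueError("truncated name")
        labels.append(bytes(raw))
        i += 1 + n


def wire_to_name(wire: bytes) -> str:
    """Wire format -> presentation format; '.' and '\\' inside a label are
    backslash-escaped, non-printable octets become \\DDD (subset of dig's rules)."""
    def esc(label: bytes) -> str:
        return "".join(
            "\\" + chr(b) if b in b".\\" else
            chr(b) if 0x21 <= b <= 0x7E else "\\%03d" % b
            for b in label)
    return ".".join(esc(lbl) for lbl in wire_labels(wire)) + "."


def canonical_wire(wire: bytes) -> bytes:
    """RFC 4034 section 6.2: ASCII letters are lowercased for signing/verifying."""
    return bytes(b + 32 if 0x41 <= b <= 0x5A else b for b in wire)


def soa_rdata(mname, rname, serial, refresh, retry, expire, minimum) -> bytes:
    """SOA RDATA in the canonical form fed to the RRSIG computation."""
    return (canonical_wire(name_to_wire(mname))
            + canonical_wire(name_to_wire(rname))
            + struct.pack("!IIIII", serial, refresh, retry, expire, minimum))


# rnames as they appear in the thread: authoritative servers vs. 64.6.64.6
AUTH_RNAME = "j\\.deklein.lijnco.nl."
MANGLED_RNAME = "j.deklein.lijnco.nl."
SOA_FIELDS = ("ns2.exsilia.net.", 2019111101, 10800, 3600, 604800, 10800)


def compare_rnames(good: str, bad: str) -> dict:
    """Show why the resolver's answer cannot validate against the same RRSIG."""
    gw, bw = name_to_wire(good), name_to_wire(bad)
    mname, *nums = SOA_FIELDS
    return {
        "wire_equal": gw == bw,
        "label_count": (len(wire_labels(gw)), len(wire_labels(bw))),
        "first_label": (wire_labels(gw)[0], wire_labels(bw)[0]),
        "soa_rdata_equal": soa_rdata(mname, good, *nums) == soa_rdata(mname, bad, *nums),
    }


if __name__ == "__main__":
    for key, val in compare_rnames(AUTH_RNAME, MANGLED_RNAME).items():
        print(key, val)
    print(wire_to_name(name_to_wire(AUTH_RNAME)))   # round-trips with the escape kept
```

The two rnames happen to encode to the same number of octets, so a length check alone would not catch the mangling; only the label boundaries move. Since the RRSIG is computed over the canonical wire form of the RDATA, any validator verifying the 64.6.64.6 answer is checking a signature over bytes the signer never saw.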
