[dns-operations] Cloudflare public DNS, ongoing incomplete NSEC responses

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Oct 29 02:27:23 UTC 2020


The TLSA query below elicits an incomplete NSEC response, with just one
of the two required records present.  The returned NSEC record covers the
qname but not the wildcard:

    _25._tcp.fotobehang24.nl. IN TLSA ? ; NXDomain AD=1
    fotobehang24.nl. IN SOA ns.zxcs.nl. hostmaster at zxcs.nl. 2020070913 ...
    fotobehang24.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
    _domainkey.fotobehang24.nl. IN NSEC ftp.fotobehang24.nl. TXT RRSIG NSEC
    _domainkey.fotobehang24.nl. IN RRSIG NSEC 13 3 3600 20201112000000 20201022000000 ...

A more complete response is observed from e.g. Google DNS:

    _25._tcp.fotobehang24.nl. IN TLSA ? ; NXDomain AD=1
    fotobehang24.nl. IN SOA ns.zxcs.nl. hostmaster at zxcs.nl. 2020070913 ...
    fotobehang24.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
    _domainkey.fotobehang24.nl. IN NSEC ftp.fotobehang24.nl. TXT RRSIG NSEC
    _domainkey.fotobehang24.nl. IN RRSIG NSEC 13 3 3600 20201112000000 20201022000000 ...
    fotobehang24.nl. IN NSEC _dmarc.fotobehang24.nl. A NS SOA TXT AAAA RRSIG NSEC DNSKEY
    fotobehang24.nl. IN RRSIG NSEC 13 2 3600 20201112000000 20201022000000 ...

Similar results for a few more domains below my signature, which are but
a fraction of the full set.

-- 
    Viktor.

CloudFlare:

    _25._tcp.commonisme.nl. IN TLSA ? ; NXDomain AD=1
    commonisme.nl. IN SOA ns.zxcs.nl. hostmaster at zxcs.nl. 2020060413 ...
    commonisme.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
    _domainkey.commonisme.nl. IN NSEC ftp.commonisme.nl. TXT RRSIG NSEC
    _domainkey.commonisme.nl. IN RRSIG NSEC 13 3 3600 20201112000000 20201022000000 ...

    _25._tcp.highbrunch.nl. IN TLSA ? ; NXDomain AD=1
    highbrunch.nl. IN SOA ns1.zxcs.nl. hostmaster at zxcs.nl. 2018061112 ...
    highbrunch.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
    x._domainkey.highbrunch.nl. IN NSEC ftp.highbrunch.nl. TXT RRSIG NSEC
    x._domainkey.highbrunch.nl. IN RRSIG NSEC 13 4 3600 20201112000000 20201022000000 ...

    _25._tcp.houtindefamilie.nl. IN TLSA ? ; NXDomain AD=1
    houtindefamilie.nl. IN SOA ns1.zxcs.nl. hostmaster at zxcs.nl. 2018031712 ...
    houtindefamilie.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
    x._domainkey.houtindefamilie.nl. IN NSEC ftp.houtindefamilie.nl. TXT RRSIG NSEC
    x._domainkey.houtindefamilie.nl. IN RRSIG NSEC 13 4 3600 20201112000000 20201022000000 ...

    _25._tcp.culturedbeef.nl. IN TLSA ? ; NXDomain AD=1
    culturedbeef.nl. IN SOA ns1.zxcs.nl. ns1.zxcs.nl. 2017101200 ...
    culturedbeef.nl. IN RRSIG SOA 13 2 86400 20201112000000 20201022000000 ...
    x._domainkey.culturedbeef.nl. IN NSEC ftp.culturedbeef.nl. TXT RRSIG NSEC
    x._domainkey.culturedbeef.nl. IN RRSIG NSEC 13 4 86400 20201112000000 20201022000000 ...

    _25._tcp.kiddemon.nl. IN TLSA ? ; NXDomain AD=1
    kiddemon.nl. IN SOA ns1.zxcs.nl. hostmaster at zxcs.nl. 2020040301 ...
    kiddemon.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
    _domainkey.kiddemon.nl. IN NSEC ftp.kiddemon.nl. TXT RRSIG NSEC
    _domainkey.kiddemon.nl. IN RRSIG NSEC 13 3 3600 20201112000000 20201022000000 ...

Google:

    _25._tcp.commonisme.nl. IN TLSA ? ; NXDomain AD=1
    commonisme.nl. IN SOA ns.zxcs.nl. hostmaster at zxcs.nl. 2020060413 ...
    commonisme.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
    commonisme.nl. IN NSEC _dmarc.commonisme.nl. A NS SOA TXT AAAA RRSIG NSEC DNSKEY
    commonisme.nl. IN RRSIG NSEC 13 2 3600 20201112000000 20201022000000 ...
    _domainkey.commonisme.nl. IN NSEC ftp.commonisme.nl. TXT RRSIG NSEC
    _domainkey.commonisme.nl. IN RRSIG NSEC 13 3 3600 20201112000000 20201022000000 ...

    _25._tcp.houtindefamilie.nl. IN TLSA ? ; NXDomain AD=1
    houtindefamilie.nl. IN SOA ns1.zxcs.nl. hostmaster at zxcs.nl. 2018031712 ...
    houtindefamilie.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
    x._domainkey.houtindefamilie.nl. IN NSEC ftp.houtindefamilie.nl. TXT RRSIG NSEC
    x._domainkey.houtindefamilie.nl. IN RRSIG NSEC 13 4 3600 20201112000000 20201022000000 ...
    houtindefamilie.nl. IN NSEC _dmarc.houtindefamilie.nl. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY
    houtindefamilie.nl. IN RRSIG NSEC 13 2 3600 20201112000000 20201022000000 ...

    _25._tcp.highbrunch.nl. IN TLSA ? ; NXDomain AD=1
    highbrunch.nl. IN SOA ns1.zxcs.nl. hostmaster at zxcs.nl. 2018061112 ...
    highbrunch.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
    x._domainkey.highbrunch.nl. IN NSEC ftp.highbrunch.nl. TXT RRSIG NSEC
    x._domainkey.highbrunch.nl. IN RRSIG NSEC 13 4 3600 20201112000000 20201022000000 ...
    highbrunch.nl. IN NSEC _dmarc.highbrunch.nl. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY
    highbrunch.nl. IN RRSIG NSEC 13 2 3600 20201112000000 20201022000000 ...

    _25._tcp.culturedbeef.nl. IN TLSA ? ; NXDomain AD=1
    culturedbeef.nl. IN SOA ns1.zxcs.nl. ns1.zxcs.nl. 2017101200 ...
    culturedbeef.nl. IN RRSIG SOA 13 2 86400 20201112000000 20201022000000 ...
    x._domainkey.culturedbeef.nl. IN NSEC ftp.culturedbeef.nl. TXT RRSIG NSEC
    x._domainkey.culturedbeef.nl. IN RRSIG NSEC 13 4 86400 20201112000000 20201022000000 ...
    culturedbeef.nl. IN NSEC _dmarc.culturedbeef.nl. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY
    culturedbeef.nl. IN RRSIG NSEC 13 2 86400 20201112000000 20201022000000 ...

    _25._tcp.kiddemon.nl. IN TLSA ? ; NXDomain AD=1
    kiddemon.nl. IN SOA ns1.zxcs.nl. hostmaster at zxcs.nl. 2020040301 ...
    kiddemon.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
    _domainkey.kiddemon.nl. IN NSEC ftp.kiddemon.nl. TXT RRSIG NSEC
    _domainkey.kiddemon.nl. IN RRSIG NSEC 13 3 3600 20201112000000 20201022000000 ...
    kiddemon.nl. IN NSEC _dmarc.kiddemon.nl. A NS SOA TXT AAAA RRSIG NSEC DNSKEY
    kiddemon.nl. IN RRSIG NSEC 13 2 3600 20201112000000 20201022000000 ...
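
The completeness check described in the message, as an added example (not code from the original post or its author): it parses the NSEC lines quoted above for fotobehang24.nl and tests whether they cover both the qname and the wildcard at the closest encloser. Assumptions: names are plain ASCII without escapes, and RRSIG validation is out of scope.

```python
# Added example: does an NXDOMAIN answer carry both NSEC proofs (RFC 4035 5.4)?
# Sample data: NSEC lines copied from the two fotobehang24.nl responses above.
CLOUDFLARE = """\
_domainkey.fotobehang24.nl. IN NSEC ftp.fotobehang24.nl. TXT RRSIG NSEC
"""
GOOGLE = """\
_domainkey.fotobehang24.nl. IN NSEC ftp.fotobehang24.nl. TXT RRSIG NSEC
fotobehang24.nl. IN NSEC _dmarc.fotobehang24.nl. A NS SOA TXT AAAA RRSIG NSEC DNSKEY
"""

def key(name):
    """Canonical sort key (RFC 4034 6.1): lowercased labels, rightmost first."""
    return [l.encode() for l in reversed(name.lower().rstrip(".").split("."))]

def parse_nsec(text):
    """Return (owner, next) pairs from 'owner IN NSEC next types...' lines."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[2] == "NSEC":
            out.append((f[0], f[3]))
    return out

def covers(owner, nxt, name):
    """True if name falls strictly inside the gap owner -> nxt."""
    o, n, x = key(owner), key(nxt), key(name)
    if o < n:
        return o < x < n
    return x > o or x < n  # last NSEC in the zone wraps around to the apex

def closest_encloser(qname, owner, nxt):
    """Longest ancestor qname shares with either end of the covering NSEC."""
    q, best = key(qname), 0
    for other in (key(owner), key(nxt)):
        i = 0
        while i < min(len(q), len(other)) and q[i] == other[i]:
            i += 1
        best = max(best, i)
    return ".".join(l.decode() for l in reversed(q[:best])) + "."

def check_nxdomain(qname, text):
    """Return (qname_covered, wildcard_name, wildcard_covered)."""
    nsecs = parse_nsec(text)
    hit = next(((o, n) for o, n in nsecs if covers(o, n, qname)), None)
    if hit is None:
        return (False, None, False)
    wild = "*." + closest_encloser(qname, *hit)
    return (True, wild, any(covers(o, n, wild) for o, n in nsecs))
```

A validator that requires both proofs would accept the second response and treat the first as an unproven denial.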


