[dns-operations] Cloudflare public DNS, ongoing incomplete NSEC responses
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Oct 29 02:27:23 UTC 2020
The TLSA query below elicits an incomplete NSEC response, with just one
of the two required records present. The return NSEC record covers the
qname but not the wildcard:
_25._tcp.fotobehang24.nl. IN TLSA ? ; NXDomain AD=1
fotobehang24.nl. IN SOA ns.zxcs.nl. hostmaster at zxcs.nl. 2020070913 ...
fotobehang24.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
_domainkey.fotobehang24.nl. IN NSEC ftp.fotobehang24.nl. TXT RRSIG NSEC
_domainkey.fotobehang24.nl. IN RRSIG NSEC 13 3 3600 20201112000000 20201022000000 ...
a more complete response is observed from e.g. Google DNS:
_25._tcp.fotobehang24.nl. IN TLSA ? ; NXDomain AD=1
fotobehang24.nl. IN SOA ns.zxcs.nl. hostmaster at zxcs.nl. 2020070913 ...
fotobehang24.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
_domainkey.fotobehang24.nl. IN NSEC ftp.fotobehang24.nl. TXT RRSIG NSEC
_domainkey.fotobehang24.nl. IN RRSIG NSEC 13 3 3600 20201112000000 20201022000000 ...
fotobehang24.nl. IN NSEC _dmarc.fotobehang24.nl. A NS SOA TXT AAAA RRSIG NSEC DNSKEY
fotobehang24.nl. IN RRSIG NSEC 13 2 3600 20201112000000 20201022000000 ...
Similar results for a few more domains below my signature, which are but
a fraction of the full set.
--
Viktor.
CloudFlare:
_25._tcp.commonisme.nl. IN TLSA ? ; NXDomain AD=1
commonisme.nl. IN SOA ns.zxcs.nl. hostmaster at zxcs.nl. 2020060413 ...
commonisme.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
_domainkey.commonisme.nl. IN NSEC ftp.commonisme.nl. TXT RRSIG NSEC
_domainkey.commonisme.nl. IN RRSIG NSEC 13 3 3600 20201112000000 20201022000000 ...
_25._tcp.highbrunch.nl. IN TLSA ? ; NXDomain AD=1
highbrunch.nl. IN SOA ns1.zxcs.nl. hostmaster at zxcs.nl. 2018061112 ...
highbrunch.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
x._domainkey.highbrunch.nl. IN NSEC ftp.highbrunch.nl. TXT RRSIG NSEC
x._domainkey.highbrunch.nl. IN RRSIG NSEC 13 4 3600 20201112000000 20201022000000 ...
_25._tcp.houtindefamilie.nl. IN TLSA ? ; NXDomain AD=1
houtindefamilie.nl. IN SOA ns1.zxcs.nl. hostmaster at zxcs.nl. 2018031712 ...
houtindefamilie.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
x._domainkey.houtindefamilie.nl. IN NSEC ftp.houtindefamilie.nl. TXT RRSIG NSEC
x._domainkey.houtindefamilie.nl. IN RRSIG NSEC 13 4 3600 20201112000000 20201022000000 ...
_25._tcp.culturedbeef.nl. IN TLSA ? ; NXDomain AD=1
culturedbeef.nl. IN SOA ns1.zxcs.nl. ns1.zxcs.nl. 2017101200 ...
culturedbeef.nl. IN RRSIG SOA 13 2 86400 20201112000000 20201022000000 ...
x._domainkey.culturedbeef.nl. IN NSEC ftp.culturedbeef.nl. TXT RRSIG NSEC
x._domainkey.culturedbeef.nl. IN RRSIG NSEC 13 4 86400 20201112000000 20201022000000 ...
_25._tcp.kiddemon.nl. IN TLSA ? ; NXDomain AD=1
kiddemon.nl. IN SOA ns1.zxcs.nl. hostmaster at zxcs.nl. 2020040301 ...
kiddemon.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
_domainkey.kiddemon.nl. IN NSEC ftp.kiddemon.nl. TXT RRSIG NSEC
_domainkey.kiddemon.nl. IN RRSIG NSEC 13 3 3600 20201112000000 20201022000000 ...
Google:
_25._tcp.commonisme.nl. IN TLSA ? ; NXDomain AD=1
commonisme.nl. IN SOA ns.zxcs.nl. hostmaster at zxcs.nl. 2020060413 ...
commonisme.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
commonisme.nl. IN NSEC _dmarc.commonisme.nl. A NS SOA TXT AAAA RRSIG NSEC DNSKEY
commonisme.nl. IN RRSIG NSEC 13 2 3600 20201112000000 20201022000000 ...
_domainkey.commonisme.nl. IN NSEC ftp.commonisme.nl. TXT RRSIG NSEC
_domainkey.commonisme.nl. IN RRSIG NSEC 13 3 3600 20201112000000 20201022000000 ...
_25._tcp.houtindefamilie.nl. IN TLSA ? ; NXDomain AD=1
houtindefamilie.nl. IN SOA ns1.zxcs.nl. hostmaster at zxcs.nl. 2018031712 ...
houtindefamilie.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
x._domainkey.houtindefamilie.nl. IN NSEC ftp.houtindefamilie.nl. TXT RRSIG NSEC
x._domainkey.houtindefamilie.nl. IN RRSIG NSEC 13 4 3600 20201112000000 20201022000000 ...
houtindefamilie.nl. IN NSEC _dmarc.houtindefamilie.nl. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY
houtindefamilie.nl. IN RRSIG NSEC 13 2 3600 20201112000000 20201022000000 ...
_25._tcp.highbrunch.nl. IN TLSA ? ; NXDomain AD=1
highbrunch.nl. IN SOA ns1.zxcs.nl. hostmaster at zxcs.nl. 2018061112 ...
highbrunch.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
x._domainkey.highbrunch.nl. IN NSEC ftp.highbrunch.nl. TXT RRSIG NSEC
x._domainkey.highbrunch.nl. IN RRSIG NSEC 13 4 3600 20201112000000 20201022000000 ...
highbrunch.nl. IN NSEC _dmarc.highbrunch.nl. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY
highbrunch.nl. IN RRSIG NSEC 13 2 3600 20201112000000 20201022000000 ...
_25._tcp.culturedbeef.nl. IN TLSA ? ; NXDomain AD=1
culturedbeef.nl. IN SOA ns1.zxcs.nl. ns1.zxcs.nl. 2017101200 ...
culturedbeef.nl. IN RRSIG SOA 13 2 86400 20201112000000 20201022000000 ...
x._domainkey.culturedbeef.nl. IN NSEC ftp.culturedbeef.nl. TXT RRSIG NSEC
x._domainkey.culturedbeef.nl. IN RRSIG NSEC 13 4 86400 20201112000000 20201022000000 ...
culturedbeef.nl. IN NSEC _dmarc.culturedbeef.nl. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY
culturedbeef.nl. IN RRSIG NSEC 13 2 86400 20201112000000 20201022000000 ...
_25._tcp.kiddemon.nl. IN TLSA ? ; NXDomain AD=1
kiddemon.nl. IN SOA ns1.zxcs.nl. hostmaster at zxcs.nl. 2020040301 ...
kiddemon.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
_domainkey.kiddemon.nl. IN NSEC ftp.kiddemon.nl. TXT RRSIG NSEC
_domainkey.kiddemon.nl. IN RRSIG NSEC 13 3 3600 20201112000000 20201022000000 ...
kiddemon.nl. IN NSEC _dmarc.kiddemon.nl. A NS SOA TXT AAAA RRSIG NSEC DNSKEY
kiddemon.nl. IN RRSIG NSEC 13 2 3600 20201112000000 20201022000000 ...
More information about the dns-operations
mailing list