[dns-operations] Cloudflare public DNS sometimes forwards incomplete&duplicated subset of NSEC RRs

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Sep 1 05:48:17 UTC 2020


My validating resolver downstream of CF 1.1.1.1 (among others) at times
sees "bogus" denial of existence for:

    _25._tcp.mx.runbox.com IN TLSA ?

This is because the set of NSEC records forwarded by Cloudflare for this
domain is not complete.  Looking across the major public DNS services:

    * All return AD=1
    * I see the same zone apex SOA and signature for all
    * The same NSEC record and signature for "munin01" for all
    * The apex wildcard record and signature identically ONLY from
      Google, Verisign and Quad9.  From CloudFlare, I get the munin01
      NSEC record and signature twice, but this alone fails to validate the
      NODATA response.

CF ->   @ 1.1.1.1 _25._tcp.mx.runbox.com. IN TLSA ? ; +dnssec
        runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008471 14400 3600 1296000 3600
        runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. <same SOA sig>
        munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
        munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. <munin01-nsec-sig>
        munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
        munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. <munin01-nsec-sig>

GOOG -> @ 8.8.8.8 _25._tcp.mx.runbox.com. IN TLSA ?
        runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008471 14400 3600 1296000 3600
        *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
        munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
        runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. <same SOA sig>
        *.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com. <apex-wildcard-sig>
        munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. <munin01-nsec-sig>

VRSN -> @ 64.6.64.6 _25._tcp.mx.runbox.com. IN TLSA ?
        runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008471 14400 3600 1296000 3600
        runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. <same SOA sig>
        *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
        *.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com. <apex-wildcard-sig>
        munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
        munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. <munin01-nsec-sig>

Q9 ->   @ 9.9.9.10 _25._tcp.mx.runbox.com. IN TLSA ?
        runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008471 14400 3600 1296000 3600
        runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. <same SOA sig>
        *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
        *.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com. <apex-wildcard-sig>
        munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
        munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. <munin01-nsec-sig>

The same incomplete/redundant response comes back from 1.1.1.1 when
queried from California, New York and Germany, presumably different
instances, with fresh uncached results.  Oddly enough, if I send the
same query to CF with also the "CD" bit set, I get a better answer,
albeit this time with "AD=0":

        @ 1.1.1.1 _25._tcp.mx.runbox.com. IN TLSA ? ; +cd +dnssec
        runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008471 14400 3600 1296000 3600
        runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. <same SOA sig>
        *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
        munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
        *.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com. <apex-wildcard-sig>
        munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. <munin01-nsec-sig>

Asking again without "cd" brings back the original incomplete answer.

-- 
    Viktor.
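To make the validation failure above concrete, here is an added example (my own code, not Viktor's or any resolver's) that applies the RFC 4035 "Wildcard No Data" rule to the NSEC sets shown in the post: a NODATA answer for a name that exists only via a wildcard needs one NSEC covering the QNAME (proving no exact match and, through its endpoints, no closer encloser) and one NSEC matching the wildcard at the closest encloser whose type bitmap lacks the QTYPE. The closest encloser is derived the way validators such as Unbound do it, as the deeper of the common ancestors of the QNAME with the covering NSEC's owner and with its next name. Records are represented as (owner, next, types) tuples transcribed from the dig output in the post; RRSIG verification is assumed to have already succeeded and is not implemented. The check also handles the plain (non-wildcard) NODATA case, which the post does not show.

```python
"""Which NSEC sets prove a (wildcard) NODATA answer?  Added example, not from the post.

Rule checked: RFC 4035 section 3.1.3.4 "Wildcard No Data Error" needs two NSEC RRs,
one covering QNAME and one matching the wildcard at the closest encloser whose type
bitmap lacks QTYPE and CNAME.  An NSEC is modelled as (owner, next, {types});
RRSIG verification is assumed to have been done already (not implemented here).
"""


def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical ordering: labels compared from
    the root, case-folded, byte-wise; an ancestor sorts before its children."""
    labels = [lab.lower().encode("ascii") for lab in name.rstrip(".").split(".") if lab]
    return tuple(reversed(labels))


def nsec_covers(nsec, name):
    """True when `name` sorts strictly between the NSEC owner and its next name
    (the last NSEC in a zone wraps around to the apex)."""
    owner, nxt, _types = nsec
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(name)
    if o < n:
        return o < q < n
    return q > o or q < n


def common_ancestor(a, b):
    """Longest name that is an ancestor of (or equal to) both a and b."""
    shared = []
    for la, lb in zip(canonical_key(a), canonical_key(b)):
        if la != lb:
            break
        shared.append(la.decode("ascii"))
    return ".".join(reversed(shared)) + "."


def closest_encloser(covering_nsec, qname):
    """Closest encloser of a name covered by an NSEC: the deeper of the common
    ancestors of qname with the NSEC owner and with its next name.  Every name
    strictly between those endpoints is proven absent, so no deeper ancestor exists."""
    owner, nxt, _types = covering_nsec
    c1, c2 = common_ancestor(qname, owner), common_ancestor(qname, nxt)
    return c1 if len(canonical_key(c1)) >= len(canonical_key(c2)) else c2


def proves_nodata(nsecs, qname, qtype):
    """Return (ok, reason).  Handles the plain NODATA case (an NSEC owned by QNAME)
    and the wildcard NODATA case the post is about."""
    qkey = canonical_key(qname)
    for owner, _nxt, types in nsecs:
        if canonical_key(owner) == qkey:
            if qtype in types or "CNAME" in types:
                return False, f"{owner} has {qtype} or CNAME: not a NODATA"
            return True, f"{owner} exists and lacks {qtype}"
    covering = [n for n in nsecs if nsec_covers(n, qname)]
    if not covering:
        return False, "no NSEC covers QNAME and none matches it"
    ce = closest_encloser(covering[0], qname)
    wildcard = "*." + ce if ce != "." else "*."
    wkey = canonical_key(wildcard)
    for owner, _nxt, types in nsecs:
        if canonical_key(owner) == wkey:
            if qtype in types or "CNAME" in types:
                return False, f"{wildcard} has {qtype} or CNAME: not a NODATA"
            return True, f"{covering[0][0]} covers QNAME; {wildcard} lacks {qtype}"
    if any(nsec_covers(n, wildcard) for n in nsecs):
        return False, f"{wildcard} is proven absent: an NXDOMAIN proof, not NODATA"
    return False, f"missing NSEC for {wildcard} (closest encloser {ce})"


# NSEC sets transcribed from the post's dig output (types as listed in each bitmap).
MUNIN01 = ("munin01.runbox.com.", "ipmi.mysql01.runbox.com.", {"A", "RRSIG", "NSEC"})
APEX_WILDCARD = ("*.runbox.com.", "_acme-challenge.runbox.com.", {"A", "MX", "RRSIG", "NSEC"})
CLOUDFLARE_NSECS = [MUNIN01, MUNIN01]      # 1.1.1.1 without CD: munin01 NSEC twice
GOOGLE_NSECS = [APEX_WILDCARD, MUNIN01]    # 8.8.8.8, Verisign, Quad9, and 1.1.1.1 with CD
QNAME, QTYPE = "_25._tcp.mx.runbox.com.", "TLSA"

if __name__ == "__main__":
    for label, rrs in (("Cloudflare", CLOUDFLARE_NSECS), ("Google", GOOGLE_NSECS)):
        ok, why = proves_nodata(rrs, QNAME, QTYPE)
        print(f"{label:10s} {'secure' if ok else 'bogus':6s} {why}")
```

Run stand-alone, the Cloudflare set is reported as bogus with the missing `*.runbox.com.` NSEC named, and the Google set (which the Verisign and Quad9 answers, and the CD-bit answer from 1.1.1.1, are equal to) as secure. The duplicate munin01 NSEC contributes nothing: a validator that first de-duplicates the RRset sees exactly one covering record and no wildcard record, which is why the response cannot be marked AD=1 legitimately.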


