[dns-operations] Cloudflare public DNS sometimes forwards incomplete&duplicated subset of NSEC RRs
Stephane Bortzmeyer
bortzmeyer at nic.fr
Tue Sep 1 07:58:06 UTC 2020
On Tue, Sep 01, 2020 at 01:48:17AM -0400,
Viktor Dukhovni <ietf-dane at dukhovni.org> wrote
a message of 71 lines which said:
> * The apex wildcard record and signature identically ONLY from
> Google, Verisign and Quad9. From CloudFlare, I get the munin01
> NSEC record and signature twice, but this alone fails to validate the
> NODATA response.
AFAIK, Cloudflare uses Knot Resolver. I tested with another Knot
resolver and it works:
Local Knot resolver (+dnssec in .digrc):
% dig _25._tcp.mx.runbox.com TLSA
; <<>> DiG 9.16.6-Debian <<>> _25._tcp.mx.runbox.com TLSA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9840
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;_25._tcp.mx.runbox.com. IN TLSA
;; AUTHORITY SECTION:
runbox.com. 3600 IN SOA dns61.copyleft.no. hostmaster.copyleft.no. (
3000008471 ; serial
14400 ; refresh (4 hours)
3600 ; retry (1 hour)
1296000 ; expire (2 weeks 1 day)
3600 ; minimum (1 hour)
)
*.runbox.com. 3600 IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
munin01.runbox.com. 3600 IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
runbox.com. 3600 IN RRSIG SOA 13 2 86400 (
20200914155225 20200831142225 38438 runbox.com.
W8mB29w0BTau0mRPcduMsOJIkRFgTn8DKhBskr7pYJe2
AYQzWGTxV1fKTN0dWKpVj5ewIdUPuKl3KSSxmJ9lNw== )
*.runbox.com. 3600 IN RRSIG NSEC 13 2 3600 (
20200914155225 20200831142225 38438 runbox.com.
3VVEU97k3XDgYtHFscg3EUC/PpiwitKEjpgJDPBFSfu5
rSg165gENRgIMnYNtPhm11IqHSO7yY62C2l6PvnlrA== )
munin01.runbox.com. 3600 IN RRSIG NSEC 13 3 3600 (
20200914155225 20200831142225 38438 runbox.com.
4gSQplps2UJsbpD6qVCrxl9njcu3jjWWMrQN8fx83AIa
lDkYrl3uLycX+K+HKLUiSjAphBiSzDo/JQMx1WjRhg== )
;; Query time: 250 msec
;; SERVER: 192.168.2.254#53(192.168.2.254)
;; WHEN: Tue Sep 01 07:54:35 UTC 2020
;; MSG SIZE rcvd: 546
Cloudflare:
% dig @1.1.1.1 _25._tcp.mx.runbox.com TLSA
; <<>> DiG 9.16.6-Debian <<>> @1.1.1.1 _25._tcp.mx.runbox.com TLSA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11561
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;_25._tcp.mx.runbox.com. IN TLSA
;; AUTHORITY SECTION:
runbox.com. 3600 IN SOA dns61.copyleft.no. hostmaster.copyleft.no. (
3000008471 ; serial
14400 ; refresh (4 hours)
3600 ; retry (1 hour)
1296000 ; expire (2 weeks 1 day)
3600 ; minimum (1 hour)
)
runbox.com. 3600 IN RRSIG SOA 13 2 86400 (
20200914155225 20200831142225 38438 runbox.com.
W8mB29w0BTau0mRPcduMsOJIkRFgTn8DKhBskr7pYJe2
AYQzWGTxV1fKTN0dWKpVj5ewIdUPuKl3KSSxmJ9lNw== )
munin01.runbox.com. 3600 IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
munin01.runbox.com. 3600 IN RRSIG NSEC 13 3 3600 (
20200914155225 20200831142225 38438 runbox.com.
4gSQplps2UJsbpD6qVCrxl9njcu3jjWWMrQN8fx83AIa
lDkYrl3uLycX+K+HKLUiSjAphBiSzDo/JQMx1WjRhg== )
munin01.runbox.com. 3600 IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
munin01.runbox.com. 3600 IN RRSIG NSEC 13 3 3600 (
20200914155225 20200831142225 38438 runbox.com.
4gSQplps2UJsbpD6qVCrxl9njcu3jjWWMrQN8fx83AIa
lDkYrl3uLycX+K+HKLUiSjAphBiSzDo/JQMx1WjRhg== )
;; Query time: 80 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Sep 01 07:56:00 UTC 2020
;; MSG SIZE rcvd: 541
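As an added illustration (not part of the original post, nor code from Knot Resolver or Cloudflare), the following Python script checks the two authority sections above against the denial-of-existence rules of RFC 4035 section 3.1.3.4 for a NODATA answer on a wildcard-synthesised name. It assumes a simple (owner, next, type-bitmap) tuple per NSEC RR, transcribes the NSEC records from the two dig outputs as its sample input, and deliberately leaves RRSIG verification out of scope: the point is which NSEC RRs must be present, and why the munin01 NSEC alone, even sent twice, cannot validate the response.

```python
"""Added example, not from the original post: check whether the NSEC RRs in a
NODATA answer for a wildcard-synthesised name form the complete proof that
RFC 4035 section 3.1.3.4 requires.  RRSIG verification is out of scope."""
from collections import Counter


def labels(name):
    """Lowercase labels of a presentation-format name, leftmost first, root omitted."""
    return [lbl.lower() for lbl in name.rstrip(".").split(".") if lbl]


def canonical_key(name):
    """RFC 4034 section 6.1 canonical ordering key: labels are compared from the
    root downward as unsigned octet strings, and an ancestor sorts before its
    descendants.  Python's list-of-bytes comparison implements exactly that."""
    return [lbl.encode() for lbl in reversed(labels(name))]


def covers(nsec, name):
    """True if `name` lies strictly between the NSEC owner and its next name.
    The last NSEC of a zone points back to the apex, so its range wraps around."""
    owner, nxt, _types = nsec
    o, n, k = canonical_key(owner), canonical_key(nxt), canonical_key(name)
    if o < n:
        return o < k < n
    return k > o or k < n          # wrap-around range at the end of the zone


def is_proper_ancestor(ancestor, name):
    a, n = labels(ancestor), labels(name)
    return len(a) < len(n) and n[len(n) - len(a):] == a


def wildcard_nodata_proof(qname, qtype, nsecs):
    """Return (ok, reason).  Each NSEC is (owner, next_owner, type_bitmap).

    A NODATA proof for a wildcard-synthesised QNAME needs two NSEC RRs:
      1. one owned by the wildcard *.<closest encloser> whose type bitmap
         lacks QTYPE, proving the wildcard really has no such RRset;
      2. one covering the "next closer name" (the child of the closest
         encloser on the path to QNAME), proving no closer match exists,
         so the wildcard is indeed the name that applies.
    """
    qtype = qtype.upper()
    q = labels(qname)
    wildcards = [n for n in nsecs
                 if labels(n[0])[:1] == ["*"]
                 and is_proper_ancestor(".".join(labels(n[0])[1:]), qname)]
    if not wildcards:
        return False, ("no NSEC owned by a wildcard above %s: cannot prove the "
                       "wildcard lacks %s" % (qname, qtype))
    for owner, _nxt, types in wildcards:
        if qtype in {t.upper() for t in types}:
            return False, "%s lists %s in its bitmap; not a NODATA case" % (owner, qtype)
        ce = labels(owner)[1:]                                  # closest encloser
        next_closer = ".".join(q[len(q) - len(ce) - 1:]) + "."  # its child toward QNAME
        covering = [n for n in nsecs if covers(n, next_closer)]
        if covering:
            return True, "%s has no %s; NSEC %s covers next closer name %s" % (
                owner, qtype, covering[0][0], next_closer)
        return False, "no NSEC covers next closer name %s" % next_closer


def duplicate_nsecs(nsecs):
    """Owner names of NSEC RRs sent more than once.  A well-formed authority
    section carries each NSEC once; repeats point at a forwarding/caching fault."""
    counts = Counter((n[0].lower(), n[1].lower()) for n in nsecs)
    return sorted(owner for (owner, _nxt), c in counts.items() if c > 1)


# Sample input transcribed from the two dig outputs in the post.
QNAME, QTYPE = "_25._tcp.mx.runbox.com.", "TLSA"
KNOT_LOCAL = [
    ("*.runbox.com.", "_acme-challenge.runbox.com.", ["A", "MX", "RRSIG", "NSEC"]),
    ("munin01.runbox.com.", "ipmi.mysql01.runbox.com.", ["A", "RRSIG", "NSEC"]),
]
CLOUDFLARE = [
    ("munin01.runbox.com.", "ipmi.mysql01.runbox.com.", ["A", "RRSIG", "NSEC"]),
    ("munin01.runbox.com.", "ipmi.mysql01.runbox.com.", ["A", "RRSIG", "NSEC"]),
]

if __name__ == "__main__":
    for label, rrs in (("local Knot", KNOT_LOCAL), ("Cloudflare 1.1.1.1", CLOUDFLARE)):
        ok, why = wildcard_nodata_proof(QNAME, QTYPE, rrs)
        print("%-18s proof %s: %s" % (label, "complete" if ok else "INCOMPLETE", why))
        dups = duplicate_nsecs(rrs)
        if dups:
            print("%-18s duplicated NSEC owner(s): %s" % (label, ", ".join(dups)))
```

Run as-is, the local Knot section passes (the *.runbox.com NSEC lacks TLSA and the munin01 NSEC covers mx.runbox.com, the next closer name), while the 1.1.1.1 section fails for lack of any wildcard-owned NSEC and is additionally flagged for carrying the munin01 NSEC twice.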