[dns-operations] Cloudflare (and perhaps also Google) public DNS sometimes forwards incomplete & duplicated subset of NSEC RRs
Viktor Dukhovni
ietf-dane at dukhovni.org
Tue Sep 1 08:22:07 UTC 2020
On Tue, Sep 01, 2020 at 01:48:17AM -0400, Viktor Dukhovni wrote:
> Oddly enough, if I send the
> same query to CF with also the "CD" bit set, I get a better answer,
> be it this time with "AD=0":
>
> @ 1.1.1.1 _25._tcp.mx.runbox.com. IN TLSA ? ; +cd +dnssec
> runbox.com. IN SOA dns61.copyleft.no. hostmaster.copyleft.no. 3000008471 14400 3600 1296000 3600
> runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. <same SOA sig>
> *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
> munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> *.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com. <apex-wildcard-sig>
> munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. <munin01-nsec-sig>
>
> Asking again without "cd" brings back the original incomplete answer.
It seems that the "+cd" observation is not robust. I also see responses
without the wildcard nsec sometimes with "+cd".
; <<>> DiG 9.16.3 <<>> +cd +dnssec -t tlsa @1.1.1.1 _25._tcp.mx.runbox.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3079
;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;_25._tcp.mx.runbox.com. IN TLSA
;; AUTHORITY SECTION:
runbox.com. 3362 IN SOA dns61.copyleft.no. hostmaster.copyleft.no. 3000008471 14400 3600 1296000 3600
runbox.com. 3362 IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. W8mB29w0BTau0mRPcduMsOJIkRFgTn8DKhBskr7pYJe2AYQzWGTxV1fK TN0dWKpVj5ewIdUPuKl3KSSxmJ9lNw==
munin01.runbox.com. 3362 IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
munin01.runbox.com. 3362 IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. 4gSQplps2UJsbpD6qVCrxl9njcu3jjWWMrQN8fx83AIalDkYrl3uLycX +K+HKLUiSjAphBiSzDo/JQMx1WjRhg==
munin01.runbox.com. 3362 IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
munin01.runbox.com. 3362 IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. 4gSQplps2UJsbpD6qVCrxl9njcu3jjWWMrQN8fx83AIalDkYrl3uLycX +K+HKLUiSjAphBiSzDo/JQMx1WjRhg==
When that happens, the AD bit is set in the response. This appears to
be correlated with the payload. When +cd elicits a complete response,
the AD bit is not set:
; <<>> DiG 9.11.1-P3 <<>> +cd +dnssec @1.1.1.1 _25._tcp.mx.runbox.com. tlsa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62406
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;_25._tcp.mx.runbox.com. IN TLSA
;; AUTHORITY SECTION:
runbox.com. 3600 IN SOA dns61.copyleft.no. hostmaster.copyleft.no. 3000008471 14400 3600 1296000 3600
runbox.com. 3600 IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. W8mB29w0BTau0mRPcduMsOJIkRFgTn8DKhBskr7pYJe2AYQzWGTxV1fK TN0dWKpVj5ewIdUPuKl3KSSxmJ9lNw==
*.runbox.com. 3600 IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
munin01.runbox.com. 3600 IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
*.runbox.com. 3600 IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com. 3VVEU97k3XDgYtHFscg3EUC/PpiwitKEjpgJDPBFSfu5rSg165gENRgI MnYNtPhm11IqHSO7yY62C2l6PvnlrA==
munin01.runbox.com. 3600 IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. 4gSQplps2UJsbpD6qVCrxl9njcu3jjWWMrQN8fx83AIalDkYrl3uLycX +K+HKLUiSjAphBiSzDo/JQMx1WjRhg==
Something interesting is going on in the upstream cache. But to add
more to the mystery, here's an unexpected response from Google:
; <<>> DiG 9.11.1-P3 <<>> +cd +dnssec @8.8.8.8 _25._tcp.mx.runbox.com. tlsa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8844
;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;_25._tcp.mx.runbox.com. IN TLSA
;; AUTHORITY SECTION:
runbox.com. 872 IN SOA dns61.copyleft.no. hostmaster.copyleft.no. 3000008471 14400 3600 1296000 3600
runbox.com. 872 IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. W8mB29w0BTau0mRPcduMsOJIkRFgTn8DKhBskr7pYJe2AYQzWGTxV1fK TN0dWKpVj5ewIdUPuKl3KSSxmJ9lNw==
*.runbox.com. 2672 IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
*.runbox.com. 2672 IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com. 3VVEU97k3XDgYtHFscg3EUC/PpiwitKEjpgJDPBFSfu5rSg165gENRgI MnYNtPhm11IqHSO7yY62C2l6PvnlrA==
No duplication, but where's the requisite NSEC record proving the
non-existence of "mx.runbox.com"? And without +cd:
; <<>> DiG 9.11.1-P3 <<>> +dnssec @8.8.4.4 _25._tcp.mx.runbox.com. tlsa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13233
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;_25._tcp.mx.runbox.com. IN TLSA
;; AUTHORITY SECTION:
runbox.com. 1274 IN SOA dns61.copyleft.no. hostmaster.copyleft.no. 3000008471 14400 3600 1296000 3600
runbox.com. 1274 IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. W8mB29w0BTau0mRPcduMsOJIkRFgTn8DKhBskr7pYJe2AYQzWGTxV1fK TN0dWKpVj5ewIdUPuKl3KSSxmJ9lNw==
*.runbox.com. 3074 IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
*.runbox.com. 3074 IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com. 3VVEU97k3XDgYtHFscg3EUC/PpiwitKEjpgJDPBFSfu5rSg165gENRgI MnYNtPhm11IqHSO7yY62C2l6PvnlrA==
What am I "missing"? Why are these responses dropping some of the NSEC
RRs? The reported nameservers for runbox.com from both the .com glue
and the auth data are:
runbox.com. IN NS dns61.copyleft.no.
runbox.com. IN NS dns62.copyleft.no.
runbox.com. IN NS dns63.copyleft.no.
Asking the .no zone I get referrals to:
copyleft.no. IN NS dns10.copyleft.no.
copyleft.no. IN NS dns11.copyleft.no.
copyleft.no. IN NS dns12.copyleft.no.
;
dns10.copyleft.no. IN A 185.226.148.5
dns11.copyleft.no. IN A 178.255.144.240
dns12.copyleft.no. IN A 151.252.14.5
dns10.copyleft.no. IN AAAA 2a0c:5a00:148::5
dns11.copyleft.no. IN AAAA 2a02:20c8:1422:1::f0
dns12.copyleft.no. IN AAAA 2a02:d140:1:25::5
From all these in turn I get:
dns61.copyleft.no. IN A 185.226.148.4
dns61.copyleft.no. IN AAAA 2a0c:5a00:148::4
dns62.copyleft.no. IN A 178.255.144.4
dns62.copyleft.no. IN AAAA 2a02:20c8:1422:1::4
dns63.copyleft.no. IN A 151.252.14.13
dns63.copyleft.no. IN AAAA 2a02:d140:1:3c::3
And from these, asking the original question, with or without
the CD bit, I get the same answer with the full NSEC chain:
@ 185.226.148.4
_25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=0
runbox.com. IN SOA dns61.copyleft.no. hostmaster.copyleft.no. 3000008471 14400 3600 1296000 3600 ; AD=0
*.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC ; AD=0
munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC ; AD=0
runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. W8mB29w0BTau0mRPcduMsOJIkRFgTn8DKhBskr7pYJe2AYQzWGTxV1fKTN0dWKpVj5ewIdUPuKl3KSSxmJ9lNw== ; AD=0
*.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com. 3VVEU97k3XDgYtHFscg3EUC/PpiwitKEjpgJDPBFSfu5rSg165gENRgIMnYNtPhm11IqHSO7yY62C2l6PvnlrA== ; AD=0
munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. 4gSQplps2UJsbpD6qVCrxl9njcu3jjWWMrQN8fx83AIalDkYrl3uLycX+K+HKLUiSjAphBiSzDo/JQMx1WjRhg== ; AD=0
@ 2a0c:5a00:148::4
_25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=0
runbox.com. IN SOA dns61.copyleft.no. hostmaster.copyleft.no. 3000008471 14400 3600 1296000 3600 ; AD=0
*.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC ; AD=0
munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC ; AD=0
runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. W8mB29w0BTau0mRPcduMsOJIkRFgTn8DKhBskr7pYJe2AYQzWGTxV1fKTN0dWKpVj5ewIdUPuKl3KSSxmJ9lNw== ; AD=0
*.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com. 3VVEU97k3XDgYtHFscg3EUC/PpiwitKEjpgJDPBFSfu5rSg165gENRgIMnYNtPhm11IqHSO7yY62C2l6PvnlrA== ; AD=0
munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. 4gSQplps2UJsbpD6qVCrxl9njcu3jjWWMrQN8fx83AIalDkYrl3uLycX+K+HKLUiSjAphBiSzDo/JQMx1WjRhg== ; AD=0
@ 178.255.144.4
_25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=0
runbox.com. IN SOA dns61.copyleft.no. hostmaster.copyleft.no. 3000008471 14400 3600 1296000 3600 ; AD=0
*.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC ; AD=0
munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC ; AD=0
runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. W8mB29w0BTau0mRPcduMsOJIkRFgTn8DKhBskr7pYJe2AYQzWGTxV1fKTN0dWKpVj5ewIdUPuKl3KSSxmJ9lNw== ; AD=0
*.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com. 3VVEU97k3XDgYtHFscg3EUC/PpiwitKEjpgJDPBFSfu5rSg165gENRgIMnYNtPhm11IqHSO7yY62C2l6PvnlrA== ; AD=0
munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. 4gSQplps2UJsbpD6qVCrxl9njcu3jjWWMrQN8fx83AIalDkYrl3uLycX+K+HKLUiSjAphBiSzDo/JQMx1WjRhg== ; AD=0
@ 2a02:20c8:1422:1::4
_25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=0
runbox.com. IN SOA dns61.copyleft.no. hostmaster.copyleft.no. 3000008471 14400 3600 1296000 3600 ; AD=0
*.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC ; AD=0
munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC ; AD=0
runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. W8mB29w0BTau0mRPcduMsOJIkRFgTn8DKhBskr7pYJe2AYQzWGTxV1fKTN0dWKpVj5ewIdUPuKl3KSSxmJ9lNw== ; AD=0
*.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com. 3VVEU97k3XDgYtHFscg3EUC/PpiwitKEjpgJDPBFSfu5rSg165gENRgIMnYNtPhm11IqHSO7yY62C2l6PvnlrA== ; AD=0
munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. 4gSQplps2UJsbpD6qVCrxl9njcu3jjWWMrQN8fx83AIalDkYrl3uLycX+K+HKLUiSjAphBiSzDo/JQMx1WjRhg== ; AD=0
@ 151.252.14.13
_25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=0
runbox.com. IN SOA dns61.copyleft.no. hostmaster.copyleft.no. 3000008471 14400 3600 1296000 3600 ; AD=0
*.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC ; AD=0
munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC ; AD=0
runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. W8mB29w0BTau0mRPcduMsOJIkRFgTn8DKhBskr7pYJe2AYQzWGTxV1fKTN0dWKpVj5ewIdUPuKl3KSSxmJ9lNw== ; AD=0
*.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com. 3VVEU97k3XDgYtHFscg3EUC/PpiwitKEjpgJDPBFSfu5rSg165gENRgIMnYNtPhm11IqHSO7yY62C2l6PvnlrA== ; AD=0
munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. 4gSQplps2UJsbpD6qVCrxl9njcu3jjWWMrQN8fx83AIalDkYrl3uLycX+K+HKLUiSjAphBiSzDo/JQMx1WjRhg== ; AD=0
@ 2a02:d140:1:3c::3
_25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=0
runbox.com. IN SOA dns61.copyleft.no. hostmaster.copyleft.no. 3000008471 14400 3600 1296000 3600 ; AD=0
*.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC ; AD=0
munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC ; AD=0
runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. W8mB29w0BTau0mRPcduMsOJIkRFgTn8DKhBskr7pYJe2AYQzWGTxV1fKTN0dWKpVj5ewIdUPuKl3KSSxmJ9lNw== ; AD=0
*.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com. 3VVEU97k3XDgYtHFscg3EUC/PpiwitKEjpgJDPBFSfu5rSg165gENRgIMnYNtPhm11IqHSO7yY62C2l6PvnlrA== ; AD=0
munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. 4gSQplps2UJsbpD6qVCrxl9njcu3jjWWMrQN8fx83AIalDkYrl3uLycX+K+HKLUiSjAphBiSzDo/JQMx1WjRhg== ; AD=0
So I'm at a loss to explain what's happening... Haven't seen any
anomalous replies yet from either VRSN or Quad9.
--
Viktor.
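The defect discussed above is easiest to see by asking what a validator actually needs from the AUTHORITY section. The query _25._tcp.mx.runbox.com./TLSA is answered from the wildcard *.runbox.com, which has A and MX but no TLSA, so this is a wildcard NODATA response (RFC 4035 section 3.1.3.4). Proving it needs two NSEC RRs: one covering the "next closer name" mx.runbox.com (the munin01.runbox.com NSEC, since munin01 < mx < ipmi.mysql01 in canonical order), and the NSEC owned by *.runbox.com itself, whose type bitmap lacks TLSA. The Cloudflare response carried only the first (twice) and the Google response only the second. The following script is an added example, not part of the post or of any resolver's code; it implements canonical name ordering and the NSEC coverage test, feeds it the three NSEC sets transcribed from the quoted responses, and reports which of them are sufficient proofs. RRSIG verification is assumed to have already been done, and the record-set labels (AUTH_FULL and so on) are my own.

```python
"""Sufficiency check for a DNSSEC wildcard NODATA proof (RFC 4035 s3.1.3.4).

Added example, not part of the original post.  RRSIG validation is assumed to
have succeeded already; this only asks whether the NSEC RRs carried in the
AUTHORITY section are enough to prove the answer.  The record sets at the
bottom are transcribed from the responses quoted in the thread.
"""
from dataclasses import dataclass


def labels(name):
    """Labels of an absolute name, lowercased, root label dropped."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def canonical_key(name):
    """Sort key for RFC 4034 s6.1 canonical name order: compare labels from
    the rightmost (most significant) leftwards, case-insensitively, as byte
    strings; a proper ancestor sorts before its descendants."""
    return [l.encode("ascii") for l in reversed(labels(name))]


def covers(nsec_owner, nsec_next, name):
    """True if the NSEC (owner, next) proves `name` does not exist, i.e. the
    name sorts strictly between owner and next.  The last NSEC in a zone has
    next < owner (it wraps to the apex), so that interval is open-ended."""
    owner, nxt, n = (canonical_key(x) for x in (nsec_owner, nsec_next, name))
    if owner < nxt:
        return owner < n < nxt
    if owner == nxt:                 # single-name zone: everything but the owner
        return n != owner
    return n > owner or n < nxt      # wrap-around at the end of the chain


@dataclass(frozen=True)
class NSEC:
    owner: str
    next_name: str
    types: frozenset


def nsec(owner, next_name, types):
    """Build an NSEC from presentation-format fields ("A MX RRSIG NSEC")."""
    return NSEC(owner, next_name, frozenset(types.upper().split()))


def wildcard_nodata_proof(qname, qtype, nsecs):
    """Return (ok, reason).  A wildcard NODATA answer needs two NSECs:
      1. one covering the "next closer name" (QNAME cut back to one label
         below the closest encloser), proving QNAME itself does not exist; and
      2. the NSEC owned by the matching wildcard, whose type bitmap lacks
         QTYPE and CNAME, proving the wildcard exists but has no such RRset.
    Either alone proves nothing: without (1) the QNAME might exist with its
    own data, without (2) the wildcard might hold the QTYPE."""
    qtype = qtype.upper()
    q = labels(qname)
    for wc in nsecs:
        wl = labels(wc.owner)
        if not wl or wl[0] != "*":
            continue
        ce = wl[1:]                               # closest encloser candidate
        if len(ce) >= len(q) or q[-len(ce):] != ce:
            continue                              # wildcard cannot match QNAME
        if qtype in wc.types or "CNAME" in wc.types:
            return False, f"{wc.owner} has {qtype}/CNAME: not a NODATA answer"
        next_closer = ".".join(q[-(len(ce) + 1):]) + "."
        if any(covers(n.owner, n.next_name, next_closer) for n in nsecs):
            return True, f"{next_closer} covered and {wc.owner} lacks {qtype}"
        return False, f"no NSEC covers next closer name {next_closer}"
    return False, "no wildcard NSEC for any ancestor of the QNAME"


QNAME, QTYPE = "_25._tcp.mx.runbox.com.", "TLSA"

# Authoritative answer (dns61/62/63.copyleft.no): both NSECs present.
AUTH_FULL = [
    nsec("*.runbox.com.", "_acme-challenge.runbox.com.", "A MX RRSIG NSEC"),
    nsec("munin01.runbox.com.", "ipmi.mysql01.runbox.com.", "A RRSIG NSEC"),
]
# 1.1.1.1 with +cd, AD=1: the munin01 NSEC twice, the wildcard NSEC missing.
CF_DUPLICATED = [
    nsec("munin01.runbox.com.", "ipmi.mysql01.runbox.com.", "A RRSIG NSEC"),
    nsec("munin01.runbox.com.", "ipmi.mysql01.runbox.com.", "A RRSIG NSEC"),
]
# 8.8.8.8 / 8.8.4.4: only the wildcard NSEC, nothing covering mx.runbox.com.
GOOGLE_WILDCARD_ONLY = [
    nsec("*.runbox.com.", "_acme-challenge.runbox.com.", "A MX RRSIG NSEC"),
]

CASES = {"authoritative": AUTH_FULL, "cloudflare": CF_DUPLICATED,
         "google": GOOGLE_WILDCARD_ONLY}


def check_all():
    """Evaluate the three observed AUTHORITY sections; returns {label: ok}."""
    return {k: wildcard_nodata_proof(QNAME, QTYPE, v)[0] for k, v in CASES.items()}


if __name__ == "__main__":
    for label, rrs in CASES.items():
        ok, why = wildcard_nodata_proof(QNAME, QTYPE, rrs)
        print(f"{label:14} {'PROVEN' if ok else 'BOGUS '} {why}")
```

A validating stub that runs this against the two public-resolver responses would mark them bogus (or, with CD set, simply be unable to prove the NODATA), which is why the truncated NSEC set matters for DANE clients rather than being a cosmetic difference in the AUTHORITY section. Only the authoritative set passes.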