[dns-operations] Cloudflare public DNS sometimes forwards incomplete & duplicated subset of NSEC RRs

Marek Vavruša marek at vavrusa.com
Tue Sep 1 17:19:03 UTC 2020


Thanks Viktor, this looks like a bug in writing NSECs to the final response.

On Mon, 31 Aug 2020 at 23:09, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
>
> My validating resolver downstream of CF 1.1.1.1 (among others) at times
> sees "bogus" denial of existence for:
>
>     _25._tcp.mx.runbox.com IN TLSA ?
>
> This is because the set of NSEC records forwarded by Cloudflare for this
> domain is not complete.  Looking across the major public DNS services:
>
>     * All return AD=1
>     * I see the same zone apex SOA and signature for all
>     * The same NSEC record and signature for "munin01" for all
>     * The apex wildcard record and signature identically ONLY from
>       Google, Verisign and Quad9.  From CloudFlare, I get the munin01
>       NSEC record and signature twice, but this alone fails to validate the
>       NODATA response.
>
> CF ->   @ 1.1.1.1 _25._tcp.mx.runbox.com. IN TLSA ? ; +dnssec
>         runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008471 14400 3600 1296000 3600
>         runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. <same SOA sig>
>         munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
>         munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. <munin01-nsec-sig>
>         munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
>         munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. <munin01-nsec-sig>
>
> GOOG -> @ 8.8.8.8 _25._tcp.mx.runbox.com. IN TLSA ?
>         runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008471 14400 3600 1296000 3600
>         *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
>         munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
>         runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. <same SOA sig>
>         *.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com. <apex-wildcard-sig>
>         munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. <munin01-nsec-sig>
>
> VRSN -> @ 64.6.64.6 _25._tcp.mx.runbox.com. IN TLSA ?
>         runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008471 14400 3600 1296000 3600
>         runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. <same SOA sig>
>         *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
>         *.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com. <apex-wildcard-sig>
>         munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
>         munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. <munin01-nsec-sig>
>
> Q9 ->   @ 9.9.9.10 _25._tcp.mx.runbox.com. IN TLSA ?
>         runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008471 14400 3600 1296000 3600
>         runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. <same SOA sig>
>         *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
>         *.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com. <apex-wildcard-sig>
>         munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
>         munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. <munin01-nsec-sig>
>
> The same incomplete/redundant response comes back from 1.1.1.1 when
> queried from California, New York and Germany, presumably different
> instances, with fresh uncached results.  Oddly enough, if I send the
> same query to CF with also the "CD" bit set, I get a better answer,
> be it this time with "AD=0":
>
>         @ 1.1.1.1 _25._tcp.mx.runbox.com. IN TLSA ? ; +cd +dnssec
>         runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008471 14400 3600 1296000 3600
>         runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. <same SOA sig>
>         *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
>         munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
>         *.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com. <apex-wildcard-sig>
>         munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. <munin01-nsec-sig>
>
> Asking again without "cd" brings back the original incomplete answer.
>
> --
>     Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
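The validation failure Viktor describes is the RFC 4035 section 3.1.3.4 "wildcard no data" case: the NODATA answer for `_25._tcp.mx.runbox.com` is synthesized from `*.runbox.com`, so the authority section must carry both an NSEC covering the query name (proving the exact name does not exist) and the NSEC of the wildcard itself (proving the wildcard has no TLSA RRset). The following script is an added illustration, not code from either poster or from any resolver; it reimplements the RFC 4034 canonical name ordering and that two-part check and runs it over the NSEC sets transcribed from the 1.1.1.1 and 8.8.8.8 responses quoted above. It assumes the RRSIGs have already been verified (signature checking is deliberately left out) and that the wildcard's closest encloser is the longest common ancestor of the query name with the covering NSEC's owner or next name.

```python
from typing import List, Set, Tuple

# One NSEC RR: (owner name, next owner name, types present in the bitmap)
NSEC = Tuple[str, str, Set[str]]


def canonical_labels(name: str) -> List[bytes]:
    """Labels of an absolute name, lower-cased, root-most first (RFC 4034 §6.1)."""
    stripped = name.rstrip(".")
    if not stripped:
        return []
    return [lbl.lower().encode() for lbl in stripped.split(".")][::-1]


def canonical_cmp(a: str, b: str) -> int:
    """Canonical DNS name order: -1 if a sorts before b, 0 if equal, 1 if after."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def nsec_covers(owner: str, nxt: str, name: str) -> bool:
    """True if name sorts strictly between owner and next, i.e. this NSEC
    proves that name does not exist. The zone's last NSEC wraps to the apex."""
    if canonical_cmp(owner, nxt) < 0:
        return canonical_cmp(owner, name) < 0 and canonical_cmp(name, nxt) < 0
    return canonical_cmp(owner, name) < 0 or canonical_cmp(name, nxt) < 0


def common_ancestor(a: str, b: str) -> str:
    """Longest name that is an ancestor of (or equal to) both a and b."""
    la, lb = canonical_labels(a), canonical_labels(b)
    n = 0
    while n < min(len(la), len(lb)) and la[n] == lb[n]:
        n += 1
    return ".".join(lbl.decode() for lbl in reversed(la[:n])) + "."


def proves_wildcard_nodata(qname: str, qtype: str, nsecs: List[NSEC]):
    """RFC 4035 §3.1.3.4 'wildcard no data' check (assumes RRSIGs verified).
    Needs 1) an NSEC covering qname, and 2) the NSEC of *.<closest encloser>
    whose type bitmap lacks qtype. Returns (ok, findings)."""
    findings = []
    unique = {(o, n, frozenset(t)) for o, n, t in nsecs}
    if len(unique) != len(nsecs):
        findings.append("response repeats %d NSEC RR(s)" % (len(nsecs) - len(unique)))
    covering = [n for n in nsecs if nsec_covers(n[0], n[1], qname)]
    if not covering:
        findings.append("no NSEC covers %s" % qname)
        return False, findings
    owner, nxt, _ = covering[0]
    # Both the covering NSEC's owner and its next name exist, so the closest
    # encloser of qname is the longer of the two common ancestors (assumption).
    candidates = (common_ancestor(qname, owner), common_ancestor(qname, nxt))
    closest = max(candidates, key=lambda n: len(canonical_labels(n)))
    wildcard = "*." + closest
    wc = [n for n in nsecs if canonical_cmp(n[0], wildcard) == 0]
    if not wc:
        findings.append("missing NSEC for %s (closest encloser %s)" % (wildcard, closest))
        return False, findings
    if qtype in wc[0][2]:
        findings.append("%s lists %s in its type bitmap; not a NODATA proof" % (wildcard, qtype))
        return False, findings
    return True, findings


# NSEC RRs transcribed from the responses quoted in the thread
QNAME = "_25._tcp.mx.runbox.com."
MUNIN01 = ("munin01.runbox.com.", "ipmi.mysql01.runbox.com.", {"A", "RRSIG", "NSEC"})
APEX_WILDCARD = ("*.runbox.com.", "_acme-challenge.runbox.com.", {"A", "MX", "RRSIG", "NSEC"})
CLOUDFLARE_NSECS = [MUNIN01, MUNIN01]     # 1.1.1.1: same NSEC twice, no wildcard NSEC
GOOGLE_NSECS = [APEX_WILDCARD, MUNIN01]   # 8.8.8.8: wildcard NSEC plus covering NSEC

if __name__ == "__main__":
    for label, rrs in (("1.1.1.1", CLOUDFLARE_NSECS), ("8.8.8.8", GOOGLE_NSECS)):
        ok, notes = proves_wildcard_nodata(QNAME, "TLSA", rrs)
        print(label, "secure NODATA" if ok else "bogus", notes)
```

Run as-is, the 1.1.1.1 set is reported bogus with two findings (the repeated NSEC and the missing `*.runbox.com.` NSEC), while the 8.8.8.8 set passes; note that the duplicate alone does not break validation, it is the absent wildcard NSEC that does.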
