[dns-operations] Cloudflare public DNS sometimes forwards incomplete & duplicated subset of NSEC RRs
Marek Vavruša
marek at vavrusa.com
Wed Sep 16 18:50:31 UTC 2020
Hi Viktor, I forgot to update this thread, but this should be fixed.
Best,
Marek
On Tue, 1 Sep 2020 at 10:19, Marek Vavruša <marek at vavrusa.com> wrote:
>
> Thanks Viktor, this looks like a bug in writing NSECs to the final response.
>
> On Mon, 31 Aug 2020 at 23:09, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> >
> >
> > My validating resolver downstream of CF 1.1.1.1 (among others) at times
> > sees "bogus" denial of existence for:
> >
> > _25._tcp.mx.runbox.com IN TLSA ?
> >
> > This is because the set of NSEC records forwarded by Cloudflare for this
> > domain is not complete. Looking across the major public DNS services:
> >
> > * All return AD=1
> > * I see the same zone apex SOA and signature for all
> > * The same NSEC record and signature for "munin01" for all
> > * The apex wildcard record and signature identically ONLY from
> > Google, Verisign and Quad9. From CloudFlare, I get the munin01
> > NSEC record and signature twice, but this alone fails to validate the
> > NODATA response.
> >
> > CF -> @ 1.1.1.1 _25._tcp.mx.runbox.com. IN TLSA ? ; +dnssec
> > runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008471 14400 3600 1296000 3600
> > runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. <same SOA sig>
> > munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> > munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. <munin01-nsec-sig>
> > munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> > munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. <munin01-nsec-sig>
> >
> > GOOG -> @ 8.8.8.8 _25._tcp.mx.runbox.com. IN TLSA ?
> > runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008471 14400 3600 1296000 3600
> > *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
> > munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> > runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. <same SOA sig>
> > *.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com. <apex-wildcard-sig>
> > munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. <munin01-nsec-sig>
> >
> > VRSN -> @ 64.6.64.6 _25._tcp.mx.runbox.com. IN TLSA ?
> > runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008471 14400 3600 1296000 3600
> > runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. <same SOA sig>
> > *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
> > *.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com. <apex-wildcard-sig>
> > munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> > munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. <munin01-nsec-sig>
> >
> > Q9 -> @ 9.9.9.10 _25._tcp.mx.runbox.com. IN TLSA ?
> > runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008471 14400 3600 1296000 3600
> > runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. <same SOA sig>
> > *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
> > *.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com. <apex-wildcard-sig>
> > munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> > munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. <munin01-nsec-sig>
> >
> > The same incomplete/redundant response comes back from 1.1.1.1 when
> > queried from California, New York and Germany, presumably different
> > instances, with fresh uncached results. Oddly enough, if I send the
> > same query to CF with also the "CD" bit set, I get a better answer,
> > be it this time with "AD=0":
> >
> > @ 1.1.1.1 _25._tcp.mx.runbox.com. IN TLSA ? ; +cd +dnssec
> > runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008471 14400 3600 1296000 3600
> > runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com. <same SOA sig>
> > *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
> > munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> > *.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com. <apex-wildcard-sig>
> > munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com. <munin01-nsec-sig>
> >
> > Asking again without "cd" brings back the original incomplete answer.
> >
> > --
> > Viktor.
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations at lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
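As an added example that is not code from the thread, Cloudflare or any resolver, the following Python shows the NSEC checks a validator applies to a wildcard NODATA answer (RFC 4035 section 3.1.3.4), run over the record sets quoted above: the duplicated munin01 NSEC from 1.1.1.1 covers the query name but cannot prove that the wildcard has no TLSA, while the set containing the apex wildcard NSEC does. It assumes the NSEC RRSIGs have already been verified and omits signature checking.

```python
# Added example (not from the thread): NSEC checks for a wildcard NODATA answer
# (RFC 4035 s3.1.3.4). Signatures are assumed already verified and not checked.

def canon_key(name):
    """Canonical ordering key (RFC 4034 s6.1): labels reversed, lowercase, as bytes."""
    return tuple(l.lower().encode() for l in reversed(name.rstrip('.').split('.')))

def covers(owner, nxt, qname):
    """True if qname sorts strictly between the NSEC owner and its next name."""
    o, n, q = canon_key(owner), canon_key(nxt), canon_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n          # last NSEC in the zone wraps to the apex

def closest_encloser(nsec_owner, nsec_next, qname):
    """Longest common ancestor of qname with the covering NSEC's owner or next name."""
    q = canon_key(qname)
    best = ()
    for other in (canon_key(nsec_owner), canon_key(nsec_next)):
        common = 0
        while common < min(len(q), len(other)) and q[common] == other[common]:
            common += 1
        best = max(best, q[:common], key=len)
    return '.'.join(l.decode() for l in reversed(best)) + '.'

def wildcard_nodata_proven(nsecs, qname, qtype):
    """nsecs: list of (owner, next, types). Proven iff one NSEC covers qname and
    one NSEC matches *.<closest encloser> and lacks both qtype and CNAME."""
    for owner, nxt, _ in nsecs:
        if covers(owner, nxt, qname):
            wildcard = canon_key('*.' + closest_encloser(owner, nxt, qname))
            return any(canon_key(o) == wildcard and qtype not in t and 'CNAME' not in t
                       for o, _, t in nsecs)
    return False

QNAME = '_25._tcp.mx.runbox.com.'
MUNIN = ('munin01.runbox.com.', 'ipmi.mysql01.runbox.com.', {'A', 'RRSIG', 'NSEC'})
APEX_WILDCARD = ('*.runbox.com.', '_acme-challenge.runbox.com.', {'A', 'MX', 'RRSIG', 'NSEC'})

CLOUDFLARE = [MUNIN, MUNIN]         # covering NSEC duplicated, wildcard NSEC missing
GOOGLE = [APEX_WILDCARD, MUNIN]     # same set from Verisign, Quad9 and 1.1.1.1 with CD=1

if __name__ == '__main__':
    for label, rrs in (('1.1.1.1', CLOUDFLARE), ('8.8.8.8', GOOGLE)):
        print(label, 'NODATA proven' if wildcard_nodata_proven(rrs, QNAME, 'TLSA') else 'bogus')
```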