[dns-operations] Google (formerly also CF) public DNS sometimes forwards incomplete subset of NSEC RRs

Brian Somers bsomers at opendns.com
Sun Sep 20 18:41:31 UTC 2020


This is an interesting behaviour from google.  It’s not wrong…
I struggled with this when doing the negative proof stuff in the
OpenDNS code.

The issue is around providing the closest encloser when that
closest enclosure is the zone apex.  Is it necessary?  A validator
can reliably imply the closest encloser if it “falls off the top” when
looking for it.  So if this zone was NSEC3 signed and only presented
the *.runbox.com, the validator should be able to suspect that the
*.runbox.com NSEC3’s parent is at the zone apex, then prove it.

In this case however, the presentation of *.runbox.com as an RR
also implies that runbox.com has an NSEC.  As that NSEC is not
otherwise required, that’s enough.  One record supplies the
closest encloser and the proof that an applicable wildcard exists
that doesn’t include the TLSA type.

—
Brian

> On Sep 16, 2020, at 1:31 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
> On Wed, Sep 16, 2020 at 11:50:31AM -0700, Marek Vavruša wrote:
>> Hi Viktor, I forgot to update this thread, but this should be fixed.
> 
> Thanks!  Looks much better now.  Now it is Google's turn.  I still see
> an incomplete NSEC3 RRset from 8.8.8.8:
> 
>    $ hsdig -n8.8.8.8 -D -t tlsa _25._tcp.mx.runbox.com
>    _25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=1
>    runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008499 14400 3600 1296000 3600
>    runbox.com. IN RRSIG SOA 13 2 86400 20200930104345 20200916091345 18202 runbox.com. <sig>
>    *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
>    *.runbox.com. IN RRSIG NSEC 13 2 3600 20200930104345 20200916091345 18202 runbox.com. <sig>
> 
> but the NSEC establishing the zone apex as the closest encloser (now
> present in the CF responses):
> 
>    $ hsdig -n1.0.0.1 -D -t tlsa _25._tcp.mx.runbox.com
>    _25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=1
>    runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008499 14400 3600 1296000 3600
>    runbox.com. IN RRSIG SOA 13 2 86400 20200930104345 20200916091345 18202 runbox.com. <sig>
>    munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
>    munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200930104345 20200916091345 18202 runbox.com. <sig>
>    *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
>    *.runbox.com. IN RRSIG NSEC 13 2 3600 20200930104345 20200916091345 18202 runbox.com. <sig>
> 
> is missing from the GOOG responses.
> 
> -- 
>    Viktor.
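As an added example that is not part of the thread, the check a validator performs on the wildcard NODATA proof discussed above, run over the NSEC records transcribed from the two quoted responses (helper names are my own; RRSIG validation and NSEC3 are left out):

```python
# Added example, not from the thread: check the NSEC wildcard NODATA proof
# (RFC 4035 s3.1.3.4) over the records shown in the two quoted responses.
# Helper names are my own; RRSIG validation and NSEC3 are out of scope.

def canon(name):
    """Labels for RFC 4034 s6.1 canonical ordering: lowercase, apex first."""
    return [l.lower().encode() for l in name.rstrip(".").split(".")][::-1]

def nsec_covers(owner, nxt, name):
    """True if name sorts strictly between owner and nxt, i.e. the NSEC
    proves name does not exist. Handles the zone's last NSEC, whose next
    name wraps around to the apex."""
    o, n, q = canon(owner), canon(nxt), canon(name)
    if o < n:
        return o < q < n
    return q > o or q < n

def wildcard_nodata_proven(qname, qtype, nsecs):
    """nsecs: list of (owner, next, types). Walks up from qname looking for a
    wildcard NSEC; the proof needs that NSEC to lack qtype and a second NSEC
    covering the next closer name, which fixes the closest encloser."""
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        wc = "*." + encloser
        wild = [r for r in nsecs if r[0].rstrip(".").lower() == wc]
        if not wild:
            continue
        if qtype in wild[0][2]:
            return False, f"{wc} has {qtype}: not a NODATA answer"
        next_closer = ".".join(labels[i - 1:])
        if any(nsec_covers(r[0], r[1], next_closer) for r in nsecs):
            return True, f"closest encloser {encloser}, {next_closer} absent"
        return False, f"no NSEC covers next closer name {next_closer}"
    return False, "no wildcard NSEC in response"

# NSEC RRs transcribed from the quoted hsdig output above.
GOOGLE_NSECS = [
    ("*.runbox.com.", "_acme-challenge.runbox.com.", {"A", "MX", "RRSIG", "NSEC"}),
]
CLOUDFLARE_NSECS = GOOGLE_NSECS + [
    ("munin01.runbox.com.", "ipmi.mysql01.runbox.com.", {"A", "RRSIG", "NSEC"}),
]

if __name__ == "__main__":
    for src, rrs in (("8.8.8.8", GOOGLE_NSECS), ("1.0.0.1", CLOUDFLARE_NSECS)):
        print(src, wildcard_nodata_proven("_25._tcp.mx.runbox.com", "TLSA", rrs))
```

The 8.8.8.8 set fails only the next-closer-name check, since munin01.runbox.com NSEC ipmi.mysql01.runbox.com is the record that covers mx.runbox.com.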
