[dns-operations] Google (formerly also CF) public DNS sometimes forwards incomplete subset of NSEC RRs

Mark Andrews marka at isc.org
Sun Sep 20 21:52:34 UTC 2020


The no qname proof is the closest encloser proof with NSEC. A separate proof may be needed with NSEC3. 

-- 
Mark Andrews

> On 21 Sep 2020, at 04:53, Brian Somers <bsomers at opendns.com> wrote:
> 
> This is an interesting behaviour from google.  It’s not wrong…
> I struggled with this when doing the negative proof stuff in the
> OpenDNS code.
> 
> The issue is around providing the closest encloser when that
> closest encloser is the zone apex.  Is it necessary?  A validator
> can reliably imply the closest encloser if it “falls off the top” when
> looking for it.  So if this zone was NSEC3 signed and only presented
> the *.runbox.com, the validator should be able to suspect that the
> *.runbox.com NSEC3’s parent is at the zone apex, then prove it.
> 
> In this case however, the presentation of *.runbox.com as an RR
> also implies that runbox.com has an NSEC.  As that NSEC is not
> otherwise required, that’s enough.  One record supplies the
> closest encloser and the proof that an applicable wildcard exists
> that doesn’t include the TLSA type.
> 
> Brian
> 
>> On Sep 16, 2020, at 1:31 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>> 
>>> On Wed, Sep 16, 2020 at 11:50:31AM -0700, Marek Vavruša wrote:
>>> Hi Viktor, I forgot to update this thread, but this should be fixed.
>> 
>> Thanks!  Looks much better now.  Now it is Google's turn.  I still see
>> an incomplete NSEC3 RRset from 8.8.8.8:
>> 
>>   $ hsdig -n8.8.8.8 -D -t tlsa _25._tcp.mx.runbox.com
>>   _25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=1
>>   runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008499 14400 3600 1296000 3600
>>   runbox.com. IN RRSIG SOA 13 2 86400 20200930104345 20200916091345 18202 runbox.com. <sig>
>>   *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
>>   *.runbox.com. IN RRSIG NSEC 13 2 3600 20200930104345 20200916091345 18202 runbox.com. <sig>
>> 
>> but the NSEC establishing the zone apex as the closest encloser (now
>> present in the CF responses):
>> 
>>   $ hsdig -n1.0.0.1 -D -t tlsa _25._tcp.mx.runbox.com
>>   _25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=1
>>   runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008499 14400 3600 1296000 3600
>>   runbox.com. IN RRSIG SOA 13 2 86400 20200930104345 20200916091345 18202 runbox.com. <sig>
>>   munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
>>   munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200930104345 20200916091345 18202 runbox.com. <sig>
>>   *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
>>   *.runbox.com. IN RRSIG NSEC 13 2 3600 20200930104345 20200916091345 18202 runbox.com. <sig>
>> 
>> is missing from the GOOG responses.
>> 
>> -- 
>>   Viktor.
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
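As an added example (not code from any poster in this thread), the RFC 4035 section 5.4 check a validator applies to the two responses quoted above, with the NSEC records reconstructed from the hsdig output; it assumes the RRSIGs were already verified and covers NSEC only, not NSEC3.

```python
# Wildcard NODATA proof per RFC 4035 5.4, run over the NSEC RRsets from the
# thread. Names are copied from the hsdig output; the record tuples below are
# constructed from it. RRSIG validation is assumed to have happened already.
from typing import NamedTuple


class NSEC(NamedTuple):
    owner: str
    next: str
    types: frozenset


def key(name):
    """RFC 4034 6.1 canonical order: labels right to left, case-folded, unsigned bytes."""
    return [l.encode() for l in reversed(name.rstrip(".").lower().split("."))]


def covers(rr, name):
    """True if name sorts strictly between rr.owner and rr.next (last NSEC wraps to apex)."""
    o, n, q = key(rr.owner), key(rr.next), key(name)
    if n <= o:
        return q > o or q < n
    return o < q < n


def closest_encloser(rr, qname):
    """Longest existing ancestor of qname: its longest common suffix with the covering NSEC owner."""
    o, q = key(rr.owner), key(qname)
    i = 0
    while i < min(len(o), len(q)) and o[i] == q[i]:
        i += 1
    return ".".join(l.decode() for l in reversed(q[:i])) + "."


def wildcard_nodata_proof(qname, qtype, nsecs):
    """Return (ok, reason); ok only when both NSEC RRs the RFC requires are present."""
    covering = [rr for rr in nsecs if covers(rr, qname)]
    if not covering:
        return False, "no NSEC proves qname is absent, so the closest encloser is unproven"
    ce = closest_encloser(covering[0], qname)
    wild = "*." + ce
    for rr in nsecs:
        if key(rr.owner) == key(wild):  # NSEC whose owner is the wildcard itself
            if qtype in rr.types:
                return False, f"{wild} has {qtype}; NODATA would be wrong"
            return True, f"closest encloser {ce}; {wild} exists without {qtype}"
    return False, f"no NSEC for {wild}"


GOOGLE = [NSEC("*.runbox.com.", "_acme-challenge.runbox.com.", frozenset({"A", "MX", "RRSIG", "NSEC"}))]
CLOUDFLARE = [NSEC("munin01.runbox.com.", "ipmi.mysql01.runbox.com.", frozenset({"A", "RRSIG", "NSEC"}))] + GOOGLE

if __name__ == "__main__":
    for label, rrs in (("8.8.8.8", GOOGLE), ("1.0.0.1", CLOUDFLARE)):
        print(label, wildcard_nodata_proof("_25._tcp.mx.runbox.com.", "TLSA", rrs))
```

The check fails on the 8.8.8.8 set because the wildcard NSEC (`*` sorts before `_acme-challenge`, which sorts before `mx`) does not cover the qname, so nothing shows `_25._tcp.mx.runbox.com` itself is absent; that is the gap Viktor's "incomplete NSEC RRset" refers to.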