[dns-operations] peacecorps.gov: large NXDOMAIN replies and no TCP service

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Aug 2 17:42:03 UTC 2021


The peacecorps.gov domain has two active 1024-bit RSA ZSKs, and uses
NSEC3, so signed NXDOMAIN replies often carry 8 RRSIGs for 1KiB of just
signature payload, and an overall response size just south of 1800 bytes.

With DNS over TCP not supported, email to peacecorps.gov from DANE-enabled
MTAs with sensible resolver EDNS buffer sizes always fails over to the
secondary MX hosts.  [ FWIW, iphmx.com has a "malformed" SOA rname:
iphmx.com. IN SOA ns1-93.akam.net. stbu-hostmaster\@cisco.com. ...
which should be stbu-hostmaster.cisco.com. ]

    https://dnsviz.net/d/_25._tcp.mailmx.peacecorps.gov/YQY6hw/dnssec/

    ; <<>> DiG 9.16.13 <<>> +norecur +dnssec +nocl +nottl +nosplit -t tlsa _25._tcp.mailmx.peacecorps.gov @ns1.peacecorps.gov
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40616
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 12, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ; COOKIE: 54342d3ea9b2b9400e4f9a06610828121f23b37f6164b513 (good)
    ;; QUESTION SECTION:
    ;_25._tcp.mailmx.peacecorps.gov.        IN TLSA

    ;; AUTHORITY SECTION:
    peacecorps.gov.         SOA     ns0-int.peacecorps.gov. dnsadmin.peacecorps.gov. 2013402259 10800 1080 1814400 900
    peacecorps.gov.         RRSIG   SOA 7 2 28800 20210806165640 20210802155640 20870 peacecorps.gov. uG+Bsjjp2oYzfVyESYMBSIe8/5aP8U/3ulgZ2Taqf7mwYSDcCUKcF+sKf+s/gKwZZkh3Pfi3IflqcPT1/33af7zb0dblaWOQD5EGBuEu5RaXsRw1cBlMvWZrdaD/m6GFkhaGL6Di/8IBBBgWtCZe2RhQGVJxXhGVzGySPyLwfqE=
    peacecorps.gov.         RRSIG   SOA 7 2 28800 20210806165640 20210802155640 59747 peacecorps.gov. rvPs/1HwtyRDU7MkwPs/zRaq/fvRZR2HhKn7UUyoMj8uFQGyrtx4xC3CWwbbQjuwZtC1e+1N1Qk3I2lFPUkE/s8EGoS6F2P9Hex27AZsD5+MZbzOqVWcCba40ocHA6oapxAjk9A/veTtsIaRboPaBOR70ymAIqZD/AWUbp8Z+cY=
    T5UNIRETAH3ME8O60IFB67N5ERACN2BE.peacecorps.gov. NSEC3 1 0 10 49FE3216 T8GUU4078P9D5LN5ISNIMTTM7LRUPHBQ A RRSIG
    T5UNIRETAH3ME8O60IFB67N5ERACN2BE.peacecorps.gov. RRSIG NSEC3 7 3 900 20210806101133 20210802092257 20870 peacecorps.gov. VAbt2M6IKOAVvf1iuYBm8hwBQBw2Qut6Fj++XgREIWR/P6DtXLuxXl8gkhVEkh3LkvvicmkW4tMH4DayOVBzdPl9YEwk7+04tCeC0k2sMis/roDSW0Q+WnU9aRRLBC6UpAZWcMLss6SV7ytxYxUg/gKczB227fEjfTgU/JfpsZE=
    T5UNIRETAH3ME8O60IFB67N5ERACN2BE.peacecorps.gov. RRSIG NSEC3 7 3 900 20210806101133 20210802092257 59747 peacecorps.gov. HHQaMRHoJcQ5UTtO7z6l37FG5Kz7tWasVBM+vg/tnviIJ7AmoMHx7fb3DN/MKtKVjRAp9Uc9HkkELIkGGmsFDGLyvRt+D+9l4WXfRailI809Rj5Ufjc+S6LS4aRxoCIr/5+rqZFV0VDW01x57O7xnyXjTkN3uMA8U4FM0XMqupY=
    SN1S6OOQMAN7JJ9OAAHLAK9R49Q9JJFB.peacecorps.gov. NSEC3 1 0 10 49FE3216 SNK0EO0AGG4EQKUOBMKRSP1HDERVSM69 CNAME RRSIG
    SN1S6OOQMAN7JJ9OAAHLAK9R49Q9JJFB.peacecorps.gov. RRSIG NSEC3 7 3 900 20210806074147 20210802073332 20870 peacecorps.gov. MsHCCobu2q8fdNo7kceHpMTmnvwv5rztdi2Sy6NrQs6jqsYjYB43vNpgMVTc01yFzveLu3fX4Nozi7Mo48fcu1UGdijCH02XpN6WbFCmapWSE3Cgkkz0pp+biKIFSz/WcmvTHqMF9vL2mO3hRF3K0a5PnHYWHxC+u6MGWpUjvDs=
    SN1S6OOQMAN7JJ9OAAHLAK9R49Q9JJFB.peacecorps.gov. RRSIG NSEC3 7 3 900 20210806074147 20210802073332 59747 peacecorps.gov. Tzb5lN0w1JgdPlg3rOSt2CjyeuICD3r5NcEkV9RvcnX0fZNCKvZ25gBOU6w0UUCrFs4JxhG+MT5aWWpKX2gTJAsbWesNwu/JRi4h5ve5Hx7OO8dJVDjz3HDBSVIiokPgVc6PS283G5ZLOnlLt/uvRy46JZ3OSJHT8lIn454Nprw=
    IS8SJ4SHOJC72U3UHF7MKC3O43J62GU2.peacecorps.gov. NSEC3 1 0 10 49FE3216 J5JOIIE4DSH3H8P6AAB6RK07VOSDLA0E
    IS8SJ4SHOJC72U3UHF7MKC3O43J62GU2.peacecorps.gov. RRSIG NSEC3 7 3 900 20210806081650 20210802080614 20870 peacecorps.gov. SWiZSs1U2opaq7+rTytqG7S0zH5LViubRAZQOSL63sPCTJDHKRyXTjReg4XgpLzPjW3Q2RiiGEa4zA9qzpu4Z907gDCqtDl4rUdShPMCGStOl6quIUmqapCmpUairhNPFDQRzpjw53dMd0bg58kU9IRWDOB/5St3oghKWhJPEkU=
    IS8SJ4SHOJC72U3UHF7MKC3O43J62GU2.peacecorps.gov. RRSIG NSEC3 7 3 900 20210806081650 20210802080614 59747 peacecorps.gov. B/9PdJl4KBTrJtNRlKl893nw5px/4PU6hKM+vUhOd0zWSA5Nucmrnd2gf9VhYIdQ1YcYatdK4hmQf307N3NrOSmLSOMKTL9DsnRefJ8B5fvTOo0r7PYpD40Is8Y127Y5PkMScR6vZ4eIpVMzbs22Kvd/mPwz7HyrySUnk5Nux+c=

    ;; Query time: 15 msec
    ;; SERVER: 65.205.231.223#53(65.205.231.223)
    ;; WHEN: Mon Aug 02 13:14:58 EDT 2021
    ;; MSG SIZE  rcvd: 1773

Resolvers that set best-practice EDNS buffer sizes of < 1500 bytes
get a TC response with just an OPT RR:

    $ dig +ignore +bufsize=1400 +norecur +dnssec +nocl +nottl +nosplit -t tlsa _25._tcp.mailmx.peacecorps.gov @ns1.peacecorps.gov

    ; <<>> DiG 9.16.13 <<>> +ignore +bufsize +norecur +dnssec +nocl +nottl +nosplit -t tlsa _25._tcp.mailmx.peacecorps.gov @ns1.peacecorps.gov
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23901
    ;; flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ; COOKIE: cfce40ff5f290de4250eecc861082a409e20fe44de450e93 (good)
    ;; QUESTION SECTION:
    ;_25._tcp.mailmx.peacecorps.gov.        IN TLSA

    ;; Query time: 13 msec
    ;; SERVER: 65.205.231.223#53(65.205.231.223)
    ;; WHEN: Mon Aug 02 13:24:16 EDT 2021
    ;; MSG SIZE  rcvd: 87

while TCP retries time out.  The news that TCP is not optional has not
yet reached some distant lands...

-- 
    Viktor.
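Added example, not part of Viktor's message: a small Python script that parses the RRSIG lines of the authority section quoted above (taken from the post, whitespace collapsed) and tallies what the post describes: 8 signatures over 4 RRsets (SOA plus three NSEC3 records, each signed by both ZSKs), 128 bytes per RSA signature, hence 1 KiB of signature payload and an implied 1024-bit modulus. It then models the three outcomes a DANE-enabled MTA's resolver can see for a 1773-byte reply: it fits the advertised EDNS buffer, it is truncated and completed over TCP, or it is truncated and the TCP retry fails. The RSA algorithm-number table and the `lookup_outcome` labels are my own assumptions, not anything the post or peacecorps.gov defines.

```python
import base64
import re

# Sample input: the authority section of the NXDOMAIN reply quoted in the post
# (dig output with +nocl +nottl, so lines read "owner TYPE rdata...").
AUTHORITY_SECTION = """\
peacecorps.gov. SOA ns0-int.peacecorps.gov. dnsadmin.peacecorps.gov. 2013402259 10800 1080 1814400 900
peacecorps.gov. RRSIG SOA 7 2 28800 20210806165640 20210802155640 20870 peacecorps.gov. uG+Bsjjp2oYzfVyESYMBSIe8/5aP8U/3ulgZ2Taqf7mwYSDcCUKcF+sKf+s/gKwZZkh3Pfi3IflqcPT1/33af7zb0dblaWOQD5EGBuEu5RaXsRw1cBlMvWZrdaD/m6GFkhaGL6Di/8IBBBgWtCZe2RhQGVJxXhGVzGySPyLwfqE=
peacecorps.gov. RRSIG SOA 7 2 28800 20210806165640 20210802155640 59747 peacecorps.gov. rvPs/1HwtyRDU7MkwPs/zRaq/fvRZR2HhKn7UUyoMj8uFQGyrtx4xC3CWwbbQjuwZtC1e+1N1Qk3I2lFPUkE/s8EGoS6F2P9Hex27AZsD5+MZbzOqVWcCba40ocHA6oapxAjk9A/veTtsIaRboPaBOR70ymAIqZD/AWUbp8Z+cY=
T5UNIRETAH3ME8O60IFB67N5ERACN2BE.peacecorps.gov. NSEC3 1 0 10 49FE3216 T8GUU4078P9D5LN5ISNIMTTM7LRUPHBQ A RRSIG
T5UNIRETAH3ME8O60IFB67N5ERACN2BE.peacecorps.gov. RRSIG NSEC3 7 3 900 20210806101133 20210802092257 20870 peacecorps.gov. VAbt2M6IKOAVvf1iuYBm8hwBQBw2Qut6Fj++XgREIWR/P6DtXLuxXl8gkhVEkh3LkvvicmkW4tMH4DayOVBzdPl9YEwk7+04tCeC0k2sMis/roDSW0Q+WnU9aRRLBC6UpAZWcMLss6SV7ytxYxUg/gKczB227fEjfTgU/JfpsZE=
T5UNIRETAH3ME8O60IFB67N5ERACN2BE.peacecorps.gov. RRSIG NSEC3 7 3 900 20210806101133 20210802092257 59747 peacecorps.gov. HHQaMRHoJcQ5UTtO7z6l37FG5Kz7tWasVBM+vg/tnviIJ7AmoMHx7fb3DN/MKtKVjRAp9Uc9HkkELIkGGmsFDGLyvRt+D+9l4WXfRailI809Rj5Ufjc+S6LS4aRxoCIr/5+rqZFV0VDW01x57O7xnyXjTkN3uMA8U4FM0XMqupY=
SN1S6OOQMAN7JJ9OAAHLAK9R49Q9JJFB.peacecorps.gov. NSEC3 1 0 10 49FE3216 SNK0EO0AGG4EQKUOBMKRSP1HDERVSM69 CNAME RRSIG
SN1S6OOQMAN7JJ9OAAHLAK9R49Q9JJFB.peacecorps.gov. RRSIG NSEC3 7 3 900 20210806074147 20210802073332 20870 peacecorps.gov. MsHCCobu2q8fdNo7kceHpMTmnvwv5rztdi2Sy6NrQs6jqsYjYB43vNpgMVTc01yFzveLu3fX4Nozi7Mo48fcu1UGdijCH02XpN6WbFCmapWSE3Cgkkz0pp+biKIFSz/WcmvTHqMF9vL2mO3hRF3K0a5PnHYWHxC+u6MGWpUjvDs=
SN1S6OOQMAN7JJ9OAAHLAK9R49Q9JJFB.peacecorps.gov. RRSIG NSEC3 7 3 900 20210806074147 20210802073332 59747 peacecorps.gov. Tzb5lN0w1JgdPlg3rOSt2CjyeuICD3r5NcEkV9RvcnX0fZNCKvZ25gBOU6w0UUCrFs4JxhG+MT5aWWpKX2gTJAsbWesNwu/JRi4h5ve5Hx7OO8dJVDjz3HDBSVIiokPgVc6PS283G5ZLOnlLt/uvRy46JZ3OSJHT8lIn454Nprw=
IS8SJ4SHOJC72U3UHF7MKC3O43J62GU2.peacecorps.gov. NSEC3 1 0 10 49FE3216 J5JOIIE4DSH3H8P6AAB6RK07VOSDLA0E
IS8SJ4SHOJC72U3UHF7MKC3O43J62GU2.peacecorps.gov. RRSIG NSEC3 7 3 900 20210806081650 20210802080614 20870 peacecorps.gov. SWiZSs1U2opaq7+rTytqG7S0zH5LViubRAZQOSL63sPCTJDHKRyXTjReg4XgpLzPjW3Q2RiiGEa4zA9qzpu4Z907gDCqtDl4rUdShPMCGStOl6quIUmqapCmpUairhNPFDQRzpjw53dMd0bg58kU9IRWDOB/5St3oghKWhJPEkU=
IS8SJ4SHOJC72U3UHF7MKC3O43J62GU2.peacecorps.gov. RRSIG NSEC3 7 3 900 20210806081650 20210802080614 59747 peacecorps.gov. B/9PdJl4KBTrJtNRlKl893nw5px/4PU6hKM+vUhOd0zWSA5Nucmrnd2gf9VhYIdQ1YcYatdK4hmQf307N3NrOSmLSOMKTL9DsnRefJ8B5fvTOo0r7PYpD40Is8Y127Y5PkMScR6vZ4eIpVMzbs22Kvd/mPwz7HyrySUnk5Nux+c=
"""

MSG_SIZE = 1773  # ";; MSG SIZE  rcvd:" from the full reply in the post

# DNSSEC algorithm numbers that use RSA (assumed table: RSAMD5, RSASHA1,
# RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512).  An RSA signature is exactly
# as long as the modulus, so its byte length reveals the key size.
RSA_ALGORITHMS = {1, 5, 7, 8, 10}

# RRSIG presentation format: owner RRSIG covers alg labels origttl exp inc keytag signer sig
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+RRSIG\s+(?P<covers>\S+)\s+(?P<alg>\d+)\s+\d+\s+\d+\s+"
    r"\d+\s+\d+\s+(?P<keytag>\d+)\s+\S+\s+(?P<sig>\S+)$"
)


def parse_rrsigs(section):
    """Return one record per RRSIG line; non-RRSIG lines are skipped."""
    rrsigs = []
    for line in section.splitlines():
        m = RRSIG_RE.match(line.strip())
        if not m:
            continue
        rrsigs.append({
            "owner": m.group("owner"),
            "covers": m.group("covers"),
            "alg": int(m.group("alg")),
            "keytag": int(m.group("keytag")),
            "sig_bytes": len(base64.b64decode(m.group("sig"))),
        })
    return rrsigs


def summarize_signatures(section):
    """Tally signatures, signed RRsets, signing keys and the RSA key size they imply."""
    rrsigs = parse_rrsigs(section)
    rsa_bits = {r["sig_bytes"] * 8 for r in rrsigs if r["alg"] in RSA_ALGORITHMS}
    return {
        "rrsig_count": len(rrsigs),
        "rrsets_signed": len({(r["owner"], r["covers"]) for r in rrsigs}),
        "key_tags": {r["keytag"] for r in rrsigs},
        "signature_bytes": sum(r["sig_bytes"] for r in rrsigs),
        "rsa_bits": max(rsa_bits) if rsa_bits else None,
    }


def fits_in_udp(msg_size, edns_bufsize):
    """A reply larger than the client's advertised EDNS buffer comes back with TC=1."""
    return msg_size <= edns_bufsize


def lookup_outcome(msg_size, edns_bufsize, tcp_available):
    """Outcome labels are this example's own: what a validating resolver ends up with."""
    if fits_in_udp(msg_size, edns_bufsize):
        return "complete-over-udp"
    if tcp_available:
        return "complete-over-tcp"
    return "failed"  # TC reply, TCP retry times out: no TLSA answer, no denial proof


if __name__ == "__main__":
    print(summarize_signatures(AUTHORITY_SECTION))
    for bufsize in (1232, 1400, 4096):
        print(bufsize, lookup_outcome(MSG_SIZE, bufsize, tcp_available=False))
```

The summary shows where the bytes go: every one of the four RRsets carries two 128-byte signatures because two ZSKs are active, so retiring the second key or moving to a shorter-signature algorithm would halve the signature payload; but the reply would still exceed a 1232- or 1400-byte buffer, so the real fix is the one the post names, answering on TCP.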
