[dns-operations] Ultra DNS responding with NXDOMAIN for "www.uber.com"
ietf-dane at dukhovni.org
Sun Aug 8 04:50:00 UTC 2021
On Sat, Aug 07, 2021 at 03:02:41PM -0400, Viktor Dukhovni wrote:
> $ dig +norecur +noall +nocl +nottl +comment +ans +auth +nosplit @edns126.ultradns.com. -t a frontends-cloud.uber.com.
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37512
> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; ANSWER SECTION:
> frontends-cloud.uber.com. CNAME cn-ecg.cfe.uber.com.
> ;; AUTHORITY SECTION:
> uber.com. SOA edns126.ultradns.com. serviceproviders.uber.com. 2019057840 3600 180 604800 900
On Sat, Aug 07, 2021 at 11:25:48PM -0400, Dave Lawrence wrote:
> I agree with Viktor that the parent should have delegation records for
> the same-server child, but note that response with the rcode NXDOMAIN
> for a CNAME chain shouldn't be causing a problem for a modern
> resolver. A resolver should restart query processing with the target
> of each CNAME in the chain, and ultimately come to its own conclusion
> about whether the target at the end of the chain exists.
On Sun, Aug 08, 2021 at 02:36:14PM +1000, Mark Andrews wrote:
> All it requires for the cache to learn that the delegation doesn’t exist
> is to ask for the DS record at the delegation. This is done all the time
> by validating resolvers. Depending on query order for “correct” behaviour
> is not a good idea.
> Note named hides the DS/NXDOMAIN response from queries for types other than
> DS because there are too many instances of these broken delegations but there
> is no RFC requirement to do this. If you want a delegation to work with
> all resolvers the delegating NS RRset needs to be present.
We're all in violent agreement.
- There's enough data for the resolver to notice that the SOA for the
NXDOMAIN is from the parent zone, and that "cfe.uber.com" appears to
be delegated (by asking for NS), and therefore drop the NXDOMAIN as
non-authoritative. Since the parent zone is not signed, most
resolvers don't ask for DS and resolution works.
- But, there's also enough data to conclude that "cfe.uber.com" does
not exist and cache that (via a prior explicit DS query, despite the
parent zone being unsigned).
So the setup is both mostly working and fragile, the missing delegation
records are needed to make it reliable.
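As an added illustration (not part of this thread, and not how any particular resolver is implemented), a small Python check that parses the dig output quoted above and applies the reasoning in the first bullet: the NXDOMAIN belongs to the end of the CNAME chain, not to the QNAME, and if the SOA owner sits above a known delegation cut the NXDOMAIN is non-authoritative. The set of delegated names is assumed to have been learned from a separate NS query and is passed in as a constructed input.

```python
import re

# Constructed sample: the dig +noall +comment +ans +auth +nocl +nottl output quoted in the thread.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37512
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; ANSWER SECTION:
frontends-cloud.uber.com. CNAME cn-ecg.cfe.uber.com.
;; AUTHORITY SECTION:
uber.com. SOA edns126.ultradns.com. serviceproviders.uber.com. 2019057840 3600 180 604800 900
"""

def parse_dig(text):
    """Return (rcode, answer, authority); RRs are (owner, type, rdata) with lowercase owner."""
    rcode, section, sections = None, None, {"ANSWER": [], "AUTHORITY": []}
    for line in text.splitlines():
        m = re.search(r"status: (\w+)", line)
        if m:
            rcode = m.group(1)
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            section = sections.get(line.split()[1])   # OPT PSEUDOSECTION maps to None
        elif line.strip() and not line.startswith(";") and section is not None:
            owner, rtype, rdata = line.split(None, 2)
            section.append((owner.lower(), rtype, rdata))
    return rcode, sections["ANSWER"], sections["AUTHORITY"]

def delegation_between(name, zone, delegations):
    """Walk from name up towards zone; True if a known delegation point lies strictly below zone."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        ancestor = ".".join(labels[i:]) + "."
        if ancestor == zone:
            return False
        if ancestor in delegations:
            return True
    return False

def assess(text, qname, delegations):
    """Decide what a resolver should make of an NXDOMAIN that carries a CNAME chain.
    delegations: names known (assumed from an NS query) to be delegated out of the SOA zone."""
    rcode, answer, authority = parse_dig(text)
    if rcode != "NXDOMAIN":
        return {"verdict": "not-nxdomain", "target": None, "soa_zone": None}
    # Restart at each CNAME target: the NXDOMAIN is about the end of the chain, not the QNAME.
    cnames = {o: r.lower() for o, t, r in answer if t == "CNAME"}
    target = qname.lower()
    while target in cnames:
        target = cnames[target]
    soa_zone = next((o for o, t, _ in authority if t == "SOA"), None)
    if soa_zone is None or not (target == soa_zone or target.endswith("." + soa_zone)):
        verdict = "nxdomain-malformed"             # SOA owner is not an ancestor of the target
    elif delegation_between(target, soa_zone, delegations):
        verdict = "nxdomain-non-authoritative"     # SOA is from the parent of a cut: do not cache it
    else:
        verdict = "nxdomain-authoritative"
    return {"verdict": verdict, "target": target, "soa_zone": soa_zone}
```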