[dns-operations] Quad9 DNSSEC Validation?
Scott Morizot
tmorizot at gmail.com
Sat Feb 27 20:54:20 UTC 2021
I submitted a report through their interface, but I was curious if anyone
had noticed other oddities about Quad9's operational implementation of
DNSSEC validation. I happened to notice today that their service resolved
the test subzone I've had set up for the past decade to test DNSSEC
validation. (The failure is straightforward. The DS record in irs.gov does
not match any of the DNSKEY records in the dnssec-failed.irs.gov RRSet and
thus fails to match the DNSKEY RRSIG.)
Resolution fails as expected on our recursive infrastructure. Resolution
fails through my personal Internet ISP's recursive nameservers (Suddenlink)
which are also validating. And 8.8.8.8 and 1.1.1.1 return the expected
SERVFAIL. But 9.9.9.9 does not.
C:\>dig @9.9.9.9 dnssec-failed.irs.gov ns
; <<>> DiG 9.12.1-P2 <<>> @9.9.9.9 dnssec-failed.irs.gov ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7807
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec-failed.irs.gov. IN NS
;; ANSWER SECTION:
dnssec-failed.irs.gov. 14400 IN NS ns5.irs.gov.
dnssec-failed.irs.gov. 14400 IN NS ns6.irs.gov.
dnssec-failed.irs.gov. 14400 IN NS ns1.irs.gov.
dnssec-failed.irs.gov. 14400 IN NS ns2.irs.gov.
dnssec-failed.irs.gov. 14400 IN NS ns3.irs.gov.
dnssec-failed.irs.gov. 14400 IN NS ns4.irs.gov.
;; Query time: 111 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Sat Feb 27 14:47:52 Central Standard Time 2021
;; MSG SIZE rcvd: 158
When I set the adflag in the query for our second level domain, it's not
set in the reply. It is set in replies for other zones like comcast.net.
C:\>dig @9.9.9.9 irs.gov ns +dnssec +adflag
; <<>> DiG 9.12.1-P2 <<>> @9.9.9.9 irs.gov ns +dnssec +adflag
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9737
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;irs.gov. IN NS
;; ANSWER SECTION:
irs.gov. 7200 IN NS ns5.irs.gov.
irs.gov. 7200 IN NS ns3.irs.gov.
irs.gov. 7200 IN NS ns4.irs.gov.
irs.gov. 7200 IN NS ns1.irs.gov.
irs.gov. 7200 IN NS ns6.irs.gov.
irs.gov. 7200 IN NS ns2.irs.gov.
irs.gov. 7200 IN RRSIG NS 8 2 7200 20210306030006
20210227020006 14079 irs.gov.
UiKOASs3k/KJ7dom32117wBIyyQkXU7kk8cGqGyYw144+wczgIlPmx4V
uCk6CeXjlVJqDUPokeecsYDGjIy97CLH2ov88HTscEwjBepQR/c/QqU0
BB3onjVmcFCBdwc0zJhTG3MM0dR5JvLcgxw6Jj3IjP1w8C0A6Lmstesg
ojb6NOc97m50mzbUuNIHEnt1x2DZ7fTYMakQYFZLgHDCZmj8xFIlL5S3
mindmqVa8sRvaDEl5No2tQpACDnqOgIhUDie3dscMnVSM8f0avYisjkw
S6GBynWLhHZGkkTcDlPKYuNqf2VRcZRdQTezLZyk4jG8DBhQSRNaTZj/ iqyeGw==
;; Query time: 111 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Sat Feb 27 14:47:45 Central Standard Time 2021
;; MSG SIZE rcvd: 439
C:\>dig @9.9.9.9 comcast.net ns +dnssec +adflag
; <<>> DiG 9.12.1-P2 <<>> @9.9.9.9 comcast.net ns +dnssec +adflag
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40387
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;comcast.net. IN NS
;; ANSWER SECTION:
comcast.net. 7200 IN NS dns101.comcast.net.
comcast.net. 7200 IN NS dns102.comcast.net.
comcast.net. 7200 IN NS dns105.comcast.net.
comcast.net. 7200 IN NS dns104.comcast.net.
comcast.net. 7200 IN NS dns103.comcast.net.
comcast.net. 7200 IN RRSIG NS 5 2 7200 20210314144427
20210225143927 26550 comcast.net.
Iot8H7kR1FmShx00Z6FkuqoVTQbcvyILTIeehw8GBqYCF8bBn/yklka+
AOtj7S0qQwINc4BTYdbGPKYZyA0n7OmXWddsZfmVhsf7/6g3mx5x9Vfd
BNhFk0fmudCERsvA3nmk8vyH7ngS46oHvT/zzLYgko2LxPZRBtq84Kxe peA=
;; Query time: 65 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Sat Feb 27 14:47:38 Central Standard Time 2021
;; MSG SIZE rcvd: 316
Are there other inconsistencies about which I should be aware? The above
seems to indicate they have DNSSEC validation intentionally disabled for
our zone. That concerns me since we advertise DNSSEC secured authoritative
zones and anyone using a DNSSEC validating recursive service would
reasonably expect validated responses and failures enforced.
Thanks,
Scott Morizot
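An added example (not part of the post, not Quad9's or anyone's tooling) that automates the comparison above: it builds the same query that dig +dnssec +adflag sends (RD and AD in the header, EDNS0 OPT with DO), reads the rcode and AD flag from the reply, and judges whether a resolver validates. The probe() function needs network access to port 53; the resolver addresses and the two test names are the ones from the post, and the wire format uses only the standard library.

```python
import socket
import struct
# Header flag bits (RFC 1035 / RFC 4035) and the DO bit carried in the
# EDNS0 OPT TTL field (RFC 6891).
FLAG_RD, FLAG_AD, EDNS_DO = 0x0100, 0x0020, 0x8000
NOERROR, SERVFAIL = 0, 2

def build_query(name, qtype=2, qid=0x1234, udp_size=1232):
    """Wire-format query for NAME/QTYPE (2 = NS) with RD and AD set and an
    OPT record carrying DO, i.e. what 'dig +dnssec +adflag' sends."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    question = qname + b"\x00" + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, EDNS_DO, 0)
    return header + question + opt

def parse_header(resp):
    """Return (rcode, ad) from the 12-byte response header."""
    flags = struct.unpack("!H", resp[2:4])[0]
    return flags & 0x000F, bool(flags & FLAG_AD)

def classify(rcode, ad, expect_bogus):
    """A validating resolver must SERVFAIL a deliberately broken zone and
    must set AD on answers from a correctly signed zone."""
    if expect_bogus:
        if rcode == SERVFAIL:
            return "validating: bogus zone rejected"
        return "NOT validating: answered for bogus zone (rcode %d)" % rcode
    if rcode == NOERROR and ad:
        return "validating: answer authenticated (ad set)"
    if rcode == NOERROR:
        return "answer not authenticated (ad clear)"
    return "unexpected rcode %d" % rcode

def probe(server, name, expect_bogus, timeout=3.0):
    """Send one UDP query to SERVER (needs network) and classify the reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("response id does not match query")
    return classify(*parse_header(resp), expect_bogus)

if __name__ == "__main__":
    for server in ("8.8.8.8", "1.1.1.1", "9.9.9.9"):
        print(server, probe(server, "dnssec-failed.irs.gov", True),
              probe(server, "irs.gov", False))
```

With the behaviour shown in the post, 8.8.8.8 and 1.1.1.1 would be reported as rejecting the bogus zone while 9.9.9.9 would be reported as answering for it.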