[dns-operations] Quad9 DNSSEC Validation?

Scott Morizot tmorizot at gmail.com
Sat Feb 27 20:54:20 UTC 2021


I submitted a report through their interface, but I was curious if anyone
had noticed other oddities about Quad9's operational implementation of
DNSSEC validation. I happened to notice today that their service resolved
the test subzone I've had set up for the past decade to test DNSSEC
validation. (The failure is straightforward. The DS record in irs.gov does
not match any of the DNSKEY records in the dnssec-failed.irs.gov RRSet and
thus fails to match the DNSKEY RRSIG.)

Resolution fails as expected on our recursive infrastructure. Resolution
fails through my personal Internet ISP's recursive nameservers (Suddenlink)
which are also validating. And 8.8.8.8 and 1.1.1.1 return the expected
SERVFAIL. But 9.9.9.9 does not.

C:\>dig @9.9.9.9 dnssec-failed.irs.gov ns

; <<>> DiG 9.12.1-P2 <<>> @9.9.9.9 dnssec-failed.irs.gov ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7807
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec-failed.irs.gov.         IN      NS

;; ANSWER SECTION:
dnssec-failed.irs.gov.  14400   IN      NS      ns5.irs.gov.
dnssec-failed.irs.gov.  14400   IN      NS      ns6.irs.gov.
dnssec-failed.irs.gov.  14400   IN      NS      ns1.irs.gov.
dnssec-failed.irs.gov.  14400   IN      NS      ns2.irs.gov.
dnssec-failed.irs.gov.  14400   IN      NS      ns3.irs.gov.
dnssec-failed.irs.gov.  14400   IN      NS      ns4.irs.gov.

;; Query time: 111 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Sat Feb 27 14:47:52 Central Standard Time 2021
;; MSG SIZE  rcvd: 158

When I set the adflag in the query for our second level domain, it's not
set in the reply. It is set in replies for other zones like comcast.net.

C:\>dig @9.9.9.9 irs.gov ns +dnssec +adflag

; <<>> DiG 9.12.1-P2 <<>> @9.9.9.9 irs.gov ns +dnssec +adflag
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9737
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;irs.gov.                       IN      NS

;; ANSWER SECTION:
irs.gov.                7200    IN      NS      ns5.irs.gov.
irs.gov.                7200    IN      NS      ns3.irs.gov.
irs.gov.                7200    IN      NS      ns4.irs.gov.
irs.gov.                7200    IN      NS      ns1.irs.gov.
irs.gov.                7200    IN      NS      ns6.irs.gov.
irs.gov.                7200    IN      NS      ns2.irs.gov.
irs.gov.                7200    IN      RRSIG   NS 8 2 7200 20210306030006
20210227020006 14079 irs.gov.
UiKOASs3k/KJ7dom32117wBIyyQkXU7kk8cGqGyYw144+wczgIlPmx4V
uCk6CeXjlVJqDUPokeecsYDGjIy97CLH2ov88HTscEwjBepQR/c/QqU0
BB3onjVmcFCBdwc0zJhTG3MM0dR5JvLcgxw6Jj3IjP1w8C0A6Lmstesg
ojb6NOc97m50mzbUuNIHEnt1x2DZ7fTYMakQYFZLgHDCZmj8xFIlL5S3
mindmqVa8sRvaDEl5No2tQpACDnqOgIhUDie3dscMnVSM8f0avYisjkw
S6GBynWLhHZGkkTcDlPKYuNqf2VRcZRdQTezLZyk4jG8DBhQSRNaTZj/ iqyeGw==

;; Query time: 111 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Sat Feb 27 14:47:45 Central Standard Time 2021
;; MSG SIZE  rcvd: 439

C:\>dig @9.9.9.9 comcast.net ns +dnssec +adflag

; <<>> DiG 9.12.1-P2 <<>> @9.9.9.9 comcast.net ns +dnssec +adflag
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40387
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;comcast.net.                   IN      NS

;; ANSWER SECTION:
comcast.net.            7200    IN      NS      dns101.comcast.net.
comcast.net.            7200    IN      NS      dns102.comcast.net.
comcast.net.            7200    IN      NS      dns105.comcast.net.
comcast.net.            7200    IN      NS      dns104.comcast.net.
comcast.net.            7200    IN      NS      dns103.comcast.net.
comcast.net.            7200    IN      RRSIG   NS 5 2 7200 20210314144427
20210225143927 26550 comcast.net.
Iot8H7kR1FmShx00Z6FkuqoVTQbcvyILTIeehw8GBqYCF8bBn/yklka+
AOtj7S0qQwINc4BTYdbGPKYZyA0n7OmXWddsZfmVhsf7/6g3mx5x9Vfd
BNhFk0fmudCERsvA3nmk8vyH7ngS46oHvT/zzLYgko2LxPZRBtq84Kxe peA=

;; Query time: 65 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Sat Feb 27 14:47:38 Central Standard Time 2021
;; MSG SIZE  rcvd: 316

Are there other inconsistencies about which I should be aware? The above
seems to indicate they have DNSSEC validation intentionally disabled for
our zone. That concerns me since we advertise DNSSEC secured authoritative
zones and anyone using a DNSSEC validating recursive service would
reasonably expect validated responses and failures enforced.

Thanks,

Scott Morizot
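One way to automate the check described in this post (a known-bogus name must yield SERVFAIL from a validating resolver, and a correctly signed name must come back with the AD bit when the query carries DO and AD): an added example in pure Python stdlib, not code from the original post. The names, the resolver list and the `fake_response` headers used for offline checking are assumptions or constructed values.

```python
import socket
import struct

# Header flag bits (RFC 1035; AD from RFC 4035 §3.2.3) and the EDNS0 DO bit (RFC 4035 §3.2.1).
QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020
DO = 0x8000
NOERROR, SERVFAIL = 0, 2

def build_query(name, qtype=2, qid=0x1234):
    """Wire-format query like `dig +dnssec +adflag`: RD and AD set, OPT record carrying DO."""
    header = struct.pack("!HHHHHH", qid, RD | AD, 1, 0, 0, 1)   # QDCOUNT 1, ARCOUNT 1 (the OPT)
    labels = [l.encode() for l in name.strip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)             # QTYPE (2 = NS), QCLASS IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO, 0)      # root, OPT, UDP size, TTL=flags, RDLEN 0
    return header + question + opt

def classify(response, known_bogus):
    """Judge the resolver's DNSSEC behaviour from the response header alone.
    known_bogus=True: the name is deliberately broken (DS does not match any DNSKEY), so a
    validating resolver must SERVFAIL. Otherwise a NOERROR answer should carry AD."""
    flags, = struct.unpack("!H", response[2:4])
    rcode, ad = flags & 0x000F, bool(flags & AD)
    if known_bogus:
        return "validating: bogus name rejected" if rcode == SERVFAIL else "NOT validating: bogus name answered"
    if rcode == NOERROR:
        return "validated (AD set)" if ad else "unvalidated (AD missing)"
    return f"rcode {rcode}"

def fake_response(flags, qid=0x1234):
    """Constructed 12-byte header, enough for classify(); not captured from any real resolver."""
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)

def probe(resolver, name, known_bogus, timeout=3.0):
    """Send one UDP query to `resolver` and classify the reply (needs network; not run by the test)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return classify(data, known_bogus)

if __name__ == "__main__":
    for resolver in ("9.9.9.9", "8.8.8.8", "1.1.1.1"):   # assumed resolvers to compare, as in the post
        print(resolver, probe(resolver, "dnssec-failed.irs.gov", known_bogus=True))
        print(resolver, probe(resolver, "irs.gov", known_bogus=False))
```

Only the header is inspected, so a NOERROR without AD for the parent zone and a NOERROR for the bogus child (the two observations in the post) are both flagged, while SERVFAIL on the bogus child counts as correct validation.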