[dns-operations] Google (formerly also CF) public DNS sometimes forwards incomplete subset of NSEC RRs

Puneet Sood puneets at google.com
Thu Jul 29 02:04:23 UTC 2021


The problem has been fixed for a couple of months now. Thanks for reporting.

$ dig @8.8.8.8 _4._tcp.mx.runbox.com. IN TLSA +dnssec +nocomment +nocrypto

; <<>> DiG 9.10.6 <<>> @8.8.8.8 _4._tcp.mx.runbox.com. IN TLSA +dnssec +nocomment +nocrypto
; (1 server found)
;; global options: +cmd
;_4._tcp.mx.runbox.com. IN TLSA
runbox.com. 1204 IN SOA dns61.copyleft.no. hostmaster.copyleft.no. 3000008995 14400 3600 1296000 3600
runbox.com. 1204 IN RRSIG SOA 13 2 86400 20210809115838 20210726102838 7485 runbox.com. [omitted]
mx.runbox.com. 3003 IN NSEC _25._tcp.mx.runbox.com. A RRSIG NSEC
mx.runbox.com. 3003 IN RRSIG NSEC 13 3 3600 20210809115838 20210726102838 7485 runbox.com. [omitted]
_25._tcp.mx.runbox.com. 3003 IN NSEC ipmi.mysql01.runbox.com. CNAME RRSIG NSEC
_25._tcp.mx.runbox.com. 3003 IN RRSIG NSEC 13 5 3600 20210809115838 20210726102838 7485 runbox.com. [omitted]
;; Query time: 57 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jul 28 22:03:46 EDT 2021
;; MSG SIZE  rcvd: 525

Cheers,
Puneet

On Wed, Sep 16, 2020 at 4:35 PM Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> On Wed, Sep 16, 2020 at 11:50:31AM -0700, Marek Vavruša wrote:
> > Hi Viktor, I forgot to update this thread, but this should be fixed.
>
> Thanks!  Looks much better now.  Now it is Google's turn.  I still see
> an incomplete NSEC3 RRset from 8.8.8.8:
>
>     $ hsdig -n8.8.8.8 -D -t tlsa _25._tcp.mx.runbox.com
>     _25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=1
>     runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008499 14400 3600 1296000 3600
>     runbox.com. IN RRSIG SOA 13 2 86400 20200930104345 20200916091345 18202 runbox.com. <sig>
>     *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
>     *.runbox.com. IN RRSIG NSEC 13 2 3600 20200930104345 20200916091345 18202 runbox.com. <sig>
>
> but the NSEC establishing the zone apex as the closest encloser (now
> present in the CF responses):
>
>     $ hsdig -n1.0.0.1 -D -t tlsa _25._tcp.mx.runbox.com
>     _25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=1
>     runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008499 14400 3600 1296000 3600
>     runbox.com. IN RRSIG SOA 13 2 86400 20200930104345 20200916091345 18202 runbox.com. <sig>
>     munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
>     munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200930104345 20200916091345 18202 runbox.com. <sig>
>     *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
>     *.runbox.com. IN RRSIG NSEC 13 2 3600 20200930104345 20200916091345 18202 runbox.com. <sig>
>
> is missing from the GOOG responses.
>
> --
>     Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
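
Added example (not part of the original thread, and not code from Google, Cloudflare or either poster): a Python check of whether the NSEC records in a negative response form a complete denial proof, run over the owner/next/type data of the three responses quoted above. It assumes the RRSIGs were already validated and ignores delegation, CNAME and DNAME handling; all function and variable names are hypothetical.

```python
# Added example: completeness check for NSEC denial-of-existence proofs.
# Assumes signatures were already validated; ignores delegations/CNAME/DNAME.

def key(name):
    """Canonical ordering key (RFC 4034 section 6.1): labels right to left."""
    return [l.encode() for l in reversed(name.rstrip(".").lower().split("."))]

def covers(owner, nxt, k):
    """True if key k falls strictly inside the NSEC span owner -> nxt."""
    o, n = key(owner), key(nxt)
    return o < k < n if o < n else (k > o or k < n)  # last NSEC wraps to apex

def common(a, b):
    """Number of leading (rightmost in the name) labels shared by two keys."""
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    return i

def check_denial(qname, qtype, nsecs):
    """nsecs: list of (owner, next, set_of_types) taken from the response."""
    q = key(qname)
    for owner, nxt, types in nsecs:
        if key(owner) == q:  # name exists; the bitmap must lack qtype
            return "complete: NODATA" if qtype not in types else "not a denial"
    span = next(((o, n) for o, n, _ in nsecs if covers(o, n, q)), None)
    if span is None:
        return "incomplete: no NSEC covers qname"
    # Closest encloser: longest ancestor of qname shared with either end of span.
    ce = max(common(q, key(span[0])), common(q, key(span[1])))
    wild = q[:ce] + [b"*"]
    for owner, nxt, types in nsecs:
        if key(owner) == wild:
            return "complete: wildcard NODATA" if qtype not in types else "not a denial"
        if covers(owner, nxt, wild):
            return "complete: NXDOMAIN"
    return "incomplete: wildcard not addressed"

# Owner/next/type data copied from the responses quoted in the thread.
WILD = ("*.runbox.com", "_acme-challenge.runbox.com", {"A", "MX", "RRSIG", "NSEC"})
MUNIN = ("munin01.runbox.com", "ipmi.mysql01.runbox.com", {"A", "RRSIG", "NSEC"})
GOOG_2020, CF_2020 = [WILD], [MUNIN, WILD]
GOOG_2021 = [("mx.runbox.com", "_25._tcp.mx.runbox.com", {"A", "RRSIG", "NSEC"}),
             ("_25._tcp.mx.runbox.com", "ipmi.mysql01.runbox.com", {"CNAME", "RRSIG", "NSEC"})]

if __name__ == "__main__":
    print(check_denial("_25._tcp.mx.runbox.com", "TLSA", GOOG_2020))
    print(check_denial("_25._tcp.mx.runbox.com", "TLSA", CF_2020))
    print(check_denial("_4._tcp.mx.runbox.com", "TLSA", GOOG_2021))
```

In the 2021 response both NSEC records are needed: the second covers the query name, and the first covers the wildcard at the closest encloser `_tcp.mx.runbox.com`.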



