[dns-operations] Google public DNS sometimes forwards incomplete subset of NSEC RRs

Puneet Sood puneets at google.com
Wed May 12 16:53:22 UTC 2021


Viktor, dnsop community,

If there are additional missing NSEC|NSEC3 RR issues with Google Public
DNS you are aware of, please respond here or file a ticket
(https://developers.google.com/speed/public-dns/groups#issue_tracker).

On Sat, Feb 6, 2021 at 1:17 AM Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> > On Sep 16, 2020, at 6:31 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> >
> > Now it is Google's turn.  I still see an incomplete NSEC3 RRset from 8.8.8.8:
> >
> >    $ hsdig -n8.8.8.8 -D -t tlsa _25._tcp.mx.runbox.com
> >    _25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=1
> >    runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008499 14400 3600 1296000 3600
> >    runbox.com. IN RRSIG SOA 13 2 86400 20200930104345 20200916091345 18202 runbox.com. <sig>
> >    *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
> >    *.runbox.com. IN RRSIG NSEC 13 2 3600 20200930104345 20200916091345 18202 runbox.com. <sig>
>
> I am seeing this issue again, intermittently from various Google
> DNS servers.  Here's an example from 8.8.4.4:
>
>   _25._tcp.mx.runbox.com. IN TLSA ? ; NoError AD=1
>   runbox.com. IN SOA dns61.copyleft.no. hostmaster at copyleft.no. 3000008714 14400 3600 1296000 3600
>   runbox.com. IN RRSIG SOA 13 2 86400 20210219161924 20210205144924 12629 runbox.com. <sig>
>   *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
>   *.runbox.com. IN RRSIG NSEC 13 2 3600 20210219161924 20210205144924 12629 runbox.com. <sig>

I can reproduce the issue internally. A fix should be coming in the near future.

>
> Or DNSViz (3 of the four public IPs):
>
>   https://dnsviz.net/d/_25._tcp.mx.runbox.com/e/437682/dnssec/
>
> --
>         Viktor.
>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
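
The gap in the responses quoted above, as an added example that is not part of the original thread and is not Google's or hsdig's code: a simplified check (no RRSIG validation, no NSEC3) of whether the NSEC records in a NoError/NODATA answer prove both the wildcard no-data case and the absence of a closer match, per RFC 4035 section 3.1.3.4. The function names and the extra `mx.runbox.com.` NSEC record are constructed for illustration.

```python
def canon_key(name):
    """RFC 4034 section 6.1 order: lowercased labels, rightmost label first."""
    return [l.encode("ascii") for l in reversed(name.rstrip(".").lower().split("."))]

def parse_nsec(lines):
    """Extract (owner, next, types) from 'owner IN NSEC next types...' lines."""
    out = []
    for line in lines:
        f = line.split()
        if len(f) >= 5 and f[1] == "IN" and f[2] == "NSEC":
            out.append((f[0], f[3], set(f[4:])))
    return out

def covers(owner, nxt, qname):
    """True if qname falls strictly inside the NSEC span owner..next."""
    o, n, q = canon_key(owner), canon_key(nxt), canon_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC in the zone wraps back to the apex

def is_below(qname, ancestor):
    q, a = canon_key(qname), canon_key(ancestor)
    return len(q) > len(a) and q[:len(a)] == a

def nodata_proof_gaps(qname, qtype, nsecs):
    """Return the parts of the NODATA proof that the NSEC set fails to give."""
    # Plain NODATA (RFC 4035 3.1.3.1): NSEC at qname itself, qtype not in bitmap.
    if any(canon_key(o) == canon_key(qname) and qtype not in t for o, _, t in nsecs):
        return []
    gaps = []
    # Wildcard NODATA (RFC 4035 3.1.3.4) needs two things:
    # 1. an NSEC at the matching wildcard whose bitmap lacks qtype
    if not any(o.startswith("*.") and is_below(qname, o[2:]) and qtype not in t
               for o, _, t in nsecs):
        gaps.append("wildcard NSEC without " + qtype)
    # 2. an NSEC covering qname, proving no closer match exists
    if not any(covers(o, n, qname) for o, n, _ in nsecs):
        gaps.append("NSEC covering " + qname)
    return gaps

QNAME = "_25._tcp.mx.runbox.com."
FROM_THREAD = [  # NSEC lines copied from the 8.8.4.4 response quoted above
    "*.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC",
    "*.runbox.com. IN RRSIG NSEC 13 2 3600 20210219161924 20210205144924 12629 runbox.com. <sig>",
]
# Constructed record (not real zone data) that would complete the proof.
CONSTRUCTED_EXTRA = ["mx.runbox.com. IN NSEC www.runbox.com. A RRSIG NSEC"]

if __name__ == "__main__":
    print(nodata_proof_gaps(QNAME, "TLSA", parse_nsec(FROM_THREAD)))
    print(nodata_proof_gaps(QNAME, "TLSA", parse_nsec(FROM_THREAD + CONSTRUCTED_EXTRA)))
```

In canonical order `*` sorts before `_acme-challenge`, which sorts before `mx`, so the wildcard NSEC alone does not cover the query name.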


