Incomplete type bitmaps in NSEC(3) records and aggressive use of DNSSEC validated cache

Ruben van Staveren ruben at verweg.com
Wed Sep 8 09:12:19 UTC 2021


Hi,

Last month or so I saw two domains, postnl.nl <http://postnl.nl/> and minjenv.nl <http://minjenv.nl/>, return incomplete NSEC3 records where existing records where omitted from the Type Bit Maps.

This caused strange intermittent failures when a resolver was used that implements aggressive use of DNSSEC validated cache (RFC8198, 4 years old), e.g powerdns recursor 4.5.x. 


e.g., the minjenv has a mx record, but it is not listed in the NSEC3 you’ll get if you query for the non existent A/AAAA record (only NS SOA RRSIG DNSKEY NSEC3PARAM) causing mail delivery failures until the TTL expires. postnl.nl <http://postnl.nl/> has A/AAAA, but the NSEC3 seen for a nonexistent query only has NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM

It is not as such to contact the dns operators and persuade them to upgrade/fix their software used for DNSSEC signing, but more as should we do more analysis of this phenomenon and even have a dns flag day before even more resolvers and operators are going to implement RFC8198? There might be an issue by deliberately exploiting this and make websites/mail unreachable.

Best regards,
    Ruben

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20210908/c384cebb/attachment.html>


More information about the dns-operations mailing list