[dns-operations] Incomplete type bitmaps in NSEC(3) records and aggressive use of DNSSEC validated cache

Petr Špaček pspacek at isc.org
Wed Sep 8 12:04:03 UTC 2021


On 08. 09. 21 11:12, Ruben van Staveren via dns-operations wrote:
> Last month or so I saw two domains, postnl.nl <http://postnl.nl> and 
> minjenv.nl <http://minjenv.nl>, return incomplete NSEC3 records where 
> existing records where omitted from the Type Bit Maps.
> 
> This caused strange intermittent failures when a resolver was used that 
> implements aggressive use of DNSSEC validated cache (RFC8198, 4 years 
> old), e.g powerdns recursor 4.5.x.
> 
> 
> e.g., the minjenv has a mx record, but it is not listed in the NSEC3 
> you’ll get if you query for the non existent A/AAAA record (only NS SOA 
> RRSIG DNSKEY NSEC3PARAM) causing mail delivery failures until the TTL 
> expires. postnl.nl <http://postnl.nl> has A/AAAA, but the NSEC3 seen for 
> a nonexistent query only has NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM
> 
> It is not as such to contact the dns operators and persuade them to 
> upgrade/fix their software used for DNSSEC signing, but more as should 
> we do more analysis of this phenomenon and even have a dns flag day 
> before even more resolvers and operators are going to implement RFC8198? 
> There might be an issue by deliberately exploiting this and make 
> websites/mail unreachable.

Your estimate is correct, it's an old issue with F5 load balancers:
https://support.f5.com/csp/article/K00724442
It's an security issue and affected parties should patch their systems.

Detailed description of the problem can be found e.g. here:
https://en.blog.nic.cz/2019/07/10/error-in-dnssec-implementation-on-f5-big-ip-load-balancers/


-- 
Petr Špaček



More information about the dns-operations mailing list