[dns-operations] CNAME at the apex breaks DNSSEC DS lookups from caches

Mark Andrews marka at isc.org
Thu Apr 21 01:15:48 UTC 2022



> On 15 Apr 2022, at 09:00, Mark Andrews <marka at isc.org> wrote:
> 
> We had a report on bind-users that DNSSEC validation through a forwarder was failing.
> 
> On investigation it turns out that the failing zones had CNAME records at the zone
> apex and the DS lookup was returning the cached instance of that instead of the signed
> non-existence of the DS RRset from the parent zone.  For zones that don’t break the
> prohibition against CNAME and other data this does not happen.  DS is not a record that
> is supposed to co-exist with CNAME and implementing the simple workaround of not matching
> DS lookups against CNAMEs is likely to have other consequences as returning CNAME is the
> correct response for non-apex names with a CNAME record.
> 
> Bring on HTTPS support in browsers as then this CNAME at the apex idiocy can go away.
> 
> Mark
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
> 

My main worry is this, correct, cache behaviour breaks DNSSEC validation through a recursive
server.  This really should be stopped at data entry / zone load time.

Note: I am not blaming Cloudfront here.  Their documentation says “don’t add a CNAME at top
of zone.”

Mark

% dig cybr.club
;; BADCOOKIE, retrying.

; <<>> DiG 9.17.22 <<>> cybr.club
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14961
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 0cb7e2a725062f97010000006260ad31adf951f9f52ef50c (good)
;; QUESTION SECTION:
;cybr.club.			IN	A

;; ANSWER SECTION:
cybr.club.		1799	IN	CNAME	d2vd625ao8btyl.cloudfront.net.
d2vd625ao8btyl.cloudfront.net. 60 IN	A	52.85.75.35
d2vd625ao8btyl.cloudfront.net. 60 IN	A	52.85.75.94
d2vd625ao8btyl.cloudfront.net. 60 IN	A	52.85.75.72
d2vd625ao8btyl.cloudfront.net. 60 IN	A	52.85.75.47

;; Query time: 3195 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Thu Apr 21 11:02:41 AEST 2022
;; MSG SIZE  rcvd: 173

% dig cybr.club ds
;; BADCOOKIE, retrying.

; <<>> DiG 9.17.22 <<>> cybr.club ds
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48656
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: bb216fe591a66b1e010000006260ad36dd87e2eb361476f9 (good)
;; QUESTION SECTION:
;cybr.club.			IN	DS

;; AUTHORITY SECTION:
club.			52	IN	SOA	ns1.dns.nic.club. admin.tldns.godaddy. 1650502363 1800 300 604800 1800

;; Query time: 0 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Thu Apr 21 11:02:46 AEST 2022
;; MSG SIZE  rcvd: 137

% sleep 60
% dig cybr.club ds
;; BADCOOKIE, retrying.

; <<>> DiG 9.17.22 <<>> cybr.club ds
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53549
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: db1ab08d465d66ca010000006260ad81b94c0e06a45a6ac6 (good)
;; QUESTION SECTION:
;cybr.club.			IN	DS

;; ANSWER SECTION:
cybr.club.		1716	IN	CNAME	d2vd625ao8btyl.cloudfront.net.

;; AUTHORITY SECTION:
cloudfront.net.		60	IN	SOA	ns-418.awsdns-52.com. hostmaster.cloudfront.net. 1377556270 16384 2048 1048576 60

;; Query time: 64 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Thu Apr 21 11:04:01 AEST 2022
;; MSG SIZE  rcvd: 176

% 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
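The load-time check Mark asks for, as an added example that is not part of the original post and not ISC/BIND code: a stdlib-only Python script that reads a constructed zone file and flags every owner name whose CNAME co-exists with other data (RFC 1034 section 3.6.2). At the apex this is unavoidable, because SOA and NS always live there, which is exactly the cybr.club situation above. RRSIG and NSEC are allowed beside a CNAME in a signed zone (RFC 4035 section 2.5) and are excluded from the check. All names, addresses and zone contents are made up for the example; the CDN target is not the real CloudFront name.

```python
"""Load-time check for CNAME records that co-exist with other data.

RFC 1034 section 3.6.2 forbids other data at a name that holds a CNAME.
The zone apex always carries SOA and NS, so an apex CNAME is always a
violation, which is why it should be rejected before the zone is served.
Stdlib only; constructed example, not BIND or ISC code.
"""
from collections import defaultdict

# In a signed zone these types legitimately sit beside a CNAME (RFC 4035 s2.5).
ALLOWED_WITH_CNAME = {"RRSIG", "NSEC"}

# Constructed sample zone (hypothetical names, not cybr.club's real data).
# The apex CNAME is the defect discussed in the thread; "mail" is the
# ordinary non-apex form of the same mistake; "www" is a legal CNAME.
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 1800
@       IN SOA   ns1.example.test. hostmaster.example.test. 2022042101 1800 300 604800 1800
        IN NS    ns1.example.test.
        IN NS    ns2.example.test.
@       IN CNAME cdn-edge.example.net.   ; CNAME at the apex
ns1     IN A     192.0.2.53
ns2     IN A     192.0.2.54
www     IN CNAME cdn-edge.example.net.
mail    IN A     192.0.2.25
mail    IN CNAME relay.example.test.     ; CNAME alongside an A record
"""


def parse_zone(text):
    """Return (origin, {owner: set of RR types}) from a master-file subset.

    Handles $ORIGIN, $TTL, '@', relative names, a blank owner field that
    repeats the previous owner, optional TTL/class fields and ';' comments.
    No multi-line parentheses or $INCLUDE: this is a check, not a loader.
    """
    origin = None
    last_owner = None
    rrsets = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "$TTL":
            continue
        if line[0].isspace():          # blank owner: same owner as previous RR
            owner = last_owner
        else:
            owner = fields.pop(0)
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"
        last_owner = owner
        # Optional TTL (digits) and class (IN/CH/HS) precede the type.
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)
        rrsets[owner].add(fields[0].upper())
    return origin, rrsets


def cname_conflicts(rrsets):
    """Yield (owner, other_types) for every owner whose CNAME has company."""
    for owner, types in sorted(rrsets.items()):
        if "CNAME" in types:
            others = sorted(types - {"CNAME"} - ALLOWED_WITH_CNAME)
            if others:
                yield owner, others


def check_zone(text):
    """Run the load-time check; returns human-readable violations.

    An empty list means no CNAME co-exists with other data and the zone is
    safe to load, sign and delegate.
    """
    origin, rrsets = parse_zone(text)
    return [
        f"{owner} ({'apex' if owner == origin else 'non-apex'}): "
        f"CNAME co-exists with {', '.join(others)}"
        for owner, others in cname_conflicts(rrsets)
    ]


if __name__ == "__main__":
    for problem in check_zone(SAMPLE_ZONE) or ["OK: no CNAME conflicts"]:
        print(problem)
```

Run it before the zone is pushed to the provisioning system or signer; a non-empty report should fail the pipeline. BIND itself refuses to load such a zone with a "CNAME and other data" error, which is the behaviour a hosted DNS control panel should mirror at data entry so the broken apex never reaches a cache in the first place.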