[dns-operations] Cloudflare TYPE65283

Emmanuel Fusté manu.fuste at gmail.com
Mon Mar 27 10:37:43 UTC 2023


Le 27/03/2023 à 12:14, Joe Abley a écrit :
> Hi Emmanuel,
>
> On Mon, Mar 27, 2023 at 10:51, Emmanuel Fusté <manu.fuste at gmail.com> 
> wrote:
>> Cloudflare starts to return TYPE65283 in their NSEC records for "compact
>> DNSSEC denial of existence"/"minimal lies" for NXDOMAINs.
>> It actually breaks established "minimal lies" NXDOMAIN decoding
>> implementations.
>> Does someone know the TYPE65283 usage/purpose in this context?
>
> If a compact negative response includes an NSEC RR whose type bitmap 
> only includes NSEC and RRSIG, the response is indistinguishable from 
> the case where the name exists but is an empty non-terminal. Adding a 
> special entry in the type bitmap avoids that ambiguity and as a bonus 
> provides an NXDOMAINish signal as a kind of compromise to those 
> consumers who are all pitchforky about the RCODE. The spec currently 
> calls that special type NXNAME.
>
> https://www.ietf.org/archive/id/draft-huque-dnsop-compact-lies-01.txt
>
> The spec is still a work in progress and the NXNAME type does not have 
> a codepoint. I believe TYPE65283 is being used as a placeholder. I 
> think Christian made a comment to that effect on this list last week, 
> although I think he may not have mentioned the specific RRTYPE that 
> was to be used.
>
> If this has caused something to break, more details would be good to hear!

Yes, I know about the draft to unbreak ENT. Thank you for the updated 
link with the latest version, which supersedes 
draft-huque-dnsop-blacklies-ent-01.
NS1 uses TYPE65281 for ENT.

But in the observed case, the entry is not an ENT:


; <<>> DiG 9.18.13-1-Debian <<>> +norecurse @ns3.cloudflare.com +dnssec 
albertoooo.ns.cloudflare.com.
; (4 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19880
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;albertoooo.ns.cloudflare.com.  IN      A

;; AUTHORITY SECTION:
cloudflare.com.         300     IN      SOA     ns3.cloudflare.com. 
dns.cloudflare.com. 2304565806 10000 2400 604800 300
albertoooo.ns.cloudflare.com. 300 IN    NSEC 
\000.albertoooo.ns.cloudflare.com. RRSIG NSEC TYPE65283
albertoooo.ns.cloudflare.com. 300 IN    RRSIG   NSEC 13 4 300 
20230328112618 20230326092618 34505 cloudflare.com. 
vNF+qAaZUSSreKRLhYHfg5sn7qoP1SV+fZgmivg3qmJecz7Cvp69A/8I 
Ew0XPOuG8CPQGA5doswZdnOk9cfLRw==
cloudflare.com.         300     IN      RRSIG   SOA 13 2 300 
20230328112618 20230326092618 34505 cloudflare.com. 
fD4t5hWnE7js8/gRqJn2G833NCmjcyFqW+WJZnPqHX3SiKBlwUlX2wh8 
UFj0ajbwuTVQpiJxZSb5hUNs9+KErQ==

;; Query time: 8 msec
;; SERVER: 162.159.0.33#53(ns3.cloudflare.com) (UDP)
;; WHEN: Mon Mar 27 12:26:18 CEST 2023
;; MSG SIZE  rcvd: 376

And for ENT, the response did not change from the previous Cloudflare 
implementation: all Cloudflare-known types are added instead of RRSIG 
and NSEC.

Regards,
Emmanuel.
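As an added illustration (not code from the thread, Cloudflare or NS1): a small decoder that turns the type list from the dig output above into an RFC 4034 type bitmap and back, then classifies a compact-denial NSEC owned by the query name, treating TYPE65283 as the NXNAME placeholder the thread describes. The mnemonic table and the four result labels are assumptions of this example.

```python
"""Decode an NSEC type bitmap and classify a compact-denial ("minimal lies")
NSEC at the qname.  Added example; not code from the thread, Cloudflare or NS1."""
import re

NXNAME_PLACEHOLDER = 65283   # TYPE65283, as seen in the Cloudflare response above
# Assumed subset of RR type mnemonics, enough for the records in this thread.
MNEMONICS = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28,
             "RRSIG": 46, "NSEC": 47, "DNSKEY": 48}
NSEC, RRSIG = MNEMONICS["NSEC"], MNEMONICS["RRSIG"]

def parse_presentation_types(text):
    """Turn a dig type list such as 'RRSIG NSEC TYPE65283' into type numbers."""
    types = set()
    for tok in text.split():
        m = re.fullmatch(r"TYPE(\d+)", tok)      # unknown types print as TYPEnnn
        types.add(int(m.group(1)) if m else MNEMONICS[tok])
    return types

def encode_type_bitmap(types):
    """RFC 4034 section 4.1.2 windowed type bitmap for a set of RR type numbers."""
    out = bytearray()
    for window in sorted({t >> 8 for t in types}):
        low = sorted(t & 0xFF for t in types if t >> 8 == window)
        bits = bytearray((low[-1] >> 3) + 1)      # just enough octets for the highest bit
        for l in low:
            bits[l >> 3] |= 0x80 >> (l & 7)
        out += bytes((window, len(bits))) + bits
    return bytes(out)

def decode_type_bitmap(data):
    """Inverse of encode_type_bitmap; rejects truncated or over-long windows."""
    types, i = set(), 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[i], data[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(data):
            raise ValueError("bad window length")
        for j, byte in enumerate(data[i + 2:i + 2 + length]):
            types.update((window << 8) | (j * 8 + b) for b in range(8) if byte & (0x80 >> b))
        i += 2 + length
    return types

def classify_compact_denial(types, qtype):
    """Meaning of an NSEC owned by the qname in a NOERROR, empty-answer response."""
    if NXNAME_PLACEHOLDER in types:
        return "NXDOMAIN"        # the placeholder NXNAME signal from the thread
    if types <= {NSEC, RRSIG}:
        return "AMBIGUOUS"       # pre-NXNAME minimal lie: NXDOMAIN or ENT, cannot tell
    if qtype in types:
        return "INCONSISTENT"    # bitmap claims qtype exists, yet nothing was answered
    return "NODATA"
```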
