[dns-operations] Cloudflare TYPE65283
Emmanuel Fusté
manu.fuste at gmail.com
Mon Mar 27 10:37:43 UTC 2023
On 27/03/2023 at 12:14, Joe Abley wrote:
> Hi Emmanuel,
>
> On Mon, Mar 27, 2023 at 10:51, Emmanuel Fusté <manu.fuste at gmail.com>
> wrote:
>> Cloudflare start to return TYPE65283 in their NSEC records for "compact
>> DNSSEC denial of existence"/"minimal lies" for NXDOMAINs.
>> It actually break "minimal lies" NXDOMAIN established decoding
>> implementations.
>> Does someone know the TYPE65283 usage/purpose in this context ?
>
> If a compact negative response includes an NSEC RR whose type bitmap
> only includes NSEC and RRSIG, the response is indistinguishable from
> the case where the name exists but is an empty non-terminal. Adding a
> special entry in the type bitmap avoids that ambiguity and as a bonus
> provides an NXDOMAINish signal as a kind of compromise to those
> consumers who are all pitchforky about the RCODE. The spec currently
> calls that special type NXNAME.
>
> https://www.ietf.org/archive/id/draft-huque-dnsop-compact-lies-01.txt
> <https://www.ietf.org/archive/id/draft-huque-dnsop-compact-lies-01.txt>
>
> The spec is still a work in progress and the NXNAME type does not have
> a codepoint. I believe TYPE65283 is being used as a placeholder. I
> think Christian made a comment to that effect on this list last week,
> although I think he may not have mentioned the specific RRTYPE that
> was to be used.
>
> If this has caused something to break, more details would be good to hear!
Yes, I know about the draft to unbreak ENT. Thank you for the updated
link with the latest version, which supersedes
draft-huque-dnsop-blacklies-ent-01.
NS1 uses TYPE65281 for ENT.
But in the observed case, the entry is not an ENT:
; <<>> DiG 9.18.13-1-Debian <<>> +norecurse @ns3.cloudflare.com +dnssec
albertoooo.ns.cloudflare.com.
; (4 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19880
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;albertoooo.ns.cloudflare.com. IN A
;; AUTHORITY SECTION:
cloudflare.com. 300 IN SOA ns3.cloudflare.com.
dns.cloudflare.com. 2304565806 10000 2400 604800 300
albertoooo.ns.cloudflare.com. 300 IN NSEC
\000.albertoooo.ns.cloudflare.com. RRSIG NSEC TYPE65283
albertoooo.ns.cloudflare.com. 300 IN RRSIG NSEC 13 4 300
20230328112618 20230326092618 34505 cloudflare.com.
vNF+qAaZUSSreKRLhYHfg5sn7qoP1SV+fZgmivg3qmJecz7Cvp69A/8I
Ew0XPOuG8CPQGA5doswZdnOk9cfLRw==
cloudflare.com. 300 IN RRSIG SOA 13 2 300
20230328112618 20230326092618 34505 cloudflare.com.
fD4t5hWnE7js8/gRqJn2G833NCmjcyFqW+WJZnPqHX3SiKBlwUlX2wh8
UFj0ajbwuTVQpiJxZSb5hUNs9+KErQ==
;; Query time: 8 msec
;; SERVER: 162.159.0.33#53(ns3.cloudflare.com) (UDP)
;; WHEN: Mon Mar 27 12:26:18 CEST 2023
;; MSG SIZE rcvd: 376
And for ENT, the response did not change from the previous Cloudflare
implementation: all Cloudflare known types are added instead of RRSIG
and NSEC.
Regards,
Emmanuel.
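As an added illustration (not code from the thread, from Cloudflare or from the draft), the following Python decodes an NSEC Type Bit Maps field from its wire format and applies the three-way reading of a compact-denial response that the exchange above describes. Treating 65283 as the NXNAME stand-in is an assumption taken from the dig output in this thread; it is not an assigned code point, and the sample bitmap bytes are constructed.

```python
from typing import Set

# RR type code points from RFC 4034; 65283 is the unassigned placeholder
# that the dig output in this thread shows as TYPE65283 (assumed NXNAME stand-in).
TYPE_RRSIG = 46
TYPE_NSEC = 47
TYPE_NXNAME_PLACEHOLDER = 65283


def decode_type_bitmap(data: bytes) -> Set[int]:
    """Parse the NSEC Type Bit Maps field (RFC 4034 section 4.1.2): blocks of
    (window, length, bitmap); bit 0 is the high-order bit of each byte."""
    types: Set[int] = set()
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window block header")
        window, length = data[pos], data[pos + 1]
        pos += 2
        if not 1 <= length <= 32:
            raise ValueError(f"bitmap length {length} out of range in window {window}")
        bitmap = data[pos:pos + length]
        if len(bitmap) != length:
            raise ValueError("truncated bitmap")
        pos += length
        for byte_index, byte in enumerate(bitmap):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    types.add(window * 256 + byte_index * 8 + bit)
    return types


def classify_compact_denial(types: Set[int]) -> str:
    """Interpret an NSEC whose owner name equals the queried name."""
    if TYPE_NXNAME_PLACEHOLDER in types:
        return "nxdomain"  # sentinel present: the name does not exist
    if types <= {TYPE_NSEC, TYPE_RRSIG}:
        # Only NSEC/RRSIG: an empty non-terminal under the draft.  Servers
        # that omit the sentinel use this same bitmap for NXDOMAIN, which
        # is the ambiguity the thread describes.
        return "ent"
    return "exists"  # other types listed: the name exists (NODATA for the asked type)


# Constructed wire bytes matching "RRSIG NSEC TYPE65283" from the dig output:
# window 0, 6 bytes, bits 46 and 47 set; window 255, 1 byte, bit 3 set.
SAMPLE_NXDOMAIN_BITMAP = bytes([0, 6, 0, 0, 0, 0, 0, 0x03, 255, 1, 0x10])
SAMPLE_ENT_BITMAP = bytes([0, 6, 0, 0, 0, 0, 0, 0x03])
```

A resolver-side check that only looks for NSEC and RRSIG in the bitmap, as the thread notes, cannot tell the two sample bitmaps apart without the sentinel.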