[dns-operations] Cloudflare TYPE65283

Emmanuel Fusté manu.fuste at gmail.com
Mon Mar 27 11:31:10 UTC 2023


On 27/03/2023 at 12:37, Emmanuel Fusté wrote:
> On 27/03/2023 at 12:14, Joe Abley wrote:
>> Hi Emmanuel,
>>
>> On Mon, Mar 27, 2023 at 10:51, Emmanuel Fusté <manu.fuste at gmail.com> 
>> wrote:
>>> Cloudflare start to return TYPE65283 in their NSEC records for "compact
>>> DNSSEC denial of existence"/"minimal lies" for NXDOMAINs.
>>> It actually breaks "minimal lies" NXDOMAIN established decoding
>>> implementations.
>>> Does someone know the TYPE65283 usage/purpose in this context ?
>>
>> If a compact negative response includes an NSEC RR whose type bitmap 
>> only includes NSEC and RRSIG, the response is indistinguishable from 
>> the case where the name exists but is an empty non-terminal. Adding a 
>> special entry in the type bitmap avoids that ambiguity and as a bonus 
>> provides an NXDOMAINish signal as a kind of compromise to those 
>> consumers who are all pitchforky about the RCODE. The spec currently 
>> calls that special type NXNAME.
>>
>> https://www.ietf.org/archive/id/draft-huque-dnsop-compact-lies-01.txt
>>
>> The spec is still a work in progress and the NXNAME type does not 
>> have a codepoint. I believe TYPE65283 is being used as a placeholder. 
>> I think Christian made a comment to that effect on this list last 
>> week, although I think he may not have mentioned the 
>> specific RRTYPE that was to be used.
>>
>> If this has caused something to break, more details would be good to 
>> hear!
>
> Yes, I know about the draft to unbreak ENT. Thank you for the updated 
> link with the latest version which supersedes 
> draft-huque-dnsop-blacklies-ent-01.
> NS1 uses TYPE65281 for ENT.
>
> But in the observed case, the entry is not an ENT:
>
>
> ; <<>> DiG 9.18.13-1-Debian <<>> +norecurse @ns3.cloudflare.com 
> +dnssec albertoooo.ns.cloudflare.com.
> ; (4 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19880
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1232
> ;; QUESTION SECTION:
> ;albertoooo.ns.cloudflare.com.  IN      A
>
> ;; AUTHORITY SECTION:
> cloudflare.com.         300     IN      SOA ns3.cloudflare.com. 
> dns.cloudflare.com. 2304565806 10000 2400 604800 300
> albertoooo.ns.cloudflare.com. 300 IN    NSEC 
> \000.albertoooo.ns.cloudflare.com. RRSIG NSEC TYPE65283
> albertoooo.ns.cloudflare.com. 300 IN    RRSIG   NSEC 13 4 300 
> 20230328112618 20230326092618 34505 cloudflare.com. 
> vNF+qAaZUSSreKRLhYHfg5sn7qoP1SV+fZgmivg3qmJecz7Cvp69A/8I 
> Ew0XPOuG8CPQGA5doswZdnOk9cfLRw==
> cloudflare.com.         300     IN      RRSIG   SOA 13 2 300 
> 20230328112618 20230326092618 34505 cloudflare.com. 
> fD4t5hWnE7js8/gRqJn2G833NCmjcyFqW+WJZnPqHX3SiKBlwUlX2wh8 
> UFj0ajbwuTVQpiJxZSb5hUNs9+KErQ==
>
> ;; Query time: 8 msec
> ;; SERVER: 162.159.0.33#53(ns3.cloudflare.com) (UDP)
> ;; WHEN: Mon Mar 27 12:26:18 CEST 2023
> ;; MSG SIZE  rcvd: 376
>
> And for ENT, the response did not change from the previous Cloudflare 
> implementation: all Cloudflare known types are added instead of RRSIG 
> and NSEC.
>

Ok, replying to myself.
TYPE65283 is, as you stated, the placeholder for a future NXNAME.
So they silently break their previous implementation to implement half 
of this draft.
Their previous NXDOMAIN implementation corresponds to the draft's ENT case, but 
they still implement their old way for ENT.
Thank you for the pointer.

Regards,
Emmanuel.
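The ambiguity Joe describes (an NSEC bitmap holding only NSEC and RRSIG cannot tell NXDOMAIN from an ENT) and the placeholder codepoints quoted in this thread, as an added example that is not code from the thread, from Cloudflare or from NS1: a small classifier for compact-denial NSEC records. The NSEC line from the dig output above is used as sample input (the mail wrapping re-joined); the values 65283 and 65281 are taken from the discussion, not from the IANA registry, and the result labels are my own.

```python
import re

# Unassigned codepoints used as signals in the thread: Cloudflare's NXNAME
# placeholder and NS1's ENT marker (values from the discussion, not IANA).
NXNAME_PLACEHOLDER = 65283
NS1_ENT_PLACEHOLDER = 65281

NSEC_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NSEC\s+(\S+)\s*(.*)$")

# The NSEC record from the dig output in this thread, wrapping re-joined.
SAMPLE_NSEC = ("albertoooo.ns.cloudflare.com. 300 IN NSEC "
               "\\000.albertoooo.ns.cloudflare.com. RRSIG NSEC TYPE65283")


def parse_nsec(line):
    """Split a presentation-format NSEC record into (owner, next, type set).
    Mnemonics are kept as upper-case strings, TYPEnnnn tokens become ints."""
    m = NSEC_RE.match(line.strip())
    if not m:
        raise ValueError("not an NSEC record: %r" % line)
    owner, nxt, bitmap = m.groups()
    types = set()
    for tok in bitmap.split():
        num = re.fullmatch(r"TYPE(\d+)", tok, re.IGNORECASE)
        types.add(int(num.group(1)) if num else tok.upper())
    return owner.lower(), nxt.lower(), types


def classify_compact_denial(qname, qtype, owner, types):
    """Decide what a compact-denial NSEC record proves for <qname, qtype>."""
    if owner != qname.lower():
        return "NOT_COMPACT"      # owner != qname: classic NSEC chain proof
    if qtype.upper() in types:
        return "INCONSISTENT"     # bitmap claims the queried type exists
    if NXNAME_PLACEHOLDER in types:
        return "NXDOMAIN"         # draft NXNAME signal (placeholder codepoint)
    if NS1_ENT_PLACEHOLDER in types:
        return "ENT"              # NS1-style explicit ENT marker
    if types <= {"NSEC", "RRSIG"}:
        return "NXDOMAIN_OR_ENT"  # the ambiguity the draft sets out to remove
    return "NODATA"               # name exists with other types, qtype absent


def classify_line(qname, qtype, line):
    """Convenience wrapper: classify one NSEC line for a query name/type."""
    owner, _next, types = parse_nsec(line)
    return classify_compact_denial(qname, qtype, owner, types)
```

Running `classify_line("albertoooo.ns.cloudflare.com.", "A", SAMPLE_NSEC)` yields `NXDOMAIN`; a decoder written for the older bitmap shape would land in the `NXDOMAIN_OR_ENT` branch instead, which is the breakage the thread reports.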



