[dns-operations] Cloudflare TYPE65283
Petr Špaček
pspacek at isc.org
Mon Mar 27 12:34:31 UTC 2023
On 27. 03. 23 13:31, Emmanuel Fusté wrote:
> Le 27/03/2023 à 12:37, Emmanuel Fusté a écrit :
>> Le 27/03/2023 à 12:14, Joe Abley a écrit :
>>> Hi Emmanuel,
>>>
>>> On Mon, Mar 27, 2023 at 10:51, Emmanuel Fusté <manu.fuste at gmail.com>
>>> wrote:
>>>> Cloudflare has started to return TYPE65283 in their NSEC records for "compact
>>>> DNSSEC denial of existence"/"minimal lies" for NXDOMAINs.
>>>> It actually breaks established "minimal lies" NXDOMAIN decoding
>>>> implementations.
>>>> Does someone know the TYPE65283 usage/purpose in this context?
>>>
>>> If a compact negative response includes an NSEC RR whose type bitmap
>>> only includes NSEC and RRSIG, the response is indistinguishable from
>>> the case where the name exists but is an empty non-terminal. Adding a
>>> special entry in the type bitmap avoids that ambiguity and as a bonus
>>> provides an NXDOMAINish signal as a kind of compromise to those
>>> consumers who are all pitchforky about the RCODE. The spec currently
>>> calls that special type NXNAME.
>>>
>>> https://www.ietf.org/archive/id/draft-huque-dnsop-compact-lies-01.txt
>>> <https://www.ietf.org/archive/id/draft-huque-dnsop-compact-lies-01.txt>
>>>
>>> The spec is still a work in progress and the NXNAME type does not
>>> have a codepoint. I believe TYPE65283 is being used as a placeholder.
>>> I think Christian made a comment to that effect on this list last
>>> week, although I think he may not have mentioned the
>>> specific RRTYPE that was to be used.
>>>
>>> If this has caused something to break, more details would be good to
>>> hear!
>>
>> Yes, I know about the draft to unbreak ENT. Thank you for the updated
>> link with the latest version, which supersedes
>> draft-huque-dnsop-blacklies-ent-01.
>> NS1 use TYPE65281 for ENT.
>>
>> But in the observed case, the entry is not an ENT:
>>
>>
>> ; <<>> DiG 9.18.13-1-Debian <<>> +norecurse @ns3.cloudflare.com +dnssec albertoooo.ns.cloudflare.com.
>> ; (4 servers found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19880
>> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 1232
>> ;; QUESTION SECTION:
>> ;albertoooo.ns.cloudflare.com. IN A
>>
>> ;; AUTHORITY SECTION:
>> cloudflare.com. 300 IN SOA ns3.cloudflare.com. dns.cloudflare.com. 2304565806 10000 2400 604800 300
>> albertoooo.ns.cloudflare.com. 300 IN NSEC \000.albertoooo.ns.cloudflare.com. RRSIG NSEC TYPE65283
>> albertoooo.ns.cloudflare.com. 300 IN RRSIG NSEC 13 4 300 20230328112618 20230326092618 34505 cloudflare.com. vNF+qAaZUSSreKRLhYHfg5sn7qoP1SV+fZgmivg3qmJecz7Cvp69A/8I Ew0XPOuG8CPQGA5doswZdnOk9cfLRw==
>> cloudflare.com. 300 IN RRSIG SOA 13 2 300 20230328112618 20230326092618 34505 cloudflare.com. fD4t5hWnE7js8/gRqJn2G833NCmjcyFqW+WJZnPqHX3SiKBlwUlX2wh8 UFj0ajbwuTVQpiJxZSb5hUNs9+KErQ==
>>
>> ;; Query time: 8 msec
>> ;; SERVER: 162.159.0.33#53(ns3.cloudflare.com) (UDP)
>> ;; WHEN: Mon Mar 27 12:26:18 CEST 2023
>> ;; MSG SIZE rcvd: 376
>>
>> And for ENT, the response did not change from the previous Cloudflare
>> implementation: all Cloudflare-known types are added instead of RRSIG
>> and NSEC.
>>
>
> Ok, replying to myself.
> TYPE65283 is, as you stated, the placeholder for a future NXNAME.
> So they silently broke their previous implementation to implement half
> of this draft.
> Their previous NXDOMAIN implementation corresponds to the draft's ENT case, but
> they still implement their old way for ENT.
> Thank you for the pointer.
Could you elaborate on the type of breakage you mentioned?
What got broken, specifically?
--
Petr Špaček
Internet Systems Consortium
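The decoding rule Joe describes above (a placeholder NXNAME type in the NSEC bitmap disambiguating an NXDOMAIN from an empty non-terminal), applied to the NSEC record from Emmanuel's dig output, as an added example that is not part of the original thread and not Cloudflare's or NS1's code. The type codes 65283 (Cloudflare's NXNAME placeholder) and 65281 (NS1's ENT marker) are taken from the messages above and are assumptions until the draft gets a real codepoint; the separate all-known-types ENT encoding Emmanuel mentions is not modelled. The type-bitmap codec follows the window-block format of RFC 4034 section 4.1.2, so the same classifier can be fed from wire-format NSEC RDATA as well as from dig's presentation format.

```python
"""Classify compact-denial ("minimal lies") NSEC responses.

Added example, not Cloudflare's or NS1's code. The placeholder type codes
below come from the dns-operations thread and are assumptions.
"""
from dataclasses import dataclass

# Mnemonics -> type codes (IANA), plus the thread's placeholder types.
TYPES = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28, "RRSIG": 46, "NSEC": 47}
NXNAME_PLACEHOLDER = 65283   # Cloudflare stand-in for draft NXNAME (assumed)
NS1_ENT_PLACEHOLDER = 65281  # NS1 marker for an empty non-terminal (assumed)


def encode_type_bitmap(types):
    """RFC 4034 4.1.2 window-block encoding of an NSEC type bitmap."""
    windows = {}
    for t in types:
        win, low = t >> 8, t & 0xFF
        bits = windows.setdefault(win, bytearray(32))
        bits[low >> 3] |= 0x80 >> (low & 7)
    out = bytearray()
    for win in sorted(windows):  # windows must appear in increasing order
        bits = windows[win]
        length = max(1, len(bits.rstrip(b"\x00")))  # trailing zeros dropped
        out += bytes([win, length]) + bits[:length]
    return bytes(out)


def decode_type_bitmap(data):
    """Inverse of encode_type_bitmap; returns sorted type codes."""
    types, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        win, length = data[i], data[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(data):
            raise ValueError("bad window length")
        for byte_idx, byte in enumerate(data[i + 2:i + 2 + length]):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    types.append((win << 8) | (byte_idx << 3) | bit)
        i += 2 + length
    return sorted(types)


@dataclass
class NsecRecord:
    owner: str
    next_name: str
    types: list  # type codes from the bitmap


def type_code(mnemonic):
    """Map a mnemonic or RFC 3597 'TYPEnnn' name to a type code."""
    m = mnemonic.upper()
    if m.startswith("TYPE") and m[4:].isdigit():
        return int(m[4:])
    return TYPES[m]


def parse_nsec_presentation(line):
    """Parse one NSEC RR in dig presentation format into an NsecRecord."""
    owner, _ttl, _cls, rtype, next_name, *mnemonics = line.split()
    if rtype.upper() != "NSEC":
        raise ValueError("not an NSEC record")
    return NsecRecord(owner, next_name, [type_code(m) for m in mnemonics])


def classify_compact_denial(qname, qtype, rcode, nsec):
    """Interpret a NOERROR answer carrying one NSEC at the query name.

    Returns "NXDOMAIN", "ENT", "NODATA", "AMBIGUOUS" or "INCONSISTENT";
    a non-NOERROR rcode is returned unchanged.
    """
    qname = qname.lower().rstrip(".") + "."
    if rcode != "NOERROR":
        return rcode
    if nsec.owner.lower() != qname:
        raise ValueError("not a compact denial: NSEC owner != qname")
    # Compact denial uses the minimally covering next name "\000.<qname>".
    if nsec.next_name.lower() != "\\000." + qname:
        raise ValueError("next name is not the minimal cover")
    types = set(nsec.types)
    if NXNAME_PLACEHOLDER in types:
        return "NXDOMAIN"       # the draft's NXNAME signal
    if NS1_ENT_PLACEHOLDER in types:
        return "ENT"
    if types <= {TYPES["RRSIG"], TYPES["NSEC"]}:
        return "AMBIGUOUS"      # Joe's point: ENT or NXDOMAIN, can't tell
    if qtype in types:
        return "INCONSISTENT"   # bitmap claims qtype exists, yet no answer
    return "NODATA"             # name exists, no data for qtype


# Constructed from the dig output quoted in the thread (not a live query).
CLOUDFLARE_NSEC = ("albertoooo.ns.cloudflare.com. 300 IN NSEC "
                   "\\000.albertoooo.ns.cloudflare.com. RRSIG NSEC TYPE65283")


def classify_thread_example():
    nsec = parse_nsec_presentation(CLOUDFLARE_NSEC)
    return classify_compact_denial("albertoooo.ns.cloudflare.com",
                                   TYPES["A"], "NOERROR", nsec)


if __name__ == "__main__":
    print(classify_thread_example())
```

A resolver that previously mapped "NSEC at qname with only RRSIG and NSEC" to NXDOMAIN will now see the extra type and, depending on how it was written, either fall through to NODATA or reject the record; that is the breakage the thread is asking about, and the AMBIGUOUS branch above is the case the draft's NXNAME is meant to remove.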