[dns-operations] Cloudflare TYPE65283

Emmanuel Fusté manu.fuste at gmail.com
Mon Mar 27 13:00:23 UTC 2023


Le 27/03/2023 à 13:31, Emmanuel Fusté a écrit :
> Le 27/03/2023 à 12:37, Emmanuel Fusté a écrit :
>> Le 27/03/2023 à 12:14, Joe Abley a écrit :
>>> Hi Emmanuel,
>>>
>>> On Mon, Mar 27, 2023 at 10:51, Emmanuel Fusté <manu.fuste at gmail.com> 
>>> wrote:
>>>> Cloudflare started to return TYPE65283 in their NSEC records for "compact
>>>> DNSSEC denial of existence"/"minimal lies" for NXDOMAINs.
>>>> It actually breaks established "minimal lies" NXDOMAIN decoding
>>>> implementations.
>>>> Does someone know the TYPE65283 usage/purpose in this context?
>>>
>>> If a compact negative response includes an NSEC RR whose type bitmap 
>>> only includes NSEC and RRSIG, the response is indistinguishable from 
>>> the case where the name exists but is an empty non-terminal. Adding 
>>> a special entry in the type bitmap avoids that ambiguity and as a 
>>> bonus provides an NXDOMAINish signal as a kind of compromise to 
>>> those consumers who are all pitchforky about the RCODE. The spec 
>>> currently calls that special type NXNAME.
>>>
>>> https://www.ietf.org/archive/id/draft-huque-dnsop-compact-lies-01.txt
>>>
>>> The spec is still a work in progress and the NXNAME type does not 
>>> have a codepoint. I believe TYPE65283 is being used as a 
>>> placeholder. I think Christian made a comment to that effect on this 
>>> list last week, although I think he may not have mentioned the 
>>> specific RRTYPE that was to be used.
>>>
>>> If this has caused something to break, more details would be good to 
>>> hear!
>>
>> Yes, I know about the draft to unbreak ENT. Thank you for the updated 
>> link with the latest version, which supersedes 
>> draft-huque-dnsop-blacklies-ent-01.
>> NS1 uses TYPE65281 for ENT.
>>
>> But in the observed case, the entry is not an ENT:
>>
>>
>> ; <<>> DiG 9.18.13-1-Debian <<>> +norecurse @ns3.cloudflare.com 
>> +dnssec albertoooo.ns.cloudflare.com.
>> ; (4 servers found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19880
>> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 1232
>> ;; QUESTION SECTION:
>> ;albertoooo.ns.cloudflare.com.  IN      A
>>
>> ;; AUTHORITY SECTION:
>> cloudflare.com.         300     IN      SOA ns3.cloudflare.com. 
>> dns.cloudflare.com. 2304565806 10000 2400 604800 300
>> albertoooo.ns.cloudflare.com. 300 IN    NSEC 
>> \000.albertoooo.ns.cloudflare.com. RRSIG NSEC TYPE65283
>> albertoooo.ns.cloudflare.com. 300 IN    RRSIG   NSEC 13 4 300 
>> 20230328112618 20230326092618 34505 cloudflare.com. 
>> vNF+qAaZUSSreKRLhYHfg5sn7qoP1SV+fZgmivg3qmJecz7Cvp69A/8I 
>> Ew0XPOuG8CPQGA5doswZdnOk9cfLRw==
>> cloudflare.com.         300     IN      RRSIG   SOA 13 2 300 
>> 20230328112618 20230326092618 34505 cloudflare.com. 
>> fD4t5hWnE7js8/gRqJn2G833NCmjcyFqW+WJZnPqHX3SiKBlwUlX2wh8 
>> UFj0ajbwuTVQpiJxZSb5hUNs9+KErQ==
>>
>> ;; Query time: 8 msec
>> ;; SERVER: 162.159.0.33#53(ns3.cloudflare.com) (UDP)
>> ;; WHEN: Mon Mar 27 12:26:18 CEST 2023
>> ;; MSG SIZE  rcvd: 376
>>
>> And for ENT, the response did not change from the previous Cloudflare 
>> implementation: all Cloudflare known types are added instead of 
>> RRSIG and NSEC.
>>
>
> Ok, replying to myself.
> TYPE65283 is, as you stated, the placeholder for a future NXNAME.
> So they silently broke their previous implementation to implement half 
> of this draft.
> Their previous NXDOMAIN implementation corresponds to the draft's ENT case, 
> but they still implement their old way for ENT.
> Thank you for the pointer.
>
Last word on the subject.
Adding brain-damage to brain-damage, and now we have a total mess.
Only implementations using a synthesized NXNAME and a synthesized ENT 
distinguisher could be identified.
Considering an NSEC record with only RRSIG and NSEC:
Is it an old-draft minimal response NXDOMAIN?
Is it a new-draft minimal response ENT without an ENT distinguisher?
To be no worse than the previous draft, ENT distinguisher usage 
must be mandatory.

Emmanuel.
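As an added example (not code from this thread, from Cloudflare or from any resolver), the following Python decodes an NSEC type bitmap from wire format and sorts a compact-denial response into the cases the message above lists: NXNAME placeholder present (TYPE65283), explicit ENT marker present (TYPE65281, as the thread says NS1 uses), the ambiguous NSEC+RRSIG-only bitmap, or an ordinary NODATA. The sample bitmap bytes are constructed to match the dig output quoted above; the `Denial` names and the `is_minimal_lie` helper are assumptions of this example.

```python
from enum import Enum

RRSIG, NSEC = 46, 47
NXNAME_PLACEHOLDER = 65283  # TYPE65283: Cloudflare's stand-in for the draft's NXNAME
ENT_MARKER_NS1 = 65281      # TYPE65281: the ENT distinguisher the thread says NS1 uses

class Denial(Enum):  # names are this example's own, not from the draft
    NXDOMAIN = "NXNAME placeholder present: compact-denial NXDOMAIN"
    ENT = "explicit ENT distinguisher present"
    AMBIGUOUS = "bitmap is only NSEC+RRSIG: old-draft NXDOMAIN or new-draft ENT"
    NODATA = "name exists with other types: NODATA for the queried type"

def decode_type_bitmap(wire: bytes) -> set[int]:
    """Decode an NSEC type bitmap from wire format (RFC 4034 section 4.1.2):
    blocks of (window, length, bitmap[length]) with bits numbered MSB-first."""
    types, pos = set(), 0
    while pos < len(wire):
        if pos + 2 > len(wire) or not 1 <= wire[pos + 1] <= 32 or pos + 2 + wire[pos + 1] > len(wire):
            raise ValueError("malformed NSEC type bitmap")
        window, length = wire[pos], wire[pos + 1]
        for i, octet in enumerate(wire[pos + 2:pos + 2 + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add(window * 256 + i * 8 + bit)
        pos += 2 + length
    return types

def is_minimal_lie(owner: str, next_name: str) -> bool:
    """True when the NSEC's next name is \\000.<owner>, i.e. it covers only the queried name."""
    return next_name.lower() == "\\000." + owner.lower()

def classify(types: set[int], qtype: int) -> Denial:
    """Interpret a compact-denial NSEC type bitmap for a query of type qtype."""
    if qtype in types:
        raise ValueError("queried type is in the bitmap; this is not a denial")
    if NXNAME_PLACEHOLDER in types:
        return Denial.NXDOMAIN
    if ENT_MARKER_NS1 in types:
        return Denial.ENT
    if types <= {NSEC, RRSIG}:
        return Denial.AMBIGUOUS
    return Denial.NODATA

# Constructed wire bitmap matching the dig output above: window 0 carries
# RRSIG(46)+NSEC(47) (octet 5 = 0x03), window 255 carries TYPE65283 (octet 0 = 0x10).
CF_NXDOMAIN_BITMAP = bytes([0x00, 0x06, 0, 0, 0, 0, 0, 0x03, 0xFF, 0x01, 0x10])
```

A validating resolver that only checks for the NSEC+RRSIG-only shape will report `AMBIGUOUS` for both the old Cloudflare NXDOMAIN form and a new-draft ENT, which is exactly the mess the message describes.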


