[dns-operations] Cloudflare TYPE65283

Petr Špaček pspacek at isc.org
Mon Mar 27 13:38:48 UTC 2023 

On 27. 03. 23 15:27, Emmanuel Fusté wrote:
> Le 27/03/2023 à 14:34, Petr Špaček a écrit :
>> On 27. 03. 23 13:31, Emmanuel Fusté wrote:
>>> Le 27/03/2023 à 12:37, Emmanuel Fusté a écrit :
>>>> Le 27/03/2023 à 12:14, Joe Abley a écrit :
>>>>> Hi Emmanuel,
>>>>>
>>>>> On Mon, Mar 27, 2023 at 10:51, Emmanuel Fusté 
>>>>> <manu.fuste at gmail.com> wrote:
>>>>>> Cloudflare start to return TYPE65283 in their NSEC records for 
>>>>>> "compact
>>>>>> DNSSEC denial of existence"/"minimal lies" for NXDOMAINs.
>>>>>> It actually break "minimal lies" NXDOMAIN established decoding
>>>>>> implementations.
>>>>>> Does someone know the TYPE65283 usage/purpose in this context ?
>>>>>
>>>>> If a compact negative response includes an NSEC RR whose type 
>>>>> bitmap only includes NSEC and RRSIG, the response is is 
>>>>> indistuishable from the case where the name exists but is an empty 
>>>>> non-terminal. Adding a special entry in the type bitmap avoids that 
>>>>> ambiguity and as a bonus provides an NXDOMAINish signal as a kind 
>>>>> of compromise to those consumers who are all pitchforky about the 
>>>>> RCODE. The spec currently calls that special type NXNAME.
>>>>>
>>>>> https://www.ietf.org/archive/id/draft-huque-dnsop-compact-lies-01.txt <https://www.ietf.org/archive/id/draft-huque-dnsop-compact-lies-01.txt>
>>>>>
>>>>> The spec is still a work in progress and the NXNAME type does not 
>>>>> have a codepoint. I believe TYPE65283 is being used as a 
>>>>> placeholder. I think Christian made a comment to that effect on 
>>>>> this list last week, although I think he may not have mentioned the 
>>>>> specific RRTYPE that was to be used.
>>>>>
>>>>> If this has caused something to break, more details would be good 
>>>>> to hear! 
> ......
>>> Ok, replying to myself.
>>> TYPE65283 is as you stated the place holder for a future NXNAME.
>>> So they silently break their previous implementation to implement 
>>> half of this this draft.
>>> Their previous NXDOMAIN implementation correspond to draft ENT case, 
>>> but they still implement their old way for ENT.
>>> Thank you for the pointer.
>>
>> Could you elaborate on the type of breakage you mentioned?
>>
>> What got broken, specifically?
>>
> Client side previous draft NXDOMAIN status decoding as originally 
> encoded by Cloudflare.
> Having application relying on the NXDOMAIN status passed by the API, we 
> where forced to add simple minimal lies decoding on the stub resolver 
> (we don't want to disable DNSSEC validation on our trusted resolver or 
> do special treatments on it for theses clients).
> The decoding is based on exactly the presence of RRSIG and NSEC in the 
> NSEC record.
> The NS1 extension for restoring simple ENT identification is compatible 
> with this scheme as for ENT you get RRSIG NSEC and TYPE65281.
> 
> Now I need to explicitly strip (or special case) TYPE65283 to restore 
> NXDOMAIN identification from Cloudflare and still identify NXDOMAIN on 
> NS1 and NXDOMAIN or ENT on Route53.
> If Cloudflare switch to this draft for the ENT case too, it will became 
> as worse as Route53 and only NS1 will give distinguishable real NXDOMAIN.
> Or ALL compact lies response implementer should switch to this new draft 
> and be known to have switched.

Thank you, that explains it!

I simply did not expect changes to draft implementations to be called 
"breakage".

-- 
Petr Špaček
Internet Systems Consortium

More information about the dns-operations mailing list