[dns-operations] Cloudflare TYPE65283
Emmanuel Fusté
manu.fuste at gmail.com
Mon Mar 27 14:00:54 UTC 2023
Le 27/03/2023 à 15:38, Petr Špaček a écrit :
> On 27. 03. 23 15:27, Emmanuel Fusté wrote:
>> Le 27/03/2023 à 14:34, Petr Špaček a écrit :
>>> On 27. 03. 23 13:31, Emmanuel Fusté wrote:
>>>> Le 27/03/2023 à 12:37, Emmanuel Fusté a écrit :
>>>>> Le 27/03/2023 à 12:14, Joe Abley a écrit :
>>>>>> Hi Emmanuel,
>>>>>>
>>>>>> On Mon, Mar 27, 2023 at 10:51, Emmanuel Fusté
>>>>>> <manu.fuste at gmail.com> wrote:
>>>>>>> Cloudflare start to return TYPE65283 in their NSEC records for
>>>>>>> "compact
>>>>>>> DNSSEC denial of existence"/"minimal lies" for NXDOMAINs.
>>>>>>> It actually break "minimal lies" NXDOMAIN established decoding
>>>>>>> implementations.
>>>>>>> Does someone know the TYPE65283 usage/purpose in this context ?
>>>>>>
>>>>>> If a compact negative response includes an NSEC RR whose type
>>>>>> bitmap only includes NSEC and RRSIG, the response is is
>>>>>> indistuishable from the case where the name exists but is an
>>>>>> empty non-terminal. Adding a special entry in the type bitmap
>>>>>> avoids that ambiguity and as a bonus provides an NXDOMAINish
>>>>>> signal as a kind of compromise to those consumers who are all
>>>>>> pitchforky about the RCODE. The spec currently calls that special
>>>>>> type NXNAME.
>>>>>>
>>>>>> https://www.ietf.org/archive/id/draft-huque-dnsop-compact-lies-01.txt
>>>>>> <https://www.ietf.org/archive/id/draft-huque-dnsop-compact-lies-01.txt>
>>>>>>
>>>>>> The spec is still a work in progress and the NXNAME type does not
>>>>>> have a codepoint. I believe TYPE65283 is being used as a
>>>>>> placeholder. I think Christian made a comment to that effect on
>>>>>> this list last week, although I think he may not have mentioned
>>>>>> the specific RRTYPE that was to be used.
>>>>>>
>>>>>> If this has caused something to break, more details would be good
>>>>>> to hear!
>> ......
>>>> Ok, replying to myself.
>>>> TYPE65283 is as you stated the place holder for a future NXNAME.
>>>> So they silently break their previous implementation to implement
>>>> half of this this draft.
>>>> Their previous NXDOMAIN implementation correspond to draft ENT
>>>> case, but they still implement their old way for ENT.
>>>> Thank you for the pointer.
>>>
>>> Could you elaborate on the type of breakage you mentioned?
>>>
>>> What got broken, specifically?
>>>
>> Client side previous draft NXDOMAIN status decoding as originally
>> encoded by Cloudflare.
>> Having application relying on the NXDOMAIN status passed by the API,
>> we where forced to add simple minimal lies decoding on the stub
>> resolver (we don't want to disable DNSSEC validation on our trusted
>> resolver or do special treatments on it for theses clients).
>> The decoding is based on exactly the presence of RRSIG and NSEC in
>> the NSEC record.
>> The NS1 extension for restoring simple ENT identification is
>> compatible with this scheme as for ENT you get RRSIG NSEC and TYPE65281.
>>
>> Now I need to explicitly strip (or special case) TYPE65283 to restore
>> NXDOMAIN identification from Cloudflare and still identify NXDOMAIN
>> on NS1 and NXDOMAIN or ENT on Route53.
>> If Cloudflare switch to this draft for the ENT case too, it will
>> became as worse as Route53 and only NS1 will give distinguishable
>> real NXDOMAIN.
>> Or ALL compact lies response implementer should switch to this new
>> draft and be known to have switched.
>
> Thank you, that explains it!
>
> I simply did not expect changes to draft implementations to be called
> "breakage".
>
Yes, I perfectly understand this position toward drafts in the common
IETF sense/usage.
But as these drafts where and are imposed to us unilaterally on the
whole Internet since years by majors DNS service providers they are
sadly de-facto standards.
Emmanuel.
More information about the dns-operations
mailing list