[dns-operations] Cloudflare TYPE65283

Petr Špaček pspacek at isc.org
Mon Mar 27 14:24:08 UTC 2023 

On 27. 03. 23 16:00, Emmanuel Fusté wrote:
> Le 27/03/2023 à 15:38, Petr Špaček a écrit :
>> On 27. 03. 23 15:27, Emmanuel Fusté wrote:
>>> Le 27/03/2023 à 14:34, Petr Špaček a écrit :
>>>> On 27. 03. 23 13:31, Emmanuel Fusté wrote:
>>>>> Le 27/03/2023 à 12:37, Emmanuel Fusté a écrit :
>>>>>> Le 27/03/2023 à 12:14, Joe Abley a écrit :
>>>>>>> Hi Emmanuel,
>>>>>>>
>>>>>>> On Mon, Mar 27, 2023 at 10:51, Emmanuel Fusté 
>>>>>>> <manu.fuste at gmail.com> wrote:
>>>>>>>> Cloudflare start to return TYPE65283 in their NSEC records for 
>>>>>>>> "compact
>>>>>>>> DNSSEC denial of existence"/"minimal lies" for NXDOMAINs.
>>>>>>>> It actually break "minimal lies" NXDOMAIN established decoding
>>>>>>>> implementations.
>>>>>>>> Does someone know the TYPE65283 usage/purpose in this context ?
>>>>>>>
>>>>>>> If a compact negative response includes an NSEC RR whose type 
>>>>>>> bitmap only includes NSEC and RRSIG, the response is is 
>>>>>>> indistuishable from the case where the name exists but is an 
>>>>>>> empty non-terminal. Adding a special entry in the type bitmap 
>>>>>>> avoids that ambiguity and as a bonus provides an NXDOMAINish 
>>>>>>> signal as a kind of compromise to those consumers who are all 
>>>>>>> pitchforky about the RCODE. The spec currently calls that special 
>>>>>>> type NXNAME.
>>>>>>>
>>>>>>> https://www.ietf.org/archive/id/draft-huque-dnsop-compact-lies-01.txt <https://www.ietf.org/archive/id/draft-huque-dnsop-compact-lies-01.txt>
>>>>>>>
>>>>>>> The spec is still a work in progress and the NXNAME type does not 
>>>>>>> have a codepoint. I believe TYPE65283 is being used as a 
>>>>>>> placeholder. I think Christian made a comment to that effect on 
>>>>>>> this list last week, although I think he may not have mentioned 
>>>>>>> the specific RRTYPE that was to be used.
>>>>>>>
>>>>>>> If this has caused something to break, more details would be good 
>>>>>>> to hear! 
>>> ......
>>>>> Ok, replying to myself.
>>>>> TYPE65283 is as you stated the place holder for a future NXNAME.
>>>>> So they silently break their previous implementation to implement 
>>>>> half of this this draft.
>>>>> Their previous NXDOMAIN implementation correspond to draft ENT 
>>>>> case, but they still implement their old way for ENT.
>>>>> Thank you for the pointer.
>>>>
>>>> Could you elaborate on the type of breakage you mentioned?
>>>>
>>>> What got broken, specifically?
>>>>
>>> Client side previous draft NXDOMAIN status decoding as originally 
>>> encoded by Cloudflare.
>>> Having application relying on the NXDOMAIN status passed by the API, 
>>> we where forced to add simple minimal lies decoding on the stub 
>>> resolver (we don't want to disable DNSSEC validation on our trusted 
>>> resolver or do special treatments on it for theses clients).
>>> The decoding is based on exactly the presence of RRSIG and NSEC in 
>>> the NSEC record.
>>> The NS1 extension for restoring simple ENT identification is 
>>> compatible with this scheme as for ENT you get RRSIG NSEC and TYPE65281.
>>>
>>> Now I need to explicitly strip (or special case) TYPE65283 to restore 
>>> NXDOMAIN identification from Cloudflare and still identify NXDOMAIN 
>>> on NS1 and NXDOMAIN or ENT on Route53.
>>> If Cloudflare switch to this draft for the ENT case too, it will 
>>> became as worse as Route53 and only NS1 will give distinguishable 
>>> real NXDOMAIN.
>>> Or ALL compact lies response implementer should switch to this new 
>>> draft and be known to have switched.
>>
>> Thank you, that explains it!
>>
>> I simply did not expect changes to draft implementations to be called 
>> "breakage".
>>
> Yes, I perfectly understand this position toward drafts in the common 
> IETF sense/usage.
> But as these drafts where and are imposed to us unilaterally on the 
> whole Internet since years by majors DNS service providers they are 
> sadly de-facto standards.

You got me curious: What is the use-case depending on this? I mean, from 
reading the DNS spec _alone_ it's not clear why any of variants in use 
should cause serious problems if it's done correctly.

-- 
Petr Špaček
Internet Systems Consortium

More information about the dns-operations mailing list