[dns-operations] ag.gov not providing NXDOMAIN responses
David Zych
dmrz at illinois.edu
Fri Apr 12 19:04:18 UTC 2024
On 4/12/24 05:13, Petr Špaček wrote:
> On 11. 04. 24 6:15, Stephane Bortzmeyer wrote:
>> On Tue, Apr 09, 2024 at 01:09:20PM -0500,
>> David Zych <dmrz at illinois.edu> wrote:
>>
>>> The problem: when queried for a record underneath ag.gov. which does
>>> not exist, these nameservers do not return a proper NXDOMAIN
>>> response; instead, they don't answer at all.
>>
>> Funny enough, it depends on the QTYPE.
Answering QTYPE=NS queries may be a new development; thanks to Victor's
suggestion I was able to reach someone using the SOA RNAME address, and
their first reply on Apr 10 was "The reported issue of the domain
"www.[.]tucson[.]ars[.]ag[.]gov" (formatted to avoid url protection) not
resolving has been corrected." It might be that this is the thing they
changed; I'm not sure.
Our continued back-and-forth discussion about the importance of NXDOMAIN
responses in general is ongoing.
It's also funny to me that the exact same nameservers do answer `dig
+norec @ns1.usda.gov thissubdomaindoesnotexist.usda.gov a` (for usda.gov
instead of ag.gov)
>>> The practical trouble this causes has to do with an increasingly
>>> popular DNS privacy feature called QNAME Minimization, which depends
>>> upon authoritative DNS servers like yours responding in a
>>> standards-compliant way to queries like
>>>
>>> _.ag.gov IN A
>>> _.ars.ag.gov IN A
>>> _.tucson.ars.ag.gov IN A
>>
>> More fun: the previous version of QNAME minimisation used QTYPE=NS. It
>> then changed to QTYPE=A precisely to work around broken
>> middleboxes. (And also to avoid sticking out.)
>
> This is not only in violation of
> https://datatracker.ietf.org/doc/html/rfc8906 but it is an outright
> security issue because it allows attackers to mess up load balancing
> in resolvers. See
> https://indico.dns-oarc.net/event/47/contributions/1018/attachments/959/1802/pre-silence-not-golden-dns-orac.pdf
> I predict you have much better chance getting this fixed if you go
> through respective CERT team and point them to this presentation.
Thanks, that's a great link and I will be sure to include it in my next
reply to the authoritative nameserver operator. (It does appear that
someone considers the status quo posture a "security protocol", so
hopefully they will see this as a compelling argument.)
> Answering before some asks: No, we are not going to workaround this in
> BIND resolver. It has to be fixed on the auth side. This is not a
> security bug in BIND. See
> https://bind9.readthedocs.io/en/latest/chapter7.html#dns-resolvers
I certainly would never suggest that it was a bug in BIND, but FWIW: I
would see some value in being able to configure `|qname-minimization`
within a `server` block.|
Suppose I as the recursive nameserver operator hypothetically found
myself under pressure from non-technical people to "just make it work so
we can get to the website, this is embarrassing" (fortunately not the
case right now, but it's not hard to imagine in a higher profile
scenario). I could accomplish that right now using either
`|qname-minimization disabled;` or in this case also (ironically)
`||qname-minimization strict;||`. However, a global setting of strict
might cause problems resolving other domains, so realistically my best
unilateral recourse would be to disable minimization completely, even
though that feels like a step backward. Given the choice, I'd much
rather disable it just for two known misbehaving servers and leave it on
for everything else (while in parallel still reaching out to the
authoritative server operator to address the root cause).
It seems to me that such a feature would likely also be helpful when
strict eventually does become the default, if a few authoritative
nameservers in the wild still aren't ready (preferable at that point for
recursive server operators to set relaxed or disabled just for problem
cases vs globally).
Thanks,
David
|
--
David Zych (he/him)
Lead Network Service Engineer
University of Illinois Urbana-Champaign
Office of the Chief Information Officer
Technology Services
Under the Illinois Freedom of Information Act any written communication to or from university employees regarding university business is a public record and may be subject to public disclosure.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20240412/a3f62353/attachment.html>
More information about the dns-operations
mailing list