[dns-operations] 8.8.8.8 not supporting removing DS

Karl Dyson karldyson at gmail.com
Tue Nov 26 12:50:10 UTC 2024


On Thu, Nov 21, 2024 at 01:19:33PM -0300, Robert Martin-Legene wrote:
> Google's recursive DNS seems to dislike a registry operator removing DS for
> some of their zones in parent zones, while still signing parent and child
> properly. Even the now absence of DS is properly signed.
> 
> The response is SERVFAIL even though the TTL has long since expired in all
> caches.  Also, there is no DS in their cache when queried about DS.
> 
> All other known open recursive providers seem to adhere to the expected
> behaviour.
> 
> Is this a bug, Google?
> 
> Feel free to contact me directly if you need specific zone names.
> 
> -- 
> Robert Martin-Legene

Hello,

This prompted me to add a test for this scenario to a domain I run for
the purpose of having a bunch of both working and expected broken scenarios.

The DS record for the child zone is added to the parent zone on
minutes 0 and 30 of each hour with a 300 TTL, and then removed on
minutes 15 and 45.

The SOA minimum is also 300 so the negative caching of the absence of
the DS should have the same behaviour as the cached presence of the
record.

Both the parent and child are signed, and the change to add and remove
the DS is performed via a dynamic update. So the presence or absence of
the record should always be correctly reflected in the NSEC chain.

flapping-ds-child.flapping-ds-parent.nsec3.uk

I've not yet observed the scenario you outline above with this test,
and so I don't know if the behaviour is somehow specific to (some?)
TLDs/TLD zones, or whether my test is not representative in some way.

The website at https://nsec3.uk outlines the other testable scenarios.

Suggestions and corrections are very welcome.

-- 
Karl Dyson
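As an added example (not code from the post or from nsec3.uk), a POSIX shell probe for the flapping-DS zone described above: it derives the DS state the schedule predicts for the current minute and then asks each recursor for the child's DS and A records, classifying every answer as validated (AD flag set), unvalidated, or SERVFAIL. It assumes `dig` is installed and that the zone follows the post's schedule (DS present from :00 and :30 for 15 minutes, TTL 300, SOA minimum 300); the resolver list is my own assumption and can be overridden via `RESOLVERS`.

```shell
#!/bin/sh
# Added example, not the post's or nsec3.uk's own code.  Assumes dig is
# available and the schedule from the post; RESOLVERS is an assumed default.
PARENT="flapping-ds-parent.nsec3.uk"
CHILD="flapping-ds-child.${PARENT}"
RESOLVERS="${RESOLVERS:-8.8.8.8 1.1.1.1 9.9.9.9}"

# Expected DS state for a minute of the hour ("00".."59"), per the schedule.
expected_ds_state() {
    m=$(printf '%s' "$1" | sed 's/^0*//')   # drop leading zeros: "08" would read as octal
    m=$(( ${m:-0} % 30 ))
    if [ "$m" -lt 15 ]; then echo present; else echo absent; fi
}

# Classify dig output: "servfail", "error", or "secure:N" / "insecure:N",
# where N is the ANSWER count (a validated DS absence shows as "secure:0").
classify_response() {
    case "$1" in
        *"status: SERVFAIL"*) echo servfail; return 0 ;;
        *"status: NOERROR"*) ;;
        *) echo error; return 0 ;;
    esac
    flags=$(printf '%s\n' "$1" | grep '^;; flags:' | head -n 1)
    answers=$(printf '%s\n' "$flags" | sed -n 's/.*ANSWER: \([0-9]*\).*/\1/p')
    case "$flags" in
        *" ad "*|*" ad;"*) echo "secure:${answers:-0}" ;;
        *)                 echo "insecure:${answers:-0}" ;;
    esac
}

# Query one resolver with DNSSEC OK set; stderr is folded in so a timeout
# or a missing dig binary is classified as "error" instead of aborting.
probe() {
    dig +dnssec +time=3 +tries=1 "@$1" "$2" "$3" 2>&1
}

report() {
    now=$(date -u +%M)
    echo "minute $now: DS expected to be $(expected_ds_state "$now")"
    for r in $RESOLVERS; do
        ds=$(classify_response "$(probe "$r" "$CHILD" DS)")
        a=$(classify_response "$(probe "$r" "$CHILD" A)")
        printf '%-12s DS=%-12s A=%s\n' "$r" "$ds" "$a"
    done
}

if [ "${1:-}" = run ]; then report; fi
```

Run it as `sh probe.sh run` every few minutes across a :15 or :45 boundary plus the 300 s TTL; a resolver that keeps answering SERVFAIL for the A record once the DS is gone and its TTL has expired is showing the behaviour Robert describes.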

