Hi Viktor,

On Thu, 3 Oct 2019 at 00:45, Viktor Dukhovni <[email protected]> wrote:
>
> My DNSSEC/DANE survey host unbound resolver forwards lookups for
> some domains to four of the major public DNS providers (Cloudflare,
> Google, Quad9 and Verisign).
>
> Lately I am seeing unexpected failures resolving axc.nl MX host
> TLSA records when Cloudflare happens to be used to resolve the
> query.
>
> Can anyone from Cloudflare offer an explanation? Is this a
> feature or a bug? Anyone else seeing different results?

This was an NTA added for
https://github.com/dns-violations/dns-violations/blob/f93c7477098da82ab39626a0ed8de07970bb0570/2017/DVE-2017-0009.md

It seems like this was fixed. I've removed the NTA, so it should be validating again.

> This creates false positives for denial of existence issues at
> axc.nl. The other providers, DNSViz and direct validation via
> "unbound-host -D" see no issues.
>
> For example:
>
> 1. Reply from Cloudflare (request flags: RD=1, AD=1, DO=1):
>
> _25._tcp.mail.axc.nl. IN TLSA ? ; NXDomain AD=0
> axc.nl. IN SOA nsi1.axc.nl. hostmaster.axc.nl. 2019100301 28800 7200
> 2419200 86400 ; AD=0
>
> 2. Identical replies from each of Google, Quad9 and Verisign:
>
> _25._tcp.mail.axc.nl. IN TLSA ? ; NXDomain AD=1
> axc.nl. IN SOA nsi1.axc.nl. hostmaster.axc.nl. 2019100301 28800 7200
> 2419200 86400 ; AD=1
> axc.nl. IN RRSIG SOA 8 2 14400 20191017000000 20190926000000 23340
> axc.nl.
> N7n7WT6Pz83Vq4ikTdHzWQP6y1Hqa0x+8TWHnVmgOQ2WsyliqMjzc7wydB1Qcw6kbcRiPX/JBS7iAeeMJW4aEL5iLWi0i/KdQZ0V/1ccChUYdHNfeqzLgGF8RRzjkPL1VIySNqdp4DrBMpZr7UbrRP7IjgxR30COCrAdEyaOH2A=
> ; AD=1
> mail.axc.nl. IN NSEC mail-in.axc.nl. A RRSIG NSEC ; AD=1
> mail.axc.nl. IN RRSIG NSEC 8 3 86400 20191017000000 20190926000000
> 23340 axc.nl.
> DWWMGBX9fX6yk6+lJoY7AKuxRd8kwbHkKBwTpdHcQsuwsiZrInbqjSKDch74ptlfTGrTMQrrnz8GC35ffsNg9XVTjfje6tXJiNPa3W1Q49031Xlz4WfJJPDVBbG5zK6YcVQtrVc7yBVEFj1UgGGfyB8X658+VZ9cgbdpf4i8Qhw=
> ; AD=1
>
> I also observe the same results when the query is sent from
> "dane.sys4.de" in Germany, rather than my server in NYC.
>
> $ dig +dnssec +nsid +nocl +nottl @1.0.0.1 -t tlsa _25._tcp.mail.axc.nl.
> ; <<>> DiG 9.11.1-P3 <<>> +dnssec +nsid +nocl +nottl @1.0.0.1 -t tlsa
> _25._tcp.mail.axc.nl.
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36081
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1452
> ;; QUESTION SECTION:
> ;_25._tcp.mail.axc.nl. IN TLSA
>
> ;; AUTHORITY SECTION:
> axc.nl. SOA nsi1.axc.nl. hostmaster.axc.nl.
> 2019100301 28800 7200 2419200 86400
>
> ;; Query time: 95 msec
> ;; SERVER: 1.0.0.1#53(1.0.0.1)
> ;; WHEN: Thu Oct 03 09:16:21 CEST 2019
> ;; MSG SIZE rcvd: 101
>
> --
> Viktor.
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
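The two answers quoted above, as an added example that is not code from the thread or from any of the resolver operators: a structural check of the NSEC denial-of-existence proof that the Google/Quad9/Verisign replies carry and the Cloudflare reply lacked, using the canonical name ordering of RFC 4034 section 6.1 and the closest-encloser/wildcard rule of RFC 4035 section 5.4, followed by a classification of each reply by its AD bit. The records are transcribed from the quoted output with the signature data omitted; RRSIGs are not cryptographically verified here, so the AD bit remains the resolver's own claim. The check goes beyond the single case in the thread by also handling a zone's last NSEC, whose next name wraps to the apex.

```python
"""Structural check of an NXDOMAIN denial-of-existence proof, as a validating
resolver performs it (RFC 4034 s6.1 canonical ordering, RFC 4035 s5.4), and a
classification of a resolver's reply by its AD bit.  Added example, not code
from the thread; RRSIGs are not verified cryptographically here."""


def canonical_labels(name):
    """Labels of a DNS name in canonical order: lowercased, root-most first."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return [label.encode("ascii") for label in reversed(labels)]


def canonical_cmp(a, b):
    """Compare two names in DNSSEC canonical order; returns -1, 0 or 1.
    Labels compare as octet strings, so "mail" sorts before "mail-in"."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def nsec_covers(owner, next_name, name):
    """True if `name` sorts strictly between an NSEC's owner and next name,
    which proves `name` does not exist.  The zone's last NSEC points back to
    the apex and therefore covers everything sorting after its owner."""
    if canonical_cmp(owner, next_name) < 0:
        return canonical_cmp(owner, name) < 0 and canonical_cmp(name, next_name) < 0
    return canonical_cmp(owner, name) < 0 or canonical_cmp(name, next_name) < 0


def common_ancestor(a, b):
    """Longest common ancestor of two names as an absolute name ("." for root)."""
    shared = []
    for x, y in zip(canonical_labels(a), canonical_labels(b)):
        if x != y:
            break
        shared.append(x.decode("ascii"))
    return ".".join(reversed(shared)) + "."


def nxdomain_proven(qname, authority):
    """authority: list of (owner, rtype, rdata) text records.  NSEC rdata
    starts with the next name, RRSIG rdata with the type covered.
    Returns (True, closest_encloser) or (False, reason)."""
    signed = {(o, r.split()[0]) for o, t, r in authority if t == "RRSIG"}
    nsecs = [(o, r.split()[0]) for o, t, r in authority
             if t == "NSEC" and (o, "NSEC") in signed]
    if not nsecs:
        return False, "no signed NSEC in authority section"
    covering = [(o, n) for o, n in nsecs if nsec_covers(o, n, qname)]
    if not covering:
        return False, "no NSEC covers the query name"
    # Closest encloser: the longest existing ancestor of qname.  Both the
    # covering NSEC's owner and its next name exist, so take the longer of
    # qname's common ancestors with them, then deny the wildcard below it.
    owner, nxt = covering[0]
    ce = max(common_ancestor(qname, owner), common_ancestor(qname, nxt),
             key=lambda n: len(canonical_labels(n)))
    wildcard = "*." + ce.lstrip(".")
    if not any(nsec_covers(o, n, wildcard) for o, n in nsecs):
        return False, "no NSEC denies the wildcard " + wildcard
    return True, ce


def classify(rcode, ad, qname, authority):
    """Interpret one resolver's reply to a TLSA query for DANE purposes."""
    if rcode != "NXDOMAIN":
        return "not a denial of existence"
    proven, detail = nxdomain_proven(qname, authority)
    if ad and proven:
        return "secure NXDOMAIN, closest encloser " + detail
    if ad:
        return "AD=1 without a complete proof: " + detail
    if proven:
        return "proof present but AD=0: resolver did not validate it"
    return "insecure NXDOMAIN: " + detail


# Constructed from the thread's quoted output; signature data omitted.
QNAME = "_25._tcp.mail.axc.nl."
SOA = "nsi1.axc.nl. hostmaster.axc.nl. 2019100301 28800 7200 2419200 86400"
CLOUDFLARE_AUTHORITY = [("axc.nl.", "SOA", SOA)]
OTHERS_AUTHORITY = [
    ("axc.nl.", "SOA", SOA),
    ("axc.nl.", "RRSIG", "SOA 8 2 14400 20191017000000 20190926000000 23340 axc.nl. <sig>"),
    ("mail.axc.nl.", "NSEC", "mail-in.axc.nl. A RRSIG NSEC"),
    ("mail.axc.nl.", "RRSIG", "NSEC 8 3 86400 20191017000000 20190926000000 23340 axc.nl. <sig>"),
]

if __name__ == "__main__":
    print("Cloudflare:           ", classify("NXDOMAIN", False, QNAME, CLOUDFLARE_AUTHORITY))
    print("Google/Quad9/Verisign:", classify("NXDOMAIN", True, QNAME, OTHERS_AUTHORITY))
```

One NSEC suffices for this name because "*" (0x2A) and "_" (0x5F) both sort after the owner label "mail" as children of mail.axc.nl and before the sibling "mail-in", so the same mail.axc.nl NSEC denies both the query name and the wildcard. A reply with only an SOA and AD=0, as Cloudflare returned while the NTA was in place, cannot be distinguished from an unsigned zone by the client, which is exactly the false positive the survey reported.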
