Hi Matt!

Thank you for your findings, this is really interesting.

First of all, your claim in parentheses "(sjc.dns-oarc.net is a real subdomain with hosts in it, not an ENT)" seems not to be true. It is proven by NSEC that this name is indeed an ENT. But this of course does not affect the issue importance.

Secondly, from the responses that you attached, there is (the very same!) NSEC present, which proves the non-existence of wildcard *.sjc.dns-oarc.net. : "shin-cubes.dns-oarc.net. 3600 IN NSEC an1.10g.sjc.dns-oarc.net. A AAAA RRSIG NSEC"

I analyzed the DNSViz output in detail and it shows that while the name servers ns1.dns-oarc.net. and ns2.dns-oarc.net, actually do answer correctly, including the mentioned NSEC, the name servers udns1.ultradns.net. and udns2.ultradns.net. answer incorrectly, not including that NSEC.

I tried it by hand and indeed, the problem is solely at ultradns servers:

$ ./kdig @udns1.ultradns.net. -t A +dnssec nonexistent.sjc.dns-oarc.net.
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 21796
;; Flags: qr aa rd; QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; nonexistent.sjc.dns-oarc.net.                IN      A

;; AUTHORITY SECTION:
dns-oarc.net.           3600    IN      SOA     ns1.dns-oarc.net. hostmaster.dns-oarc.net. 2024031500 300 60 604800 3600
newmail.sjc.dns-oarc.net.       3600    IN      NSEC    pdu-7301.sjc.dns-oarc.net. A AAAA RRSIG NSEC
dns-oarc.net.           3600    IN      NSEC    fs1.10g.dns-oarc.net. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY CDS CDNSKEY CAA
dns-oarc.net.           3600    IN      RRSIG   SOA 13 2 14400 20240329045130 20240315032130 6048 dns-oarc.net. mooeiWYo96QhMUnUHFbxsCPPetvwigYqDrcKQnofMZHY3w1X3zyTyHPEXlHcEfI7B+vRuiCTtc2gVcQEMLdW8Q==
dns-oarc.net.           3600    IN      RRSIG   NSEC 13 2 3600 20240329045130 20240315032130 6048 dns-oarc.net. oJiyyHoAXYshxxqPstU7hdORX9hZWno8hDJb/akGMM3zqbqdMbJElOpKb75Ep03j0uhDUUl4c3xc1ZC9TkSTDw==
newmail.sjc.dns-oarc.net.       3600    IN      RRSIG   NSEC 13 4 3600 20240326215132 20240312202132 6048 dns-oarc.net. AVZ2iArP4AJxXwQKn0FADp5E6htN/2t8IS7l9W1S+z/SszwJ4wSAUXfmqAlq8QFpnq+HJG/ov+ibVEnJQjymbQ==

;; Received 534 B
;; Time 2024-03-15 10:34:01 CET
;; From 2001:502:f3ff::d@53(UDP) in 7.4 ms

Looking at the output, there is a (redundant) NSEC proving the non-existence of the wildcard *.dns-oarc.net. instead(!):

dns-oarc.net.           3600    IN      NSEC    fs1.10g.dns-oarc.net. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY CDS CDNSKEY CAA

This reminds me of a similar issue that we fixed in Knot DNS some years ago, but I can't find it at the moment; it seems that what we fixed was wildcard answers in connection with CNAMEs/DNAMEs and such, but not this straightforward situation...

In any case, you should probably tell UltraDNS to use recent versions of whatever software they use.

Please let us know when you have any additional clues, thanks!

Libor
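To make the two checks discussed in this thread concrete (Libor's point that the shin-cubes NSEC both proves sjc.dns-oarc.net is an ENT and covers *.sjc.dns-oarc.net, and Matt's observation that one response lacks the wildcard proof), here is an added example, written for this page and not code from either message or from Knot DNS. It implements the RFC 4034 canonical name ordering and the RFC 4035 NXDOMAIN proof logic (an NSEC covering the queried name plus an NSEC covering the wildcard at the closest encloser) and runs it over the NSEC owner/next pairs quoted in the thread. It assumes the RRSIGs on those NSECs have already been validated; the function and constant names are my own.

```python
"""Check an NXDOMAIN denial-of-existence proof built from NSEC records.

Added example (not from the thread or Knot DNS). It performs the two checks a
validating resolver applies to a signed NXDOMAIN answer, RFC 4035 section 5.4:
  1. some NSEC covers the queried name, and
  2. some NSEC covers the wildcard at the closest encloser of the queried name.
RRSIG verification is assumed to have happened already and is not modelled.
"""


def canonical_key(name: str) -> list:
    """RFC 4034 section 6.1 ordering key: labels right to left, lower-cased,
    compared as octet strings. An ancestor is a prefix of its descendants and
    sorts first, which Python list comparison gives for free."""
    labels = [l.encode() for l in name.rstrip(".").lower().split(".") if l]
    return list(reversed(labels))


def key_to_name(key: list) -> str:
    return ".".join(l.decode() for l in reversed(key)) + "."


def nsec_covers(owner: str, nxt: str, name: str) -> bool:
    """True if `name` lies strictly between `owner` and `nxt`, i.e. this NSEC
    proves `name` does not exist as an owner name. The last NSEC of a zone
    points back to the apex, so nxt < owner means the range wraps around."""
    o, n, k = canonical_key(owner), canonical_key(nxt), canonical_key(name)
    if o < n:
        return o < k < n
    return k > o or k < n


def is_subdomain(name: str, ancestor: str) -> bool:
    a, n = canonical_key(ancestor), canonical_key(name)
    return len(n) > len(a) and n[: len(a)] == a


def common_ancestor(a: str, b: str) -> list:
    common = []
    for x, y in zip(canonical_key(a), canonical_key(b)):
        if x != y:
            break
        common.append(x)
    return common


def closest_encloser(qname: str, owner: str, nxt: str) -> str:
    """Longest existing ancestor of qname, derived from the NSEC covering it:
    both owner and next name exist, so the longer common ancestor is the
    closest encloser. The wildcard proof must be for '*.' + this name."""
    best = max(common_ancestor(qname, owner), common_ancestor(qname, nxt), key=len)
    return key_to_name(best)


def proves_ent(owner: str, nxt: str, name: str) -> bool:
    """An NSEC that covers `name` while its next name lies below `name` shows
    `name` is an empty non-terminal: no RRset and no NSEC of its own, but it
    exists because a descendant does."""
    return nsec_covers(owner, nxt, name) and is_subdomain(nxt, name)


def check_nxdomain_proof(qname: str, nsecs: list) -> dict:
    """nsecs: (owner, next) pairs from the AUTHORITY section of an NXDOMAIN
    answer. Returns ok=True/False plus the wildcard name that had to be denied."""
    covering = [(o, n) for o, n in nsecs if nsec_covers(o, n, qname)]
    if not covering:
        return {"ok": False, "reason": "no NSEC covers qname"}
    owner, nxt = covering[0]
    if is_subdomain(nxt, qname):
        # qname exists as an ENT: the right answer is NOERROR/NODATA, not NXDOMAIN
        return {"ok": False, "reason": "qname is an empty non-terminal"}
    ce = closest_encloser(qname, owner, nxt)
    wildcard = "*." + ce
    wc = [(o, n) for o, n in nsecs if nsec_covers(o, n, wildcard)]
    result = {"closest_encloser": ce, "wildcard": wildcard}
    if not wc:
        result.update(ok=False, reason="no NSEC covers " + wildcard)
    else:
        result.update(ok=True, qname_nsec=covering[0], wildcard_nsec=wc[0])
    return result


# NSEC owner/next pairs copied from the responses quoted in the thread.
KNOT_SJC = [  # ns1/ns2.dns-oarc.net answer for nonexistent.sjc.dns-oarc.net
    ("newmail.sjc.dns-oarc.net.", "pdu-7301.sjc.dns-oarc.net."),
    ("shin-cubes.dns-oarc.net.", "an1.10g.sjc.dns-oarc.net."),
]
ULTRADNS_SJC = [  # udns1.ultradns.net answer for the same name
    ("newmail.sjc.dns-oarc.net.", "pdu-7301.sjc.dns-oarc.net."),
    ("dns-oarc.net.", "fs1.10g.dns-oarc.net."),
]
KNOT_APEX = [  # answer for nonexistent.dns-oarc.net (one label below the apex)
    ("nfsen.dns-oarc.net.", "ns.dns-oarc.net."),
    ("dns-oarc.net.", "fs1.10g.dns-oarc.net."),
]

if __name__ == "__main__":
    for label, qname, nsecs in [
        ("knot, sjc", "nonexistent.sjc.dns-oarc.net.", KNOT_SJC),
        ("ultradns, sjc", "nonexistent.sjc.dns-oarc.net.", ULTRADNS_SJC),
        ("knot, apex", "nonexistent.dns-oarc.net.", KNOT_APEX),
    ]:
        print(label, check_nxdomain_proof(qname, nsecs))
    print("sjc is an ENT:", proves_ent(*KNOT_SJC[1], "sjc.dns-oarc.net."))
```

Run as a script it reports the Knot responses as valid and the UltraDNS response as failing with "no NSEC covers *.sjc.dns-oarc.net.": its second NSEC (dns-oarc.net. to fs1.10g.dns-oarc.net.) sorts entirely before *.sjc.dns-oarc.net., so it denies the wrong wildcard. The same ordering shows why sjc.dns-oarc.net. is an ENT: it sits between shin-cubes.dns-oarc.net. and an1.10g.sjc.dns-oarc.net., and the latter is below it.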


On 14. 03. 24 at 20:20 Matthew Pounsett wrote:

I got a report of an NSEC error from someone who tried to connect to a mistyped hostname.  I've done a bit of poking, and it looks like we're seeing a missing wildcard NSEC for domain names that are two subdomains down from the apex, but not for subdomains of the apex.  Though, I admit I can't see the problem myself.  Querying by hand I see what looks like an identical response, but resolvers and DNSViz report problems with the deeper name.

For example, nonexistent.dns-oarc.net and nonexistent.sjc.dns-oarc.net (sjc.dns-oarc.net is a real subdomain with hosts in it, not an ENT)... kdig output and DNSViz results below. We're running knot/unknown,now 3.3.5-cznic.1~bullseye from deb.knot-dns.cz, and this is the relevant policy statement for the zone:

policy:
  - id: ecdsa
    algorithm: ecdsap256sha256
    ksk-lifetime: 365d
    ksk-submission: parent_zone_sbm
    zsk-lifetime: 30d
    rrsig-lifetime: 14d
    rrsig-refresh: 7d

We are mid-KSK-roll, waiting on the DS submission check.

Have I misconfigured something here, or is there a signing bug, or is this something else?

Thanks!
  Matt

---

nonexistent.sjc.dns-oarc.net: DNSviz reports this is fine.
<https://dnsviz.net/d/nonexistent.dns-oarc.net/ZfNH1w/dnssec/>

;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 9380
;; Flags: qr aa; QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; nonexistent.dns-oarc.net. IN A

;; AUTHORITY SECTION:
dns-oarc.net.       3600 IN SOA ns1.dns-oarc.net. hostmaster.dns-oarc.net. 2024031400 300 60 604800 3600
nfsen.dns-oarc.net. 3600 IN NSEC ns.dns-oarc.net. A AAAA RRSIG NSEC
dns-oarc.net.       3600 IN NSEC fs1.10g.dns-oarc.net. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY CDS CDNSKEY CAA
dns-oarc.net.       3600 IN RRSIG SOA 13 2 14400 20240328021935 20240314004935 6048 dns-oarc.net. [omitted]
nfsen.dns-oarc.net. 3600 IN RRSIG NSEC 13 3 3600 20240326215132 20240312202132 6048 dns-oarc.net. [omitted]
dns-oarc.net.       3600 IN RRSIG NSEC 13 2 3600 20240322045130 20240308032130 6048 dns-oarc.net. [omitted]

;; Received 518 B
;; Time 2024-03-14 18:57:33 UTC
;; From 64.191.0.128@53(UDP) in 0.3 ms


nonexistent.sjc.dns-oarc.net: resolvers and DNSViz report a missing wildcard NSEC
<https://dnsviz.net/d/nonexistent.sjc.dns-oarc.net/ZfNH6w/dnssec/>


;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 660
;; Flags: qr aa; QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; nonexistent.sjc.dns-oarc.net. IN A

;; AUTHORITY SECTION:
dns-oarc.net.       3600 IN SOA ns1.dns-oarc.net. hostmaster.dns-oarc.net. 2024031400 300 60 604800 3600
newmail.sjc.dns-oarc.net. 3600 IN NSEC pdu-7301.sjc.dns-oarc.net. A AAAA RRSIG NSEC
shin-cubes.dns-oarc.net. 3600 IN NSEC an1.10g.sjc.dns-oarc.net. A AAAA RRSIG NSEC
dns-oarc.net.       3600 IN RRSIG SOA 13 2 14400 20240328021935 20240314004935 6048 dns-oarc.net. [omitted]
newmail.sjc.dns-oarc.net. 3600 IN RRSIG NSEC 13 4 3600 20240326215132 20240312202132 6048 dns-oarc.net. [omitted]
shin-cubes.dns-oarc.net. 3600 IN RRSIG NSEC 13 3 3600 20240326215132 20240312202132 6048 dns-oarc.net. [omitted]

;; Received 544 B
;; Time 2024-03-14 18:57:33 UTC
;; From 64.191.0.128@53(UDP) in 0.3 ms
