Re: [dns-operations] Cloudflare public DNS sometimes forwards incomplete subset of NSEC RRs
Hi Viktor,

I forgot to update this thread, but this should be fixed.

Best,
Marek

On Tue, 1 Sep 2020 at 10:19, Marek Vavruša wrote:
>
> Thanks Viktor, this looks like a bug in writing NSECs to the final response.
>
> On Mon, 31 Aug 2020 at 23:09, Viktor Dukhovni wrote:
> >
> > My validating resolver downstream of CF 1.1.1.1 (among others) at times
> > sees "bogus" denial of existence for:
> >
> >     _25._tcp.mx.runbox.com IN TLSA ?
> >
> > This is because the set of NSEC records forwarded by Cloudflare for this
> > domain is not complete. Looking across the major public DNS services:
> >
> >   * All return AD=1
> >   * I see the same zone apex SOA and signature for all
> >   * The same NSEC record and signature for "munin01" for all
> >   * The apex wildcard record and signature identically ONLY from
> >     Google, Verisign and Quad9. From CloudFlare, I get the munin01
> >     NSEC record and signature twice, but this alone fails to validate the
> >     NODATA response.
> >
> > CF -> @ 1.1.1.1 _25._tcp.mx.runbox.com. IN TLSA ? ; +dnssec
> > runbox.com. IN SOA dns61.copyleft.no. hostmas...@copyleft.no. 308471 14400 3600 1296000 3600
> > runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com.
> > munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> > munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com.
> > munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> > munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com.
> >
> > GOOG -> @ 8.8.8.8 _25._tcp.mx.runbox.com. IN TLSA ?
> > runbox.com. IN SOA dns61.copyleft.no. hostmas...@copyleft.no. 308471 14400 3600 1296000 3600
> > *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
> > munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> > runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com.
> > *.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com.
> > munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com.
> >
> > VRSN -> @ 64.6.64.6 _25._tcp.mx.runbox.com. IN TLSA ?
> > runbox.com. IN SOA dns61.copyleft.no. hostmas...@copyleft.no. 308471 14400 3600 1296000 3600
> > runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com.
> > *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
> > *.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com.
> > munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> > munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com.
> >
> > Q9 -> @ 9.9.9.10 _25._tcp.mx.runbox.com. IN TLSA ?
> > runbox.com. IN SOA dns61.copyleft.no. hostmas...@copyleft.no. 308471 14400 3600 1296000 3600
> > runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com.
> > *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
> > *.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com.
> > munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> > munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com.
> >
> > The same incomplete/redundant response comes back from 1.1.1.1 when
> > queried from California, New York and Germany, presumably different
> > instances, with fresh uncached results. Oddly enough, if I send the
> > same query to CF with also the "CD" bit set, I get a better answer,
> > be it this time with "AD=0":
> >
> > @ 1.1.1.1 _25._tcp.mx.runbox.com. IN TLSA ? ; +cd +dnssec
> > runbox.com. IN SOA dns61.copyleft.no. hostmas...@copyleft.no. 308471 14400 3600 1296000 3600
> > runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com.
> > *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
> > munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> > *.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com.
> > munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com.
> >
> > Asking again without "cd" brings back the original incomplete answer.
> >
> > --
> >     Viktor.

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] Cloudflare public DNS sometimes forwards incomplete subset of NSEC RRs
Thanks Viktor, this looks like a bug in writing NSECs to the final response.

On Mon, 31 Aug 2020 at 23:09, Viktor Dukhovni wrote:
>
> My validating resolver downstream of CF 1.1.1.1 (among others) at times
> sees "bogus" denial of existence for:
>
>     _25._tcp.mx.runbox.com IN TLSA ?
>
> This is because the set of NSEC records forwarded by Cloudflare for this
> domain is not complete. Looking across the major public DNS services:
>
>   * All return AD=1
>   * I see the same zone apex SOA and signature for all
>   * The same NSEC record and signature for "munin01" for all
>   * The apex wildcard record and signature identically ONLY from
>     Google, Verisign and Quad9. From CloudFlare, I get the munin01
>     NSEC record and signature twice, but this alone fails to validate the
>     NODATA response.
>
> CF -> @ 1.1.1.1 _25._tcp.mx.runbox.com. IN TLSA ? ; +dnssec
> runbox.com. IN SOA dns61.copyleft.no. hostmas...@copyleft.no. 308471 14400 3600 1296000 3600
> runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com.
> munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com.
> munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com.
>
> GOOG -> @ 8.8.8.8 _25._tcp.mx.runbox.com. IN TLSA ?
> runbox.com. IN SOA dns61.copyleft.no. hostmas...@copyleft.no. 308471 14400 3600 1296000 3600
> *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
> munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com.
> *.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com.
> munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com.
>
> VRSN -> @ 64.6.64.6 _25._tcp.mx.runbox.com. IN TLSA ?
> runbox.com. IN SOA dns61.copyleft.no. hostmas...@copyleft.no. 308471 14400 3600 1296000 3600
> runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com.
> *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
> *.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com.
> munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com.
>
> Q9 -> @ 9.9.9.10 _25._tcp.mx.runbox.com. IN TLSA ?
> runbox.com. IN SOA dns61.copyleft.no. hostmas...@copyleft.no. 308471 14400 3600 1296000 3600
> runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com.
> *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
> *.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com.
> munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com.
>
> The same incomplete/redundant response comes back from 1.1.1.1 when
> queried from California, New York and Germany, presumably different
> instances, with fresh uncached results. Oddly enough, if I send the
> same query to CF with also the "CD" bit set, I get a better answer,
> be it this time with "AD=0":
>
> @ 1.1.1.1 _25._tcp.mx.runbox.com. IN TLSA ? ; +cd +dnssec
> runbox.com. IN SOA dns61.copyleft.no. hostmas...@copyleft.no. 308471 14400 3600 1296000 3600
> runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com.
> *.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
> munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
> *.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com.
> munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com.
>
> Asking again without "cd" brings back the original incomplete answer.
>
> --
>     Viktor.
Re: [dns-operations] Cloudflare public DNS sometimes forwards incomplete subset of NSEC RRs
On 9/1/20 9:58 AM, Stephane Bortzmeyer wrote:
> AFAIK, Cloudflare uses Knot Resolver. I tested with another Knot
> resolver and it works:

I think they originally started the service quite close to the Knot Resolver code, but they've apparently diverged quite a bit since then (I don't know). To be sure, I had tested this report today and failed to get any problem with our current code.

A related difference between 1.1.1.1 and Knot Resolver I now noticed: they don't seem to be doing aggressive NSEC caching, whereas Knot Resolver has had it since January 2018 (it could never be turned off on signed names).

--Vladimir (Knot Resolver)
Re: [dns-operations] Cloudflare public DNS sometimes forwards incomplete subset of NSEC RRs
On Tue, Sep 01, 2020 at 01:48:17AM -0400, Viktor Dukhovni wrote a message of 71 lines which said:

> * The apex wildcard record and signature identically ONLY from
>   Google, Verisign and Quad9. From CloudFlare, I get the munin01
>   NSEC record and signature twice, but this alone fails to validate the
>   NODATA response.

AFAIK, Cloudflare uses Knot Resolver. I tested with another Knot resolver and it works:

Local Knot resolver (+dnssec in .digrc):

% dig _25._tcp.mx.runbox.com TLSA

; <<>> DiG 9.16.6-Debian <<>> _25._tcp.mx.runbox.com TLSA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9840
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;_25._tcp.mx.runbox.com.        IN      TLSA

;; AUTHORITY SECTION:
runbox.com.             3600    IN      SOA     dns61.copyleft.no. hostmaster.copyleft.no. (
                                308471     ; serial
                                14400      ; refresh (4 hours)
                                3600       ; retry (1 hour)
                                1296000    ; expire (2 weeks 1 day)
                                3600       ; minimum (1 hour)
                                )
*.runbox.com.           3600    IN      NSEC    _acme-challenge.runbox.com. A MX RRSIG NSEC
munin01.runbox.com.     3600    IN      NSEC    ipmi.mysql01.runbox.com. A RRSIG NSEC
runbox.com.             3600    IN      RRSIG   SOA 13 2 86400 (
                                20200914155225 20200831142225 38438 runbox.com.
                                W8mB29w0BTau0mRPcduMsOJIkRFgTn8DKhBskr7pYJe2
                                AYQzWGTxV1fKTN0dWKpVj5ewIdUPuKl3KSSxmJ9lNw== )
*.runbox.com.           3600    IN      RRSIG   NSEC 13 2 3600 (
                                20200914155225 20200831142225 38438 runbox.com.
                                3VVEU97k3XDgYtHFscg3EUC/PpiwitKEjpgJDPBFSfu5
                                rSg165gENRgIMnYNtPhm11IqHSO7yY62C2l6PvnlrA== )
munin01.runbox.com.     3600    IN      RRSIG   NSEC 13 3 3600 (
                                20200914155225 20200831142225 38438 runbox.com.
                                4gSQplps2UJsbpD6qVCrxl9njcu3jjWWMrQN8fx83AIa
                                lDkYrl3uLycX+K+HKLUiSjAphBiSzDo/JQMx1WjRhg== )

;; Query time: 250 msec
;; SERVER: 192.168.2.254#53(192.168.2.254)
;; WHEN: Tue Sep 01 07:54:35 UTC 2020
;; MSG SIZE  rcvd: 546

Cloudflare:

% dig @1.1.1.1 _25._tcp.mx.runbox.com TLSA

; <<>> DiG 9.16.6-Debian <<>> @1.1.1.1 _25._tcp.mx.runbox.com TLSA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11561
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;_25._tcp.mx.runbox.com.        IN      TLSA

;; AUTHORITY SECTION:
runbox.com.             3600    IN      SOA     dns61.copyleft.no. hostmaster.copyleft.no. (
                                308471     ; serial
                                14400      ; refresh (4 hours)
                                3600       ; retry (1 hour)
                                1296000    ; expire (2 weeks 1 day)
                                3600       ; minimum (1 hour)
                                )
runbox.com.             3600    IN      RRSIG   SOA 13 2 86400 (
                                20200914155225 20200831142225 38438 runbox.com.
                                W8mB29w0BTau0mRPcduMsOJIkRFgTn8DKhBskr7pYJe2
                                AYQzWGTxV1fKTN0dWKpVj5ewIdUPuKl3KSSxmJ9lNw== )
munin01.runbox.com.     3600    IN      NSEC    ipmi.mysql01.runbox.com. A RRSIG NSEC
munin01.runbox.com.     3600    IN      RRSIG   NSEC 13 3 3600 (
                                20200914155225 20200831142225 38438 runbox.com.
                                4gSQplps2UJsbpD6qVCrxl9njcu3jjWWMrQN8fx83AIa
                                lDkYrl3uLycX+K+HKLUiSjAphBiSzDo/JQMx1WjRhg== )
munin01.runbox.com.     3600    IN      NSEC    ipmi.mysql01.runbox.com. A RRSIG NSEC
munin01.runbox.com.     3600    IN      RRSIG   NSEC 13 3 3600 (
                                20200914155225 20200831142225 38438 runbox.com.
                                4gSQplps2UJsbpD6qVCrxl9njcu3jjWWMrQN8fx83AIa
                                lDkYrl3uLycX+K+HKLUiSjAphBiSzDo/JQMx1WjRhg== )

;; Query time: 80 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Sep 01 07:56:00 UTC 2020
;; MSG SIZE  rcvd: 541
[dns-operations] Cloudflare public DNS sometimes forwards incomplete subset of NSEC RRs
My validating resolver downstream of CF 1.1.1.1 (among others) at times
sees "bogus" denial of existence for:

    _25._tcp.mx.runbox.com IN TLSA ?

This is because the set of NSEC records forwarded by Cloudflare for this
domain is not complete. Looking across the major public DNS services:

  * All return AD=1
  * I see the same zone apex SOA and signature for all
  * The same NSEC record and signature for "munin01" for all
  * The apex wildcard record and signature identically ONLY from
    Google, Verisign and Quad9. From CloudFlare, I get the munin01
    NSEC record and signature twice, but this alone fails to validate the
    NODATA response.

CF -> @ 1.1.1.1 _25._tcp.mx.runbox.com. IN TLSA ? ; +dnssec
runbox.com. IN SOA dns61.copyleft.no. hostmas...@copyleft.no. 308471 14400 3600 1296000 3600
runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com.
munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com.
munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com.

GOOG -> @ 8.8.8.8 _25._tcp.mx.runbox.com. IN TLSA ?
runbox.com. IN SOA dns61.copyleft.no. hostmas...@copyleft.no. 308471 14400 3600 1296000 3600
*.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com.
*.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com.
munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com.

VRSN -> @ 64.6.64.6 _25._tcp.mx.runbox.com. IN TLSA ?
runbox.com. IN SOA dns61.copyleft.no. hostmas...@copyleft.no. 308471 14400 3600 1296000 3600
runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com.
*.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
*.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com.
munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com.

Q9 -> @ 9.9.9.10 _25._tcp.mx.runbox.com. IN TLSA ?
runbox.com. IN SOA dns61.copyleft.no. hostmas...@copyleft.no. 308471 14400 3600 1296000 3600
runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com.
*.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
*.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com.
munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com.

The same incomplete/redundant response comes back from 1.1.1.1 when
queried from California, New York and Germany, presumably different
instances, with fresh uncached results. Oddly enough, if I send the
same query to CF with also the "CD" bit set, I get a better answer,
be it this time with "AD=0":

@ 1.1.1.1 _25._tcp.mx.runbox.com. IN TLSA ? ; +cd +dnssec
runbox.com. IN SOA dns61.copyleft.no. hostmas...@copyleft.no. 308471 14400 3600 1296000 3600
runbox.com. IN RRSIG SOA 13 2 86400 20200914155225 20200831142225 38438 runbox.com.
*.runbox.com. IN NSEC _acme-challenge.runbox.com. A MX RRSIG NSEC
munin01.runbox.com. IN NSEC ipmi.mysql01.runbox.com. A RRSIG NSEC
*.runbox.com. IN RRSIG NSEC 13 2 3600 20200914155225 20200831142225 38438 runbox.com.
munin01.runbox.com. IN RRSIG NSEC 13 3 3600 20200914155225 20200831142225 38438 runbox.com.

Asking again without "cd" brings back the original incomplete answer.

--
    Viktor.
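Why the munin01 NSEC alone cannot validate this NODATA answer while the wildcard NSEC plus the munin01 NSEC can, as an added example that is not code from the thread or from any resolver: a minimal NSEC proof check in the spirit of RFC 4035 section 5.4, assuming the RRSIGs over the NSEC records were already verified (the thread shows the signatures themselves are fine). The function names are hypothetical and the record tuples are transcribed from the outputs above.

```python
# Added example, not code from the thread or from any resolver: a minimal NSEC
# NODATA proof check after RFC 4035 §5.4, assuming the RRSIGs over the NSEC
# records already verified. Function names are hypothetical; record tuples are
# transcribed from Viktor's output.

def labels(name):
    """Lowercased labels, root first: list order == canonical order (RFC 4034 §6.1)."""
    return [l.lower() for l in name.rstrip(".").split(".")][::-1]

def covers(owner, nxt, name):
    """True if name sorts strictly between NSEC owner and next (last NSEC wraps to apex)."""
    o, n, q = labels(owner), labels(nxt), labels(name)
    return o < q < n if o < n else (o < q or q < n)

def closest_encloser(qname, owner, nxt):
    """Longest existing ancestor implied by a covering NSEC: the longer common
    suffix of qname with the NSEC owner or with its next name."""
    q, best = labels(qname), []
    for other in (labels(owner), labels(nxt)):
        common = []
        for a, b in zip(q, other):
            if a != b:
                break
            common.append(a)
        best = max(best, common, key=len)
    return ".".join(reversed(best)) + "."

def check_nodata_proof(qname, qtype, nsecs):
    """nsecs: (owner, next, set_of_types) tuples from the AUTHORITY section.
    A result starting with 'bogus' means the negative answer cannot be proven."""
    # Case 1: qname exists and its NSEC type bitmap lacks qtype.
    for owner, nxt, types in nsecs:
        if labels(owner) == labels(qname):
            return "secure NODATA" if qtype not in types else "bogus: type present"
    # Case 2: qname does not exist, so some NSEC must cover it ...
    covering = [(o, n) for o, n, _ in nsecs if covers(o, n, qname)]
    if not covering:
        return "bogus: no NSEC covers the name"
    # ... and the wildcard at the closest encloser must be dealt with too: either
    # an NSEC covers it (no wildcard) or the wildcard's own NSEC lacks qtype
    # (the "wildcard NODATA" case this thread is about).
    wildcard = "*." + closest_encloser(qname, *covering[0])
    for owner, nxt, types in nsecs:
        if labels(owner) == labels(wildcard):
            return "secure wildcard NODATA" if qtype not in types else "bogus: wildcard has type"
        if covers(owner, nxt, wildcard):
            return "secure NXDOMAIN (no wildcard)"
    return "bogus: no proof for wildcard " + wildcard

# Constructed from the thread: NSEC sets as returned by 1.1.1.1 and 8.8.8.8.
MUNIN = ("munin01.runbox.com.", "ipmi.mysql01.runbox.com.", {"A", "RRSIG", "NSEC"})
WILD = ("*.runbox.com.", "_acme-challenge.runbox.com.", {"A", "MX", "RRSIG", "NSEC"})
QNAME, QTYPE = "_25._tcp.mx.runbox.com.", "TLSA"
CLOUDFLARE_NSECS = [MUNIN, MUNIN]  # munin01 NSEC twice, wildcard NSEC missing
GOOGLE_NSECS = [WILD, MUNIN]       # wildcard NSEC plus munin01 NSEC
```

The munin01 NSEC proves that mx.runbox.com and everything below it does not exist, which makes runbox.com the closest encloser; the response is then only provable if the *.runbox.com NSEC is present to show the wildcard has no TLSA, and the duplicated munin01 NSEC adds nothing.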