Hi Matt!
Thank you for your findings, this is really interesting.
First of all, your claim in parentheses "(sjc.dns-oarc.net is a real
subdomain with hosts in it, not an ENT)" seems not to be true. It is
proven by NSEC that this name is indeed an ENT. But this of course does
not affect the issue importance.

Secondly, in the responses that you attached, there is (the very same!)
NSEC present which proves the non-existence of the wildcard
*.sjc.dns-oarc.net.:

shin-cubes.dns-oarc.net. 3600 IN NSEC an1.10g.sjc.dns-oarc.net. A AAAA RRSIG NSEC

I analyzed the DNSViz output in detail and it shows that while the name
servers ns1.dns-oarc.net. and ns2.dns-oarc.net. actually do answer
correctly, including the mentioned NSEC, the name servers
udns1.ultradns.net. and udns2.ultradns.net. answer incorrectly, not
including that NSEC.
I tried it by hand and indeed, the problem is solely at ultradns servers:
$ ./kdig @udns1.ultradns.net. -t A +dnssec nonexistent.sjc.dns-oarc.net.
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 21796
;; Flags: qr aa rd; QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; nonexistent.sjc.dns-oarc.net. IN A

;; AUTHORITY SECTION:
dns-oarc.net. 3600 IN SOA ns1.dns-oarc.net. hostmaster.dns-oarc.net. 2024031500 300 60 604800 3600
newmail.sjc.dns-oarc.net. 3600 IN NSEC pdu-7301.sjc.dns-oarc.net. A AAAA RRSIG NSEC
dns-oarc.net. 3600 IN NSEC fs1.10g.dns-oarc.net. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY CDS CDNSKEY CAA
dns-oarc.net. 3600 IN RRSIG SOA 13 2 14400 20240329045130 20240315032130 6048 dns-oarc.net. mooeiWYo96QhMUnUHFbxsCPPetvwigYqDrcKQnofMZHY3w1X3zyTyHPEXlHcEfI7B+vRuiCTtc2gVcQEMLdW8Q==
dns-oarc.net. 3600 IN RRSIG NSEC 13 2 3600 20240329045130 20240315032130 6048 dns-oarc.net. oJiyyHoAXYshxxqPstU7hdORX9hZWno8hDJb/akGMM3zqbqdMbJElOpKb75Ep03j0uhDUUl4c3xc1ZC9TkSTDw==
newmail.sjc.dns-oarc.net. 3600 IN RRSIG NSEC 13 4 3600 20240326215132 20240312202132 6048 dns-oarc.net. AVZ2iArP4AJxXwQKn0FADp5E6htN/2t8IS7l9W1S+z/SszwJ4wSAUXfmqAlq8QFpnq+HJG/ov+ibVEnJQjymbQ==

;; Received 534 B
;; Time 2024-03-15 10:34:01 CET
;; From 2001:502:f3ff::d@53(UDP) in 7.4 ms
Looking at the output, there is a (redundant) NSEC proving the
non-existence of the wildcard *.dns-oarc.net. instead(!):

dns-oarc.net. 3600 IN NSEC fs1.10g.dns-oarc.net. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY CDS CDNSKEY CAA
This reminds me of a similar issue that we fixed in Knot DNS some
years ago, but I can't find it at the moment; it seems that what we
fixed was wildcard answers in connection with CNAMEs/DNAMEs and stuff,
but not this straightforward situation...

In any case, you should probably tell UltraDNS to use recent versions of
whatever software they use.
Please let us know when you have any additional clues, thanks!
Libor
On 14. 03. 24 at 20:20, Matthew Pounsett wrote:
I got a report of an NSEC error from someone who tried to connect to a
mistyped hostname. I've done a bit of poking, and it looks like we're
seeing a missing wildcard NSEC for domain names that are two
subdomains down from the apex, but not for subdomains of the apex.
Though, I admit I can't see the problem myself. Querying by hand I
see what looks like an identical response, but resolvers and DNSViz
report problems with the deeper name.
For example, nonexistent.dns-oarc.net and nonexistent.sjc.dns-oarc.net
(sjc.dns-oarc.net is a real subdomain with hosts in it, not an ENT)...
kdig output and DNSViz results below.
We're running knot/unknown,now 3.3.5-cznic.1~bullseye from
deb.knot-dns.cz, and this is the relevant policy statement for the zone:

policy:
  - id: ecdsa
    algorithm: ecdsap256sha256
    ksk-lifetime: 365d
    ksk-submission: parent_zone_sbm
    zsk-lifetime: 30d
    rrsig-lifetime: 14d
    rrsig-refresh: 7d
We are mid-KSK-roll, waiting on the DS submission check.
Have I misconfigured something here, or is there a signing bug, or is
this something else?
Thanks!
Matt
---
nonexistent.dns-oarc.net: DNSViz reports this is fine.
<https://dnsviz.net/d/nonexistent.dns-oarc.net/ZfNH1w/dnssec/>
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 9380
;; Flags: qr aa; QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; nonexistent.dns-oarc.net. IN A

;; AUTHORITY SECTION:
dns-oarc.net. 3600 IN SOA ns1.dns-oarc.net. hostmaster.dns-oarc.net. 2024031400 300 60 604800 3600
nfsen.dns-oarc.net. 3600 IN NSEC ns.dns-oarc.net. A AAAA RRSIG NSEC
dns-oarc.net. 3600 IN NSEC fs1.10g.dns-oarc.net. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY CDS CDNSKEY CAA
dns-oarc.net. 3600 IN RRSIG SOA 13 2 14400 20240328021935 20240314004935 6048 dns-oarc.net. [omitted]
nfsen.dns-oarc.net. 3600 IN RRSIG NSEC 13 3 3600 20240326215132 20240312202132 6048 dns-oarc.net. [omitted]
dns-oarc.net. 3600 IN RRSIG NSEC 13 2 3600 20240322045130 20240308032130 6048 dns-oarc.net. [omitted]

;; Received 518 B
;; Time 2024-03-14 18:57:33 UTC
;; From 64.191.0.128@53(UDP) in 0.3 ms
nonexistent.sjc.dns-oarc.net: resolvers and DNSViz report a missing wildcard NSEC
<https://dnsviz.net/d/nonexistent.sjc.dns-oarc.net/ZfNH6w/dnssec/>

;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 660
;; Flags: qr aa; QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; nonexistent.sjc.dns-oarc.net. IN A

;; AUTHORITY SECTION:
dns-oarc.net. 3600 IN SOA ns1.dns-oarc.net. hostmaster.dns-oarc.net. 2024031400 300 60 604800 3600
newmail.sjc.dns-oarc.net. 3600 IN NSEC pdu-7301.sjc.dns-oarc.net. A AAAA RRSIG NSEC
shin-cubes.dns-oarc.net. 3600 IN NSEC an1.10g.sjc.dns-oarc.net. A AAAA RRSIG NSEC
dns-oarc.net. 3600 IN RRSIG SOA 13 2 14400 20240328021935 20240314004935 6048 dns-oarc.net. [omitted]
newmail.sjc.dns-oarc.net. 3600 IN RRSIG NSEC 13 4 3600 20240326215132 20240312202132 6048 dns-oarc.net. [omitted]
shin-cubes.dns-oarc.net. 3600 IN RRSIG NSEC 13 3 3600 20240326215132 20240312202132 6048 dns-oarc.net. [omitted]

;; Received 544 B
;; Time 2024-03-14 18:57:33 UTC
;; From 64.191.0.128@53(UDP) in 0.3 ms
--
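Added example, not part of the thread and not Knot DNS or UltraDNS code: a small Python check of the NXDOMAIN proof the two messages argue about. It implements RFC 4034 section 6.1 canonical name ordering and the RFC 4035 section 5.4 rule that a validator needs one NSEC covering the QNAME and a second NSEC covering the wildcard at the closest encloser. The closest encloser is derived the way validators commonly do it for NSEC (the longest suffix the QNAME shares with the covering NSEC's owner or next name); that derivation, the helper names and the abbreviated type bitmaps are my own assumptions. The NSEC records are transcribed from the responses quoted above; nothing is fetched from the network.

```python
"""Check an NSEC-based NXDOMAIN proof (RFC 4035 section 5.4).

Added example, not from the thread. NSEC data transcribed from the
responses quoted in the messages; runs offline.
"""


def labels(name):
    """Split a DNS name into lowercased labels, root label omitted."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def canonical_cmp(a, b):
    """RFC 4034 section 6.1 ordering: compare label by label from the
    right, each label as an unsigned octet string; a proper ancestor
    sorts before its descendants. Returns -1, 0 or 1."""
    la, lb = labels(a)[::-1], labels(b)[::-1]
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x.encode() < y.encode() else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def covers(nsec, name):
    """True if name lies strictly between the NSEC owner and its next
    name. The last NSEC in the chain points back to the apex, so its
    next name sorts before its owner and the interval wraps around."""
    owner, nxt = nsec[0], nsec[1]
    if canonical_cmp(owner, nxt) < 0:
        return canonical_cmp(owner, name) < 0 and canonical_cmp(name, nxt) < 0
    return canonical_cmp(owner, name) < 0 or canonical_cmp(name, nxt) < 0


def usable(nsec, name):
    """An NSEC owned by a proper ancestor of name must not be used if
    that ancestor is a delegation (NS without SOA) or a DNAME: the
    descendant is not in this zone at all (RFC 4035 ancestor NSEC rule)."""
    owner, _, types = nsec
    lo, ln = labels(owner)[::-1], labels(name)[::-1]
    proper_ancestor = len(lo) < len(ln) and ln[: len(lo)] == lo
    if proper_ancestor and ("DNAME" in types or ("NS" in types and "SOA" not in types)):
        return False
    return True


def common_suffix(a, b):
    """Longest common ancestor of two names, as a name with trailing dot."""
    la, lb = labels(a)[::-1], labels(b)[::-1]
    n = 0
    for x, y in zip(la, lb):
        if x != y:
            break
        n += 1
    return ".".join(la[:n][::-1]) + "." if n else "."


def closest_encloser(nsec, qname):
    """Closest encloser implied by the NSEC covering qname: the longer of
    the suffixes qname shares with the owner and with the next name.
    (Assumed derivation; this is how validators commonly do it for NSEC.)"""
    cands = (common_suffix(qname, nsec[0]), common_suffix(qname, nsec[1]))
    return max(cands, key=lambda n: len(labels(n)))


def check_nxdomain_proof(qname, nsecs):
    """Return (ok, detail). nsecs is a list of (owner, next, type set)."""
    qcov = [n for n in nsecs if usable(n, qname) and covers(n, qname)]
    if not qcov:
        return False, "no NSEC covers %s" % qname
    ce = closest_encloser(qcov[0], qname)
    wild = "*." + ce if ce != "." else "*."
    wcov = [n for n in nsecs if usable(n, wild) and covers(n, wild)]
    if not wcov:
        return False, "no NSEC covers wildcard %s (closest encloser %s)" % (wild, ce)
    return True, "%s covered by NSEC at %s; %s covered by NSEC at %s" % (
        qname, qcov[0][0], wild, wcov[0][0])


# Constructed from the thread's responses; type bitmaps abbreviated.
HOST = {"A", "AAAA", "RRSIG", "NSEC"}
APEX = {"A", "NS", "SOA", "MX", "TXT", "AAAA", "RRSIG", "NSEC", "DNSKEY", "CDS", "CDNSKEY", "CAA"}
Q_APEX_LEVEL = "nonexistent.dns-oarc.net."
Q_SJC_LEVEL = "nonexistent.sjc.dns-oarc.net."
NS1_APEX_LEVEL = [("nfsen.dns-oarc.net.", "ns.dns-oarc.net.", HOST),
                  ("dns-oarc.net.", "fs1.10g.dns-oarc.net.", APEX)]
NS1_SJC_LEVEL = [("newmail.sjc.dns-oarc.net.", "pdu-7301.sjc.dns-oarc.net.", HOST),
                 ("shin-cubes.dns-oarc.net.", "an1.10g.sjc.dns-oarc.net.", HOST)]
UDNS1_SJC_LEVEL = [("newmail.sjc.dns-oarc.net.", "pdu-7301.sjc.dns-oarc.net.", HOST),
                   ("dns-oarc.net.", "fs1.10g.dns-oarc.net.", APEX)]

if __name__ == "__main__":
    for label, qname, nsecs in (("ns1 / apex-level name", Q_APEX_LEVEL, NS1_APEX_LEVEL),
                                ("ns1 / sjc-level name", Q_SJC_LEVEL, NS1_SJC_LEVEL),
                                ("udns1 / sjc-level name", Q_SJC_LEVEL, UDNS1_SJC_LEVEL)):
        ok, detail = check_nxdomain_proof(qname, nsecs)
        print("%-24s %s: %s" % (label, "OK" if ok else "BOGUS", detail))
```

Running it reproduces the thread's finding: both ns1 answers pass, while the udns1 answer for nonexistent.sjc.dns-oarc.net has the QNAME covered but nothing covering *.sjc.dns-oarc.net, because the apex NSEC (dns-oarc.net. to fs1.10g.dns-oarc.net.) only spans names that sort below "10g", and "sjc" sorts above it. The ordering helper also shows why the "*" label matters: it sorts before every alphanumeric label, so the wildcard of an ENT falls into the interval that ends at that ENT's first child (here an1.10g.sjc.dns-oarc.net.).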