[dns-operations] Cloudflare public DNS, ongoing incomplete NSEC responses

[Viktor Dukhovni]

The TLSA query below elicits an incomplete NSEC response, with just one
of the two required records present.  The return NSEC record covers the
qname but not the wildcard:

    _25._tcp.fotobehang24.nl. IN TLSA ? ; NXDomain AD=1
    fotobehang24.nl. IN SOA ns.zxcs.nl. hostmas...@zxcs.nl. 2020070913 ...
    fotobehang24.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
    _domainkey.fotobehang24.nl. IN NSEC ftp.fotobehang24.nl. TXT RRSIG NSEC
    _domainkey.fotobehang24.nl. IN RRSIG NSEC 13 3 3600 20201112000000 
20201022000000 ...

a more complete response is observed from e.g. Google DNS:

    _25._tcp.fotobehang24.nl. IN TLSA ? ; NXDomain AD=1
    fotobehang24.nl. IN SOA ns.zxcs.nl. hostmas...@zxcs.nl. 2020070913 ...
    fotobehang24.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
    _domainkey.fotobehang24.nl. IN NSEC ftp.fotobehang24.nl. TXT RRSIG NSEC
    _domainkey.fotobehang24.nl. IN RRSIG NSEC 13 3 3600 20201112000000 
20201022000000 ...
    fotobehang24.nl. IN NSEC _dmarc.fotobehang24.nl. A NS SOA TXT AAAA RRSIG 
NSEC DNSKEY
    fotobehang24.nl. IN RRSIG NSEC 13 2 3600 20201112000000 20201022000000 ...

Similar results for a few more domains below my signature, which are but
a fraction of the full set.

-- 
    Viktor.

CloudFlare:

    _25._tcp.commonisme.nl. IN TLSA ? ; NXDomain AD=1
    commonisme.nl. IN SOA ns.zxcs.nl. hostmas...@zxcs.nl. 2020060413 ...
    commonisme.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
    _domainkey.commonisme.nl. IN NSEC ftp.commonisme.nl. TXT RRSIG NSEC
    _domainkey.commonisme.nl. IN RRSIG NSEC 13 3 3600 20201112000000 
20201022000000 ...

    _25._tcp.highbrunch.nl. IN TLSA ? ; NXDomain AD=1
    highbrunch.nl. IN SOA ns1.zxcs.nl. hostmas...@zxcs.nl. 2018061112 ...
    highbrunch.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
    x._domainkey.highbrunch.nl. IN NSEC ftp.highbrunch.nl. TXT RRSIG NSEC
    x._domainkey.highbrunch.nl. IN RRSIG NSEC 13 4 3600 20201112000000 
20201022000000 ...

    _25._tcp.houtindefamilie.nl. IN TLSA ? ; NXDomain AD=1
    houtindefamilie.nl. IN SOA ns1.zxcs.nl. hostmas...@zxcs.nl. 2018031712 ...
    houtindefamilie.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
    x._domainkey.houtindefamilie.nl. IN NSEC ftp.houtindefamilie.nl. TXT RRSIG 
NSEC
    x._domainkey.houtindefamilie.nl. IN RRSIG NSEC 13 4 3600 20201112000000 
20201022000000 ...

    _25._tcp.culturedbeef.nl. IN TLSA ? ; NXDomain AD=1
    culturedbeef.nl. IN SOA ns1.zxcs.nl. ns1.zxcs.nl. 2017101200 ...
    culturedbeef.nl. IN RRSIG SOA 13 2 86400 20201112000000 20201022000000 ...
    x._domainkey.culturedbeef.nl. IN NSEC ftp.culturedbeef.nl. TXT RRSIG NSEC
    x._domainkey.culturedbeef.nl. IN RRSIG NSEC 13 4 86400 20201112000000 
20201022000000 ...

    _25._tcp.kiddemon.nl. IN TLSA ? ; NXDomain AD=1
    kiddemon.nl. IN SOA ns1.zxcs.nl. hostmas...@zxcs.nl. 2020040301 ...
    kiddemon.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
    _domainkey.kiddemon.nl. IN NSEC ftp.kiddemon.nl. TXT RRSIG NSEC
    _domainkey.kiddemon.nl. IN RRSIG NSEC 13 3 3600 20201112000000 
20201022000000 ...

Google:

    _25._tcp.commonisme.nl. IN TLSA ? ; NXDomain AD=1
    commonisme.nl. IN SOA ns.zxcs.nl. hostmas...@zxcs.nl. 2020060413 ...
    commonisme.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
    commonisme.nl. IN NSEC _dmarc.commonisme.nl. A NS SOA TXT AAAA RRSIG NSEC 
DNSKEY
    commonisme.nl. IN RRSIG NSEC 13 2 3600 20201112000000 20201022000000 ...
    _domainkey.commonisme.nl. IN NSEC ftp.commonisme.nl. TXT RRSIG NSEC
    _domainkey.commonisme.nl. IN RRSIG NSEC 13 3 3600 20201112000000 
20201022000000 ...

    _25._tcp.houtindefamilie.nl. IN TLSA ? ; NXDomain AD=1
    houtindefamilie.nl. IN SOA ns1.zxcs.nl. hostmas...@zxcs.nl. 2018031712 ...
    houtindefamilie.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
    x._domainkey.houtindefamilie.nl. IN NSEC ftp.houtindefamilie.nl. TXT RRSIG 
NSEC
    x._domainkey.houtindefamilie.nl. IN RRSIG NSEC 13 4 3600 20201112000000 
20201022000000 ...
    houtindefamilie.nl. IN NSEC _dmarc.houtindefamilie.nl. A NS SOA MX TXT AAAA 
RRSIG NSEC DNSKEY
    houtindefamilie.nl. IN RRSIG NSEC 13 2 3600 20201112000000 20201022000000 
...

    _25._tcp.highbrunch.nl. IN TLSA ? ; NXDomain AD=1
    highbrunch.nl. IN SOA ns1.zxcs.nl. hostmas...@zxcs.nl. 2018061112 ...
    highbrunch.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
    x._domainkey.highbrunch.nl. IN NSEC ftp.highbrunch.nl. TXT RRSIG NSEC
    x._domainkey.highbrunch.nl. IN RRSIG NSEC 13 4 3600 20201112000000 
20201022000000 ...
    highbrunch.nl. IN NSEC _dmarc.highbrunch.nl. A NS SOA MX TXT AAAA RRSIG 
NSEC DNSKEY
    highbrunch.nl. IN RRSIG NSEC 13 2 3600 20201112000000 20201022000000 ...

    _25._tcp.culturedbeef.nl. IN TLSA ? ; NXDomain AD=1
    culturedbeef.nl. IN SOA ns1.zxcs.nl. ns1.zxcs.nl. 2017101200 ...
    culturedbeef.nl. IN RRSIG SOA 13 2 86400 20201112000000 20201022000000 ...
    x._domainkey.culturedbeef.nl. IN NSEC ftp.culturedbeef.nl. TXT RRSIG NSEC
    x._domainkey.culturedbeef.nl. IN RRSIG NSEC 13 4 86400 20201112000000 
20201022000000 ...
    culturedbeef.nl. IN NSEC _dmarc.culturedbeef.nl. A NS SOA MX TXT AAAA RRSIG 
NSEC DNSKEY
    culturedbeef.nl. IN RRSIG NSEC 13 2 86400 20201112000000 20201022000000 ...

    _25._tcp.kiddemon.nl. IN TLSA ? ; NXDomain AD=1
    kiddemon.nl. IN SOA ns1.zxcs.nl. hostmas...@zxcs.nl. 2020040301 ...
    kiddemon.nl. IN RRSIG SOA 13 2 3600 20201112000000 20201022000000 ...
    _domainkey.kiddemon.nl. IN NSEC ftp.kiddemon.nl. TXT RRSIG NSEC
    _domainkey.kiddemon.nl. IN RRSIG NSEC 13 3 3600 20201112000000 
20201022000000 ...
    kiddemon.nl. IN NSEC _dmarc.kiddemon.nl. A NS SOA TXT AAAA RRSIG NSEC DNSKEY
    kiddemon.nl. IN RRSIG NSEC 13 2 3600 20201112000000 20201022000000 ...
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations