Le 27/03/2023 à 13:31, Emmanuel Fusté a écrit :
Le 27/03/2023 à 12:37, Emmanuel Fusté a écrit :
Le 27/03/2023 à 12:14, Joe Abley a écrit :
Hi Emmanuel,
On Mon, Mar 27, 2023 at 10:51, Emmanuel Fusté <manu.fu...@gmail.com> wrote:
Cloudflare has started to return TYPE65283 in their NSEC records for
"compact DNSSEC denial of existence"/"minimal lies" for NXDOMAINs.
It actually breaks established "minimal lies" NXDOMAIN decoding
implementations.
Does someone know the TYPE65283 usage/purpose in this context?
If a compact negative response includes an NSEC RR whose type bitmap
only includes NSEC and RRSIG, the response is indistinguishable from
the case where the name exists but is an empty non-terminal. Adding
a special entry in the type bitmap avoids that ambiguity and as a
bonus provides an NXDOMAINish signal as a kind of compromise to
those consumers who are all pitchforky about the RCODE. The spec
currently calls that special type NXNAME.
https://www.ietf.org/archive/id/draft-huque-dnsop-compact-lies-01.txt
The spec is still a work in progress and the NXNAME type does not
have a codepoint. I believe TYPE65283 is being used as a
placeholder. I think Christian made a comment to that effect on this
list last week, although I think he may not have mentioned the
specific RRTYPE that was to be used.
If this has caused something to break, more details would be good to
hear!
Yes, I know about the draft to unbreak ENT. Thank you for the updated
link with the latest version, which is a superset of
draft-huque-dnsop-blacklies-ent-01.
NS1 uses TYPE65281 for ENT.
But in the observed case, the entry is not an ENT:
; <<>> DiG 9.18.13-1-Debian <<>> +norecurse @ns3.cloudflare.com +dnssec albertoooo.ns.cloudflare.com.
; (4 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19880
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;albertoooo.ns.cloudflare.com. IN A
;; AUTHORITY SECTION:
cloudflare.com. 300 IN SOA ns3.cloudflare.com. dns.cloudflare.com. 2304565806 10000 2400 604800 300
albertoooo.ns.cloudflare.com. 300 IN NSEC \000.albertoooo.ns.cloudflare.com. RRSIG NSEC TYPE65283
albertoooo.ns.cloudflare.com. 300 IN RRSIG NSEC 13 4 300 20230328112618 20230326092618 34505 cloudflare.com.
vNF+qAaZUSSreKRLhYHfg5sn7qoP1SV+fZgmivg3qmJecz7Cvp69A/8I
Ew0XPOuG8CPQGA5doswZdnOk9cfLRw==
cloudflare.com. 300 IN RRSIG SOA 13 2 300 20230328112618 20230326092618 34505 cloudflare.com.
fD4t5hWnE7js8/gRqJn2G833NCmjcyFqW+WJZnPqHX3SiKBlwUlX2wh8
UFj0ajbwuTVQpiJxZSb5hUNs9+KErQ==
;; Query time: 8 msec
;; SERVER: 162.159.0.33#53(ns3.cloudflare.com) (UDP)
;; WHEN: Mon Mar 27 12:26:18 CEST 2023
;; MSG SIZE rcvd: 376
And for ENT, the response did not change from the previous Cloudflare
implementation: all Cloudflare known types are added instead of
RRSIG and NSEC.
Ok, replying to myself.
TYPE65283 is, as you stated, the placeholder for a future NXNAME.
So they silently break their previous implementation to implement half
of this draft.
Their previous NXDOMAIN implementation corresponds to the draft ENT case,
but they still implement their old way for ENT.
Thank you for the pointer.
Last word on the subject.
Adding brain-damage to brain-damage and now we have a total mess.
Only implementations using a synthesized NXNAME and a synthesized ENT
distinguisher could be identified.
Considering an NSEC record with only RRSIG and NSEC:
Is it an old-draft minimal response NXDOMAIN?
Is it a new-draft minimal response ENT without an ENT distinguisher?
To be no worse than the previous draft, the ENT distinguisher usage
must be mandatory.
Emmanuel.
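Added example (my code, not from the thread, Cloudflare or NS1): it reads an NSEC type bitmap from both dig's presentation format and the RFC 4034 wire format, then applies the interpretation discussed above, including the ambiguous "NSEC + RRSIG only" case. The codes 65283 (NXNAME placeholder) and 65281 (NS1's ENT marker) are taken from the thread and treated as assumptions; the sample record is constructed from the dig output quoted above.

```python
import re

# RRTYPE mnemonics to codes (IANA); unknown types use RFC 3597 "TYPEnnnn" syntax
RRTYPE = {"A": 1, "NS": 2, "SOA": 6, "TXT": 16, "AAAA": 28, "RRSIG": 46, "NSEC": 47}
NXNAME_PLACEHOLDER = 65283  # assumed: Cloudflare's stand-in for the draft's NXNAME
ENT_MARKER = 65281          # assumed: the ENT distinguisher NS1 uses, per the thread

# Constructed sample: the NSEC record from the dig output quoted in the thread
SAMPLE_NSEC = ("albertoooo.ns.cloudflare.com. 300 IN NSEC "
               "\\000.albertoooo.ns.cloudflare.com. RRSIG NSEC TYPE65283")

def type_code(mnemonic):
    """'NSEC' -> 47, 'TYPE65283' -> 65283."""
    m = re.fullmatch(r"TYPE(\d+)", mnemonic)
    return int(m.group(1)) if m else RRTYPE[mnemonic]

def parse_nsec(line):
    """Presentation-format NSEC RR -> (owner, next owner, set of type codes)."""
    f = line.split()
    if len(f) < 5 or f[3] != "NSEC":
        raise ValueError("not an NSEC record")
    return f[0], f[4], {type_code(t) for t in f[5:]}

def decode_type_bitmap(data):
    """RFC 4034 section 4.1.2 wire-format type bitmap (window blocks) -> type codes."""
    types, i = set(), 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window block")
        win, length = data[i], data[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(data):
            raise ValueError("malformed window block")
        for j, byte in enumerate(data[i + 2:i + 2 + length]):
            types |= {(win << 8) | (j * 8 + b) for b in range(8) if byte & (0x80 >> b)}
        i += 2 + length
    return types

def classify(nsec_types, qtype):
    """Interpret an NSEC owned by the query name under the compact-denial drafts."""
    if NXNAME_PLACEHOLDER in nsec_types:
        return "NXDOMAIN"      # new draft: explicit non-existence signal in the bitmap
    if ENT_MARKER in nsec_types:
        return "ENT"           # explicit empty-non-terminal marker
    if nsec_types <= {RRTYPE["NSEC"], RRTYPE["RRSIG"]}:
        return "AMBIGUOUS"     # old-draft NXDOMAIN or new-draft ENT without a marker
    if qtype in nsec_types:
        raise ValueError("bitmap asserts the queried type exists; not a denial")
    return "NODATA"            # name exists, queried type does not
```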
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations