The podotrack.nl domain has two authoritative servers:
podotrack.nl. IN NS ns1.exsilia.net.
podotrack.nl. IN NS ns2.exsilia.net.
Both return the same SOA RR with an escaped "." in the first label of the SOA
"rname":
$ dig +norecur +dnssec -t SOA +noall +ans podotrack.nl @ns1.exsilia.net
podotrack.nl. 86400 IN RRSIG SOA 8 2 86400
20200402000000 20200312000000 16285 podotrack.nl.
QaAaTslfbdObE8V2vsPtN9j3VEiW5rb1Rq/K7xb9IlDShj06tw3ruRfx
wmeyaKEqiD+HmXwERervVbx+ilgIcNwD8emqJ+BfZxv4lyhwyVnmPpIW
/ggeijP4L7EywS7lsO0zs2nwB/Bhv/f5KwFIQy4Cm+hj99zbvULaNuNf ibw=
podotrack.nl. 86400 IN SOA ns2.exsilia.net.
j\.deklein.lijnco.nl. 2019111101 10800 3600 604800 10800
$ dig +norecur +dnssec -t SOA +noall +ans podotrack.nl @ns2.exsilia.net
podotrack.nl. 86400 IN SOA ns2.exsilia.net.
j\.deklein.lijnco.nl. 2019111101 10800 3600 604800 10800
podotrack.nl. 86400 IN RRSIG SOA 8 2 86400
20200402000000 20200312000000 16285 podotrack.nl.
QaAaTslfbdObE8V2vsPtN9j3VEiW5rb1Rq/K7xb9IlDShj06tw3ruRfx
wmeyaKEqiD+HmXwERervVbx+ilgIcNwD8emqJ+BfZxv4lyhwyVnmPpIW
/ggeijP4L7EywS7lsO0zs2nwB/Bhv/f5KwFIQy4Cm+hj99zbvULaNuNf ibw=
But that is *not* what I see from Verisign public DNS:
$ dig +dnssec -t SOA +noall +ans podotrack.nl @64.6.64.6
podotrack.nl. 86400 IN SOA ns2.exsilia.net.
j.deklein.lijnco.nl. 2019111101 10800 3600 604800 10800
podotrack.nl. 86400 IN RRSIG SOA 8 2 86400
20200402000000 20200312000000 16285 podotrack.nl.
QaAaTslfbdObE8V2vsPtN9j3VEiW5rb1Rq/K7xb9IlDShj06tw3ruRfx
wmeyaKEqiD+HmXwERervVbx+ilgIcNwD8emqJ+BfZxv4lyhwyVnmPpIW
/ggeijP4L7EywS7lsO0zs2nwB/Bhv/f5KwFIQy4Cm+hj99zbvULaNuNf ibw=
Even though the serial number and RRSIG are the same, the first label is
not escaped! The answer has a TTL of 86400 and looks fresh (!cached).
This breaks the SOA RRSIG and denial of existence of TLSA RRs, ...
The remaining usual suspects all return the expected rname:
$ dig +dnssec -t SOA +noall +ans podotrack.nl @8.8.8.8
podotrack.nl. 21599 IN RRSIG SOA 8 2 86400
20200402000000 20200312000000 16285 podotrack.nl.
QaAaTslfbdObE8V2vsPtN9j3VEiW5rb1Rq/K7xb9IlDShj06tw3ruRfx
wmeyaKEqiD+HmXwERervVbx+ilgIcNwD8emqJ+BfZxv4lyhwyVnmPpIW
/ggeijP4L7EywS7lsO0zs2nwB/Bhv/f5KwFIQy4Cm+hj99zbvULaNuNf ibw=
podotrack.nl. 21599 IN SOA ns2.exsilia.net.
j\.deklein.lijnco.nl. 2019111101 10800 3600 604800 10800
$ dig +dnssec -t SOA +noall +ans podotrack.nl @1.1.1.1
podotrack.nl. 10596 IN SOA ns2.exsilia.net.
j\.deklein.lijnco.nl. 2019111101 10800 3600 604800 10800
podotrack.nl. 10596 IN RRSIG SOA 8 2 86400
20200402000000 20200312000000 16285 podotrack.nl.
QaAaTslfbdObE8V2vsPtN9j3VEiW5rb1Rq/K7xb9IlDShj06tw3ruRfx
wmeyaKEqiD+HmXwERervVbx+ilgIcNwD8emqJ+BfZxv4lyhwyVnmPpIW
/ggeijP4L7EywS7lsO0zs2nwB/Bhv/f5KwFIQy4Cm+hj99zbvULaNuNf ibw=
$ dig +dnssec -t SOA +noall +ans podotrack.nl @9.9.9.10
podotrack.nl. 43200 IN SOA ns2.exsilia.net.
j\.deklein.lijnco.nl. 2019111101 10800 3600 604800 10800
podotrack.nl. 43200 IN RRSIG SOA 8 2 86400
20200402000000 20200312000000 16285 podotrack.nl.
QaAaTslfbdObE8V2vsPtN9j3VEiW5rb1Rq/K7xb9IlDShj06tw3ruRfx
wmeyaKEqiD+HmXwERervVbx+ilgIcNwD8emqJ+BfZxv4lyhwyVnmPpIW
/ggeijP4L7EywS7lsO0zs2nwB/Bhv/f5KwFIQy4Cm+hj99zbvULaNuNf ibw=
Checking army.mil (lots of dots in the first rname label), I find the
same symptoms:
$ dig +dnssec -t soa +noall +ans +add army.mil @64.6.64.6
army.mil. 1700 IN SOA ns01.army.mil.
usarmy.huachuca.netcom.mesg.epdns-global.mail.mil. 2007040001 900 90 2419200 300
army.mil. 1700 IN RRSIG SOA 8 2 3600 20200328054853
20200324044853 51378 army.mil.
gKsZWexzUD9tYM09JQnF/5pnd1ZKwxtBd9FjWtRTIimQRqldhMwFdALV
3vg4UGde6iSS1xH0jmXLeBPlk0ETNLtXwGRl7ywko8Q12eVy7XgUASwM
OM3Sv6XEfaNglTHbqmeJo987BSlkNqwUFIlCnvI0OFiboLX9le+xl6eI
bw2GsGrd+/Q+XU37JvDAQ55X9mECMM1jHjraBD2NKfcPGRP700Myie+q
WgUuQrs40YGR8jFLrxk5/R/A4uPK0hlXVpjHv6cmrlAW00BS7LlP+5Ha
H+oh10/0hQkofrjhQWINXUKCSHI4mMSO6liubK74cjS5fxg07BnvaMKJ OtoIuQ==
$ dig +dnssec -t soa +noall +ans +add army.mil @8.8.8.8
army.mil. 2830 IN SOA ns01.army.mil.
usarmy\.huachuca\.netcom\.mesg\.epdns-global.mail.mil. 2007040004 900 90
2419200 300
army.mil. 2830 IN RRSIG SOA 8 2 3600 20200328061900
20200324051900 51378 army.mil.
WVAHvrkjdrq4Z1QShUec3xqGT3DSPJIx6vABFUVlO+mQfI4w9ZclXYqP
iAVr0VP/erA2aztQp6qaLEYo3TXMlPG5iIpC6Abay3N0mmdndsfwl78v
5kveVZ1CiKoMD8jzT67x6CCU053vTtQAbOm0PR153D9DD1ObGj3kTx8n
hKbDGQzmbWiQybguAjOGoSZ+jDcjjrtFcXyrzhpUYndrddsSYpA1RjA1
mJIK/AYPESTLZ1/SnNgyLBtP3CxBKsyBftqhpHLcLaUMHiSgjNExqDGI
aM4FearWrfAm0lB95OtX3AjWgFbhcPR7KTFOCO1JHs9hmvYE2q+UgYYU 20er6g==
Looks like some sort of systemic issue.
--
Viktor.
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
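An added example (my own code, not from Viktor's post) showing why the dropped escape matters for validation: it converts both spellings of the rname quoted above to the lowercase canonical wire form a validator hashes (RFC 4034 section 6.2), builds the SOA RDATA the RRSIG covers, and shows the bytes differ even though serial, timers and signature are identical. The SOA values are copied from the post; the function names are my own.

```python
import struct

def name_to_wire(name: str) -> bytes:
    """Presentation-format name (RFC 1035 escapes \\. \\\\ \\DDD) to lowercase
    canonical wire form (RFC 4034 section 6.2), as a validator hashes it."""
    if name == ".":
        return b"\x00"
    labels, cur, i = [], bytearray(), 0
    while i < len(name):
        c = name[i]
        if c == "\\":
            esc = name[i + 1:i + 4]
            if len(esc) == 3 and esc.isdigit():   # \DDD: decimal byte value
                cur.append(int(esc)); i += 4
            else:                                 # \. or \\: literal next char
                cur.append(ord(name[i + 1])); i += 2
        elif c == ".":                            # unescaped dot ends a label
            labels.append(bytes(cur)); cur = bytearray(); i += 1
        else:
            cur.append(ord(c)); i += 1
    if cur:                                       # tolerate a missing final dot
        labels.append(bytes(cur))
    out = b""
    for lab in labels:
        if not 1 <= len(lab) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(lab)]) + lab.lower()    # length-prefixed, lowercased
    return out + b"\x00"

def wire_labels(wire: bytes) -> list:
    """Split a wire-format name back into its raw label bytes."""
    labels, i = [], 0
    while wire[i]:
        n = wire[i]; labels.append(wire[i + 1:i + 1 + n]); i += 1 + n
    return labels

def soa_rdata(mname, rname, serial, refresh, retry, expire, minimum):
    """Canonical SOA RDATA: the bytes the SOA RRSIG actually covers
    (SOA is one of the types whose RDATA names are lowercased)."""
    return (name_to_wire(mname) + name_to_wire(rname)
            + struct.pack("!IIIII", serial, refresh, retry, expire, minimum))

# Values from the post: the authoritative answer vs the 64.6.64.6 answer.
AUTH = soa_rdata("ns2.exsilia.net.", "j\\.deklein.lijnco.nl.",
                 2019111101, 10800, 3600, 604800, 10800)
VERISIGN = soa_rdata("ns2.exsilia.net.", "j.deklein.lijnco.nl.",
                     2019111101, 10800, 3600, 604800, 10800)

if __name__ == "__main__":
    print(wire_labels(name_to_wire("j\\.deklein.lijnco.nl.")))  # 3 labels
    print(wire_labels(name_to_wire("j.deklein.lijnco.nl.")))    # 4 labels
    print("same RDATA:", AUTH == VERISIGN)   # False -> RRSIG cannot verify
```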