The CloudFlare auth servers return ServFail for the TLSA lookup of:
https://dnsviz.net/d/_25._tcp.mx01.mx-hosting.ch/XpvvXg/dnssec/
https://dnsviz.net/d/_25._tcp.mail.markleenen.eu/Xpvvcg/dnssec/
https://dnsviz.net/d/_25._tcp.box.nobodyghost.net/Xpvvow/dnssec/
For all three, "A" lookups for the same qname return valid denial of
existence:

    _25._tcp.mx01.mx-hosting.ch. IN A ?
    mx-hosting.ch. IN SOA alla.ns.cloudflare.com. [email protected]. 2033851210 10000 2400 604800 3600
    mx-hosting.ch. IN RRSIG SOA 13 2 3600 20200420074057 20200418054057 34505 mx-hosting.ch. /UdtXD25WrZSBniBBtO+i3HSJaqJgeGf/xIt/NVRKjvBTjDdn8u1lf1L1nHxA4SnX25MseCt+rvzUsn0Qk40dA==
    _25._tcp.mx01.mx-hosting.ch. IN NSEC \000._25._tcp.mx01.mx-hosting.ch. HINFO MX TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF CAA
    _25._tcp.mx01.mx-hosting.ch. IN RRSIG NSEC 13 5 3600 20200420074057 20200418054057 34505 mx-hosting.ch. ZielhuDJf3hD4fxBfgXSAYVD8TvgkLL1swZPiWGDsTodwgM4U0A7D27i/UBhxRsV6BnCGco3UuRtBuI2frLKlw==

    _25._tcp.mail.markleenen.eu. IN A ?
    markleenen.eu. IN SOA darl.ns.cloudflare.com. [email protected]. 2033859863 10000 2400 604800 3600
    markleenen.eu. IN RRSIG SOA 13 2 3600 20200420074525 20200418054525 34505 markleenen.eu. ifsayHev5tJ4baUIwUR9b+HiFBc0aHsPbPxi4fOkV15lIKOxzyioxoT11pg5TTzMzlOwfmASo2hAMIjPVtaJQg==
    _25._tcp.mail.markleenen.eu. IN NSEC \000._25._tcp.mail.markleenen.eu. HINFO MX TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF CAA
    _25._tcp.mail.markleenen.eu. IN RRSIG NSEC 13 5 3600 20200420074525 20200418054525 34505 markleenen.eu. e1V94BttXUGsBQLQq9cEJD/lqoeTzA+Z/d0RFgeJR3i5qoAa1jOpTRldxHSQnJUcb95S6f9qOZ85BLbrZ3Bzbw==

    _25._tcp.box.nobodyghost.net. IN A ?
    nobodyghost.net. IN SOA ernest.ns.cloudflare.com. [email protected]. 2033875276 10000 2400 604800 3600
    nobodyghost.net. IN RRSIG SOA 13 2 3600 20200420074525 20200418054525 34505 nobodyghost.net. 9aH2tAT34IFLVuQNcFcGxzA6bjSPs6BLAAf4atFTUSpWp590UCkvYHs80gN05WbtmBPFoLSNo5GSYbWwk13JHA==
    _25._tcp.box.nobodyghost.net. IN NSEC \000._25._tcp.box.nobodyghost.net. HINFO MX TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF CAA
    _25._tcp.box.nobodyghost.net. IN RRSIG NSEC 13 5 3600 20200420074525 20200418054525 34505 nobodyghost.net. igoW77YIYQvEm2iJ/JmMtgTuBfmVv4wL/6aw2J50JWY+4DEDdWZXsmWUI0xG9L7DfYCVonv5Xp/h2QwYM28PpA==

but, the NSEC RR promises TLSA records, among a rather oddball mix of
other rrtypes:

    HINFO MX TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF CAA

that one would not expect to see associated with the qname in question.
My guess is that none of these are actually present, hence the ServFail.

--
Viktor.
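
The comparison made in the message above, written as a check a DANE monitor could run; this is an added example, not part of the original post. It reads the type list of each quoted NSEC record and compares it with what the lookup returned. Function names and the observation labels (NODATA, SERVFAIL, ANSWER) are assumptions of this sketch, and it does not validate the RRSIGs.

```python
# Added example, not from the original message. Owner names and the type
# list are copied from the NSEC records quoted above; function names and
# the observation labels are assumptions made for this sketch.
TYPES = "HINFO MX TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF CAA"
OWNERS = ["_25._tcp.mx01.mx-hosting.ch.",
          "_25._tcp.mail.markleenen.eu.",
          "_25._tcp.box.nobodyghost.net."]
NSEC_LINES = [f"{o} IN NSEC \\000.{o} {TYPES}" for o in OWNERS]


def parse_nsec(line):
    """Split a presentation-format NSEC RR into (owner, next_name, types)."""
    fields = line.split()
    i = fields.index("NSEC")  # first hit is the rrtype, not the bitmap entry
    return fields[0].lower(), fields[i + 1].lower(), {t.upper() for t in fields[i + 2:]}


def is_minimal_cover(owner, next_name):
    """True when the NSEC covers only the owner name (next = \\000.owner)."""
    return next_name == "\\000." + owner


def assess(line, qname, qtype, observed):
    """Compare the NSEC type list with the observed result for qtype."""
    owner, _next, types = parse_nsec(line)
    if owner != qname.lower():
        return "nsec-not-at-qname"
    listed = qtype.upper() in types
    if observed == "NODATA":    # NOERROR with an empty answer section
        return "denial-contradicts-bitmap" if listed else "nodata-consistent"
    if observed == "SERVFAIL":
        return "promised-but-unserved" if listed else "servfail-unexplained"
    if observed == "ANSWER":
        return "ok" if listed else "answer-contradicts-bitmap"
    raise ValueError(f"unknown observation: {observed}")


def report():
    """One row per name: results for the A and TLSA lookups in the message."""
    rows = []
    for owner, line in zip(OWNERS, NSEC_LINES):
        o, nxt, _ = parse_nsec(line)
        rows.append((owner, is_minimal_cover(o, nxt),
                     assess(line, owner, "A", "NODATA"),
                     assess(line, owner, "TLSA", "SERVFAIL")))
    return rows


if __name__ == "__main__":
    for row in report():
        print(*row, sep="  ")
```

For a sending MTA that validates DANE, the "promised-but-unserved" case matters because a failed TLSA lookup is not a proof of absence, so the monitor should alert on it rather than treat it as "no TLSA published".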