On 27/03/2023 at 12:37, Emmanuel Fusté wrote:
On 27/03/2023 at 12:14, Joe Abley wrote:
Hi Emmanuel,
On Mon, Mar 27, 2023 at 10:51, Emmanuel Fusté <[email protected]>
wrote:
Cloudflare started to return TYPE65283 in their NSEC records for "compact
DNSSEC denial of existence"/"minimal lies" for NXDOMAINs.
It actually breaks established "minimal lies" NXDOMAIN decoding
implementations.
Does someone know the TYPE65283 usage/purpose in this context?
If a compact negative response includes an NSEC RR whose type bitmap
only includes NSEC and RRSIG, the response is indistinguishable from
the case where the name exists but is an empty non-terminal. Adding a
special entry in the type bitmap avoids that ambiguity and as a bonus
provides an NXDOMAINish signal as a kind of compromise to those
consumers who are all pitchforky about the RCODE. The spec currently
calls that special type NXNAME.
https://www.ietf.org/archive/id/draft-huque-dnsop-compact-lies-01.txt
The spec is still a work in progress and the NXNAME type does not
have a codepoint. I believe TYPE65283 is being used as a placeholder.
I think Christian made a comment to that effect on this list last
week, although I think he may not have mentioned the
specific RRTYPE that was to be used.
If this has caused something to break, more details would be good to
hear!
Yes, I know about the draft to unbreak ENT. Thank you for the updated
link with the latest version, which is a superset of
draft-huque-dnsop-blacklies-ent-01.
NS1 uses TYPE65281 for ENT.
But in the observed case, the entry is not an ENT:
; <<>> DiG 9.18.13-1-Debian <<>> +norecurse @ns3.cloudflare.com
+dnssec albertoooo.ns.cloudflare.com.
; (4 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19880
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;albertoooo.ns.cloudflare.com. IN A
;; AUTHORITY SECTION:
cloudflare.com. 300 IN SOA ns3.cloudflare.com.
dns.cloudflare.com. 2304565806 10000 2400 604800 300
albertoooo.ns.cloudflare.com. 300 IN NSEC
\000.albertoooo.ns.cloudflare.com. RRSIG NSEC TYPE65283
albertoooo.ns.cloudflare.com. 300 IN RRSIG NSEC 13 4 300
20230328112618 20230326092618 34505 cloudflare.com.
vNF+qAaZUSSreKRLhYHfg5sn7qoP1SV+fZgmivg3qmJecz7Cvp69A/8I
Ew0XPOuG8CPQGA5doswZdnOk9cfLRw==
cloudflare.com. 300 IN RRSIG SOA 13 2 300
20230328112618 20230326092618 34505 cloudflare.com.
fD4t5hWnE7js8/gRqJn2G833NCmjcyFqW+WJZnPqHX3SiKBlwUlX2wh8
UFj0ajbwuTVQpiJxZSb5hUNs9+KErQ==
;; Query time: 8 msec
;; SERVER: 162.159.0.33#53(ns3.cloudflare.com) (UDP)
;; WHEN: Mon Mar 27 12:26:18 CEST 2023
;; MSG SIZE rcvd: 376
And for ENT, the response did not change from the previous Cloudflare
implementation: all Cloudflare known types are added instead of RRSIG
and NSEC.
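The type-bitmap handling the two messages above discuss, as an added example that is not code from the thread, from Cloudflare or from NS1: it encodes and decodes the NSEC type bitmap in its RFC 4034 window-block wire format, parses the dig text "RRSIG NSEC TYPE65283", and classifies a compact-denial answer by what the bitmap contains. The KNOWN table, the "AMBIGUOUS" label and the function names are the example's own choices.

```python
# Added example (not part of the thread or of any nameserver implementation):
# NSEC type bitmap encode/decode (RFC 4034 section 4.1.2) plus a classifier
# for NOERROR compact-denial answers whose NSEC owner name equals the qname.
from typing import Iterable

KNOWN = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28, "RRSIG": 46, "NSEC": 47}
NXNAME_PLACEHOLDER = 65283   # TYPE65283: placeholder for the draft's NXNAME, as seen from Cloudflare
NS1_ENT_MARKER = 65281       # TYPE65281: what the thread says NS1 uses to mark an ENT

def parse_types(presentation: str) -> list[int]:
    """Turn dig's text form, e.g. 'RRSIG NSEC TYPE65283', into numeric RR types."""
    out = []
    for tok in presentation.split():
        out.append(int(tok[4:]) if tok.upper().startswith("TYPE") else KNOWN[tok.upper()])
    return out

def encode_type_bitmap(types: Iterable[int]) -> bytes:
    windows: dict[int, bytearray] = {}
    for t in types:
        win, low = t >> 8, t & 0xFF               # 65283 = window 255, bit 3
        windows.setdefault(win, bytearray(32))[low >> 3] |= 0x80 >> (low & 7)
    wire = bytearray()
    for win in sorted(windows):                   # windows ascending, trailing zero octets dropped
        bits = windows[win]
        length = max(i for i, b in enumerate(bits) if b) + 1
        wire += bytes([win, length]) + bits[:length]
    return bytes(wire)

def decode_type_bitmap(wire: bytes) -> list[int]:
    types, i = [], 0
    while i < len(wire):
        win, length = wire[i], wire[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(wire):
            raise ValueError("malformed type bitmap window")
        for j, octet in enumerate(wire[i + 2:i + 2 + length]):
            types += [(win << 8) | (j * 8 + bit) for bit in range(8) if octet & (0x80 >> bit)]
        i += 2 + length
    return types

def classify(rcode: str, nsec_types: list[int]) -> str:
    """What a NOERROR answer means when the NSEC owner name is the query name."""
    if rcode != "NOERROR":
        return rcode                               # conventional denial: the RCODE already says it
    present = set(nsec_types)
    if NXNAME_PLACEHOLDER in present:
        return "NXDOMAIN"                          # the draft's NXNAME signal
    if NS1_ENT_MARKER in present:
        return "ENT"
    if present <= {KNOWN["RRSIG"], KNOWN["NSEC"]}:
        return "AMBIGUOUS"                         # ENT per the draft, NXDOMAIN per older deployments
    return "NODATA"                                # name exists; the queried type is simply absent
```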
Ok, replying to myself.
TYPE65283 is, as you stated, the placeholder for a future NXNAME.
So they silently broke their previous implementation to implement half
of this draft.
Their previous NXDOMAIN implementation corresponds to the draft's ENT case, but
they still implement their old way for ENT.
Thank you for the pointer.
Regards,
Emmanuel.
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations