Re: [dane] DNSSEC debug advice (TLSA lookup problem).

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 05 September 2014 18:45 UTC

Date: Fri, 05 Sep 2014 18:45:28 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140905184528.GT26920@mournblade.imrryr.org>
References: <20140904202137.GD26920@mournblade.imrryr.org> <20140904210017.09E4D1E6A231@rock.dv.isc.org> <20140904213730.GE26920@mournblade.imrryr.org> <20140904230533.ED33E1E6D2FC@rock.dv.isc.org> <20140905151149.GO26920@mournblade.imrryr.org>
In-Reply-To: <20140905151149.GO26920@mournblade.imrryr.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/9gCWYbNzrwmDQux0AhvRPl9eq3s

On Fri, Sep 05, 2014 at 03:11:49PM +0000, Viktor Dukhovni wrote:

> Thanks.  I wrote to the operators of the DNS servers, and they are
> planning to fix the bug, but implemented a short-term work-around,
> where the wildcard CNAME was replaced by a wildcard A record.  However,
> the work-around is not working to the satisfaction of my resolver,
> any idea why?

OK, now I understand.  The response is "NODATA", but it should be
"NXDOMAIN".  All that the change did was prevent the wildcard CNAME
being returned incorrectly, but the wildcard record is still
incorrectly processed for the query in question, and incorrectly
returns "NODATA", rather than "NXDOMAIN".

So the work-around is not sufficient.  The real fix is to get the
nameserver to not apply wildcards to subdomains of existent siblings.

I'll try to find out what nameserver software this is, and if it is
something mainstream, try to let operators know to avoid it.

-- 
	Viktor.
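The wildcard rule Viktor is describing is the "closest encloser" rule of RFC 4592: a wildcard `*.zone` may only be expanded for a query name whose closest existing ancestor is the wildcard's parent. If a sibling such as `mail.zone` exists, then `_25._tcp.mail.zone` has `mail.zone` as its closest encloser, the only wildcard that could match is `*.mail.zone`, and when that does not exist the correct answer is NXDOMAIN. The following toy lookup, added here as an illustration and not code from the thread or from any nameserver, models both the correct algorithm and the misbehaviour reported above (a server that keeps walking up past the existing sibling and hits `*.zone`, answering NODATA because the wildcard has no TLSA record). The zone `example.test.` and its records are constructed for the example.

```python
"""Toy authoritative lookup modelling RFC 4592 wildcard matching.

All zone data below is constructed for illustration; the TLSA rdata is a
placeholder, not a real certificate association.
"""

# Constructed zone: owner name -> {rrtype: [rdata, ...]}
ZONE = {
    "example.test.": {"SOA": ["ns1 hostmaster 1 1 1 1 1"], "NS": ["ns1.example.test."]},
    "*.example.test.": {"A": ["192.0.2.1"]},          # wildcard with A only
    "mail.example.test.": {"A": ["192.0.2.25"]},
    "_25._tcp.mail.example.test.": {"TLSA": ["3 1 1 <placeholder hash>"]},
    "www.example.test.": {"A": ["192.0.2.80"]},       # existing sibling, no TLSA beneath
}

APEX = "example.test."


def _labels(name):
    return [label for label in name.rstrip(".").split(".") if label]


def _parent(name):
    labels = _labels(name)
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def _exists(zone, name):
    """A name exists if it owns records or is an ancestor of an owner
    (an empty non-terminal). A wildcard owner does not make its
    non-wildcard siblings exist."""
    suffix = "." + name
    return any(owner == name or owner.endswith(suffix) for owner in zone)


def _closest_encloser(zone, qname):
    """Walk up from qname to the nearest ancestor that exists in the zone."""
    name = _parent(qname)
    while not _exists(zone, name):
        if name == ".":
            raise ValueError("query name is not below the zone apex")
        name = _parent(name)
    return name


def lookup(zone, qname, qtype):
    """RFC 4592 behaviour: returns ("DATA", rrs), ("NODATA", None) or ("NXDOMAIN", None)."""
    qname = qname.lower()
    if not qname.endswith("." + APEX) and qname != APEX:
        raise ValueError("query name is not below the zone apex")
    if _exists(zone, qname):
        rrs = zone.get(qname, {}).get(qtype)
        return ("DATA", rrs) if rrs else ("NODATA", None)
    # Name does not exist: only the wildcard directly under the closest
    # encloser may be used (RFC 4592, section 3.3.1).
    wildcard = "*." + _closest_encloser(zone, qname)
    if wildcard in zone:
        rrs = zone[wildcard].get(qtype)
        return ("DATA", rrs) if rrs else ("NODATA", None)
    return ("NXDOMAIN", None)


def buggy_lookup(zone, qname, qtype):
    """Models the misbehaviour discussed in the thread: with no exact match the
    server tries a wildcard at every ancestor level, ignoring the existing
    sibling that should have stopped the search. Not any real server's code."""
    qname = qname.lower()
    if qname in zone:
        rrs = zone[qname].get(qtype)
        return ("DATA", rrs) if rrs else ("NODATA", None)
    name = _parent(qname)
    while name != ".":
        wildcard = "*." + name
        if wildcard in zone:
            rrs = zone[wildcard].get(qtype)
            return ("DATA", rrs) if rrs else ("NODATA", None)
        name = _parent(name)
    return ("NXDOMAIN", None)


if __name__ == "__main__":
    q = "_25._tcp.www.example.test."
    print("correct:", lookup(ZONE, q, "TLSA"))        # ('NXDOMAIN', None)
    print("buggy:  ", buggy_lookup(ZONE, q, "TLSA"))  # ('NODATA', None)
```

The query that trips the buggy server is the TLSA lookup under an existing host: `www.example.test.` exists, so the closest encloser of `_25._tcp.www.example.test.` is `www.example.test.`, `*.www.example.test.` is absent, and the answer must be NXDOMAIN. Only a name with no existing sibling, such as `_25._tcp.other.example.test.`, legitimately falls under `*.example.test.`, and there the NODATA answer is correct because the wildcard carries no TLSA record. A validating resolver that receives NODATA where the NSEC/NSEC3 chain proves NXDOMAIN will reject the response, which is the symptom reported in the thread.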