[dane] Problem with hosting2go.nl nameservers and DANE TLSA

Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 23 November 2014 22:03 UTC

Date: Sun, 23 Nov 2014 22:02:57 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: postmaster@hosting2go.nl
Message-ID: <20141123220256.GK922@mournblade.imrryr.org>
References: <e78b811d7c054a1bb1ced93b38109be7@forpsi.com> <20140908123910.GU26920@mournblade.imrryr.org>
In-Reply-To: <20140908123910.GU26920@mournblade.imrryr.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/Nh1zeLtpmV9x32isBeSuYiR1-Ms
Cc: "Deccio, Casey" <cdeccio@verisign.com>, dane@ietf.org
Subject: [dane] Problem with hosting2go.nl nameservers and DANE TLSA
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>

[ Cc: to the dane WG list, in the hope that some here might be
  able to assist, if they have direct contacts at the provider.
  Please don't Cc: any follow-up list discussion to the ISP contact
  address. ]

Many hosting2go.nl domains emit incorrect denial of existence NSEC
records for DANE TLSA queries.  This will cause email delivery
problems to your customers' domains if not resolved by fixing the
nameserver software.  My (surely incomplete) list of affected
domains is below.

For example, the nameservers for albertplatje.nl return NODATA
instead of NXDOMAIN for the query below:

    $ dig +cd +dnssec -t tlsa _25._tcp.albertplatje.nl. +nocl +nottl |
        pcregrep 'status:|^;; flags|\.\s+NSEC'
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20796
    ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
    *.albertplatje.nl.      NSEC    _autodiscover._tcp.albertplatje.nl. A RRSIG NSEC

The NSEC record proves the presence of "_tcp.albertplatje.nl" (as an
empty non-terminal, since the next owner name lies below it), and the
absence of both "_25._tcp.albertplatje.nl" and "*._tcp.albertplatje.nl",
which sort between the NSEC pair endpoints.  Therefore, the response
should be NXDOMAIN, not NOERROR (aka NODATA when the answer count is 0).

In this case I believe we have a bug in dnsviz, which fails to note
that the NSEC record proves the existence of the empty non-terminal
"_tcp", and thus the relevant closest encloser is "_tcp" and so
the wildcard RRset is out of scope, and hence the RCODE should be
NXDOMAIN.

    http://dnsviz.net/d/_25._tcp.albertplatje.nl/dnssec/?rr=52&ds=all&a=all&doe=on&ta=p;doe=on&ta=.

Queries for the TLSA records of all the MX hosts below similarly
fail validation.  What and when might be done to fully address this
issue?

Domain                             _25._tcp.mx-host. IN TLSA ?
---------------------------------  ---------------------------
albertplatje.nl.                   _25._tcp.albertplatje.nl. IN TLSA ?
azie4y.nl.                         _25._tcp.azie4y.nl. IN TLSA ?
delta-hardware.nl.                 _25._tcp.delta-hardware.nl. IN TLSA ?
digistrip.nl.                      _25._tcp.digistrip.nl. IN TLSA ?
edwords.nl.                        _25._tcp.edwords.nl. IN TLSA ?
flashpatterns.nl.                  _25._tcp.flashpatterns.nl. IN TLSA ?
informatieplatform.nl.             _25._tcp.informatieplatform.nl. IN TLSA ?
kenney.nl.                         _25._tcp.kenney.nl. IN TLSA ?
locdepot.nl.                       _25._tcp.locdepot.nl. IN TLSA ?
mc4e.nl.                           _25._tcp.mc4e.nl. IN TLSA ?
mega-save.nl.                      _25._tcp.mega-save.nl. IN TLSA ?
netspecialist.nl.                  _25._tcp.netspecialist.nl. IN TLSA ?
parfumsector.nl.                   _25._tcp.parfumsector.nl. IN TLSA ?
portraitsbyrhalda.nl.              _25._tcp.portraitsbyrhalda.nl. IN TLSA ?
premiumsecurity.nl.                _25._tcp.premiumsecurity.nl. IN TLSA ?
rijschoolnaz.nl.                   _25._tcp.rijschoolnaz.nl. IN TLSA ?
schaakzone.nl.                     _25._tcp.schaakzone.nl. IN TLSA ?
straxlive.nl.                      _25._tcp.straxlive.nl. IN TLSA ?
we12travel.nl.                     _25._tcp.we12travel.nl. IN TLSA ?
winkelsector.nl.                   _25._tcp.winkelsector.nl. IN TLSA ?

-- 
	Viktor.