[dane] Problem with ns0.nl nameservers and DANE TLSA

Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 23 November 2014 22:20 UTC

Date: Sun, 23 Nov 2014 22:20:08 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: hostmaster@ns0.nl
Message-ID: <20141123222007.GL922@mournblade.imrryr.org>
References: <e78b811d7c054a1bb1ced93b38109be7@forpsi.com> <20140908123910.GU26920@mournblade.imrryr.org>
In-Reply-To: <20140908123910.GU26920@mournblade.imrryr.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/pL70qqi71zND3DrxbnXKaBB-iC8
Cc: "Deccio, Casey" <cdeccio@verisign.com>, dane@ietf.org
Subject: [dane] Problem with ns0.nl nameservers and DANE TLSA

[ Cc: to the dane WG list, in the hope that some here might be
  able to assist, if they have direct contacts at the provider.
  Please don't Cc: any follow-up list discussion to the ISP contact
  address.  This is the final report!  Just 5 DNS hosting providers
  appear to account for all the non-sporadic failures of TLSA
  lookups. ]

Many ns0.nl domains emit incorrect denial of existence NSEC3 records
for DANE TLSA queries.  This will cause email delivery problems to
your customers' domains if not resolved by fixing the nameserver
software.  My (surely incomplete) list of affected domains is below.

The newly updated (thanks Casey!) dnsviz.net site now gives a very
clear picture of the problem (just "mouse over" the NSEC3 record
box).  The NODATA response is not accompanied by any NSEC3 records
that match the hash of the Qname, rather the NSEC3 records prove
NXDOMAIN, but the RCODE is incorrectly NOERROR:


The closest encloser is "mail.photoshoplayerstyle.com", and the
NSEC3 records returned exclude the presence of "*mail.photoshoplayerstyle.com":

    $ dig +cd +dnssec -t tlsa _25._tcp.mail.photoshoplayerstyle.com. +nocl +nottl |
        pcregrep 'status:|^;; flags|\.\s+NSEC'
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43917
    ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
    s65rgcpqslu0ftooro2f1su7nd7ve67b.photoshoplayerstyle.com. NSEC3 1 0 100 57AE8C5E617F9173 40EEHCT3600L9LLE0HTHM25UKF4AKVPJ A NS SOA MX RRSIG DNSKEY NSEC3PARAM
    40eehct3600l9lle0hthm25ukf4akvpj.photoshoplayerstyle.com. NSEC3 1 0 100 57AE8C5E617F9173 5DKJRL27ESVU3IV4EJR83HBJPPURER2K A RRSIG
    qn0r3962bhci2jsktqa29urqefoql1jk.photoshoplayerstyle.com. NSEC3 1 0 100 57AE8C5E617F9173 S65RGCPQSLU0FTOORO2F1SU7ND7VE67B A RRSIG

    $ ldns-nsec3-hash -t 100 -s 57AE8C5E617F9173 _25._tcp.mail.photoshoplayerstyle.com
    $ ldns-nsec3-hash -t 100 -s 57AE8C5E617F9173 _tcp.mail.photoshoplayerstyle.com
    $ ldns-nsec3-hash -t 100 -s 57AE8C5E617F9173 mail.photoshoplayerstyle.com
    $ ldns-nsec3-hash -t 100 -s 57AE8C5E617F9173 '*mail.photoshoplayerstyle.com'
    $ ldns-nsec3-hash -t 100 -s 57AE8C5E617F9173 '*.photoshoplayerstyle.com'

They do however prove the wildcard "*.photoshoplayerstyle.com" A
record, so it seems this is erroneously reported here despite the
fact that mail.photoshoplayerstyle.com exists.

Queries for the TLSA records of all the MX hosts below similarly
fail validation.  What and when might be done to fully address this?

Domain                             _25._tcp.mx-host. IN TLSA ?
---------------------------------  ---------------------------
photoshoplayerstyle.com.           _25._tcp.mail.photoshoplayerstyle.com. IN TLSA ?
badpunt.nl.                        _25._tcp.mail.badpunt.nl. IN TLSA ?
emij.nl.                           _25._tcp.emijx1.emij.nl. IN TLSA ?
getinteractive.nl.                 _25._tcp.x9.getinteractive.nl. IN TLSA ?
go4camp.nl.                        _25._tcp.mail.go4camp.nl. IN TLSA ?
imageserve.nl.                     _25._tcp.mail.imageserve.nl. IN TLSA ?
internet123.nl.                    _25._tcp.mail.internet123.nl. IN TLSA ?
orionvolleybal.nl.                 _25._tcp.mail.orionvolleybal.nl. IN TLSA ?
sollicitatiedokter.nl.             _25._tcp.mail.sollicitatiedokter.nl. IN TLSA ?
wpnet.nl.                          _25._tcp.mail01.wpnet.nl. IN TLSA ?
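The check the report above performs by hand (hash the QNAME and its ancestors with the zone's NSEC3 parameters, then see whether the returned NSEC3 records match the QNAME, as a NODATA proof needs, or instead match a closest encloser and cover the next-closer name and wildcard, which is an NXDOMAIN proof) is written out below as an added example in Python; it is not code from the original message or from any of the tools it mentions. It implements the RFC 5155 hash (SHA-1 over the canonical wire-format owner name plus salt, iterated, base32hex-encoded) and the matched/covered tests; `build_chain`, the zone name and query names in the test are constructed from the RFC 5155 example zone, not taken from ns0.nl.

```python
import base64
import hashlib

# Python's b32encode uses the RFC 4648 base32 alphabet; NSEC3 owner names use base32hex.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 s.5: SHA-1(owner-wire || salt), then re-hashed `iterations` more times."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes encode to exactly 32 base32 characters, so there is no '=' padding to strip.
    return base64.b32encode(digest).decode().translate(_TO_B32HEX).lower()

def covers(owner, nxt, h):
    """True when hash h lies strictly between an NSEC3 owner and its Next Hashed Owner;
    the last record of the chain wraps around to the first."""
    return owner < h < nxt if owner < nxt else (h > owner or h < nxt)

def classify_proof(qname, zone, nsec3s, salt_hex, iterations):
    """nsec3s: list of (owner_hash, next_hash) taken from the AUTHORITY section.
    Returns ("NODATA", qname) when an NSEC3 owner matches the QNAME hash, or
    ("NXDOMAIN", closest_encloser, next_closer_covered, wildcard_covered) when
    the records instead form a name-error proof, else ("NONE",)."""
    H = lambda n: nsec3_hash(n, salt_hex, iterations)
    hq = H(qname)
    if any(o == hq for o, _ in nsec3s):
        return ("NODATA", qname)            # the proof a NOERROR/empty answer needs
    labels = qname.rstrip(".").split(".")
    depth = len(labels) - len(zone.rstrip(".").split("."))
    for i in range(1, depth + 1):           # walk up to find the matched closest encloser
        ce = ".".join(labels[i:])
        if any(o == H(ce) for o, _ in nsec3s):
            next_closer, wildcard = ".".join(labels[i - 1:]), "*." + ce
            return ("NXDOMAIN", ce,
                    any(covers(o, n, H(next_closer)) for o, n in nsec3s),
                    any(covers(o, n, H(wildcard)) for o, n in nsec3s))
    return ("NONE",)

def build_chain(names, salt_hex, iterations):
    """Constructed helper: the sorted, wrapped NSEC3 chain a signer would emit for `names`."""
    hs = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return [(hs[i], hs[(i + 1) % len(hs)]) for i in range(len(hs))]
```

An NXDOMAIN-shaped result returned together with RCODE NOERROR, as in the dig output above, is exactly the mismatch a validating resolver treats as bogus.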