[DNSOP] Real world examples that contain DNSSEC secure `Wildcard Answer` or `Wildcard No Data`

Joey Deng <qiaoyu_deng@apple.com> Fri, 22 October 2021 02:34 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/k2GwAUzCY9W5VLZCNdJO_kU8ofg>

Hello folks,

[RFC 4035, section 3.1.3, Including NSEC RRs in a Response](https://datatracker.ietf.org/doc/html/rfc4035#section-3.1.3) describes four different cases in which NSEC records should be included in a response:
1. No Data
2. Name Error
3. Wildcard Answer
4. Wildcard No Data

I am trying to find real-world examples to help me better understand the cases above. I found some examples for case 1 and case 2:

1. No Data
```
dig www.ietf.org.cdn.cloudflare.net. MX +dnssec +cdflag +tcp

;; QUESTION SECTION:
;www.ietf.org.cdn.cloudflare.net. IN	MX

;; AUTHORITY SECTION:
www.ietf.org.cdn.cloudflare.net. 757 IN	RRSIG	NSEC 13 6 3600 20211023001635 20211020221635 34505 cloudflare.net. CivIamjPTC4Q9u8Qo6UpBh7x3f94ZMEZ7oxAU0ZEkzcnhMaJ8jEOQv+N e3md2JQEKTD01OKa0EGwdRTMb453ww==
www.ietf.org.cdn.cloudflare.net. 757 IN	NSEC	\000.www.ietf.org.cdn.cloudflare.net. A HINFO TXT AAAA LOC SRV NAPTR CERT SSHFP RRSIG NSEC TLSA SMIMEA HIP OPENPGPKEY TYPE64 TYPE65 SPF URI CAA
cloudflare.net.		757	IN	SOA	ns1.cloudflare.net. dns.cloudflare.com. 1634858195 10000 2400 604800 3600
cloudflare.net.		757	IN	RRSIG	SOA 13 2 3600 20211023001635 20211020221635 34505 cloudflare.net. 26pedBEBsFVlmfTuhLGYHOsu0Zzdv5yEqHRCliAF3iOG5GUXb6oTX99+ GtVJ8YcWYShwXdJzuMD7hkDvCVgD+Q==
```
The returned NSEC record shows that `www.ietf.org.cdn.cloudflare.net.` exists, but the NSEC record does not list the MX type; therefore, there is no data for MX.

2. Name Error
```
dig wwwwwwww.ietf.org. AAAA +dnssec +cdflag +tcp

;; QUESTION SECTION:
;wwwwwwww.ietf.org.		IN	AAAA

;; AUTHORITY SECTION:
ietf.org.		770	IN	SOA	ns0.amsl.com. glen.amsl.com. 1200000537 1800 1800 604800 1800
ietf.org.		770	IN	RRSIG	SOA 5 2 1800 20221019014909 20211019005139 40452 ietf.org. GUaWdfXoPWOjb+/1w5Dtn8VoeemBYXdDIQui365JuuIBkEC4YKFLb+m+ u8YJ+cbnTzDb768HkTX8AbWaupZVR2FLn2r06hf6YruVi5jRjzExYLQ6 22Rn8TCvNpNRBZ7fyEcBd9m3aacGr+2iBXgYL9QRXag0tSAAW5oxjI8H CcQLLylwGKDvQv2sNIQLxZlkYFXa+swBOuFQdT8MmymOKjV1d+p3s+S0 1HdUb7JAR2vTK/UVib5zfyXGiQcpD6F3XOQNVTY2dgc2ywAqoudANVmz Rm9rql12MALn2hu5HwrfC0djzXxo6Ry8I0KLmRtAsDoz4ie95Oh1Bnt4 qUhJLA==
ietf.org.		770	IN	RRSIG	NSEC 5 2 1800 20221019015032 20211019005139 40452 ietf.org. PiCNEGBSBbC/ALNR5ebDwk1wQGMH/l6MtV5ZAGYl9M1wf43NrqHapDlU AP2E07FsPIyo9PcWui67PidLgVA4e0rRJbyHK2B92tEeprZbxSOCeIFi NWiLl1oCZt+IQCCnFlzJkbwk2MWOVRYxUdQfmWk0QZZZtRr1c/i4VwPU MAVqCORkGpc6W6LLiTITLphe7X0NHb7e41n8J06tPh1a6GmRYRJCy41c F26Bf6GcEJBpNTvlNuirimbhvjL4Ax+FHBe5MA/Tjp4K1AeUIA0ibBVI 20o14zUqSsph67/Snz9fdpJ/dsvP9QwTNLTKR6Jxofi/ArWEBEheXsm+ pkZTRA==
ietf.org.		770	IN	NSEC	_dmarc.ietf.org. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY SPF
wwwtest.ietf.org.	770	IN	RRSIG	NSEC 5 3 1800 20221019015021 20211019005139 40452 ietf.org. regwKawm6O9BAaHVyBICHjPlGiwDWoXO8OaqH4zJOOgAglrAMXajbEmx XHJsbq3DVEVGkU8NSQJxmGYjklyKzmMbIBpt7+RaXKT7WIGd/zRjSlnI gWSztB6gWTMQq98vQKeFgrt5X8a10p6C36gtJh5sGFq8FpiAvKoKuGO8 tyWKxux7pEQhlhTySr7ipRe8qmGDpy4H+8bkGqvJ7UJ0f3A366bZyD2Q XLdTG4DUrNWt8wKK0FiL2851PegU8FdQb0IXOlBHNF6qXiKCIhBLbK4W 3O3UYKsNLhYPBYuWNGZQ2mlEsfgUC9ddBU1trmMEObm3E+1tR/jemSYA uF+S7Q==
wwwtest.ietf.org.	770	IN	NSEC	xml2rfc.ietf.org. CNAME RRSIG NSEC
```
The returned NSEC records show that both `wwwwwwww.ietf.org.` and `*.ietf.org.` do not exist; therefore, it is a name error.

---

However, it is very hard to find examples for case 3 and case 4:
3. Wildcard Answer
4. Wildcard No Data

It requires the zone to be configured with a wildcard record and signed with DNSSEC. One example I can find, but not what I want, is:
```
dig "*.cloudflare.com." NSEC +dnssec +cdflag +tcp
```

The response is
```
;; QUESTION SECTION:
;*.cloudflare.com.		IN	NSEC

;; ANSWER SECTION:
*.cloudflare.com.	300	IN	NSEC	\000.*.cloudflare.com. RRSIG NSEC
*.cloudflare.com.	300	IN	RRSIG	NSEC 13 2 300 20211023002134 20211020222134 34505 cloudflare.com. D06CbZi5aXMm55fhhqbQNKqGmE0euonIGE8hcVFvIbdqIbZ2d6JnkeWN k76JTLMphqS1KOGVIkI58xoChnxrMQ==
```

This seems like a wildcard response. However, when I send a query for a name that I think should match the wildcard, a non-wildcard response is sent back:

```
dig "IThinkItShouldNeverExist.cloudflare.com." NSEC +dnssec +cdflag +tcp

; <<>> DiG 9.10.6 <<>> IThinkItShouldNeverExist.cloudflare.com. NSEC +dnssec +cdflag +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19174
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;IThinkItShouldNeverExist.cloudflare.com. IN NSEC

;; ANSWER SECTION:
IThinkItShouldNeverExist.cloudflare.com. 300 IN	NSEC \000.ithinkitshouldneverexist.cloudflare.com. RRSIG NSEC
IThinkItShouldNeverExist.cloudflare.com. 300 IN	RRSIG NSEC 13 3 300 20211023002429 20211020222429 34505 cloudflare.com. FbjDF2mF4pQrGJTDS/Ylo3ObhmrQUN7Jw601m/hz2A9nO4ZzOXfTR5ue G1CKy37Q9NuX7zBm8qyCnQbntO/q6w==

;; Query time: 4 msec
```

Note that the `labels` field of the RRSIG is 3, instead of the 2 seen in the wildcard answer above, which means this record is created using online signing, I guess? Therefore it is not what I expect to see.

---

Could you give me some real world examples that contain DNSSEC Secure `Wildcard Answer` or `Wildcard No Data` as described by [RFC4035 3.1.3.  Including NSEC RRs in a Response](https://datatracker.ietf.org/doc/html/rfc4035#section-3.1.3)?

Thanks.

--
Joey Deng
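As an added example that is not part of the original post (and not code from the DNSOP list or from the Apple or Cloudflare operators it mentions), the script below applies the RFC 4035 section 3.1.3 rules to a reply and names which of the four NSEC cases it is. It uses no DNS library: the `NSEC` and `RRSIG` values are transcribed by hand from the `dig` output quoted in the message (TTLs and signature data dropped), and the `example.` zone used for the two wildcard cases, the `foo.example.` query name, and the function names are constructed for the example. The `wildcard_expanded` check is the one the post reasons about: an RRSIG whose Labels field is smaller than the owner name's label count was made over a wildcard, so the cloudflare.com reply with Labels 3 on a three-label name is an ordinary (online-signed) answer rather than a wildcard expansion, exactly as the post observes. Only NSEC (not NSEC3) is handled, and DS and delegation corner cases are left out.

```python
"""Classify a DNSSEC NSEC reply into the four RFC 4035 s3.1.3 cases.
Added example, not from the mailing-list post; pure Python, no DNS library.
Records below are transcribed from the dig output in the message, plus a
constructed `example.` zone for the wildcard cases.  NSEC only (not NSEC3);
DS/delegation corner cases are ignored."""
from __future__ import annotations
from dataclasses import dataclass

def label_bytes(label: str) -> bytes:
    """Decode RFC 1035 \\DDD escapes and lower-case ASCII (RFC 4034 s6.2 canonical form)."""
    out, i = bytearray(), 0
    while i < len(label):
        if label[i] == "\\" and label[i + 1:i + 4].isdigit():
            out.append(int(label[i + 1:i + 4]))
            i += 4
        else:
            out.append(ord(label[i].lower()))
            i += 1
    return bytes(out)

def canon(name: str) -> tuple[bytes, ...]:
    """Canonical ordering key (RFC 4034 s6.1): labels compared from the root down."""
    return tuple(label_bytes(p) for p in reversed(name.rstrip(".").split(".")) if p)

def name_labels(name: str) -> int:
    """Label count as the RRSIG Labels field counts it: no root label, no leading '*'."""
    parts = [p for p in name.rstrip(".").split(".") if p]
    return len(parts) - (1 if parts and parts[0] == "*" else 0)

def wildcard_expanded(owner: str, sig_labels: int) -> bool:
    """True when the RRSIG was made over a wildcard and expanded to `owner` (RFC 4035 s5.3.4)."""
    return sig_labels < name_labels(owner)

@dataclass(frozen=True)
class NSEC:
    owner: str
    next: str
    types: frozenset[str]

    def matches(self, name: str) -> bool:
        return canon(self.owner) == canon(name)

    def covers(self, name: str) -> bool:
        o, n, q = canon(self.owner), canon(self.next), canon(name)
        return o < q < n if o < n else (q > o or q < n)  # last NSEC wraps around to the apex

@dataclass(frozen=True)
class RRSIG:
    owner: str         # name the signature is attached to in the reply
    type_covered: str
    labels: int        # the RRSIG Labels field

def closest_encloser(qname: str, nsec: NSEC) -> str:
    """Longest ancestor of qname shared with the covering NSEC's owner or next name."""
    q, best = canon(qname), ()
    for other in (canon(nsec.owner), canon(nsec.next)):
        k = 0
        while k < min(len(q), len(other)) and q[k] == other[k]:
            k += 1
        best = max(best, q[:k], key=len)
    return ".".join(b.decode("latin-1") for b in reversed(best)) + "."

def classify(qname: str, qtype: str, answer: list[RRSIG], nsecs: list[NSEC]) -> str:
    sigs = [s for s in answer if canon(s.owner) == canon(qname) and s.type_covered in (qtype, "CNAME")]
    if sigs:
        if not any(wildcard_expanded(s.owner, s.labels) for s in sigs):
            return "Positive Answer (no wildcard expansion)"
        # s3.1.3.3: a wildcard answer must also prove that qname itself does not exist
        if any(n.covers(qname) for n in nsecs):
            return "Wildcard Answer"
        return "Bogus: wildcard expansion without an NSEC covering the query name"
    exact = [n for n in nsecs if n.matches(qname)]
    if exact:  # s3.1.3.1: the name exists, so the type must be absent from its bitmap
        return "No Data" if qtype not in exact[0].types else "Bogus: bitmap lists the type"
    covering = [n for n in nsecs if n.covers(qname)]
    if not covering:
        return "Bogus: no NSEC matches or covers the query name"
    wildcard = "*." + closest_encloser(qname, covering[0])
    for n in nsecs:
        if n.matches(wildcard):  # s3.1.3.4: the wildcard exists but lacks the type
            return "Wildcard No Data" if qtype not in n.types else "Bogus: wildcard has the type"
    if any(n.covers(wildcard) for n in nsecs):  # s3.1.3.2: neither qname nor the wildcard exists
        return "Name Error"
    return f"Bogus: {wildcard} neither matched nor covered"

# Transcribed from the dig output in the message (TTLs and signatures dropped).
NODATA_NSEC = [NSEC("www.ietf.org.cdn.cloudflare.net.", r"\000.www.ietf.org.cdn.cloudflare.net.",
                    frozenset("A HINFO TXT AAAA LOC SRV NAPTR CERT SSHFP RRSIG NSEC TLSA SMIMEA "
                              "HIP OPENPGPKEY TYPE64 TYPE65 SPF URI CAA".split()))]
NXDOMAIN_NSECS = [NSEC("ietf.org.", "_dmarc.ietf.org.", frozenset("A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY SPF".split())),
                  NSEC("wwwtest.ietf.org.", "xml2rfc.ietf.org.", frozenset("CNAME RRSIG NSEC".split()))]
# Constructed, not from the message: zone `example.` with a wildcard A record; its NSEC chain
# runs example. -> *.example. -> www.example. -> example., and this is the middle link.
WILDCARD_NSEC = NSEC("*.example.", "www.example.", frozenset("A RRSIG NSEC".split()))

def demo() -> dict[str, str]:
    """The four RFC cases plus the online-signed cloudflare.com reply shown in the message."""
    return {
        "nodata": classify("www.ietf.org.cdn.cloudflare.net.", "MX", [], NODATA_NSEC),
        "nxdomain": classify("wwwwwwww.ietf.org.", "AAAA", [], NXDOMAIN_NSECS),
        "wildcard_answer": classify("foo.example.", "A", [RRSIG("foo.example.", "A", 1)], [WILDCARD_NSEC]),
        "wildcard_nodata": classify("foo.example.", "MX", [], [WILDCARD_NSEC]),
        "online_signed": classify("IThinkItShouldNeverExist.cloudflare.com.", "NSEC",
                                  [RRSIG("IThinkItShouldNeverExist.cloudflare.com.", "NSEC", 3)], []),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16} -> {verdict}")
```

Two details matter when reading real replies with this. Canonical ordering (RFC 4034 section 6.1) compares names label by label from the root, with labels as lower-cased octet strings, which is why `*.ietf.org.` (0x2a) sorts between `ietf.org.` and `_dmarc.ietf.org.` (0x5f) and the Name Error proof in the message works. And the classifier only checks the logical shape of the proof: a real validator must also verify every RRSIG against a DNSKEY chained from a trust anchor before trusting any of these verdicts, since an unsigned or mis-signed NSEC proves nothing.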