Re: [DNSOP] How Slack didn't turn on DNSSEC

Mark Andrews <> Wed, 01 December 2021 12:43 UTC

> On 1 Dec 2021, at 19:54, Vladimír Čunát <> wrote:
> On 01/12/2021 09.35, Mark Andrews wrote:
>> Also stop hiding this breakage. Knot and unbound ignore the NSEC records which trigger this when synthesising.
> Knot Resolver stopped treating minimally-covering NSEC* aggressively, but there are *two* different reasons.
> 1) breakages like this.  We hard-enabled aggressivity for NSEC and NSEC3 in 2018; at that point we felt very much in minority, and it was hard to convince others that it's them who's doing it wrong (say, F5 customers).
> 2) low benefits of aggressive caching in this case.  When the range covers basically a single name, the possible positive effect is very limited.  There are negative non-breaking effects as well, e.g. caching of approaches like [black-lies].  You also need to weight the (negligible) benefits against (small-ish) costs of aggressive cache-searching.
> [black-lies]

Accepting 'QNAME NSEC \000.QNAME NSEC RRSIG' (and other type maps) protects you from random QTYPE attacks.  It also makes 'black lies' work as intended.

The existing synth-from-dnssec code in BIND doesn't treat this pattern as special.  I'm arguing that special code for this isn't needed, and if it were put in it would be removed in the next production release cycle.

As for F5, we had been reporting issues like this as well.  That said, I believe they have now published workaround instructions for the old servers (add A and/or AAAA records to the backing zones to generate the correct NSEC type map), and in the new code you specify the type list for NSEC / NSEC3.  Presumably F5 add A and AAAA as appropriate to this if they are missing.  Hopefully HTTPS soon.

The issues with zone enumeration have been grossly exaggerated.  For most zones on the Internet there is no benefit in preventing enumeration and only costs as you leave yourself exposed to reflected random subdomain attacks.

> --Vladimir

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET:
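To make the point of the exchange concrete, here is an added illustration that is not part of the thread and not code from BIND, Knot Resolver or Unbound: a minimal resolver-side check, in the spirit of RFC 8198 aggressive NSEC use, that decides what a validating resolver may synthesise from cached NSEC records. It shows why a minimally-covering 'QNAME NSEC \000.QNAME' record needs no special handling: it still lets the resolver answer NODATA for any QTYPE absent from the type map (the random-QTYPE protection mentioned above), while its covering range is empty, so it can never synthesise an NXDOMAIN for a child name. Names, type maps and the `synthesize`/`is_minimally_covering` helpers are constructed for the example; the zone-membership checks a real resolver performs are omitted and noted in comments.

```python
"""Added example: NSEC-based answer synthesis in a caching resolver.
Not from any real resolver; names and records below are constructed."""
from dataclasses import dataclass


def parse_name(text: str) -> tuple:
    """Presentation-format name -> tuple of lowercase label bytes.
    Handles \\DDD decimal escapes (so "\\000.www.example." yields a
    leading zero-byte label) and an optional trailing dot."""
    labels, cur, i = [], bytearray(), 0
    while i < len(text):
        c = text[i]
        if c == "\\" and len(text[i + 1:i + 4]) == 3 and text[i + 1:i + 4].isdigit():
            cur.append(int(text[i + 1:i + 4]))
            i += 4
        elif c == "\\" and i + 1 < len(text):   # escaped literal character
            cur.append(ord(text[i + 1]))
            i += 2
        elif c == ".":
            if cur:
                labels.append(bytes(cur).lower())
                cur = bytearray()
            i += 1
        else:
            cur.append(ord(c))
            i += 1
    if cur:
        labels.append(bytes(cur).lower())
    return tuple(labels)


def canonical_key(name: tuple) -> tuple:
    """RFC 4034 s6.1 canonical ordering: compare labels right to left,
    byte-wise within a label, shorter prefix first. Reversing the label
    tuple lets Python's tuple comparison do exactly that."""
    return tuple(reversed(name))


@dataclass(frozen=True)
class Nsec:
    owner: tuple          # owner name (parsed)
    next: tuple           # next name in the NSEC chain (parsed)
    types: frozenset      # type bitmap, e.g. {"A", "AAAA", "RRSIG", "NSEC"}


def is_minimally_covering(rr: Nsec) -> bool:
    """True for the 'black lies' shape: next name is \\000.OWNER, the
    smallest possible name below the owner, so nothing can fall between."""
    return rr.next == (b"\x00",) + rr.owner


def synthesize(cache: list, qname: str, qtype: str):
    """Return 'NODATA', 'NXDOMAIN' or None (resolver must forward the query).
    Assumption: every NSEC in `cache` comes from the zone closest-enclosing
    qname; closest-encloser and wildcard checks are left out for brevity."""
    q = parse_name(qname)
    qk = canonical_key(q)
    for rr in cache:
        if rr.owner == q:
            # Owner matches: type map is authoritative for this name. Any
            # QTYPE not listed is provably absent, whatever the next name is.
            return None if qtype in rr.types else "NODATA"
        ok, nk = canonical_key(rr.owner), canonical_key(rr.next)
        wraps = nk <= ok                        # last NSEC points back to the apex
        if (ok < qk < nk) or (wraps and qk > ok):
            return "NXDOMAIN"                   # qname provably does not exist
    return None


# Constructed records: one 'black lies' style answer and one ordinary NSEC.
BLACK_LIES = Nsec(parse_name("www.example."), parse_name("\\000.www.example."),
                  frozenset({"A", "AAAA", "RRSIG", "NSEC"}))
ORDINARY = Nsec(parse_name("a.example."), parse_name("m.example."),
                frozenset({"A", "RRSIG", "NSEC"}))
CACHE = [BLACK_LIES, ORDINARY]

if __name__ == "__main__":
    for qn, qt in [("www.example.", "TXT"), ("www.example.", "A"),
                   ("foo.www.example.", "A"), ("c.example.", "A")]:
        print(f"{qn:22} {qt:5} -> {synthesize(CACHE, qn, qt)}")
```

Running the block shows the two behaviours side by side: the minimally-covering record yields NODATA for `www.example./TXT` and nothing at all for `foo.www.example.`, since the owner-to-next range is empty, while the ordinary `a.example. -> m.example.` record lets the resolver synthesise NXDOMAIN for `c.example.`. A resolver that simply drops minimally-covering NSEC records from its aggressive-cache lookups loses the first property without gaining anything on the second.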