1.1.1.1 incorrectly resolves a BOGUS domain

I have found another instance where Cloudflare incorrectly resolves a BOGUS domain, à la “1.1.1.1 BUG: fails validating basic DNSSEC [FIXED]”.
This is from the “Test your connection” on https://internet.nl/. The DNSSEC test fails for Cloudflare. After investigating I noticed that the domain used in the test xxxxxxxxxx.bogus.conn.test-ns-signed.internet.nl always resolves using Cloudflare, even though it’s BOGUS. DNSViz and DiG output can be found below for several other resolvers, which return a SERVFAIL. @mvavrusa could you check this one out as well?

DNSViz

Cloudflare

[email protected] ~ % dig @1.1.1.1 27a338a67ae442e3bfb1980ef98a2285.bogus.conn.test-ns-signed.internet.nl

; <<>> DiG 9.10.6 <<>> 27a338a67ae442e3bfb1980ef98a2285.bogus.conn.test-ns-signed.internet.nl @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28697
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;27a338a67ae442e3bfb1980ef98a2285.bogus.conn.test-ns-signed.internet.nl.	IN A

;; ANSWER SECTION:
27a338a67ae442e3bfb1980ef98a2285.bogus.conn.test-ns-signed.internet.nl.	3600 IN	A 62.204.66.10

;; Query time: 28 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Oct 07 11:57:35 CEST 2021
;; MSG SIZE  rcvd: 115

Google

[email protected] ~ % dig @8.8.8.8 27a338a67ae442e3bfb1980ef98a2285.bogus.conn.test-ns-signed.internet.nl

; <<>> DiG 9.10.6 <<>> 27a338a67ae442e3bfb1980ef98a2285.bogus.conn.test-ns-signed.internet.nl @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34354
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;27a338a67ae442e3bfb1980ef98a2285.bogus.conn.test-ns-signed.internet.nl.	IN A

;; Query time: 34 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Oct 07 11:59:17 CEST 2021
;; MSG SIZE  rcvd: 99

Quad9

[email protected] ~ % dig @9.9.9.9 27a338a67ae442e3bfb1980ef98a2285.bogus.conn.test-ns-signed.internet.nl 
; <<>> DiG 9.10.6 <<>> 27a338a67ae442e3bfb1980ef98a2285.bogus.conn.test-ns-signed.internet.nl @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 468
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; OPT=15: 00 0a ("..")
;; QUESTION SECTION:
;27a338a67ae442e3bfb1980ef98a2285.bogus.conn.test-ns-signed.internet.nl.	IN A

;; Query time: 33 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Thu Oct 07 11:59:26 CEST 2021
;; MSG SIZE  rcvd: 105

OpenDNS

[email protected] ~ % dig @208.67.222.222 27a338a67ae442e3bfb1980ef98a2285.bogus.conn.test-ns-signed.internet.nl

; <<>> DiG 9.10.6 <<>> 27a338a67ae442e3bfb1980ef98a2285.bogus.conn.test-ns-signed.internet.nl @208.67.222.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17679
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;27a338a67ae442e3bfb1980ef98a2285.bogus.conn.test-ns-signed.internet.nl.	IN A

;; Query time: 47 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Thu Oct 07 11:59:34 CEST 2021
;; MSG SIZE  rcvd: 99

1 Like

Thanks! Hmm, this seems to be related to qname minimization. I’ll open a ticket to track this!

This is scheduled to go out this week. The bug is not checking for the opt-out bit, as otherwise NSEC3s from the child zone can be used for the DS denial proof in this particular case (potential insecure child zone).

2 Likes
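The Opt-Out rule described in the reply above, shown as an added example that is not part of this thread and not Cloudflare's or Knot Resolver's code: a small Python validator for the RFC 5155 section 8.9 "unsigned delegation" proof (with the RFC 6840 section 4.4 SOA-bit check). Zone names, NSEC3 chains and the random label are constructed; the demo assumes an empty salt and zero iterations for every record. It shows why a covering NSEC3 without the Opt-Out flag must not be taken as a DS-denial proof: in the child zone every nonexistent name is covered by some NSEC3, so without the flag check a name like the internet.nl test label looks like a "potential insecure child zone" and validation is skipped.

```python
import hashlib

OPT_OUT = 0x01  # NSEC3 Flags field, RFC 5155 section 3.1.2.1
B32HEX = "0123456789abcdefghijklmnopqrstuv"


def wire_name(name):
    """Canonical wire-format owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5: IH(salt,x,0)=H(x||salt); IH(salt,x,k)=H(IH(salt,x,k-1)||salt). Raw bytes."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


def b32hex(digest):
    """Presentation form of a 20-byte NSEC3 hash (Base32hex, no padding needed for 160 bits)."""
    n = int.from_bytes(digest, "big")
    return "".join(B32HEX[(n >> (5 * (31 - i))) & 31] for i in range(32))


class NSEC3:
    def __init__(self, zone, owner, nxt, flags, types):
        self.zone, self.owner, self.next, self.flags, self.types = zone, owner, nxt, flags, frozenset(types)

    def matches(self, h):
        return h == self.owner

    def covers(self, h):
        if self.owner < self.next:
            return self.owner < h < self.next
        return h > self.owner or h < self.next  # last record wraps around to the first


def build_chain(zone, names, types_by_name, flags=0):
    """Constructed test data: a complete NSEC3 chain for `zone` over the given names."""
    hashed = sorted((nsec3_hash(n), n) for n in names)
    return [NSEC3(zone, h, hashed[(i + 1) % len(hashed)][0], flags, types_by_name.get(n, set()))
            for i, (h, n) in enumerate(hashed)]


def parent_of(name):  # names are fully qualified with a trailing dot
    return ".".join(name.split(".")[1:])


def proves_insecure_delegation(name, zone, nsec3s, check_opt_out=True):
    """Does this NSEC3 set prove `name` is an unsigned delegation from `zone`? -> (verdict, reason)."""
    rrs = [r for r in nsec3s if r.zone == zone]  # only the parent zone's own NSEC3s may be used
    h = nsec3_hash(name)
    for r in rrs:
        if r.matches(h):
            ok = "NS" in r.types and "DS" not in r.types and "SOA" not in r.types
            return ok, ("matching NSEC3 proves NS without DS" if ok
                        else "matching NSEC3 has DS or SOA set, or lacks NS")
    # No match: closest encloser proof, then the Opt-Out flag on the record covering the next closer name.
    ce, next_closer = parent_of(name), name
    while not any(r.matches(nsec3_hash(ce)) for r in rrs):
        if ce == zone or ce == ".":
            return False, "no closest encloser proof"
        ce, next_closer = parent_of(ce), ce
    cover = next((r for r in rrs if r.covers(nsec3_hash(next_closer))), None)
    if cover is None:
        return False, "next closer name %s is not covered" % next_closer
    if check_opt_out and not cover.flags & OPT_OUT:
        return False, ("covering NSEC3 lacks Opt-Out: this proves %s does not exist, "
                       "not that it is an unsigned delegation" % next_closer)
    return True, "closest encloser %s matched, next closer %s covered by an Opt-Out NSEC3" % (ce, next_closer)


# Constructed zones: an Opt-Out parent with a signed (DS-bearing) child, and the child's own chain.
PARENT, CHILD = "example.test.", "bogus.example.test."
RANDOM = "random1234." + CHILD  # nonexistent name inside the child zone, like the test label in the thread
PARENT_CHAIN = build_chain(PARENT, [PARENT, CHILD],
                           {PARENT: {"SOA", "NS", "DNSKEY", "NSEC3PARAM"}, CHILD: {"NS", "DS"}},
                           flags=OPT_OUT)
CHILD_CHAIN = build_chain(CHILD, [CHILD, "www." + CHILD],
                          {CHILD: {"SOA", "NS", "DNSKEY", "NSEC3PARAM"}, "www." + CHILD: {"A"}})


def demo():
    return {
        "child is signed (DS present)": proves_insecure_delegation(CHILD, PARENT, PARENT_CHAIN)[0],
        "unsigned delegation under opt-out parent":
            proves_insecure_delegation("unsigned." + PARENT, PARENT, PARENT_CHAIN)[0],
        "buggy: covered name taken as insecure delegation":
            proves_insecure_delegation(RANDOM, CHILD, CHILD_CHAIN, check_opt_out=False)[0],
        "fixed: covered name without Opt-Out is not a delegation":
            proves_insecure_delegation(RANDOM, CHILD, CHILD_CHAIN)[0],
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-60s %s" % (case, verdict))
```

The third and fourth cases are the regression: with `check_opt_out=False` the child zone's ordinary NSEC3 chain "proves" an insecure delegation at the random name, so a validator would stop validating below it and hand back the bogus answer; with the flag check the same records only prove the name does not exist, and the zone stays signed (and therefore bogus). The Base32hex helper lets you compare hashes against DNSViz or `dig` output in presentation form.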

I’m really interested in how these bugs appear in 1.1.1.1, as I thought it was based on Knot Resolver (and hey, you are the main developer of Knot Resolver! Nice, I did not know that :iseewhatyoudidthere:). I have tried kresd versions 2.4.0 up until 5.4.1 and am not able to reproduce this bug – the domain never resolves:

DNSSEC validation failure d6f0133f9c9c4132ab74d0cde9efdcf4.bogus.conn.test-ns-signed.internet.nl. RRSIG

Could you tell me what the differences are between Knot Resolver and 1.1.1.1? (and why you are not able to backport changes from kresd into 1.1.1.1?)

I haven’t been in a long time, but it’s in capable hands. There are too many; it’s an entirely new architecture, so it’s difficult to backport or transfer patches. Especially the logic around child zone discovery and lazy revalidation is much different, so the edge cases are different. We usually manage to catch regressions with comparison tests, but for these test sites there’s not enough traffic to show up, as it’s not a common scenario. So we must do a better job unit testing, particularly around the NSEC3 edge cases, as this broke when we added a workaround for something else a few weeks back.

1 Like