1.1.1.1 Stopped Validating Certain DNSSEC Algorithms, Including Their Own

1.1.1.1 randomly seems to validate Digest Type 2 (SHA-256) Algorithm 14 (ECDSA Curve P-384 with SHA-384) DNSSEC signed domains.

[email protected] ~ % dig bogus.d2a14n3.rootcanary.net @1.1.1.1

; <<>> DiG 9.10.6 <<>> bogus.d2a14n3.rootcanary.net @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28605
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;bogus.d2a14n3.rootcanary.net.	IN	A

;; ANSWER SECTION:
bogus.d2a14n3.rootcanary.net. 8	IN	A	145.97.20.17

;; Query time: 16 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Oct 17 15:06:07 CEST 2021
;; MSG SIZE  rcvd: 73
[email protected] ~ % dig bogus.d2a14n3.rootcanary.net @1.1.1.1

; <<>> DiG 9.10.6 <<>> bogus.d2a14n3.rootcanary.net @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27453
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 06 ("..")
;; QUESTION SECTION:
;bogus.d2a14n3.rootcanary.net.	IN	A

;; Query time: 23 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Oct 17 15:06:07 CEST 2021
;; MSG SIZE  rcvd: 63

With a little test you can see that approximately one out of three requests does not validate it.

for i in {1..100}; do echo $i: $(dig +short bogus.d2a14n3.rootcanary.net @1.1.1.1); done

Further investigation shows that the following servers do not validate DS2 ALG14 (from AMS location):

20m131
20m145
20m152
20m164
20m182
20m183
20m186
20m189
20m200
20m204
20m207
20m208
20m213
20m223
20m226
20m228
20m236
20m244
20m253
20m254
20m270
20m272
20m281
20m286
20m300
20m369
20m370
20m371
20m372
20m373
20m374
20m379
20m382
20m386
20m388
20m392
20m394
20m395
20m397
20m398
20m400
20m403
20m404
20m405
20m410
20m412
20m415
20m417
20m419
20m420
20m424
20m426
20m428
20m429
20m430
20m433
20m435
20m441
20m443
20m445
20m447
20m448
20m450
20m453
20m454
20m455
20m457
20m458
20m460
20m461
20m463
20m465
20m466
20m467
20m468
20m470
20m472
20m474
20m475
20m476
20m478
20m480
20m484
20m486
20m488
20m490
20m491
20m492
20m494
20m497
20m501
20m502
20m503
20m506
20m507
20m508
20m510
20m511
20m512
20m513
20m515
20m516
20m519
20m522
20m523
20m525
20m526
20m527
20m528
20m529
20m530
20m532
20m540
20m546
20m547
20m548
20m549
20m550
20m551
20m552
20m554
20m555
20m556
20m560
20m561
20m563
20m564
20m565
20m566
20m571
20m572
20m573
20m575
20m576
20m578
20m579
20m580
20m583
20m584
20m586
20m588
20m591
20m593
20m594
20m595
20m597
20m599
20m600
20m601
20m604
20m607
20m608
20m613
20m618
20m619
20m620
20m621
20m629
20m631
20m636
20m637
20m638
20m639
20m640
20m642
20m644
20m646
20m649
20m650
20m651
20m654
20m655
20m657
20m658
20m659
20m660
20m663
20m665
20m666
20m667
20m668
20m671
20m672
20m673
20m675
20m676
20m685
20m689
20m690
20m693
20m701
20m705
20m706
20m708
20m718
20m719
20m723
20m724
20m726
20m727
20m728
20m730
20m732
20m734
20m735
20m736
20m737
20m739
20m740
20m741

And the following servers do:

20m128
20m140
20m146
20m153
20m165
20m185
20m191
20m192
20m195
20m196
20m197
20m199
20m203
20m205
20m209
20m211
20m216
20m217
20m218
20m220
20m221
20m227
20m229
20m230
20m231
20m233
20m246
20m247
20m249
20m251
20m252
20m255
20m259
20m261
20m262
20m271
20m277
20m278
20m280
20m282
20m284
20m290
20m291
20m297
20m371
20m376
20m377
20m380
20m381
20m383
20m384
20m386
20m387
20m388
20m389
20m390
20m393
20m394
20m395
20m396
20m399
20m401
20m403
20m405
20m410
20m411
20m412
20m414
20m415
20m416
20m418
20m422
20m423
20m427
20m429
20m430
20m432
20m433
20m434
20m436
20m437
20m438
20m440
20m442
20m445
20m446
20m447
20m449
20m450
20m451
20m452
20m453
20m454
20m461
20m462
20m463
20m464
20m465
20m466
20m467
20m473
20m474
20m477
20m480
20m482
20m485
20m489
20m490
20m491
20m492
20m493
20m496
20m498
20m500
20m504
20m505
20m508
20m510
20m512
20m514
20m515
20m518
20m520
20m521
20m522
20m527
20m534
20m535
20m536
20m537
20m538
20m539
20m540
20m541
20m542
20m543
20m546
20m547
20m550
20m552
20m553
20m555
20m557
20m558
20m559
20m560
20m562
20m563
20m564
20m568
20m569
20m576
20m577
20m580
20m581
20m582
20m589
20m590
20m591
20m592
20m595
20m596
20m597
20m602
20m605
20m606
20m609
20m610
20m611
20m612
20m613
20m615
20m617
20m619
20m620
20m622
20m624
20m625
20m627
20m628
20m629
20m630
20m632
20m633
20m635
20m643
20m644
20m645
20m646
20m647
20m648
20m652
20m653
20m655
20m656
20m657
20m658
20m663
20m664
20m665
20m667
20m668
20m669
20m670
20m671
20m672
20m673
20m674
20m676
20m683
20m684
20m685
20m698
20m701
20m703
20m705
20m709
20m717
20m720
20m721
20m722
20m725
20m726
20m727
20m729
20m731
20m735
20m736
20m737
20m738

Update: this also seems to happen with SHA-256/ECDSA-P256-SHA256 (Digest Type 2, Algorithm 13).

And now it happens to SHA-256/ED25519 (Digest Type 2, Algorithm 15) too. Is some change propagating?
Edit: also SHA-384/RSA-SHA256 (Digest Type 4, Algorithm 8).
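To turn the loop above into something a monitoring job can act on, the following added example (my code, not from the thread or from Cloudflare) parses captured dig output for a deliberately bogus test name, decodes the Extended DNS Error option (EDNS option 15, RFC 8914) that the SERVFAIL response carries, and tallies how often the resolver served the bogus answer instead of rejecting it. The two sample responses are constructed from the dig transcripts in the post; the label decoder only reads the d<digest>a<algorithm> prefix that the thread pairs with "Digest Type N, Algorithm M", and leaves the trailing n3 suffix undecoded.

```python
"""Classify a resolver's answers for a known-bogus DNSSEC test name.

Added example, not code from the thread. A validating resolver must answer
SERVFAIL for a deliberately broken signature chain; NOERROR with address
records means the answer was served without validation (fail-open).
"""
import re
from collections import Counter

# RFC 8914 Extended DNS Error info-codes relevant to DNSSEC validation.
EDE_CODES = {
    1: "Unsupported DNSKEY Algorithm",
    2: "Unsupported DS Digest Type",
    5: "DNSSEC Indeterminate",
    6: "DNSSEC Bogus",
    7: "Signature Expired",
    8: "Signature Not Yet Valid",
    9: "DNSKEY Missing",
    10: "RRSIGs Missing",
}

# IANA DS digest types and DNSKEY algorithm numbers named in the thread.
DS_DIGESTS = {1: "SHA-1", 2: "SHA-256", 4: "SHA-384"}
DNSKEY_ALGS = {8: "RSA/SHA-256", 13: "ECDSA P-256/SHA-256",
               14: "ECDSA P-384/SHA-384", 15: "Ed25519", 16: "Ed448"}

STATUS_RE = re.compile(r"status: (\w+)")
# dig prints the option payload as space-separated hex bytes; EDE's
# info-code is the first two bytes, big-endian.
EDE_RE = re.compile(r"OPT=15: ([0-9a-f]{2}) ([0-9a-f]{2})")
ANSWER_RE = re.compile(r"^\S+\.\s+\d+\s+IN\s+A\s+(\S+)$", re.MULTILINE)

# Constructed samples, trimmed from the shape of the dig output in the post.
SAMPLE_NOERROR = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28605
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 1232
;bogus.d2a14n3.rootcanary.net.  IN  A
bogus.d2a14n3.rootcanary.net. 8 IN  A   145.97.20.17
"""
SAMPLE_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27453
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 06 ("..")
;bogus.d2a14n3.rootcanary.net.  IN  A
"""
SAMPLE_RESPONSES = [SAMPLE_NOERROR, SAMPLE_SERVFAIL, SAMPLE_SERVFAIL]


def parse_dig(output):
    """Extract rcode, A-record answers and the decoded EDE code from dig text."""
    m = STATUS_RE.search(output)
    rcode = m.group(1) if m else None
    m = EDE_RE.search(output)
    ede = int(m.group(1) + m.group(2), 16) if m else None
    return {"rcode": rcode, "answers": ANSWER_RE.findall(output),
            "ede": ede, "ede_text": EDE_CODES.get(ede)}


def classify_bogus_response(parsed):
    """For a name whose chain is deliberately bogus, say what the resolver did."""
    if parsed["rcode"] == "SERVFAIL":
        return "validated"        # bogus data correctly rejected
    if parsed["rcode"] == "NOERROR" and parsed["answers"]:
        return "not_validated"    # bogus data served: validation was skipped
    return "inconclusive"         # timeout, REFUSED, empty answer, etc.


def describe_test_label(label):
    """Decode the d<digest>a<alg> prefix of a label such as 'd2a14n3'."""
    m = re.match(r"d(\d+)a(\d+)", label)
    if not m:
        raise ValueError(f"unrecognised test label: {label}")
    digest, alg = int(m.group(1)), int(m.group(2))
    return (DS_DIGESTS.get(digest, f"digest {digest}"),
            DNSKEY_ALGS.get(alg, f"algorithm {alg}"))


def summarize(outputs):
    """Tally repeated queries for one bogus name; return counts and fail-open rate."""
    counts = Counter(classify_bogus_response(parse_dig(o)) for o in outputs)
    total = sum(counts.values())
    rate = counts["not_validated"] / total if total else 0.0
    return dict(counts), rate


if __name__ == "__main__":
    print(describe_test_label("d2a14n3"))
    print(parse_dig(SAMPLE_SERVFAIL)["ede_text"])
    print(summarize(SAMPLE_RESPONSES))
```

In practice you would feed `summarize()` the output of the thread's `dig` loop (one full `dig` transcript per query, without `+short`, so the header and EDE option survive); a non-zero fail-open rate for a bogus test name, or an EDE code of 1 or 2 where the resolver previously validated that algorithm, is the signal worth alerting on.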

I’ll ping the DNS wizards for you, @mvavrusa @kmklapak

Something is definitely going on: d2a14 (Digest Type 2, Algorithm 14) and d2a13 (Digest Type 2, Algorithm 13) were not validated by 30% of the 1.1.1.1 resolvers in my first post; now it’s up to 80%. This is a problem because all the Cloudflare-enabled DNSSEC sites use d2a13 (from what I’ve seen) and thus are not able to be validated by 1.1.1.1 anymore!

I’m not able to reproduce it right now. Looking at the delegation chain, it might be the same issue as "1.1.1.1 incorrectly resolves a BOGUS domain - #5 by mvavrusa". Do you still see this happening?

It seems to be resolving normally now, very strange… Did any change happen in the past 3 days?

The deployment for the release containing the bugfix for the previous issue was rolled out.
