DNSSEC validation failures


#1

I’m having issues with local DNSSEC validation failing for some domains when using 1.1.1.1. It looks like DS record queries for some domains with CNAME records are sometimes incorrectly returning the result for the CNAME target instead of the label, which breaks validation. This appears to be a result of an error in the cache algorithm (see the npm.community tests).

This is an issue with npm.community and, ironically, is-cf.cloudflareresolve.com (probably among many others).

npm.community queries: https://pastebin.com/FvBTGhNj
is-cf queries: https://pastebin.com/rx4y8eRF


#2

Knot Resolver has a bug open about that:

Ultimately zone apex CNAMEs are illegal and npm.community needs to be changed, but resolvers usually do tolerate it.

You’ve got me there. That’s not the zone apex, so it seems to be a different issue. Maybe there’s something with how it’s implemented.

The response has the AD bit but the CNAME seems to have no RRSIG.

It’s difficult to use DNSSEC for that kind of special case… It might be most practical to solve the problem by disabling it.
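
To make the two symptoms in this thread concrete (post #1’s DS answer that belongs to the CNAME target rather than the queried label, and post #2’s AD bit set on a response whose CNAME carries no RRSIG), here is an added checker. It is not part of the thread, of Cloudflare’s resolver, or of Knot Resolver; it parses a raw DNS response using only the Python standard library and flags both conditions. The names www.example.test and cdn.example.net, the DS and RRSIG rdata, and the two responses are constructed for illustration, not captured from 1.1.1.1.

```python
"""Flag two DS-query symptoms from a raw DNS response (added example):
  1. a DS answer whose owner is the CNAME target, not the queried label
  2. the AD bit set although the CNAME RRset has no covering RRSIG
Pure standard library; the sample messages below are constructed, not captured."""
import struct

QR, AD = 0x8000, 0x0020                      # header flag bits (QR, Authentic Data)
TYPE = {"CNAME": 5, "DS": 43, "RRSIG": 46}   # RR type codes used here
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as uncompressed DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, qtype, answers, ad):
    """Build a minimal one-question response; answers = [(owner, type_name, rdata)]."""
    flags = QR | (AD if ad else 0)
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE[qtype], CLASS_IN)
    for owner, rtype, rdata in answers:
        msg += encode_name(owner)
        msg += struct.pack("!HHIH", TYPE[rtype], CLASS_IN, 300, len(rdata)) + rdata
    return msg


def decode_name(msg, off):
    """Decode a name at off, following compression pointers; returns (name, next_off)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # compression pointer to earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels).lower(), end


def parse_response(msg):
    """Parse header, the single question, and the answer section (no authority/additional)."""
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    off += 4                                     # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((owner, rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"ad": bool(flags & AD), "qname": qname, "qtype": qtype, "answers": answers}


def check_ds_response(msg):
    """Return a list of findings for a DS-query response; an empty list means no symptom."""
    r = parse_response(msg)
    if r["qtype"] != TYPE["DS"]:
        return ["not a DS query"]
    qname, findings, covered = r["qname"], [], {}
    for owner, rtype, rdata in r["answers"]:    # RRSIG rdata starts with the type covered
        if rtype == TYPE["RRSIG"]:
            covered.setdefault(owner, set()).add(struct.unpack("!H", rdata[:2])[0])
    for owner, rtype, _rdata in r["answers"]:
        if rtype == TYPE["DS"] and owner != qname:
            findings.append(f"DS answer is for {owner}, not the queried label {qname}")
        if rtype == TYPE["CNAME"] and r["ad"] and TYPE["CNAME"] not in covered.get(owner, set()):
            findings.append(f"AD bit set but CNAME at {owner} has no RRSIG")
    return findings


# Constructed sample data (hypothetical names, dummy DS digest and RRSIG fields).
QNAME, TARGET = "www.example.test", "cdn.example.net"
FAKE_DS = struct.pack("!HBB", 12345, 13, 2) + bytes(32)        # key tag, alg, digest type, digest
FAKE_RRSIG_DS = struct.pack("!H", TYPE["DS"]) + bytes(16)       # type covered + dummy remainder

# Symptom: resolver followed the CNAME and returned the target's DS, with AD set and no RRSIG.
BAD = build_response(QNAME, "DS", [(QNAME, "CNAME", encode_name(TARGET)),
                                   (TARGET, "DS", FAKE_DS)], ad=True)
# Sane: DS at the queried label with its RRSIG.
GOOD = build_response(QNAME, "DS", [(QNAME, "DS", FAKE_DS), (QNAME, "RRSIG", FAKE_RRSIG_DS)], ad=True)

if __name__ == "__main__":
    for label, msg in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, check_ds_response(msg) or "no findings")
```

To use it on live data, pass `check_ds_response` the raw bytes of a DS response read from a UDP or TCP socket; the checker only inspects the answer section and the AD flag, so it does not replace real validation, it just makes the thread’s two observations mechanically visible.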


#3

I was suspicious about npm.community. I wonder if it’s possible that is-cf.cloudflareresolve.com is also an apex CNAME internally and we just can’t see it, since its whole purpose is to be only available through 1.1.1.1. That would explain why it has the same behavior. If someone at Cloudflare could take a look at is-cf, is-doh, and is-dot to check, that would be great. Luckily those are just test domains, but it does throw off the results of https://cloudflare-dns.com/help/ for anyone who is using a validating resolver.

PS: Thanks for the link to the bug report! I guess npm.community should be added to the list of problem domains there too.