Host is not resolved with DNSSEC


#1

Hi,
I can’t verify a host with DNSSEC when I use Cloudflare DNS.

Here the DNSSEC info is missing:
dig mailrelay3.frankfurt.postbank.de +dnssec +short @1.1.1.1
185.157.33.2

Google can do it:
dig mailrelay3.frankfurt.postbank.de +dnssec +short @8.8.8.8
185.157.33.2
A 7 4 0 20190116084157 20190109084157 59882 postbank.de. FRwZTaGfhI0a01wpgsa3F3SF3cBgD9vORfT/QSoPDjl5urX5M9aCUfyV dif/NoSj9Pxg7o05ENCJ4yfqctSty5i7P6TyOvmX39H0tqtOx1Tv8Lta BComVMueW0RJxaFrwDaUNzZINNnu/bj0rdasLmcReWfwVY6yUlD9HO/A gCQ=
A 7 4 0 20190117084144 20190110084144 10739 postbank.de. FbX6ud0GBZ60uDi26spml41HxqHmKRaeyGFKAizob1h7rjI4dfrxSRVc afSpuq2fIGe7bJpczu0qNHCKQBP9L2uKXsgquL6nefSav2Sqqoo3S6PF QrGRYzP7CDkrwUtWHGUZev3apBuHaa+QO0m2Jbq9Fl3XKlWGEVSoadDC ydg=

A check looks fine:
http://dnsviz.net/d/mailrelay3.frankfurt.postbank.de/dnssec/

What’s the problem?


#2

The problem is that postbank.de uses name servers that send responses that are subtly untrue (bad type bitmaps in NSEC3) that cause problems for resolvers implementing an extremely aggressive version of RFC 8198, "Aggressive Use of DNSSEC-Validated Cache". As far as I am aware, the only resolver that uses DNSSEC type bitmaps for synthesis is the open source Knot resolver, which Cloudflare uses for their 1.1.1.1 service. The problematic name servers are F5 devices used for postbank.de and other domains (the DNS violations tracker issue includes a number of Czech domains, presumably since Knot is a Czech product and is more commonly used there).

You are not seeing the DNSSEC records for any postbank.de domains from 1.1.1.1 because Cloudflare has disabled DNSSEC for postbank.de because of this incompatibility. Since it doesn’t query for the DNSSEC records, it cannot return them.

See the "Problem with oneplus.com and postbank.de" thread for more gory technical details (note that oneplus.com is not affected by this issue).

You can use any other DNSSEC-validating resolver, such as Google (8.8.8.8), Verisign (64.6.64.6), or Quad9 (9.9.9.9) to resolve these domains with DNSSEC records.

If you strongly prefer Cloudflare, consider opening a feature request issue for the Knot resolver to allow disabling the aggressive DNSSEC cache feature for particular domains without disabling DNSSEC validation entirely. Google’s resolver has this capability (see this example with even gorier technical details), and it is a poor operational response to disable the security features of DNSSEC (which are working for these domains) because F5 name servers are breaking the aggressive use of DNSSEC negative response cache.

Knot resolver has a few related issues already, but they are about fixing the aggressive negative caching, not enabling more nuanced operational responses.
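As an added illustration (not code from this thread, from Knot, or from Cloudflare), here is a small model of RFC 8198-style negative synthesis from cached NSEC3 records. It shows why a wrong type bitmap at an existing name turns into a synthesized NODATA answer, and why a per-zone "no synthesis" switch that keeps validation on is the narrower fix the reply above asks for. All records and bitmaps in the sample data are constructed; hashing follows RFC 5155 with an empty salt and zero iterations.

```python
import hashlib
from dataclasses import dataclass

def wire_name(name: str) -> bytes:
    # Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, root label last.
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> bytes:
    # RFC 5155 s5: SHA-1(x || salt), re-applied `iterations` times. Raw digests sort in the
    # same order as their base32hex owner names, so the chain is compared on bytes here.
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return h

@dataclass(frozen=True)
class NSEC3:
    owner_hash: bytes   # hashed owner name
    next_hash: bytes    # next hashed owner in the zone's chain
    types: frozenset    # the type bitmap: RR types present at the owner

def covers(rec: NSEC3, h: bytes) -> bool:
    # Open interval (owner, next); the chain is circular, so owner > next means wrap-around.
    if rec.owner_hash < rec.next_hash:
        return rec.owner_hash < h < rec.next_hash
    return h > rec.owner_hash or h < rec.next_hash

def synthesize(cache, qname: str, qtype: str, aggressive: bool = True,
               salt: bytes = b"", iterations: int = 0):
    """RFC 8198-style negative synthesis from validated NSEC3 records in cache: returns
    'NODATA' or 'NXDOMAIN' when the cache proves a negative answer, else None (ask upstream).
    aggressive=False models the per-zone opt-out the reply wishes Knot had: validation stays on."""
    if not aggressive:
        return None
    h = nsec3_hash(qname, salt, iterations)
    for rec in cache:
        if rec.owner_hash == h:   # name exists: only the bitmap decides NODATA vs upstream
            return None if qtype in rec.types else "NODATA"
    for rec in cache:             # simplified: real NXDOMAIN synthesis also needs the
        if covers(rec, h):        # closest-encloser proof (RFC 5155 s8.4, RFC 8198 s5.1)
            return "NXDOMAIN"
    return None

# Constructed sample data (not the real postbank.de chain): two bitmaps for the host, one wrong.
HOST = "mailrelay3.frankfurt.postbank.de"
NEXT = bytes([0xFF]) * 20   # placeholder next hash; unused for an exact-match lookup
GOOD = NSEC3(nsec3_hash(HOST), NEXT, frozenset({"A", "RRSIG"}))
BAD = NSEC3(nsec3_hash(HOST), NEXT, frozenset({"RRSIG"}))   # bitmap claims no A record
GAP = NSEC3(bytes(20), NEXT, frozenset())                    # span covering every other hash
```

With the correct bitmap the resolver asks upstream and gets the A record; with the wrong bitmap and synthesis enabled it answers NODATA from cache, which is the symptom seen from 1.1.1.1, while the per-zone opt-out avoids that without turning validation off.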