.leg.br Domains Failing to Query 1.1.1.1

bug

#1

Hello guys,

The .leg.br domain is not being resolved by the 1.1.1.1 DNS server.
Dig returns the following:

dig www.interlegis.leg.br @1.1.1.1

; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.interlegis.leg.br @1.1.1.1
;; global options: +cmd
;; connection timed out; no servers could be reached

Unlike 8.8.8.8, which returns:

dig www.interlegis.leg.br @8.8.8.8

; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.interlegis.leg.br @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63124
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.interlegis.leg.br. IN A

;; ANSWER SECTION:
www.interlegis.leg.br. 6669 IN CNAME pm3proxy01.interlegis.leg.br.
pm3proxy01.interlegis.leg.br. 6669 IN A 201.54.63.82

;; Query time: 68 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed May 16 13:37:37 -03 2018
;; MSG SIZE rcvd: 91

Regards,


#2

Although the following doesn’t apply to www.interlegis.leg.br, for anyone else coming to this if they have a problem with leg.br domains on 1.1.1.1 (and for the CloudFlare team supporting it):

This is a problem with the infra.leg.br name servers that breaks implementations (like CloudFlare 1.1.1.1 and Google Public DNS 8.8.8.8) that synthesize negative answers from cached DNSSEC NSEC records, as described in RFC 8198.

Basically, the name servers for infra.leg.br implement DNSSEC in a very simple (and broken) way, using an NSEC record that securely proves there are no subdomains of infra.leg.br whenever they need to return an NXDOMAIN response.

It is simple because they can use the same NSEC record for any NXDOMAIN response. It is broken because this same NSEC record also proves the non-existence of any subdomain that actually does exist. That can cause security vulnerabilities with CAA or TLSA records, where falsely proving the non-existence of a domain allows an attacker to disable security protections.

In the spirit of DNSSEC “white lies” and “black lies” I call these over-broad NSEC records proving the non-existence of all subdomains “bald-faced lies.”

As long as you only ask for existing domains, the infra.leg.br name servers return positive responses, which public resolvers implementing RFC 8198 use and cache normally. But as soon as anyone asks an RFC 8198 resolver for a non-existent domain, that resolver will cache the bald-faced lie NSEC record and start returning NXDOMAIN responses for all subdomains that are not already cached, until the bald-faced lie NSEC record expires.

Google Public DNS resolved this problem by disabling RFC 8198 negative synthesis for infra.leg.br and all its subdomains (see https://issuetracker.google.com/issues/37414272#comment2 – which also provides examples of the bald-faced lie NSEC records). I don’t know if the Knot resolver used by 1.1.1.1 has the ability to disable RFC 8198 on a per-domain or per-zone basis, or if that is not possible, to disable DNSSEC entirely for infra.leg.br.

The real fix for this problem is to replace the name servers for infra.leg.br with ones that don’t make bald-faced lies.
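To make the mechanism in the post above concrete, here is an added illustration (not code from the thread, Cloudflare, Google or the infra.leg.br operators) of the interval logic an RFC 8198 resolver applies to cached NSEC records. The zone example.test, its hosts mail and www, and the shape of the "bald-faced lie" record (an NSEC whose owner and next name are both the zone apex, so it wraps around the entire zone) are all constructed assumptions; the real records served for infra.leg.br are only linked from the post, not shown on this page. The model implements the canonical name ordering of RFC 4034 section 6.1 and the covering test, then shows that a correctly chained NSEC lets the resolver synthesize NXDOMAIN only for names that really are absent, while the over-broad record also "denies" www, which exists.

```python
"""Toy model of RFC 8198 aggressive NSEC caching, showing how an over-broad
("bald-faced lie") NSEC record makes a resolver synthesize NXDOMAIN for names
that do exist.  All zone data below is constructed for illustration; it is
not the real infra.leg.br zone."""

from typing import Dict, List, Optional, Tuple


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """Sort key implementing RFC 4034 section 6.1 canonical DNS name order:
    labels are compared right-to-left, case-insensitively, and a name with
    fewer labels that is a prefix of another sorts first.  Escaped labels
    (e.g. \\000) are deliberately not handled in this toy."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return tuple(label.encode("ascii") for label in reversed(labels))


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if the record '<owner> NSEC <next_name>' proves that qname does
    not exist, i.e. qname sorts strictly between owner and next_name.
    The last NSEC in a zone wraps around (next_name <= owner in canonical
    order), so that case is handled as an interval crossing the end of the
    zone.  Closest-encloser and signature checks are omitted on purpose."""
    ko, kn, kq = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if kq == ko:
        return False                      # the owner name itself exists
    if ko < kn:
        return ko < kq < kn               # ordinary interval inside the zone
    return kq > ko or kq < kn             # wrap-around interval at end of zone


def is_bald_faced(owner: str, next_name: str, apex: str) -> bool:
    """Defender-side sanity check: flag an NSEC whose owner and next name are
    both the zone apex.  Such a record 'covers' every name in the zone except
    the apex, which is exactly the over-broad record described above."""
    ka = canonical_key(apex)
    return canonical_key(owner) == ka and canonical_key(next_name) == ka


class AggressiveNsecCache:
    """Minimal model of the negative-cache side of an RFC 8198 resolver: it
    remembers validated NSEC records from earlier NXDOMAIN answers and, for a
    later query, answers NXDOMAIN from cache if some record covers the name."""

    def __init__(self) -> None:
        self.nsec: List[Tuple[str, str]] = []

    def learn_nsec(self, owner: str, next_name: str) -> None:
        """Cache an NSEC record seen in a (validated) NXDOMAIN response."""
        self.nsec.append((owner, next_name))

    def synthesize(self, qname: str) -> Optional[str]:
        """Return 'NXDOMAIN' if a cached NSEC covers qname, else None, meaning
        the resolver must actually ask the authoritative servers."""
        for owner, next_name in self.nsec:
            if nsec_covers(owner, next_name, qname):
                return "NXDOMAIN"
        return None


def demo() -> Dict[str, object]:
    """Compare a correct NSEC chain with a bald-faced one for the constructed
    zone example.test (hosts: mail, www) after one NXDOMAIN lookup each."""
    good = AggressiveNsecCache()
    # Properly rectified zone: chain is apex -> mail -> www -> apex, so the
    # NXDOMAIN for 'nonexistent' carries the mail -> www record.
    good.learn_nsec("mail.example.test.", "www.example.test.")

    bad = AggressiveNsecCache()
    # Unrectified server (constructed): one record that "proves" nothing
    # exists under the apex, reused for every NXDOMAIN answer.
    bad.learn_nsec("example.test.", "example.test.")

    return {
        "good_nonexistent": good.synthesize("nonexistent.example.test."),
        "good_www": good.synthesize("www.example.test."),
        "bad_nonexistent": bad.synthesize("nonexistent.example.test."),
        "bad_www": bad.synthesize("www.example.test."),
        "bad_is_bald_faced": is_bald_faced(
            "example.test.", "example.test.", "example.test."),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The good cache answers NXDOMAIN for the absent name and falls through to a real lookup for www, while the bald-faced cache returns NXDOMAIN for www as well, which is the behaviour the thread reports for 1.1.1.1 and the reason Google's fix was to stop synthesizing for that zone. The is_bald_faced check is the kind of assertion a zone operator or monitoring job could run against its own NXDOMAIN responses before a resolver caches the record.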


#3

They seem to be running PowerDNS.

They just need to run “pdnsutil rectify-zone infra.leg.br” (and remember to run it in the future).


#4

Mr. mnordhoff,

I was informed by one of the managers of .leg.br that his tip was implemented successfully.
See the result:

dig www.interlegis.leg.br @1.1.1.1

; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.interlegis.leg.br @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12992
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1536
;; QUESTION SECTION:
;www.interlegis.leg.br.		IN	A

;; ANSWER SECTION:
www.interlegis.leg.br.	3586	IN	CNAME	pm3proxy01.interlegis.leg.br.
pm3proxy01.interlegis.leg.br. 3586 IN	A	201.54.63.82

;; Query time: 285 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu May 17 16:57:09 -03 2018
;; MSG SIZE  rcvd: 91

Thank you for your guidance and for your time.

Fraternal hugs,