Missing NSEC3 in 1.1.1.1 answer

TL;DR: Cloudflare is returning incomplete proofs for queries like cz.uvirt127.active24.cz. DS. The practical consequence is that a validator forwarding to 1.1.1.1 SERVFAILs.

For some reason they’re always omitting NSEC3 record covering the name itself. Authoritative servers do provide it in their answer, at least from my point. Other resolvers I’ve tried don’t do this omitting.

Example bad answer:

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 2933
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 4; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; cz.uvirt127.active24.cz.             DS

;; ANSWER SECTION:
cz.uvirt127.active24.cz.        2774    CNAME   uvirt127.active24.cz.
cz.uvirt127.active24.cz.        2774    RRSIG   CNAME 13 3 3600 20230419112722 20230320112722 33072 active24.cz. [omitted]

;; AUTHORITY SECTION:
active24.cz.            2774    SOA     alfa.ns.active24.cz. hostmaster.active24.cz. 2023032005 14400 3600 604800 3600
active24.cz.            2774    RRSIG   SOA 13 2 3600 20230419112722 20230320112722 33072 active24.cz. [omitted]
pce657dbiq31h08bt39on9lnp00jpl3k.active24.cz. 2774      NSEC3   1 0 10 A8406AB06B9F1760 pcgm19ggpv55njtq313o1cndobjnmgcf A AAAA RRSIG
pce657dbiq31h08bt39on9lnp00jpl3k.active24.cz. 2774      RRSIG   NSEC3 13 3 3600 20230419112722 20230320112722 33072 active24.cz. [omitted]

Corresponding good answer (from auth in this case):

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 5676
;; Flags: qr aa rd; QUERY: 1; ANSWER: 2; AUTHORITY: 4; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; cz.uvirt127.active24.cz.             DS

;; ANSWER SECTION:
cz.uvirt127.active24.cz.        3600    CNAME   uvirt127.active24.cz.
cz.uvirt127.active24.cz.        3600    RRSIG   CNAME 13 3 3600 20230419112722 20230320112722 33072 active24.cz. [omitted]

;; AUTHORITY SECTION:
jdagfn7alecd0m7570ij2ts65sn04r4i.active24.cz. 3600      NSEC3   1 0 10 A8406AB06B9F1760 jduc5pr4c1bmgc1asdsfr6mo90roald1 AAAA RRSIG
jdagfn7alecd0m7570ij2ts65sn04r4i.active24.cz. 3600      RRSIG   NSEC3 13 3 3600 20230419112722 20230320112722 33072 active24.cz. [omitted]
pce657dbiq31h08bt39on9lnp00jpl3k.active24.cz. 3600      NSEC3   1 0 10 A8406AB06B9F1760 pcgm19ggpv55njtq313o1cndobjnmgcf A AAAA RRSIG
pce657dbiq31h08bt39on9lnp00jpl3k.active24.cz. 3600      RRSIG   NSEC3 13 3 3600 20230419112722 20230320112722 33072 active24.cz. [omitted]

Note that the name itself “doesn’t exist” and is filled by wildcard *.uvirt127.active24.cz. (showing a CNAME from it in this case), and that’s why you need an NSEC3 proving “direct non-existence” of cz.uvirt127.active24.cz.
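As an added illustration (not code from the post or from Cloudflare), this is the check a validator performs on a wildcard-expanded answer under RFC 5155: derive the closest encloser from the RRSIG labels field, hash the "next closer" name with the zone's NSEC3 parameters from the records above (salt A8406AB06B9F1760, 10 iterations), and look for an NSEC3 whose hash interval covers it. The two record sets are transcribed from the two answers in the post; the names and the helper functions are my own.

```python
import base64
import hashlib

# NSEC3 owner names use lowercase base32hex (RFC 4648); Python's b32encode
# emits the standard alphabet, so translate between the two.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789abcdefghijklmnopqrstuv")


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: SHA-1(wire-format owner || salt), re-hashed `iterations` times."""
    labels = [l.encode() for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_TO_B32HEX)


def nsec3_covers(owner, nxt, h):
    """True if h lies strictly between owner and next hash (wrap-around for the last record)."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt  # last NSEC3 in the chain: next points back to the first


def wildcard_proof(qname, rrsig_labels, nsec3_rrs, salt_hex, iterations):
    """RFC 5155 section 7.2.6: a wildcard answer must carry an NSEC3 covering the
    next closer name, i.e. the name one label below the closest encloser.  The
    closest encloser has `rrsig_labels` labels (taken from the RRSIG of the answer)."""
    labels = qname.rstrip(".").split(".")
    next_closer = ".".join(labels[-(rrsig_labels + 1):]) + "."
    h = nsec3_hash(next_closer, salt_hex, iterations)
    covered = any(nsec3_covers(owner, nxt, h) for owner, nxt in nsec3_rrs)
    return {"next_closer": next_closer, "hash": h, "covered": covered}


SALT, ITERATIONS = "A8406AB06B9F1760", 10
# (owner hash, next hash) pairs of the NSEC3 records in the two answers quoted above.
RESOLVER_ANSWER = [("pce657dbiq31h08bt39on9lnp00jpl3k", "pcgm19ggpv55njtq313o1cndobjnmgcf")]
AUTH_ANSWER = RESOLVER_ANSWER + [("jdagfn7alecd0m7570ij2ts65sn04r4i", "jduc5pr4c1bmgc1asdsfr6mo90roald1")]

if __name__ == "__main__":
    # The CNAME RRSIG above has labels=3, so the closest encloser is uvirt127.active24.cz.
    for source, rrs in (("1.1.1.1", RESOLVER_ANSWER), ("auth", AUTH_ANSWER)):
        print(source, wildcard_proof("cz.uvirt127.active24.cz.", 3, rrs, SALT, ITERATIONS))
```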

Hi vcunat,

We will take a look. Thanks for reporting this.

Hi @vcunat, thanks for the report! It seems like it fails to add it when the CNAME chain doesn't lead to a positive answer; this is fixed now and should roll out over the next few weeks.
