[registration-issues-wg] [CPWG] Google public DNS breaks DNS resolution

Lutz Donnerhacke lutz at donnerhacke.de
Tue Apr 30 13:01:05 UTC 2019

I recently came across this really mad idea by Google engineers:

They try to protect against DNS spoofing by adding entropy in queries to
root/TLD name servers.
That's a braindead idea, because they can query all those servers using
DNSSEC, which invalidates the reasoning itself.

But the more important point is that this solution is based on a misguided
understanding of DNS itself.

Let's take for instance "www.uit.int" as an example.

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37704
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1
;; QUESTION
;www.uit.int.           IN A
www.uit.int.            CNAME   www.itu.int.
www.uit.int.            RRSIG   CNAME 7 3 86400 2019...
itu.int.                NS      ns.itu.ch.
itu.int.                NS      ns2.itu.ch.
itu.int.                NS      ns3.itu.ch.
[DNSSEC stuff]

So we do get a resolution and a delegation.

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 48110
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
;nonce-for-dummies.www.uit.int. IN A
int.                    SOA     sns.dns.icann.org. ...
[lot of DNSSEC NSEC3 non-existence proofs]

But the modified request does not reveal even a hint that the original
query might be successful.

If necessary, I'm happy to discuss the basics of DNS directly with the
engineer, if somebody makes contact.
This discussion will include "non-empty non-terminals" and the difference
between DS and DNSKEY, both issues where Google public DNS fails.
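The two dig responses quoted above can be reproduced with a toy authoritative lookup over a small zone, which makes the argument concrete: a random label appended below an existing name lands in a part of the tree that does not exist, so the server returns NXDOMAIN plus non-existence proofs and nothing else, while a name that exists only because records live beneath it (an empty non-terminal) yields NOERROR with an empty answer. The following is example code added here, not the post author's; the int. SOA, the www.uit.int CNAME and the itu.int delegation to ns.itu.ch/ns2/ns3 are taken from the quoted output, and the apex NS, host.ent.int and the SOA fields are constructed to round out the zone. DNSSEC records are omitted since only rcodes and sections matter for the point.

```python
"""Toy authoritative lookup modelled on the two dig responses in the mail.
Example code added here; it is not the post author's.

Names from the quoted output: the int. SOA, www.uit.int (CNAME to
www.itu.int) and the itu.int delegation to ns.itu.ch/ns2/ns3. The apex
NS, host.ent.int and the SOA fields are constructed placeholders.
"""
from dataclasses import dataclass, field

ZONE_APEX = "int."

# Constructed zone: owner name -> {rrtype: [rdata, ...]}
ZONE = {
    "int.": {
        "SOA": ["sns.dns.icann.org. hostmaster.example. 1 7200 3600 1209600 3600"],
        "NS": ["apex-ns.example."],          # placeholder, not the real int. servers
    },
    "www.uit.int.": {"CNAME": ["www.itu.int."]},
    "itu.int.": {"NS": ["ns.itu.ch.", "ns2.itu.ch.", "ns3.itu.ch."]},  # delegation
    "host.ent.int.": {"A": ["192.0.2.10"]},  # makes ent.int. an empty non-terminal
}


@dataclass
class Response:
    rcode: str
    answer: list = field(default_factory=list)     # (owner, type, rdata) tuples
    authority: list = field(default_factory=list)


def ancestors(qname):
    """Yield qname, then each parent name, stopping at (and including) the apex."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        yield name
        if name == ZONE_APEX:
            return


def rrs(name, rrtype):
    """All records of one type at one owner name as (owner, type, rdata) tuples."""
    return [(name, rrtype, rdata) for rdata in ZONE[name][rrtype]]


def lookup(qname, qtype):
    """Answer one question the way an authoritative server for ZONE would."""
    qname = qname.lower()
    if qname != ZONE_APEX and not qname.endswith("." + ZONE_APEX):
        return Response("REFUSED")

    # Delegation: an NS set at any name below the apex on the path from the
    # apex down to qname means we hand out a referral and stop.
    for name in ancestors(qname):
        if name != ZONE_APEX and "NS" in ZONE.get(name, {}):
            return Response("NOERROR", authority=rrs(name, "NS"))

    node = ZONE.get(qname)
    if node is not None:
        if "CNAME" in node and qtype != "CNAME":
            # Return the CNAME and, as the quoted dig output shows, keep
            # resolving the target while it stays inside this zone.
            resp = Response("NOERROR", answer=rrs(qname, "CNAME"))
            target = node["CNAME"][0]
            if target == ZONE_APEX or target.endswith("." + ZONE_APEX):
                chased = lookup(target, qtype)
                resp.rcode = chased.rcode
                resp.answer += chased.answer
                resp.authority += chased.authority
            return resp
        if qtype in node:
            return Response("NOERROR", answer=rrs(qname, qtype))
        # Name exists, type does not: NODATA (NOERROR with SOA in authority)
        return Response("NOERROR", authority=rrs(ZONE_APEX, "SOA"))

    # Empty non-terminal: nothing is stored at qname, but names exist below
    # it, so the name exists and the answer is NODATA, not NXDOMAIN.
    if any(owner.endswith("." + qname) for owner in ZONE):
        return Response("NOERROR", authority=rrs(ZONE_APEX, "SOA"))

    # Nothing at or below qname: NXDOMAIN, which says nothing about the parent.
    return Response("NXDOMAIN", authority=rrs(ZONE_APEX, "SOA"))


if __name__ == "__main__":
    for q in ["www.uit.int.", "nonce-for-dummies.www.uit.int.", "uit.int.", "itu.int."]:
        r = lookup(q, "A")
        print(f"{q:35} {r.rcode:9} answer={len(r.answer)} authority={len(r.authority)}")
```

Running it shows the asymmetry the mail relies on: www.uit.int returns the CNAME plus the itu.int referral, nonce-for-dummies.www.uit.int returns NXDOMAIN with only the SOA, and uit.int (an empty non-terminal in this toy zone) returns NOERROR with no answer. A resolver comparing the nonce response with the original learns only that the appended name does not exist.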
