You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We are using badssl.com in our CI to test .NET runtime components. Our CI suites runs in AzDO pipelines and uses Azure DNS server. On one of our test platform (Alpine Linux), it is impossible to resolve revoked.badssl.com, due to the way musl-libc implementation of getaddrinfo handles ServFail responses from DNS servers.
Our expert tells us that
The authoritative DNS servers for revoked.badssl.com are returning an SOA for badssl.com when queried for type AAAA. This is technically not valid, as the server is only authoritative for revoked.badssl.com. They should not be returning an SOA record with owner name outside their authority. This is such a common domain configuration error that other implementations permit it. But currently Azure DNS does not.
This can be observed by running
dig +trace aaaa revoked.badssl.com.
rzikm@aginor:/tmp$ dig +trace aaaa revoked.badssl.com.
; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> +trace aaaa revoked.badssl.com.
;; global options: +cmd
. 9172 IN NS e.root-servers.net.
. 9172 IN NS a.root-servers.net.
. 9172 IN NS m.root-servers.net.
. 9172 IN NS d.root-servers.net.
. 9172 IN NS b.root-servers.net.
. 9172 IN NS f.root-servers.net.
. 9172 IN NS i.root-servers.net.
. 9172 IN NS g.root-servers.net.
. 9172 IN NS c.root-servers.net.
. 9172 IN NS l.root-servers.net.
. 9172 IN NS k.root-servers.net.
. 9172 IN NS j.root-servers.net.
. 9172 IN NS h.root-servers.net.
. 82459 IN RRSIG NS 8 0 518400 20240903050000 20240821040000 20038 . UEqRzHccX/FfTfNXZiCiG4czqssMNxcxcrc3ilEyTlb4l4C8ILH7htHF 5tUiab/MsXihGfyW27ceWA48yPR1HsEr+nLs0PUDS0gyiv4cu2Ib+V1d CSr3PaRxCupjMaQ5wYBOi74cW5OTMTztPtDkckrk+UlHYFXhbjkCBDVp Oj304uSdmUtvRy65bT1NCro1yBcrOol0JhNZPuEih/QZ+Bx3g8pkNEV/ ihxl/8MYKYIFuVzhr4t69oZNQj3sKkEIRReHmqAcukstIztWGS5lOjlz ghEqNBCb2lnR3Xzf7tw+ixth1QEk+FlAKZdseR1d+n2ihVHjVEz27170 fdNt3w==
;; Received 525 bytes from 10.255.255.254#53(10.255.255.254) in 12 ms
;; UDP setup with 2001:7fe::53#53(2001:7fe::53) for revoked.badssl.com. failed: network unreachable.
;; no servers could be reached
;; UDP setup with 2001:7fe::53#53(2001:7fe::53) for revoked.badssl.com. failed: network unreachable.
;; no servers could be reached
;; UDP setup with 2001:7fe::53#53(2001:7fe::53) for revoked.badssl.com. failed: network unreachable.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 86400 IN DS 19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
com. 86400 IN RRSIG DS 8 1 86400 20240903170000 20240821160000 20038 . VO21GhEvfY0yf7t20DMzscSzum+veuXrwLByFDHSR5BetEIAaHdm11Ih k2b60mpYt9GIZYvxuPeVE/tUK/3DbkchX9hFHn1HXjDbSoUpYmkFLAmM K5IEKsKRkK5UFk6fknEkSrco8YbMW4s3Y5l0XyoB0m+B92rfzmErNWm0 JuM1RbKEuYP/wVHf0g0BXh0JBicjqOlc2gFU/RTMCzmfHTOXVRTdtQB0 25qmN/IaiWY68Q+kkuj+zXaKxNAezzM17ZJkGshpHaj8oCW58lFovFb+ 9kQ/8jwc8JYsCs/FQaQCOi7vr6wRyRzt8HAxSwBBnFHVeD5WxgBwnARu 982KRQ==
;; Received 1209 bytes from 192.112.36.4#53(g.root-servers.net) in 35 ms
badssl.com. 172800 IN NS ns-cloud-c1.googledomains.com.
badssl.com. 172800 IN NS ns-cloud-c2.googledomains.com.
badssl.com. 172800 IN NS ns-cloud-c3.googledomains.com.
badssl.com. 172800 IN NS ns-cloud-c4.googledomains.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q3UDG8CEKKAE7RUKPGCT1DVSSH8LL NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 13 2 86400 20240828002506 20240820231506 59354 com. WL/BS7HkXbQ49qmCS1+euku6HzErcZnzxqIXpRG1PUv9wkxjhzs+MIg4 +l04rDVJ7OUMu+wKZ1D/bedp2/1cXg==
AQTBQL4N4TO5EOTJVJQ06SRJ870MCLCD.com. 86400 IN NSEC3 1 1 0 - AQTBVKDJBK4AMTSFG5MCAQ3D6FU2GGUE NS DS RRSIG
AQTBQL4N4TO5EOTJVJQ06SRJ870MCLCD.com. 86400 IN RRSIG NSEC3 13 2 86400 20240826002917 20240818231917 59354 com. qucCOwM6oW7OewHfTuBWBpwCLLiuG8yTxCUhW1xxkiXGstBR/qJRCCt+ I9083D+/A0F67qVH81L9TstfHrAlTA==
;; Received 698 bytes from 192.42.93.30#53(g.gtld-servers.net) in 43 ms
revoked.badssl.com. 300 IN NS ns-cloud4.googledomains.com.
revoked.badssl.com. 300 IN NS ns-cloud2.googledomains.com.
revoked.badssl.com. 300 IN NS ns-cloud1.googledomains.com.
revoked.badssl.com. 300 IN NS ns-cloud3.googledomains.com.
;; Received 190 bytes from 216.239.38.108#53(ns-cloud-c4.googledomains.com) in 31 ms
;; UDP setup with 2001:4860:4802:36::6a#53(2001:4860:4802:36::6a) for revoked.badssl.com. failed: network unreachable.
badssl.com. 300 IN SOA ns-cloud1.googledomains.com. dns-admin.google.com. 0 21600 3600 1209600 300
;; Received 157 bytes from 216.239.36.106#53(ns-cloud3.googledomains.com) in 47 ms
The command traces the DNS record from top level domain server, then to authoritative servers for .com, then .badssl.com (ns-cloud-c4.googledomains.com), which points to ns-cloud1.googledomains.com (and others) as authoritative servers for revoked.badssl.com. These servers (1-4) report as being authoritative for entire .badssl.com domain, which seems to trigger the issue.
Can you please investigate this?
The text was updated successfully, but these errors were encountered:
We recommend against relying on the live badssl.com site for CI (smoke test type integrations can be okay, but we provide no SLO for the live site -- deploying a local instance via Docker is generally a much better approach for CI)
The DNS configuration for the site is admittedly a bit brittle, so I'm unlikely to be able to prioritize tweaking this to address this edge case, so you may be best served by attempting to find a workaround (if you haven't already). I think this is likely caused by the DNS delegation we currently do in order (for some complicated internal project reasons) so I'm not sure if there's a great fix. I assume this would equally apply to every subdomain and wouldn't be specific to revoked?
(Aside to @shbhmexe -- the offers to assist here are often bordering on spam. In this particular case a fix would require internal DNS changes so can't be resolved by a PR to this repository.)
Hi,
We are using badssl.com in our CI to test .NET runtime components. Our CI suites runs in AzDO pipelines and uses Azure DNS server. On one of our test platform (Alpine Linux), it is impossible to resolve
revoked.badssl.com
, due to the way musl-libc implementation ofgetaddrinfo
handles ServFail responses from DNS servers.Our expert tells us that
This can be observed by running
The command traces the DNS record from top level domain server, then to authoritative servers for .com, then
.badssl.com
(ns-cloud-c4.googledomains.com
), which points tons-cloud1.googledomains.com
(and others) as authoritative servers for revoked.badssl.com. These servers (1-4) report as being authoritative for entire.badssl.com
domain, which seems to trigger the issue.Can you please investigate this?
The text was updated successfully, but these errors were encountered: