DNS errors when resolving revoked.badssl.com on Alpine Linux in Azure VM

[rzikm]

Hi,

We are using badssl.com in our CI to test .NET runtime components. Our CI suites runs in AzDO pipelines and uses Azure DNS server. On one of our test platform (Alpine Linux), it is impossible to resolve revoked.badssl.com, due to the way musl-libc implementation of getaddrinfo handles ServFail responses from DNS servers.

Our expert tells us that

The authoritative DNS servers for revoked.badssl.com are returning an SOA for badssl.com when queried for type AAAA. This is technically not valid, as the server is only authoritative for revoked.badssl.com. They should not be returning an SOA record with owner name outside their authority. This is such a common domain configuration error that other implementations permit it. But currently Azure DNS does not.

This can be observed by running

dig +trace aaaa revoked.badssl.com.

rzikm@aginor:/tmp$ dig +trace aaaa revoked.badssl.com.

; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> +trace aaaa revoked.badssl.com.
;; global options: +cmd
.                       9172    IN      NS      e.root-servers.net.
.                       9172    IN      NS      a.root-servers.net.
.                       9172    IN      NS      m.root-servers.net.
.                       9172    IN      NS      d.root-servers.net.
.                       9172    IN      NS      b.root-servers.net.
.                       9172    IN      NS      f.root-servers.net.
.                       9172    IN      NS      i.root-servers.net.
.                       9172    IN      NS      g.root-servers.net.
.                       9172    IN      NS      c.root-servers.net.
.                       9172    IN      NS      l.root-servers.net.
.                       9172    IN      NS      k.root-servers.net.
.                       9172    IN      NS      j.root-servers.net.
.                       9172    IN      NS      h.root-servers.net.
.                       82459   IN      RRSIG   NS 8 0 518400 20240903050000 20240821040000 20038 . UEqRzHccX/FfTfNXZiCiG4czqssMNxcxcrc3ilEyTlb4l4C8ILH7htHF 5tUiab/MsXihGfyW27ceWA48yPR1HsEr+nLs0PUDS0gyiv4cu2Ib+V1d CSr3PaRxCupjMaQ5wYBOi74cW5OTMTztPtDkckrk+UlHYFXhbjkCBDVp Oj304uSdmUtvRy65bT1NCro1yBcrOol0JhNZPuEih/QZ+Bx3g8pkNEV/ ihxl/8MYKYIFuVzhr4t69oZNQj3sKkEIRReHmqAcukstIztWGS5lOjlz ghEqNBCb2lnR3Xzf7tw+ixth1QEk+FlAKZdseR1d+n2ihVHjVEz27170 fdNt3w==
;; Received 525 bytes from 10.255.255.254#53(10.255.255.254) in 12 ms

;; UDP setup with 2001:7fe::53#53(2001:7fe::53) for revoked.badssl.com. failed: network unreachable.
;; no servers could be reached

;; UDP setup with 2001:7fe::53#53(2001:7fe::53) for revoked.badssl.com. failed: network unreachable.
;; no servers could be reached

;; UDP setup with 2001:7fe::53#53(2001:7fe::53) for revoked.badssl.com. failed: network unreachable.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    86400   IN      DS      19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
com.                    86400   IN      RRSIG   DS 8 1 86400 20240903170000 20240821160000 20038 . VO21GhEvfY0yf7t20DMzscSzum+veuXrwLByFDHSR5BetEIAaHdm11Ih k2b60mpYt9GIZYvxuPeVE/tUK/3DbkchX9hFHn1HXjDbSoUpYmkFLAmM K5IEKsKRkK5UFk6fknEkSrco8YbMW4s3Y5l0XyoB0m+B92rfzmErNWm0 JuM1RbKEuYP/wVHf0g0BXh0JBicjqOlc2gFU/RTMCzmfHTOXVRTdtQB0 25qmN/IaiWY68Q+kkuj+zXaKxNAezzM17ZJkGshpHaj8oCW58lFovFb+ 9kQ/8jwc8JYsCs/FQaQCOi7vr6wRyRzt8HAxSwBBnFHVeD5WxgBwnARu 982KRQ==
;; Received 1209 bytes from 192.112.36.4#53(g.root-servers.net) in 35 ms

badssl.com.             172800  IN      NS      ns-cloud-c1.googledomains.com.
badssl.com.             172800  IN      NS      ns-cloud-c2.googledomains.com.
badssl.com.             172800  IN      NS      ns-cloud-c3.googledomains.com.
badssl.com.             172800  IN      NS      ns-cloud-c4.googledomains.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q3UDG8CEKKAE7RUKPGCT1DVSSH8LL NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 13 2 86400 20240828002506 20240820231506 59354 com. WL/BS7HkXbQ49qmCS1+euku6HzErcZnzxqIXpRG1PUv9wkxjhzs+MIg4 +l04rDVJ7OUMu+wKZ1D/bedp2/1cXg==
AQTBQL4N4TO5EOTJVJQ06SRJ870MCLCD.com. 86400 IN NSEC3 1 1 0 - AQTBVKDJBK4AMTSFG5MCAQ3D6FU2GGUE NS DS RRSIG
AQTBQL4N4TO5EOTJVJQ06SRJ870MCLCD.com. 86400 IN RRSIG NSEC3 13 2 86400 20240826002917 20240818231917 59354 com. qucCOwM6oW7OewHfTuBWBpwCLLiuG8yTxCUhW1xxkiXGstBR/qJRCCt+ I9083D+/A0F67qVH81L9TstfHrAlTA==
;; Received 698 bytes from 192.42.93.30#53(g.gtld-servers.net) in 43 ms

revoked.badssl.com.     300     IN      NS      ns-cloud4.googledomains.com.
revoked.badssl.com.     300     IN      NS      ns-cloud2.googledomains.com.
revoked.badssl.com.     300     IN      NS      ns-cloud1.googledomains.com.
revoked.badssl.com.     300     IN      NS      ns-cloud3.googledomains.com.
;; Received 190 bytes from 216.239.38.108#53(ns-cloud-c4.googledomains.com) in 31 ms

;; UDP setup with 2001:4860:4802:36::6a#53(2001:4860:4802:36::6a) for revoked.badssl.com. failed: network unreachable.
badssl.com.             300     IN      SOA     ns-cloud1.googledomains.com. dns-admin.google.com. 0 21600 3600 1209600 300
;; Received 157 bytes from 216.239.36.106#53(ns-cloud3.googledomains.com) in 47 ms

The command traces the DNS record from top level domain server, then to authoritative servers for .com, then .badssl.com (ns-cloud-c4.googledomains.com), which points to ns-cloud1.googledomains.com (and others) as authoritative servers for revoked.badssl.com. These servers (1-4) report as being authoritative for entire .badssl.com domain, which seems to trigger the issue.

Can you please investigate this?