[dns-operations] name-services.com breaks DNSSEC-aware resolvers

Alexander Gall gall at switch.ch
Thu Jul 19 15:16:26 UTC 2007

There is something very funky going on with the servers


when the DO flag is set in a query.  In that case, they send a reply
that is totally unrelated to the query.  As I write this, all servers
are basically unreachable for me, but a short while ago, I got this:

$ dig @ name-services.com. soa +dnssec
;; Warning: ID mismatch: expected ID 118, got 17517
;; Warning: ID mismatch: expected ID 118, got 12746

; <<>> DiG 9.4.1 <<>> @ name-services.com. soa +dnssec
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached

The last query was lost.  I have attached a pcap trace of these
transactions (ignore the IP checksum errors, they are caused by an
offloading feature of my NIC).  The first query in that trace was done
without DO and gets a proper reply (albeit with a very large delay).

I have informed name-services.com about this and I'm extremely curious
to learn what the heck they have installed there :-)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dns.cap
Type: application/octet-stream
Size: 1908 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20070719/a04fcebb/attachment.obj>

More information about the dns-operations mailing list