[dns-operations] All dual-stack DNS servers - any problem with it?
Lutz Donnerhacke
lutz at iks-jena.de
Wed May 16 16:14:26 UTC 2007
* Mark Andrews wrote:
> The roots would start dropping glue for plain DNS queries
> once the name to be looked up exceeds 97 characters.
>
> For comparison a minimal referral to COM is 509 octets
> and glue records are dropped once the name to be looked up
> exceeds 7 characters. i.e. just about every referral from
> the root to the COM servers has incomplete glue.
Comparing with a signed root:
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.isc.com. IN A
;; AUTHORITY SECTION:
com. 172800 IN NS M.GTLD-SERVERS.NET.
com. 172800 IN NS C.GTLD-SERVERS.NET.
com. 172800 IN NS G.GTLD-SERVERS.NET.
com. 172800 IN NS D.GTLD-SERVERS.NET.
com. 172800 IN NS H.GTLD-SERVERS.NET.
com. 172800 IN NS E.GTLD-SERVERS.NET.
com. 172800 IN NS J.GTLD-SERVERS.NET.
com. 172800 IN NS K.GTLD-SERVERS.NET.
com. 172800 IN NS A.GTLD-SERVERS.NET.
com. 172800 IN NS L.GTLD-SERVERS.NET.
com. 172800 IN NS I.GTLD-SERVERS.NET.
com. 172800 IN NS F.GTLD-SERVERS.NET.
com. 172800 IN NS B.GTLD-SERVERS.NET.
com. 86400 IN NSEC COOP. NS RRSIG NSEC
com. 86400 IN RRSIG NSEC 5 1 86400 20070602180233 (
20070504062106 64955 .
nozkc1CpRti7BmZyy0N4fbuozqDI2lEWhAyLxXrgbi29
WDSPNK/yRwOjdDImNbffaJAYA8t0Jc/Ampt+QeedtH0t
tTBztoG9nQ0OmDyhHZFc1zuMYUZY1Z3Miq0TvYB8TfUT
zVQX7xG76xyQpZcrODDdfrQSRO39mW6du/udQiqiWu9v
c4PtzmNm/B0gpEokLXf8kExdtaxL1J/gAV22sc9AoQGV
9mzAsEOEpZGdAxx/XLes2gbx98LzK6euffqrt6cvTy7l
LQb57FNDLurTTctbH0WQIP/iEFEgqb5Uw/GcKVrZHg3R
lALfhKSRo9FnxRD7ggwLsaFPqH2GKVld4Q== )
;; ADDITIONAL SECTION:
A.GTLD-SERVERS.NET. 172800 IN A 192.5.6.30
A.GTLD-SERVERS.NET. 172800 IN AAAA 2001:503:a83e::2:30
G.GTLD-SERVERS.NET. 172800 IN A 192.42.93.30
H.GTLD-SERVERS.NET. 172800 IN A 192.54.112.30
C.GTLD-SERVERS.NET. 172800 IN A 192.26.92.30
I.GTLD-SERVERS.NET. 172800 IN A 192.43.172.30
B.GTLD-SERVERS.NET. 172800 IN A 192.33.14.30
B.GTLD-SERVERS.NET. 172800 IN AAAA 2001:503:231d::2:30
D.GTLD-SERVERS.NET. 172800 IN A 192.31.80.30
L.GTLD-SERVERS.NET. 172800 IN A 192.41.162.30
F.GTLD-SERVERS.NET. 172800 IN A 192.35.51.30
J.GTLD-SERVERS.NET. 172800 IN A 192.48.79.30
K.GTLD-SERVERS.NET. 172800 IN A 192.52.178.30
E.GTLD-SERVERS.NET. 172800 IN A 192.12.94.30
M.GTLD-SERVERS.NET. 172800 IN A 192.55.83.30
;; Query time: 4 msec
;; SERVER: 2001:4bd8::1053#53(2001:4bd8::1053)
;; WHEN: Wed May 16 17:57:39 2007
;; MSG SIZE rcvd: 841
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.ash.cz. IN A
;; AUTHORITY SECTION:
cz. 172800 IN NS C.NS.NIC.cz.
cz. 172800 IN NS E.NS.NIC.cz.
cz. 172800 IN NS F.NS.CZNIC.EU.
cz. 172800 IN NS NS.TLD.cz.
cz. 172800 IN NS NS-EXT.ISC.ORG.
cz. 172800 IN NS NSS.TLD.cz.
cz. 86400 IN NSEC DE. NS RRSIG NSEC
cz. 86400 IN RRSIG NSEC 5 1 86400 20070603030311 (
20070504062950 64955 .
jehMTV19W6+NMscFhY/uuIdARK5SoSkA0UfsUrkcfqAq
qI6dtDaxfbwVSluupN+9hfUHGmKTKDFucHIcNxz+6qlA
TaV+xCDMCk1AUyjNbLO6NZWZ+gK2YVB1BTBrSnbM/Xib
ojxHTvVN48KDoQczIxZHvkz31xe1fLuFuPX8vO2LKCrW
Eq6Of+DQlQQUX3RVPW7dAainW7BdnfHhE6qKXQl+w882
ZMwomvbg5gRBQD1tmWHvyBQRdeXK0pS3mqHCne5q2y/E
j79oEHVydp9GHQdxa/aE8ZVVH941GR9or4nD/mtDXr4h
8eyOHdRQhHO27ejGsVJdiym6ins2Mf/5ag== )
;; ADDITIONAL SECTION:
NS-EXT.ISC.ORG. 172800 IN A 204.152.184.64
NS-EXT.ISC.ORG. 172800 IN AAAA 2001:4f8:0:2::13
NS.TLD.cz. 172800 IN A 217.31.196.10
NSS.TLD.cz. 172800 IN A 217.31.200.10
C.NS.NIC.cz. 172800 IN A 195.66.241.202
C.NS.NIC.cz. 172800 IN AAAA 2a01:40:1000::2
E.NS.NIC.cz. 172800 IN A 194.146.105.38
F.NS.CZNIC.EU. 172800 IN A 193.171.255.48
F.NS.CZNIC.EU. 172800 IN AAAA 2001:628:453:420::48
;; Query time: 3 msec
;; SERVER: 2001:4bd8::1053#53(2001:4bd8::1053)
;; WHEN: Wed May 16 17:58:42 2007
;; MSG SIZE rcvd: 663
You can see that the additional section is not signed, which renders the
provided glue almost useless: we have to requery the glue from the root
server, but do not get it signed!
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;F.NS.se. IN AAAA
;; AUTHORITY SECTION:
se. 172800 IN NS E.NS.se.
se. 172800 IN NS C.NS.se.
se. 172800 IN NS H.NS.se.
se. 172800 IN NS I.NS.se.
se. 172800 IN NS F.NS.se.
se. 172800 IN NS D.NS.se.
se. 172800 IN NS A.NS.se.
se. 172800 IN NS B.NS.se.
se. 172800 IN NS G.NS.se.
se. 172800 IN DS 6166 5 1 (
CE2B007F6D000B064B4A82E8840C19D3D09B8F8E )
se. 172800 IN DS 6166 5 2 (
CD9D147E24D866412216ADA5DBCB257DAE6CF0FFEF23
4415D6BD1114D833F213 )
se. 172800 IN DS 17686 5 1 (
9E5E81A0B71A9B6B251077F700AA730E18D712EF )
se. 172800 IN DS 17686 5 2 (
B78C0E213B17285C7BCC78884D81A5F09145F800C564
954F856140D1689153B9 )
se. 172800 IN RRSIG DS 5 1 172800 20070612182136 (
20070514093105 64955 .
UFb/xbmsSy0vioL/OcHOwlT+pbcVrJ5AkO9RSZnTG2NM
xFr5OIHEA8PrsNzeWmtzmRoHAsD78cIHMK/SZiLMIhzO
0GZYYsW1RpAhsMYU6238ZdTvWam9xS//DzfvczR4Ndnh
vAsD3Wxv30tOsdkWKb4grc8UyG3PCC/iQPe1F12hEYzU
gnyEf9/N2CIKha7tsvxm+7hE7MeQs1qRlHVLMH0YxM17
tewyMde8Y4dNlQ/nJjkV6cF94Djc9fMo0KHMC+cl6k5s
u9cGD7P2Pgb19y2Q2PMwD+nG3Odw0YCHkOmMRrvAke1Q
9+P8bG7SVYx+OF/2hW80M+haS5mrSv2GSg== )
;; ADDITIONAL SECTION:
F.NS.se. 172800 IN AAAA 2a01:280:1:53::53
F.NS.se. 172800 IN A 192.71.53.53
A.NS.se. 172800 IN A 192.36.144.107
A.NS.se. 172800 IN AAAA 2001:698:9:301::53
B.NS.se. 172800 IN A 192.36.133.107
C.NS.se. 172800 IN A 192.36.135.107
G.NS.se. 172800 IN A 130.239.5.114
G.NS.se. 172800 IN AAAA 2001:6b0:e:3::1
H.NS.se. 172800 IN A 199.7.49.30
D.NS.se. 172800 IN A 81.228.8.16
E.NS.se. 172800 IN A 81.228.10.57
I.NS.se. 172800 IN A 194.146.106.22
;; Query time: 4 msec
;; SERVER: 2001:4bd8::1053#53(2001:4bd8::1053)
;; WHEN: Wed May 16 18:08:21 2007
;; MSG SIZE rcvd: 861
All we can get is a signed DS record, and we have to check the trust chain
ourselves.
If we limit the DNS size to 512 bytes, the results are frustrating: every
possible response is truncated, because the RRSIG is too long.
On the contrary, it is possible to get signed data in other sections:
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;iks-jena.de. IN MX
;; ANSWER SECTION:
iks-jena.de. 57600 IN MX 10 excalibur.iks-jena.de.
iks-jena.de. 57600 IN MX 20 avalon.iks-jena.de.
iks-jena.de. 57600 IN RRSIG MX 5 2 57600 20070612215343 (
20070513224243 39332 iks-jena.de.
bkWZimQOFyoBbNV7yp4pQjUqLg4NHIZehYIkvRjT5xxB
9Znu5+T14DlDmpyCuR9LjVNm+0QLFFR1SE3QhD8olCBJ
G062ecWlDHQfqQ4JlJyhY1z+ylTB/zsJuryMbD5366zJ
CokfACgU1gM4GiadWKSSX6g4gCYcYt9v+Vk0zTk= )
;; AUTHORITY SECTION:
iks-jena.de. 57600 IN NS euro-ns2.cw.net.
iks-jena.de. 57600 IN NS jengate.thur.de.
iks-jena.de. 57600 IN NS avalon.iks-jena.de.
iks-jena.de. 57600 IN NS euro-ns3.cw.net.
iks-jena.de. 57600 IN NS euro-ns1.cw.net.
iks-jena.de. 57600 IN RRSIG NS 5 2 57600 20070612210145 (
20070513224243 39332 iks-jena.de.
hx4uY4j9euW9G15GQUryHGPSRiGDulCgNLySaeMFpGIK
Dk/ib+hWB1rBqub/PxIb4Oad4nucl6Nty+s6149U/q8R
Ahggb9dUWKOU0qGucnwVAQPRsQmz+gmw8B+xTuzZk2jH
VtzfWER0ESCelWgvvOeUSW3K29o3BNli118XZP8= )
;; ADDITIONAL SECTION:
excalibur.iks-jena.de. 57600 IN A 217.17.192.67
excalibur.iks-jena.de. 57600 IN AAAA 2001:4bd8::17
avalon.iks-jena.de. 57600 IN A 217.17.192.66
excalibur.iks-jena.de. 57600 IN RRSIG A 5 3 57600 20070612211000 (
20070513224243 39332 iks-jena.de.
j9Ng5m6L6GZr9aBoKLn+NlvAss7fp9AeziY88Gl1zbxh
YpYl0GxU7UAJgcgYJ2Ybtvw/VTWvEidcrwrA6rQ67+iB
xGlu5wzQbiIDMZwjnM48ValG5cBKvyyDC+xcPSwObYR+
lStq2qMbEUzjAiitaSyCHmc81pK5LtxXCzXzM9Q= )
excalibur.iks-jena.de. 57600 IN RRSIG AAAA 5 3 57600 20070612212708 (
20070513224243 39332 iks-jena.de.
DlJQ1fN3cdP+k6OHZyRgJEi1SOSNGFIE5VS3x6bDxNE+
t9bNssB92VTeZkiR3Fm6aoobcCL8raqW+AlNVxginAgn
G604Vj9y7N4DYmtSMVZxuVU/CsfEEXY7oVh1jp0DICMn
DJ1p96eu9SBwwZkx3VAm4IdfFzVnOPSMZ2qDMlM= )
avalon.iks-jena.de. 57600 IN RRSIG A 5 3 57600 20070612214645 (
20070513224243 39332 iks-jena.de.
S1V47+lLd0P0NEyTLQFLOpShZBjjaTSgzx5+a2+WaipS
U1mXhMKjihz1tQf5tH5kYDxtrQUO3p2XAbcWzZ/aK9JD
i2tfxkAi+geUJYW03XW+CWS/8YIzHS7c6ba0tnQ6Lk9o
w28gDHCsrwyMi20Z2GkigXPAsh2ZWLVzn3OpD8Y= )
;; Query time: 20 msec
;; SERVER: 217.17.192.34#53(217.17.192.34)
;; WHEN: Wed May 16 18:13:42 2007
;; MSG SIZE rcvd: 1120
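An added example (not part of the post) that turns the observation above into a check a resolver operator can run over a dig dump: for each RRset it reports whether a covering RRSIG sits in the same section, and it extracts the reported message size for comparison with the 512-octet plain-UDP limit. The input is a constructed excerpt modelled on the .se referral shown in the post, with signature material shortened; delegation NS and glue are expected to come back unsigned from the parent, and only the DS (and NSEC) RRsets must be covered.

```python
import re
# Constructed dig-style excerpt modelled on the .se referral in the post (signatures shortened).
SAMPLE = """\
;; AUTHORITY SECTION:
se. 172800 IN NS A.NS.se.
se. 172800 IN NS F.NS.se.
se. 172800 IN DS 6166 5 1 (
CE2B007F6D000B064B4A82E8840C19D3D09B8F8E )
se. 172800 IN RRSIG DS 5 1 172800 20070612182136 (
20070514093105 64955 .
UFb/xbmsSy0vioL/OcHOwlT+pbcVrJ5AkO9RSZnTG2NM )
;; ADDITIONAL SECTION:
F.NS.se. 172800 IN AAAA 2a01:280:1:53::53
F.NS.se. 172800 IN A 192.71.53.53
;; MSG SIZE  rcvd: 861
"""

def parse_sections(text):
    """Map section name -> [(owner, type, rdata tokens)]. RDATA continuation
    lines have no 'IN' in the third field, so only an RRSIG's first line counts."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^;; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        tok = line.split()
        if current and not line.startswith(";") and len(tok) >= 4 and tok[2] == "IN":
            sections[current].append((tok[0], tok[3], tok[4:]))
    return sections

def rrset_coverage(text):
    """(section, owner, type) -> True if a RRSIG covering it is in the same section."""
    report = {}
    for sec, rrs in parse_sections(text).items():
        covered = {(o, rd[0]) for o, t, rd in rrs if t == "RRSIG" and rd}
        for owner, rtype, _ in rrs:
            if rtype != "RRSIG":
                report[(sec, owner, rtype)] = (owner, rtype) in covered
    return report

def unsigned_rrsets(text):
    return sorted(k for k, ok in rrset_coverage(text).items() if not ok)

def message_size(text):
    """Size dig reported; above 512 octets the reply needs EDNS0 or TCP."""
    m = re.search(r";; MSG SIZE\s+rcvd: (\d+)", text)
    return int(m.group(1)) if m else None
```

Run against the full dumps in the post, it flags every glue record in the ADDITIONAL section as unsigned while the DS RRset validates through its RRSIG, which is exactly the chain the resolver must walk itself.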