[dns-operations] BE NS performing referral on DS record query

Peter Koch pk at DENIC.DE
Sat Dec 4 10:59:53 UTC 2010


On Sat, Dec 04, 2010 at 01:41:59AM +0000, Griffiths, Chris wrote:

> I am wondering if anyone can point me to who manages the .BE ccTLD.  We are seeing one of their NS performing referrals on DS query when performing DNSSEC validation and it is causing some issues.

> The one we are seeing issues for is:  x.dns.BE.

Of course the TLD should know, but x.dns.be == 194.0.1.10, apparently
CommunityDNS.

> dig @x.dns.be yahoo.be DS
> 
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @x.dns.be yahoo.be DS
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31853
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;yahoo.be.                      IN      DS
> 
> ;; AUTHORITY SECTION:
> yahoo.be.               86400   IN      NS      ns1.yahoo.com.
> yahoo.be.               86400   IN      NS      ns2.yahoo.com.
> yahoo.be.               86400   IN      NS      ns3.yahoo.com.
> yahoo.be.               86400   IN      NS      ns5.yahoo.com.
> yahoo.be.               86400   IN      NS      ns7.yahoo.com.

Well, this is arguable since you didn't set the DO bit, so you're
sailing a bit offshore w.r.t. DNSSEC.  However, the situation
does only slightly improve:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54809
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;yahoo.be.                      IN      DS

;; AUTHORITY SECTION:
yahoo.be.               86400   IN      NS      ns1.yahoo.com.
yahoo.be.               86400   IN      NS      ns2.yahoo.com.
yahoo.be.               86400   IN      NS      ns3.yahoo.com.
yahoo.be.               86400   IN      NS      ns5.yahoo.com.
yahoo.be.               86400   IN      NS      ns7.yahoo.com.
ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN NSEC3 1 1 5 1A4E9B6C BB7ONI6L9S8J5E3K6HUQ7C41J1AN85CR NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN RRSIG NSEC3 8 2 600 20101207140244 20101130135115 61344 be. ZzvHV36wtbQ9woSfpc6nltz+tPc9GStoiEj4Fux+w70xkroPgjCtXhoY jC1uErBEAIKVoMKijb4TbFkssppxTZPvsqqYO3nE6ANWm85pHpP/q9VI eMk8RKcopptowjT9opikpvOJnOxlq3zTWBBoUjpyc6ZhJAPun3RPbQg5 Lfw=
c2occuiqjp2hpgg4j8k0qtalvuafu7km.be. 600 IN NSEC3 1 1 5 1A4E9B6C C3LU29J77L9Q7FP483FBKNEHJJVPIL52 NS DS RRSIG
c2occuiqjp2hpgg4j8k0qtalvuafu7km.be. 600 IN RRSIG NSEC3 8 2 600 20101207151536 20101130145816 61344 be. G+2RsqNrQbnRNKGVIo41e4tWdGpWQvCDnu+RLDZXX/TJ5k9F0R1/+N1Q QIjLY608ZxKQ65IUzoFxCMdraYlV6XkxTHt872v+FG+I/nbqkpPOJlye /MSDgUwynK1efD1DqmmiBqGmBmioBn0SOlIVxz/gZc8YGKGQEAQK7e69 aOc=

;; Query time: 84 msec
;; SERVER: 194.0.1.10#53(194.0.1.10)
;; MSG SIZE  rcvd: 701

Therefore, everybody else is affected in a similar way:

; <<>> DiG 9.7.1-P1 <<>> +dnssec @x.nic.eu. yahoo.eu. ds
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25237
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;yahoo.eu.                      IN      DS

;; AUTHORITY SECTION:
yahoo.eu.               86400   IN      NS      ns1.yahoo.com.
yahoo.eu.               86400   IN      NS      ns2.yahoo.com.
yahoo.eu.               86400   IN      NS      ns3.yahoo.com.
yahoo.eu.               86400   IN      NS      ns4.yahoo.com.
yahoo.eu.               86400   IN      NS      ns5.yahoo.com.
qbq65q6097ocppr0eucqnsc1fhe073ua.eu. 600 IN NSEC3 1 1 1 5CA1AB1E QBREATAE625G9UGNH0BOAAS79IT1LTPE NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
qbq65q6097ocppr0eucqnsc1fhe073ua.eu. 600 IN RRSIG NSEC3 7 2 600 20101211043816 20101204041427 50273 eu. oa7cmwZM4KTpvEXB9qTcv9onMpjSIAeVX4kDbAxTQ41uUh29aFpMwwqa EPLaeC/QlS+4iKorO/NxztesoxuIb8sL5jByjo5ZPq1v7W1gvKgrcNh5 urJX+DBn9WCK0m3hJqZs9RTbh+20VJ/VVNCInIaqsTQRXl8A2T1nQnBl c4Q=
qh9jdcrt7d18g8h48irj7o55lit8j24n.eu. 600 IN NSEC3 1 1 1 5CA1AB1E QI1CCGBSN4H3JIBUNJKH1L2PNI29U9MT NS DS RRSIG
qh9jdcrt7d18g8h48irj7o55lit8j24n.eu. 600 IN RRSIG NSEC3 7 2 600 20101204003448 20101127002231 50273 eu. BmiBkfeL0JxZh5wZStsESxR+rd9XAIZJ0VyX6mDhBjv7ZQx91GRG9uY0 GTOAxsl6pA4TvbypQ+vfBxsXEZHHP7nk7filUNZ7hxzuvidYb+3b6/pT s0XMvekCDm/3NIOf1lYjboxGlLb2mB0A5dKdXrmVicxSS4UetOv58BsM Vpg=

; <<>> DiG 9.7.1-P1 <<>> +dnssec @e.fi. yahoo.fi. ds
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19749
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;yahoo.fi.                      IN      DS

;; AUTHORITY SECTION:
yahoo.fi.               21600   IN      NS      ns1.yahoo.com.
yahoo.fi.               21600   IN      NS      ns5.yahoo.com.
ngop54kjgoqsng2ihq9otsepvfspm1cn.fi. 86400 IN NSEC3 1 1 5 4C3B494FE8887F61 RS46S3QG368H0JMKNO3OPMARI5GOANJD NS SOA TXT RRSIG DNSKEY NSEC3PARAM
ngop54kjgoqsng2ihq9otsepvfspm1cn.fi. 86400 IN RRSIG NSEC3 8 2 86400 20101217182019 20101203184533 25800 fi. cyNnxRb2nUw/s7sjlNKNqBKtUSzfLs4qjhQarRuLV1VYDqlRd3kE/Hbu eENr3zCw6UXCMi/KOD+2VJMsUjKU1YM8Mzrqb2MiEvEhnDazY2yriT1I rHcEdJeQuPZTfybLqv2q09SB/HbBQK52vPqOcLgrOT0lZme/F3bb7Y+q z0Q=
bmgnmhbo084e2f5ondpqhcrq1u3inajm.fi. 86400 IN NSEC3 1 1 5 4C3B494FE8887F61 HT7UML1GDJRBM2NG7OGFAPRM60EKOTQM A RRSIG
bmgnmhbo084e2f5ondpqhcrq1u3inajm.fi. 86400 IN RRSIG NSEC3 8 2 86400 20101217014516 20101202131533 25800 fi. t4jnQ5Rl/DRFdzdExz8EI2w+TbMYPYmqRqiGHS63bmiVPs69y+3KhutW cIRMvyMgh/cPxI2P1UH/kFXIeqvKt3VGxyhSQzXaIERf2kHHdw3LjtD/ 09RjGpfONvFm1LFAbVz7W/km0DBa0Vvk8DFqGBuJUUyeu7lGsze4r/u0 EK8=

Did you see validation failures?

-Peter
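
Added example, not part of the original message: a small classifier for dig text output that separates the referral seen in this thread (no `aa` flag, the child's NS set in the authority section) from the authoritative reply a parent-side server is expected to give for a DS query under RFC 4035. The function names and both sample inputs are constructed for illustration; the NODATA sample's SOA values are placeholders.

```python
import re

# Constructed sample: header, question and two NS lines in the shape of the
# x.dns.be response quoted in the post (NSEC3/RRSIG records left out).
REFERRAL = """\
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1
;; QUESTION SECTION:
;yahoo.be.                      IN      DS
;; AUTHORITY SECTION:
yahoo.be.               86400   IN      NS      ns1.yahoo.com.
yahoo.be.               86400   IN      NS      ns2.yahoo.com.
"""

# Constructed sample of an authoritative "no DS here" reply; SOA values are placeholders.
NODATA = """\
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; QUESTION SECTION:
;yahoo.be.                      IN      DS
;; AUTHORITY SECTION:
be.                     600     IN      SOA     ns.example. hostmaster.example. 1 2 3 4 5
"""

def parse_dig(text):
    """Return (flags, qname, qtype, [(section, owner, rrtype), ...])."""
    flags = re.search(r"^;; flags:([^;]*);", text, re.M).group(1).split()
    question = re.search(r"^;(\S+)\s+IN\s+(\S+)\s*$", text, re.M)
    section, records = None, []
    for line in text.splitlines():
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            section = header.group(1)
            continue
        fields = line.split()
        if not line.startswith(";") and len(fields) >= 4 and fields[2] == "IN":
            records.append((section, fields[0].lower(), fields[3]))
    return flags, question.group(1).lower(), question.group(2), records

def classify_ds_response(text):
    flags, qname, qtype, records = parse_dig(text)
    if qtype != "DS":
        return "not-a-ds-query"
    if any(s == "ANSWER" and t == "DS" for s, _, t in records):
        return "ds-answer"
    authority = [(o, t) for s, o, t in records if s == "AUTHORITY"]
    if "aa" in flags and any(t == "SOA" for _, t in authority):
        return "authoritative-nodata"
    # No AA and the child's own NS set in authority: the server treated DS like
    # any other type at a delegation point and referred the client downwards.
    if "aa" not in flags and any(t == "NS" and o == qname for o, t in authority):
        return "referral-to-child"
    return "unclassified"
```

Feeding it the saved output of `dig +dnssec @<server> <name> DS` for each server of a TLD shows which ones refer instead of answering.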


