[dns-operations] BE NS performing referral on DS record query
Griffiths, Chris
Chris_Griffiths at Cable.Comcast.com
Sun Dec 5 23:57:30 UTC 2010
Even with the DO bit set (I apparently copied the wrong examples from
my command prompt), we are seeing validation failures from our name servers
for this TLD.

We are also seeing the same response from x.nic.eu under the .EU TLD.
See below for the examples; this is also causing resolution
failures in this TLD for us. I will send a separate note to that
TLD as well.

Thanks

Not working:

dig @x.nic.eu yahoo.eu DS +dnssec
; <<>> DiG 9.6.0-APPLE-P2 <<>> @x.nic.eu yahoo.eu DS +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63333
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;yahoo.eu. IN DS
;; AUTHORITY SECTION:
yahoo.eu. 86400 IN NS ns1.yahoo.com.
yahoo.eu. 86400 IN NS ns2.yahoo.com.
yahoo.eu. 86400 IN NS ns3.yahoo.com.
yahoo.eu. 86400 IN NS ns4.yahoo.com.
yahoo.eu. 86400 IN NS ns5.yahoo.com.
qbq65q6097ocppr0eucqnsc1fhe073ua.eu. 600 IN NSEC3 1 1 1 5CA1AB1E
QBREATAE625G9UGNH0BOAAS79IT1LTPE NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
qbq65q6097ocppr0eucqnsc1fhe073ua.eu. 600 IN RRSIG NSEC3 7 2 600
20101211043816 20101204041427 50273 eu.
oa7cmwZM4KTpvEXB9qTcv9onMpjSIAeVX4kDbAxTQ41uUh29aFpMwwqa
EPLaeC/QlS+4iKorO/NxztesoxuIb8sL5jByjo5ZPq1v7W1gvKgrcNh5
urJX+DBn9WCK0m3hJqZs9RTbh+20VJ/VVNCInIaqsTQRXl8A2T1nQnBl c4Q=
qh9jdcrt7d18g8h48irj7o55lit8j24n.eu. 600 IN NSEC3 1 1 1 5CA1AB1E
QI1CCGBSN4H3JIBUNJKH1L2PNI29U9MT NS DS RRSIG
qh9jdcrt7d18g8h48irj7o55lit8j24n.eu. 600 IN RRSIG NSEC3 7 2 600
20101204003448 20101127002231 50273 eu.
BmiBkfeL0JxZh5wZStsESxR+rd9XAIZJ0VyX6mDhBjv7ZQx91GRG9uY0
GTOAxsl6pA4TvbypQ+vfBxsXEZHHP7nk7filUNZ7hxzuvidYb+3b6/pT
s0XMvekCDm/3NIOf1lYjboxGlLb2mB0A5dKdXrmVicxSS4UetOv58BsM Vpg=

Working:

dig @a.nic.EU yahoo.eu DS +dnssec
; <<>> DiG 9.6.0-APPLE-P2 <<>> @a.nic.EU yahoo.eu DS +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44106
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;yahoo.eu. IN DS
;; AUTHORITY SECTION:
QBQ65Q6097OCPPR0EUCQNSC1FHE073UA.eu. 600 IN NSEC3 1 1 1 5CA1AB1E
QBREATAE625G9UGNH0BOAAS79IT1LTPE NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
QBQ65Q6097OCPPR0EUCQNSC1FHE073UA.eu. 600 IN RRSIG NSEC3 7 2 600
20101211043816 20101204041427 50273 eu.
oa7cmwZM4KTpvEXB9qTcv9onMpjSIAeVX4kDbAxTQ41uUh29aFpMwwqa
EPLaeC/QlS+4iKorO/NxztesoxuIb8sL5jByjo5ZPq1v7W1gvKgrcNh5
urJX+DBn9WCK0m3hJqZs9RTbh+20VJ/VVNCInIaqsTQRXl8A2T1nQnBl c4Q=
eu. 600 IN SOA a.nic.eu. tech.eurid.eu.
1003063472 3600 1800 3600000 600
eu. 600 IN RRSIG SOA 7 1 86400
20101212235335 20101205225335 50273 eu.
hfFQlyt8uGcX9VvEgI59MHpsfXwl8bVrl08EL/t2avV0+SUoJ7BWzvsG
c6+ISyad6/HdR8ShJm9xaU+HcUp9WASV4sBdSzq2ehTXe7t0lGX9BqEu
F9LAmspWDPxP6uMFQyFVp+GV65s0/r8ccJNUb5+PhKG8jKGsCRl6f1LW e/k=
QGEFV56B1UGDD1V3P628EKS6BN1OTMV2.eu. 600 IN NSEC3 1 1 1 5CA1AB1E
QI1CCGBSN4H3JIBUNJKH1L2PNI29U9MT NS DS RRSIG
QGEFV56B1UGDD1V3P628EKS6BN1OTMV2.eu. 600 IN RRSIG NSEC3 7 2 600
20101211193121 20101204184907 50273 eu.
L9l0usGYeviu0QTmK3U6QK2Qq8qNBbc5/YCt1GEPP+eEuXehVUjAAPvr
dQMgCzToWzwHnvstVaEidvR2h9hYW4gqOdaQy+nGxXN1tBkE6LsrK9pL
IUzgEidms/7m3kzJXpdayH3PNpT5ij6TBqQo8h4xZw2DL99x35jAOw/N PQc=
--
Chris Griffiths
Comcast Cable Communications, Inc.
On 12/4/10 5:59 AM, "Peter Koch" <pk at DENIC.DE> wrote:
>On Sat, Dec 04, 2010 at 01:41:59AM +0000, Griffiths, Chris wrote:
>
>> I am wondering if anyone can point me to who manages the .BE ccTLD. We
>>are seeing one of their NS performing referrals on DS query when
>>performing DNSSEC validation and it is causing some issues.
>
>> The one we are seeing issues for is: x.dns.BE.
>
>Of course the TLD should know, but x.dns.be == 194.0.1.10, apparently
>CommunityDNS.
>
>> dig @x.dns.be yahoo.be DS
>>
>> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @x.dns.be yahoo.be DS
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31853
>> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 0
>> ;; WARNING: recursion requested but not available
>>
>> ;; QUESTION SECTION:
>> ;yahoo.be. IN DS
>>
>> ;; AUTHORITY SECTION:
>> yahoo.be. 86400 IN NS ns1.yahoo.com.
>> yahoo.be. 86400 IN NS ns2.yahoo.com.
>> yahoo.be. 86400 IN NS ns3.yahoo.com.
>> yahoo.be. 86400 IN NS ns5.yahoo.com.
>> yahoo.be. 86400 IN NS ns7.yahoo.com.
>
>Well, this is arguable since you didn't set the DO bit, so you're
>sailing a bit offshore w.r.t. DNSSEC. However, the situation
>does only slightly improve:
>
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54809
>;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1
>
>;; OPT PSEUDOSECTION:
>; EDNS: version: 0, flags: do; udp: 4096
>;; QUESTION SECTION:
>;yahoo.be. IN DS
>
>;; AUTHORITY SECTION:
>yahoo.be. 86400 IN NS ns1.yahoo.com.
>yahoo.be. 86400 IN NS ns2.yahoo.com.
>yahoo.be. 86400 IN NS ns3.yahoo.com.
>yahoo.be. 86400 IN NS ns5.yahoo.com.
>yahoo.be. 86400 IN NS ns7.yahoo.com.
>ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN NSEC3 1 1 5 1A4E9B6C
>BB7ONI6L9S8J5E3K6HUQ7C41J1AN85CR NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
>ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN RRSIG NSEC3 8 2 600
>20101207140244 20101130135115 61344 be.
>ZzvHV36wtbQ9woSfpc6nltz+tPc9GStoiEj4Fux+w70xkroPgjCtXhoY
>jC1uErBEAIKVoMKijb4TbFkssppxTZPvsqqYO3nE6ANWm85pHpP/q9VI
>eMk8RKcopptowjT9opikpvOJnOxlq3zTWBBoUjpyc6ZhJAPun3RPbQg5 Lfw=
>c2occuiqjp2hpgg4j8k0qtalvuafu7km.be. 600 IN NSEC3 1 1 5 1A4E9B6C
>C3LU29J77L9Q7FP483FBKNEHJJVPIL52 NS DS RRSIG
>c2occuiqjp2hpgg4j8k0qtalvuafu7km.be. 600 IN RRSIG NSEC3 8 2 600
>20101207151536 20101130145816 61344 be.
>G+2RsqNrQbnRNKGVIo41e4tWdGpWQvCDnu+RLDZXX/TJ5k9F0R1/+N1Q
>QIjLY608ZxKQ65IUzoFxCMdraYlV6XkxTHt872v+FG+I/nbqkpPOJlye
>/MSDgUwynK1efD1DqmmiBqGmBmioBn0SOlIVxz/gZc8YGKGQEAQK7e69 aOc=
>
>;; Query time: 84 msec
>;; SERVER: 194.0.1.10#53(194.0.1.10)
>;; MSG SIZE rcvd: 701
>
>Therefore, everybody else is affected in a similar way:
>
>; <<>> DiG 9.7.1-P1 <<>> +dnssec @x.nic.eu. yahoo.eu. ds
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25237
>;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1
>;; WARNING: recursion requested but not available
>
>;; OPT PSEUDOSECTION:
>; EDNS: version: 0, flags: do; udp: 4096
>;; QUESTION SECTION:
>;yahoo.eu. IN DS
>
>;; AUTHORITY SECTION:
>yahoo.eu. 86400 IN NS ns1.yahoo.com.
>yahoo.eu. 86400 IN NS ns2.yahoo.com.
>yahoo.eu. 86400 IN NS ns3.yahoo.com.
>yahoo.eu. 86400 IN NS ns4.yahoo.com.
>yahoo.eu. 86400 IN NS ns5.yahoo.com.
>qbq65q6097ocppr0eucqnsc1fhe073ua.eu. 600 IN NSEC3 1 1 1 5CA1AB1E
>QBREATAE625G9UGNH0BOAAS79IT1LTPE NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
>qbq65q6097ocppr0eucqnsc1fhe073ua.eu. 600 IN RRSIG NSEC3 7 2 600
>20101211043816 20101204041427 50273 eu.
>oa7cmwZM4KTpvEXB9qTcv9onMpjSIAeVX4kDbAxTQ41uUh29aFpMwwqa
>EPLaeC/QlS+4iKorO/NxztesoxuIb8sL5jByjo5ZPq1v7W1gvKgrcNh5
>urJX+DBn9WCK0m3hJqZs9RTbh+20VJ/VVNCInIaqsTQRXl8A2T1nQnBl c4Q=
>qh9jdcrt7d18g8h48irj7o55lit8j24n.eu. 600 IN NSEC3 1 1 1 5CA1AB1E
>QI1CCGBSN4H3JIBUNJKH1L2PNI29U9MT NS DS RRSIG
>qh9jdcrt7d18g8h48irj7o55lit8j24n.eu. 600 IN RRSIG NSEC3 7 2 600
>20101204003448 20101127002231 50273 eu.
>BmiBkfeL0JxZh5wZStsESxR+rd9XAIZJ0VyX6mDhBjv7ZQx91GRG9uY0
>GTOAxsl6pA4TvbypQ+vfBxsXEZHHP7nk7filUNZ7hxzuvidYb+3b6/pT
>s0XMvekCDm/3NIOf1lYjboxGlLb2mB0A5dKdXrmVicxSS4UetOv58BsM Vpg=
>
>; <<>> DiG 9.7.1-P1 <<>> +dnssec @e.fi. yahoo.fi. ds
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19749
>;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
>;; WARNING: recursion requested but not available
>
>;; OPT PSEUDOSECTION:
>; EDNS: version: 0, flags: do; udp: 4096
>;; QUESTION SECTION:
>;yahoo.fi. IN DS
>
>;; AUTHORITY SECTION:
>yahoo.fi. 21600 IN NS ns1.yahoo.com.
>yahoo.fi. 21600 IN NS ns5.yahoo.com.
>ngop54kjgoqsng2ihq9otsepvfspm1cn.fi. 86400 IN NSEC3 1 1 5
>4C3B494FE8887F61 RS46S3QG368H0JMKNO3OPMARI5GOANJD NS SOA TXT RRSIG DNSKEY
>NSEC3PARAM
>ngop54kjgoqsng2ihq9otsepvfspm1cn.fi. 86400 IN RRSIG NSEC3 8 2 86400
>20101217182019 20101203184533 25800 fi.
>cyNnxRb2nUw/s7sjlNKNqBKtUSzfLs4qjhQarRuLV1VYDqlRd3kE/Hbu
>eENr3zCw6UXCMi/KOD+2VJMsUjKU1YM8Mzrqb2MiEvEhnDazY2yriT1I
>rHcEdJeQuPZTfybLqv2q09SB/HbBQK52vPqOcLgrOT0lZme/F3bb7Y+q z0Q=
>bmgnmhbo084e2f5ondpqhcrq1u3inajm.fi. 86400 IN NSEC3 1 1 5
>4C3B494FE8887F61 HT7UML1GDJRBM2NG7OGFAPRM60EKOTQM A RRSIG
>bmgnmhbo084e2f5ondpqhcrq1u3inajm.fi. 86400 IN RRSIG NSEC3 8 2 86400
>20101217014516 20101202131533 25800 fi.
>t4jnQ5Rl/DRFdzdExz8EI2w+TbMYPYmqRqiGHS63bmiVPs69y+3KhutW
>cIRMvyMgh/cPxI2P1UH/kFXIeqvKt3VGxyhSQzXaIERf2kHHdw3LjtD/
>09RjGpfONvFm1LFAbVz7W/km0DBa0Vvk8DFqGBuJUUyeu7lGsze4r/u0 EK8=
>
>Did you see validation failures?
>
>-Peter
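
The x.nic.eu and a.nic.EU responses above differ in two things a monitor can check: the AA flag, and whether the AUTHORITY section carries the child's NS set or the parent's SOA alongside the NSEC3 records. As an added example that is not part of the original thread, this Python code classifies saved dig text output for a DS query; the function name, the result labels and the abridged sample inputs are assumptions made for illustration.

```python
import re

# Constructed samples, abridged from the x.nic.eu / a.nic.EU responses above (RRSIGs dropped).
REFERRAL = """\
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1
;; QUESTION SECTION:
;yahoo.eu. IN DS
;; AUTHORITY SECTION:
yahoo.eu. 86400 IN NS ns1.yahoo.com.
qh9jdcrt7d18g8h48irj7o55lit8j24n.eu. 600 IN NSEC3 1 1 1 5CA1AB1E
QI1CCGBSN4H3JIBUNJKH1L2PNI29U9MT NS DS RRSIG
"""
NODATA = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; QUESTION SECTION:
;yahoo.eu. IN DS
;; AUTHORITY SECTION:
eu. 600 IN SOA a.nic.eu. tech.eurid.eu.
1003063472 3600 1800 3600000 600
QGEFV56B1UGDD1V3P628EKS6BN1OTMV2.eu. 600 IN NSEC3 1 1 1 5CA1AB1E
QI1CCGBSN4H3JIBUNJKH1L2PNI29U9MT NS DS RRSIG
"""

def classify_ds_response(text):
    """Classify dig text output for a DS query sent to a parent-zone server."""
    flags = re.search(r"^;; flags: ([a-z ]*);", text, re.M).group(1).split()
    answers = int(re.search(r"ANSWER: (\d+)", text).group(1))
    qname, qtype = re.search(r"^;(\S+)\s+IN\s+(\S+)", text, re.M).groups()
    if qtype != "DS":
        raise ValueError("not a DS query")
    section, authority = None, set()
    for line in text.splitlines():
        header = re.match(r";; (\w+) SECTION:", line)
        fields = line.split()
        # Record lines look like "owner TTL IN TYPE ..."; wrapped RDATA lines are skipped.
        is_rr = len(fields) >= 4 and fields[1].isdigit() and fields[2] == "IN"
        if header:
            section = header.group(1)
        elif section == "AUTHORITY" and is_rr:
            authority.add((fields[0].lower(), fields[3]))
    if answers:
        return "answer"
    delegated = (qname.lower(), "NS") in authority
    has_soa = any(rtype == "SOA" for _, rtype in authority)
    if delegated and "aa" not in flags:
        return "referral"              # child NS set returned for a parent-side type
    if has_soa and "aa" in flags:
        return "authoritative-nodata"  # parent answers for DS with a signed denial
    return "other"
```

Run against each authoritative server of a signed parent zone, a "referral" result for a DS query at a delegation point flags the behaviour reported in this thread.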