[dns-operations] BE NS performing referral on DS record query

Mark Andrews marka at isc.org
Mon Dec 6 01:23:33 UTC 2010


In message <C9218E6B.2A41F%chris_griffiths at cable.comcast.com>, "Griffiths, Chris" writes:
> Even with the DO bit set which I apparently copied the wrong examples from
> my command prompt, we are seeing validation failures from our name servers
> for this TLD.  
> 
> We are also seeing the same response from x.nic.eu under the .EU TLD as
> well.  See below for the examples, and this is also causing resolution
> failures in this TLD as well for us.  I will send a separate note to that
> TLD as well.
> 
> Thanks
> 
> Not working:

Stale RRSIG 20101204003448 20101127002231

> dig @x.nic.eu yahoo.eu DS +dnssec
> 
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @x.nic.eu yahoo.eu DS +dnssec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63333
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;yahoo.eu.                      IN      DS
> 
> ;; AUTHORITY SECTION:
> yahoo.eu.               86400   IN      NS      ns1.yahoo.com.
> yahoo.eu.               86400   IN      NS      ns2.yahoo.com.
> yahoo.eu.               86400   IN      NS      ns3.yahoo.com.
> yahoo.eu.               86400   IN      NS      ns4.yahoo.com.
> yahoo.eu.               86400   IN      NS      ns5.yahoo.com.
> qbq65q6097ocppr0eucqnsc1fhe073ua.eu. 600 IN NSEC3 1 1 1 5CA1AB1E
> QBREATAE625G9UGNH0BOAAS79IT1LTPE NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
> qbq65q6097ocppr0eucqnsc1fhe073ua.eu. 600 IN RRSIG NSEC3 7 2 600
> 20101211043816 20101204041427 50273 eu.
> oa7cmwZM4KTpvEXB9qTcv9onMpjSIAeVX4kDbAxTQ41uUh29aFpMwwqa
> EPLaeC/QlS+4iKorO/NxztesoxuIb8sL5jByjo5ZPq1v7W1gvKgrcNh5
> urJX+DBn9WCK0m3hJqZs9RTbh+20VJ/VVNCInIaqsTQRXl8A2T1nQnBl c4Q=
> qh9jdcrt7d18g8h48irj7o55lit8j24n.eu. 600 IN NSEC3 1 1 1 5CA1AB1E
> QI1CCGBSN4H3JIBUNJKH1L2PNI29U9MT NS DS RRSIG
> qh9jdcrt7d18g8h48irj7o55lit8j24n.eu. 600 IN RRSIG NSEC3 7 2 600
> 20101204003448 20101127002231 50273 eu.
> BmiBkfeL0JxZh5wZStsESxR+rd9XAIZJ0VyX6mDhBjv7ZQx91GRG9uY0
> GTOAxsl6pA4TvbypQ+vfBxsXEZHHP7nk7filUNZ7hxzuvidYb+3b6/pT
> s0XMvekCDm/3NIOf1lYjboxGlLb2mB0A5dKdXrmVicxSS4UetOv58BsM Vpg=
> 
> 
> Working:
> 
> dig @a.nic.EU yahoo.eu DS +dnssec
> 
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @a.nic.EU yahoo.eu DS +dnssec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44106
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;yahoo.eu.                      IN      DS
> 
> ;; AUTHORITY SECTION:
> QBQ65Q6097OCPPR0EUCQNSC1FHE073UA.eu. 600 IN NSEC3 1 1 1 5CA1AB1E
> QBREATAE625G9UGNH0BOAAS79IT1LTPE NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
> QBQ65Q6097OCPPR0EUCQNSC1FHE073UA.eu. 600 IN RRSIG NSEC3 7 2 600
> 20101211043816 20101204041427 50273 eu.
> oa7cmwZM4KTpvEXB9qTcv9onMpjSIAeVX4kDbAxTQ41uUh29aFpMwwqa
> EPLaeC/QlS+4iKorO/NxztesoxuIb8sL5jByjo5ZPq1v7W1gvKgrcNh5
> urJX+DBn9WCK0m3hJqZs9RTbh+20VJ/VVNCInIaqsTQRXl8A2T1nQnBl c4Q=
> eu.                     600     IN      SOA     a.nic.eu. tech.eurid.eu.
> 1003063472 3600 1800 3600000 600
> eu.                     600     IN      RRSIG   SOA 7 1 86400
> 20101212235335 20101205225335 50273 eu.
> hfFQlyt8uGcX9VvEgI59MHpsfXwl8bVrl08EL/t2avV0+SUoJ7BWzvsG
> c6+ISyad6/HdR8ShJm9xaU+HcUp9WASV4sBdSzq2ehTXe7t0lGX9BqEu
> F9LAmspWDPxP6uMFQyFVp+GV65s0/r8ccJNUb5+PhKG8jKGsCRl6f1LW e/k=
> QGEFV56B1UGDD1V3P628EKS6BN1OTMV2.eu. 600 IN NSEC3 1 1 1 5CA1AB1E
> QI1CCGBSN4H3JIBUNJKH1L2PNI29U9MT NS DS RRSIG
> QGEFV56B1UGDD1V3P628EKS6BN1OTMV2.eu. 600 IN RRSIG NSEC3 7 2 600
> 20101211193121 20101204184907 50273 eu.
> L9l0usGYeviu0QTmK3U6QK2Qq8qNBbc5/YCt1GEPP+eEuXehVUjAAPvr
> dQMgCzToWzwHnvstVaEidvR2h9hYW4gqOdaQy+nGxXN1tBkE6LsrK9pL
> IUzgEidms/7m3kzJXpdayH3PNpT5ij6TBqQo8h4xZw2DL99x35jAOw/N PQc=
> 
> 
> --
> Chris Griffiths
> Comcast Cable Communications, Inc.
> 
> On 12/4/10 5:59 AM, "Peter Koch" <pk at DENIC.DE> wrote:
> 
> >On Sat, Dec 04, 2010 at 01:41:59AM +0000, Griffiths, Chris wrote:
> >
> >> I am wondering if anyone can point me to who manages the .BE ccTLD.  We
> >>are seeing one of their NS performing referrals on DS query when
> >>performing DNSSEC validation and it is causing some issues.
> >
> >> The one we are seeing issues for is:  x.dns.BE.
> >
> >Of course the TLD should know, but x.dns.be == 194.0.1.10, apparently
> >CommunityDNS.
> >
> >> dig @x.dns.be yahoo.be DS
> >> 
> >> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @x.dns.be yahoo.be DS
> >> ; (1 server found)
> >> ;; global options: +cmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31853
> >> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 0
> >> ;; WARNING: recursion requested but not available
> >> 
> >> ;; QUESTION SECTION:
> >> ;yahoo.be.                      IN      DS
> >> 
> >> ;; AUTHORITY SECTION:
> >> yahoo.be.               86400   IN      NS      ns1.yahoo.com.
> >> yahoo.be.               86400   IN      NS      ns2.yahoo.com.
> >> yahoo.be.               86400   IN      NS      ns3.yahoo.com.
> >> yahoo.be.               86400   IN      NS      ns5.yahoo.com.
> >> yahoo.be.               86400   IN      NS      ns7.yahoo.com.
> >
> >Well, this is arguable since you didn't set the DO bit, so you're
> >sailing a bit offshore w.r.t. DNSSEC.  However, the situation
> >does only slightly improve:
> >
> >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54809
> >;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1
> >
> >;; OPT PSEUDOSECTION:
> >; EDNS: version: 0, flags: do; udp: 4096
> >;; QUESTION SECTION:
> >;yahoo.be.                      IN      DS
> >
> >;; AUTHORITY SECTION:
> >yahoo.be.               86400   IN      NS      ns1.yahoo.com.
> >yahoo.be.               86400   IN      NS      ns2.yahoo.com.
> >yahoo.be.               86400   IN      NS      ns3.yahoo.com.
> >yahoo.be.               86400   IN      NS      ns5.yahoo.com.
> >yahoo.be.               86400   IN      NS      ns7.yahoo.com.
> >ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN NSEC3 1 1 5 1A4E9B6C
> >BB7ONI6L9S8J5E3K6HUQ7C41J1AN85CR NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
> >ba141snrnoe1rc9mddgrest23g657rir.be. 600 IN RRSIG NSEC3 8 2 600
> >20101207140244 20101130135115 61344 be.
> >ZzvHV36wtbQ9woSfpc6nltz+tPc9GStoiEj4Fux+w70xkroPgjCtXhoY
> >jC1uErBEAIKVoMKijb4TbFkssppxTZPvsqqYO3nE6ANWm85pHpP/q9VI
> >eMk8RKcopptowjT9opikpvOJnOxlq3zTWBBoUjpyc6ZhJAPun3RPbQg5 Lfw=
> >c2occuiqjp2hpgg4j8k0qtalvuafu7km.be. 600 IN NSEC3 1 1 5 1A4E9B6C
> >C3LU29J77L9Q7FP483FBKNEHJJVPIL52 NS DS RRSIG
> >c2occuiqjp2hpgg4j8k0qtalvuafu7km.be. 600 IN RRSIG NSEC3 8 2 600
> >20101207151536 20101130145816 61344 be.
> >G+2RsqNrQbnRNKGVIo41e4tWdGpWQvCDnu+RLDZXX/TJ5k9F0R1/+N1Q
> >QIjLY608ZxKQ65IUzoFxCMdraYlV6XkxTHt872v+FG+I/nbqkpPOJlye
> >/MSDgUwynK1efD1DqmmiBqGmBmioBn0SOlIVxz/gZc8YGKGQEAQK7e69 aOc=
> >
> >;; Query time: 84 msec
> >;; SERVER: 194.0.1.10#53(194.0.1.10)
> >;; MSG SIZE  rcvd: 701
> >
> >Therefore, everybody else is affected in a similar way:
> >
> >; <<>> DiG 9.7.1-P1 <<>> +dnssec @x.nic.eu. yahoo.eu. ds
> >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25237
> >;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1
> >;; WARNING: recursion requested but not available
> >
> >;; OPT PSEUDOSECTION:
> >; EDNS: version: 0, flags: do; udp: 4096
> >;; QUESTION SECTION:
> >;yahoo.eu.                      IN      DS
> >
> >;; AUTHORITY SECTION:
> >yahoo.eu.               86400   IN      NS      ns1.yahoo.com.
> >yahoo.eu.               86400   IN      NS      ns2.yahoo.com.
> >yahoo.eu.               86400   IN      NS      ns3.yahoo.com.
> >yahoo.eu.               86400   IN      NS      ns4.yahoo.com.
> >yahoo.eu.               86400   IN      NS      ns5.yahoo.com.
> >qbq65q6097ocppr0eucqnsc1fhe073ua.eu. 600 IN NSEC3 1 1 1 5CA1AB1E
> >QBREATAE625G9UGNH0BOAAS79IT1LTPE NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
> >qbq65q6097ocppr0eucqnsc1fhe073ua.eu. 600 IN RRSIG NSEC3 7 2 600
> >20101211043816 20101204041427 50273 eu.
> >oa7cmwZM4KTpvEXB9qTcv9onMpjSIAeVX4kDbAxTQ41uUh29aFpMwwqa
> >EPLaeC/QlS+4iKorO/NxztesoxuIb8sL5jByjo5ZPq1v7W1gvKgrcNh5
> >urJX+DBn9WCK0m3hJqZs9RTbh+20VJ/VVNCInIaqsTQRXl8A2T1nQnBl c4Q=
> >qh9jdcrt7d18g8h48irj7o55lit8j24n.eu. 600 IN NSEC3 1 1 1 5CA1AB1E
> >QI1CCGBSN4H3JIBUNJKH1L2PNI29U9MT NS DS RRSIG
> >qh9jdcrt7d18g8h48irj7o55lit8j24n.eu. 600 IN RRSIG NSEC3 7 2 600
> >20101204003448 20101127002231 50273 eu.
> >BmiBkfeL0JxZh5wZStsESxR+rd9XAIZJ0VyX6mDhBjv7ZQx91GRG9uY0
> >GTOAxsl6pA4TvbypQ+vfBxsXEZHHP7nk7filUNZ7hxzuvidYb+3b6/pT
> >s0XMvekCDm/3NIOf1lYjboxGlLb2mB0A5dKdXrmVicxSS4UetOv58BsM Vpg=
> >
> >; <<>> DiG 9.7.1-P1 <<>> +dnssec @e.fi. yahoo.fi. ds
> >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19749
> >;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
> >;; WARNING: recursion requested but not available
> >
> >;; OPT PSEUDOSECTION:
> >; EDNS: version: 0, flags: do; udp: 4096
> >;; QUESTION SECTION:
> >;yahoo.fi.                      IN      DS
> >
> >;; AUTHORITY SECTION:
> >yahoo.fi.               21600   IN      NS      ns1.yahoo.com.
> >yahoo.fi.               21600   IN      NS      ns5.yahoo.com.
> >ngop54kjgoqsng2ihq9otsepvfspm1cn.fi. 86400 IN NSEC3 1 1 5
> >4C3B494FE8887F61 RS46S3QG368H0JMKNO3OPMARI5GOANJD NS SOA TXT RRSIG DNSKEY
> >NSEC3PARAM
> >ngop54kjgoqsng2ihq9otsepvfspm1cn.fi. 86400 IN RRSIG NSEC3 8 2 86400
> >20101217182019 20101203184533 25800 fi.
> >cyNnxRb2nUw/s7sjlNKNqBKtUSzfLs4qjhQarRuLV1VYDqlRd3kE/Hbu
> >eENr3zCw6UXCMi/KOD+2VJMsUjKU1YM8Mzrqb2MiEvEhnDazY2yriT1I
> >rHcEdJeQuPZTfybLqv2q09SB/HbBQK52vPqOcLgrOT0lZme/F3bb7Y+q z0Q=
> >bmgnmhbo084e2f5ondpqhcrq1u3inajm.fi. 86400 IN NSEC3 1 1 5
> >4C3B494FE8887F61 HT7UML1GDJRBM2NG7OGFAPRM60EKOTQM A RRSIG
> >bmgnmhbo084e2f5ondpqhcrq1u3inajm.fi. 86400 IN RRSIG NSEC3 8 2 86400
> >20101217014516 20101202131533 25800 fi.
> >t4jnQ5Rl/DRFdzdExz8EI2w+TbMYPYmqRqiGHS63bmiVPs69y+3KhutW
> >cIRMvyMgh/cPxI2P1UH/kFXIeqvKt3VGxyhSQzXaIERf2kHHdw3LjtD/
> >09RjGpfONvFm1LFAbVz7W/km0DBa0Vvk8DFqGBuJUUyeu7lGsze4r/u0 EK8=
> >
> >Did you see validation failures?
> >
> >-Peter
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
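
The "Stale RRSIG" note above gives the expiration and inception fields of the second NSEC3 signature in the x.nic.eu answer. As an added example (not part of the original message or of any tool named in it), the following parses dig output pasted from mail, reports RRSIGs whose validity window excludes a given time, and flags a DS answer that came back as a referral. The sample is abridged from the output quoted in this thread with signature data omitted; the function names, and the use of this message's date as the reference time, are assumptions.

```python
import re
from datetime import datetime, timezone

# Abridged from the x.nic.eu answer quoted above (signature data omitted).
SAMPLE = """\
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1
> ;yahoo.eu.                      IN      DS
> yahoo.eu.               86400   IN      NS      ns1.yahoo.com.
> qbq65q6097ocppr0eucqnsc1fhe073ua.eu. 600 IN RRSIG NSEC3 7 2 600
> 20101211043816 20101204041427 50273 eu.
> qh9jdcrt7d18g8h48irj7o55lit8j24n.eu. 600 IN RRSIG NSEC3 7 2 600
> 20101204003448 20101127002231 50273 eu.
"""

# owner TTL IN RRSIG covered alg labels origTTL expiration inception keytag signer
RRSIG_RE = re.compile(
    r"(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(\d{14})\s+(\d{14})\s+(\d+)\s+(\S+)")

def _unquote(text):
    # Drop mail quote markers so wrapped records can be matched across lines.
    return "\n".join(re.sub(r"^[>\s]+", "", l) for l in text.splitlines())

def _ts(s):
    # RRSIG timestamps in presentation form are YYYYMMDDHHmmSS in UTC.
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_windows(text):
    """Return (owner, covered, expiration, inception) for each RRSIG."""
    return [(m[1].lower(), m[2], _ts(m[3]), _ts(m[4]))
            for m in RRSIG_RE.finditer(_unquote(text))]

def stale_rrsigs(text, now):
    """RRSIGs whose validity window does not contain `now`."""
    return [r for r in rrsig_windows(text) if not (r[3] <= now <= r[2])]

def is_referral(text):
    """True when the answer lacks the aa flag but carries NS for the qname."""
    body = _unquote(text)
    flags = re.search(r"flags:([^;]*);", body)
    qname = re.search(r"^;(\S+)\s+IN\s+DS", body, re.M)
    if not flags or not qname:
        return False
    ns_re = r"^%s\s+\d+\s+IN\s+NS\s" % re.escape(qname[1])
    has_ns = re.search(ns_re, body, re.M | re.I)
    return "aa" not in flags[1].split() and bool(has_ns)
```

With the reference time set to this message's date (2010-12-06 01:23:33 UTC), `stale_rrsigs(SAMPLE, now)` returns only the `qh9jdcrt...` signature, and `is_referral(SAMPLE)` is true because the header has no `aa` flag while the authority section carries NS records for `yahoo.eu.`.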


