[dns-operations] DNSSEC Failure w/IPv6 PTRs?

Mark Kamichoff prox at prolixium.com
Sun May 15 20:39:50 UTC 2011


Hi - 

I'm observing what seems to be a DNSSEC-related problem with resolving
IPv6 PTRs from DNSSEC validating servers, today.  From a box on Comcast,
here's what I'm seeing to Comcast's DNSSEC validating servers vs. a
non-DNSSEC validating server (OpenDNS):

(tachyon:16:30)% dig @75.75.75.75 -x 2600::       

; <<>> DiG 9.7.2-P3 <<>> @75.75.75.75 -x 2600::
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 985
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.ip6.arpa.  IN PTR

;; Query time: 402 msec
;; SERVER: 75.75.75.75#53(75.75.75.75)
;; WHEN: Sun May 15 16:30:47 2011
;; MSG SIZE  rcvd: 90

(tachyon:16:30)% dig @resolver1.opendns.com. -x 2600::

; <<>> DiG 9.7.2-P3 <<>> @resolver1.opendns.com. -x 2600::
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40325
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.ip6.arpa.  IN PTR

;; ANSWER SECTION:
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.ip6.arpa.  86400	IN PTR www.sprint.net.

;; Query time: 249 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sun May 15 16:30:54 2011
;; MSG SIZE  rcvd: 118

I can replicate these problems on my own instance of BIND that's
configured to do DNSSEC validation:

(atlantis:16:35)# tail /var/log/daemon.log
May 15 16:35:53 atlantis named[19455]: validating @0x7fbb5f202800: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.ip6.arpa PTR: bad cache hit (2.ip6.arpa/DS)
May 15 16:35:53 atlantis named[19455]: error (broken trust chain) resolving '0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.ip6.arpa/PTR/IN': 206.228.179.10#53

Are other folks experiencing these problems, or is it just me?  Not sure
when this started, but I can replicate it from a few different
locations.

- Mark

-- 
Mark Kamichoff
prox at prolixium.com
http://www.prolixium.com/
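
One way to triage the two named log entries above, as an added example that is not part of the original post: it pairs the "broken trust chain" error with the record the validator reported as a bad cache hit and checks that this record lies on the query name's delegation path. The function names are hypothetical, the regexes are written against the two messages as quoted (other BIND versions may word them differently), and the sample lines are those entries rejoined onto single lines.

```python
import ipaddress
import re

# Patterns for the two named validator messages quoted in the post.
BAD_HIT = re.compile(r"validating @\S+: (?P<qname>\S+) (?P<qtype>\w+): "
                     r"bad cache hit \((?P<owner>[^/\s]+)/(?P<rtype>\w+)\)")
BROKEN = re.compile(r"error \(broken trust chain\) resolving "
                    r"'(?P<qname>[^/\s]+)/(?P<qtype>\w+)/IN': (?P<server>[^#\s]+)#\d+")

def ancestors(name):
    """Enclosing domain names of `name`, nearest first."""
    labels = name.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]

def triage(log_lines):
    """Pair each 'broken trust chain' error with the record the validator rejected."""
    rejected, findings = {}, []
    for line in log_lines:
        hit = BAD_HIT.search(line)
        if hit:
            rejected[hit["qname"].lower().rstrip(".")] = (hit["owner"].lower(), hit["rtype"])
            continue
        err = BROKEN.search(line)
        if not err:
            continue
        qname = err["qname"].lower().rstrip(".")
        owner, rtype = rejected.get(qname, (None, None))
        chain = ancestors(qname)
        findings.append({
            "qname": qname,
            "server": err["server"],
            "rejected": f"{owner}/{rtype}" if owner else None,
            # True when the rejected record is on the query's delegation path
            "on_path": owner in chain,
            # labels to strip from qname to reach the rejected owner name
            "labels_up": chain.index(owner) + 1 if owner in chain else None,
        })
    return findings

# Constructed input: the post's two log entries, with the reverse name generated from 2600::
QNAME = ipaddress.ip_address("2600::").reverse_pointer
SAMPLE_LOG = [
    f"May 15 16:35:53 atlantis named[19455]: validating @0x7fbb5f202800: {QNAME} PTR: bad cache hit (2.ip6.arpa/DS)",
    f"May 15 16:35:53 atlantis named[19455]: error (broken trust chain) resolving '{QNAME}/PTR/IN': 206.228.179.10#53",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

When `on_path` is true, repeating the post's `dig -x` query against the validating resolver with `+cd` (checking disabled) shows whether the SERVFAIL is produced by validation alone.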