[dns-operations] DNSSEC Failure w/IPv6 PTRs?
Joe Abley
jabley at hopcount.ca
Sun May 15 23:17:00 UTC 2011
Hi Mark,
We're aware of the situation and hope to have resolution shortly. I'll send a more detailed note in due course.
Many thanks to you and the several others who noticed this and let us know.
Joe
Sent from my iPhone
On 2011-05-15, at 16:39, Mark Kamichoff <prox at prolixium.com> wrote:
> Hi -
>
> I'm observing what seems to be a DNSSEC-related problem with resolving
> IPv6 PTRs from DNSSEC validating servers, today. From a box on Comcast,
> here's what I'm seeing to Comcast's DNSSEC validating servers vs. a
> non-DNSSEC validating server (OpenDNS):
>
> (tachyon:16:30)% dig @75.75.75.75 -x 2600::
>
> ; <<>> DiG 9.7.2-P3 <<>> @75.75.75.75 -x 2600::
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 985
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.ip6.arpa. IN PTR
>
> ;; Query time: 402 msec
> ;; SERVER: 75.75.75.75#53(75.75.75.75)
> ;; WHEN: Sun May 15 16:30:47 2011
> ;; MSG SIZE rcvd: 90
>
> (tachyon:16:30)% dig @resolver1.opendns.com. -x 2600::
>
> ; <<>> DiG 9.7.2-P3 <<>> @resolver1.opendns.com. -x 2600::
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40325
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.ip6.arpa. IN PTR
>
> ;; ANSWER SECTION:
> 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.ip6.arpa. 86400 IN PTR www.sprint.net.
>
> ;; Query time: 249 msec
> ;; SERVER: 208.67.222.222#53(208.67.222.222)
> ;; WHEN: Sun May 15 16:30:54 2011
> ;; MSG SIZE rcvd: 118
>
> I can replicate these problems on my own instance of BIND that's
> configured to do DNSSEC validation:
>
> (atlantis:16:35)# tail /var/log/daemon.log
> May 15 16:35:53 atlantis named[19455]: validating @0x7fbb5f202800:
> 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.ip6.arpa
> PTR: bad cache hit (2.ip6.arpa/DS)
> May 15 16:35:53 atlantis named[19455]: error (broken trust chain)
> resolving
> '0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.2.ip6.arpa/PTR/IN':
> 206.228.179.10#53
>
> Are other folks experiencing these problems, or is it just me? Not sure
> when this started, but I can replicate it from a few different
> locations.
>
> - Mark
>
> --
> Mark Kamichoff
> prox at prolixium.com
> http://www.prolixium.com/
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
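The comparison made in the quoted report (SERVFAIL from a validating resolver, NOERROR with an answer from a non-validating one, plus named's "broken trust chain" log lines), as an added Python example that is not part of the original thread. The function names and verdict strings are assumptions, and the sample input is constructed by abridging the dig and named output quoted above.

```python
import ipaddress
import re

# Constructed sample input, abridged from the dig and named output quoted
# above (wrapped log lines are joined back onto one line each).
QNAME = "0." * 30 + "6.2.ip6.arpa"
DIG_VALIDATING = (";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 985\n"
                  ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0\n")
DIG_PLAIN = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40325\n"
             ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0\n")
NAMED_LOG = (
    "May 15 16:35:53 atlantis named[19455]: validating @0x7fbb5f202800: "
    + QNAME + " PTR: bad cache hit (2.ip6.arpa/DS)\n"
    "May 15 16:35:53 atlantis named[19455]: error (broken trust chain) "
    "resolving '" + QNAME + "/PTR/IN': 206.228.179.10#53\n")

def reverse_name(addr):
    """Owner name that `dig -x` queries for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(addr).reverse_pointer

def dig_header(output):
    """Return (rcode, answer_count) from dig's header lines."""
    status = re.search(r"status: (\w+)", output)
    answers = re.search(r"ANSWER: (\d+)", output)
    if not status or not answers:
        raise ValueError("no dig header found")
    return status.group(1), int(answers.group(1))

def compare(validating_out, plain_out):
    """Classify one name queried through a validating and a plain resolver."""
    v_status, _ = dig_header(validating_out)
    p_status, p_answers = dig_header(plain_out)
    if v_status == "SERVFAIL" and p_status == "NOERROR" and p_answers > 0:
        return "suspect-dnssec-validation"  # data exists, validator rejects it
    if v_status == p_status:
        return "consistent"
    return "inconclusive"

def trust_chain_findings(log, qname):
    """Pull the failing record and broken-chain error for qname from named's log."""
    lines = [l for l in log.splitlines() if qname in l]
    bad = [m.groups() for l in lines
           for m in re.finditer(r"bad cache hit \(([^/\s]+)/(\w+)\)", l)]
    broken = any("error (broken trust chain)" in l for l in lines)
    return {"bad_cache_hits": bad, "broken_trust_chain": broken}

if __name__ == "__main__":
    print(compare(DIG_VALIDATING, DIG_PLAIN))
    print(trust_chain_findings(NAMED_LOG, reverse_name("2600::")))
```

A SERVFAIL that goes away when the same validating resolver is queried with `dig +cd` (checking disabled) points the same way as the `suspect-dnssec-validation` verdict.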