[dns-operations] .net returning glue and NSEC3 records?

Mark Andrews marka at isc.org
Mon Nov 7 20:47:27 UTC 2011 

In message <alpine.DEB.2.00.1111071438001.25530 at mail.xelerance.com>, Paul Wouters writ
es:
> 
> We noticed that .net is returning glue for items it also proves via NSEC3 that
> it does not exist?
> 
> whois redirects to registrar which then fails, so I think the domain is valid, but
> have no proof.

I don't see a problem.  Flags is 1 so there can be insecure delegations in the
range and the hash of lanzarote-immobilie.net is 6OBCRU9HRLJA0TVFOC2JOA55ASS7OBVU
which is between 6MVJ05SNCJH2809G6OGGGH7J921VNJ7T and 6OP5R34VLOJ3Q2K4NMIIGA7.

[drugs:~/cvs/rt20287] marka% nsec3hash - 1 0 lanzarote-immobilie.net
6OBCRU9HRLJA0TVFOC2JOA55ASS7OBVU (salt=-, hash=1, iterations=0)
[drugs:~/cvs/rt20287] marka% 

Mark

> $ dig +dnssec +cd ns lanzarote-immobilie.net. @a.gtld-servers.net.
> 
> ; <<>> DiG 9.7.0-P1 <<>> +dnssec +cd ns lanzarote-immobilie.net. @a.gtld-servers.net
> .
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26976
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 3
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;lanzarote-immobilie.net. IN NS
> 
> ;; AUTHORITY SECTION:
> lanzarote-immobilie.net. 172800	IN NS dns5.sistema-dns.com.
> lanzarote-immobilie.net. 172800	IN NS dns6.sistema-dns.com.
> A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN NSEC3 1 1 0 - A2003PRAPCHMS9L1A11GMVJ
> 0JNP84A46 NS SOA RRSIG DNSKEY NSEC3PARAM
> A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN RRSIG NSEC3 8 2 86400 20111114104524 
> (
>  				20111107093524 41045 net.
>  				hdqXwxaYTRkEK7xTjPrQnLwkZ3CNCm6qbwsMBOSKcjjT
>  				RIyYWCe8pJJ5FE3TcqClarmHSaLsJH84OX6bJs5u/jTN
>  				CmDryzZs3YXrm7XEi+ZX7h2xGEgDwNTp8/CdM4+Y6nMa
>  				+Xdx+nIR+F89DHTBJ+5nCo026u3D9Dv2QF6LpDU= )
> 6MVJ05SNCJH2809G6OGGGH7J921VNJ7T.net. 86400 IN NSEC3 1 1 0 - 6OP5R34VLOJ3Q2K4NMIIGA7
> N5KBV10K5 NS DS RRSIG
> 6MVJ05SNCJH2809G6OGGGH7J921VNJ7T.net. 86400 IN RRSIG NSEC3 8 2 86400 20111114172404 
> (
>  				20111107161404 41045 net.
>  				JRDa3MJGxdnz1lFuFXWzITsONe74g/hltZWfpXxWlgQQ
>  				KwJVTM2an4r9YC0ujQjzCMvXXycqvbZW2n4OM985LNCE
>  				7qrYlGrS0AXZISO1Lp/4r0WRkEvsBKE/Mk71b9io1uCL
>  				9KKi7EeLf5WU8MbnXsLv/cFq8ZH+pSiq5IjcK2Y= )
> 
> ;; ADDITIONAL SECTION:
> dns5.sistema-dns.com.	172800 IN A 93.93.112.85
> dns6.sistema-dns.com.	172800 IN A 93.93.112.85
> 
> ;; Query time: 154 msec
> ;; SERVER: 2001:503:a83e::2:30#53(2001:503:a83e::2:30)
> ;; WHEN: Mon Nov  7 14:37:14 2011
> ;; MSG SIZE  rcvd: 622
> 
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list