[dns-operations] Research Project: Identifying DNSSEC Validators
Tony Finch
dot at dotat.at
Wed Sep 5 10:45:23 UTC 2012
Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>
> On my machines, I can resolve the name with BIND but not with Unbound
> (SERVFAIL, even with ). On OARC's ODVR both BIND and Unbound work.
>
> My analysis: the NSEC is not signed. It is surprising that BIND accepts
> that:

It's really weird. The name servers are serving two versions of the zone,
one signed and one unsigned, and they seem to be alternating between them.
It took me quite a long time to work out where my name server was getting
the RRSIGs from ....

; <<>> DiG 9.9.2-vjs197.15b1 <<>> +multiline +norec +dnssec prefetch.validatorsearch.verisignlabs.com. @72.13.58.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44694
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;prefetch.validatorsearch.verisignlabs.com. IN A
;; ANSWER SECTION:
prefetch.validatorsearch.verisignlabs.com. 604800 IN A 127.0.0.1
;; AUTHORITY SECTION:
validatorsearch.verisignlabs.com. 3600 IN NS vfns2.verisignlabs.com.
validatorsearch.verisignlabs.com. 3600 IN NS vfns1.verisignlabs.com.
;; Query time: 90 msec
;; SERVER: 72.13.58.100#53(72.13.58.100)
;; WHEN: Wed Sep 5 11:43:31 2012
;; MSG SIZE rcvd: 126

; <<>> DiG 9.9.2-vjs197.15b1 <<>> +multiline +norec +dnssec prefetch.validatorsearch.verisignlabs.com. @72.13.58.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18857
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;prefetch.validatorsearch.verisignlabs.com. IN A
;; ANSWER SECTION:
prefetch.validatorsearch.verisignlabs.com. 604800 IN A 127.0.0.1
prefetch.validatorsearch.verisignlabs.com. 604800 IN RRSIG A 5 4 604800 (
20120906203607 20120807203607 58962 validatorsearch.verisignlabs.com.
vL12YMxvy1nX4EzWUAr/j4taPyxKlo/YmnDvaV2z0TmD
1yhIgVQDHL/fOUHLXXuO+uQeNDo3iRFXFg5DRj6AisDU
hSpjGch/6c+j/yvzcsRNPHuef5nZl91+UYe15PerLh6E
z5YVQF24iNBDmj4EgG3+F4IAgnPFX/+BBFnSb58= )
;; AUTHORITY SECTION:
validatorsearch.verisignlabs.com. 3600 IN NS vfns1.verisignlabs.com.
validatorsearch.verisignlabs.com. 3600 IN NS vfns2.verisignlabs.com.
validatorsearch.verisignlabs.com. 3600 IN RRSIG NS 5 3 3600 (
20120906203607 20120807203607 58962 validatorsearch.verisignlabs.com.
rWe8hzHOfLmi/NwT7LC64sL2LqjtIgPS1bDL6o6/PYlk
gBpBDzEprYlLkJM/d3KsJzpvSwfcK1KFoDk7mwKdNED5
Z3QCSnRrt2qlYD1H1KgOAeFXCciD380ZV7Qsn+Ubpygd
mGja6wTHqNAyiRgX7DIuMNjxytkT5xI0UluSv1U= )
;; Query time: 84 msec
;; SERVER: 72.13.58.100#53(72.13.58.100)
;; WHEN: Wed Sep 5 11:43:31 2012
;; MSG SIZE rcvd: 510

Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
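
The alternation described in the message above (the same authoritative server answering the same `+dnssec` query sometimes with RRSIGs and sometimes without) can be spotted mechanically from captured dig output. The following is an added example, not part of the original post: it parses saved replies and reports RRsets that appear both with and without a covering RRSIG. It checks only for presence of signatures, not their validity, and the sample replies, names, key tag and signature bytes are constructed placeholders.

```python
# Constructed sample replies in the layout of `dig +multiline +norec +dnssec`;
# names, key tag and signature bytes are placeholders, not values from the post.
UNSIGNED = """\
;; ANSWER SECTION:
host.example.test. 604800 IN A 127.0.0.1
;; AUTHORITY SECTION:
example.test. 3600 IN NS ns1.example.test.
"""
SIGNED = """\
;; ANSWER SECTION:
host.example.test. 604800 IN A 127.0.0.1
host.example.test. 604800 IN RRSIG A 5 3 604800 (
        20120906203607 20120807203607 12345 example.test.
        Q09OU1RSVUNURUQ= )
;; AUTHORITY SECTION:
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN RRSIG NS 5 2 3600 20120906203607 20120807203607 12345 example.test. Q09OU1RSVUNURUQ=
"""

def records(text):
    """Yield (section, fields) per record, folding +multiline '( ... )' continuations."""
    section, buf = None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith(";;") and line.endswith(" SECTION:"):
            section = line.split()[1]
        if not line or line.startswith(";"):
            continue  # blank lines, dig comments and the commented-out question
        buf.append(line)
        joined = " ".join(buf)
        if joined.count("(") > joined.count(")"):
            continue  # still inside an open parenthesis
        buf = []
        yield section, joined.replace("(", " ").replace(")", " ").split()

def signed_status(text):
    """Map (section, owner, type) -> whether a covering RRSIG is in the same reply."""
    rrsets, sigs = set(), set()
    for section, f in records(text):
        if section in ("ANSWER", "AUTHORITY") and len(f) >= 5:
            key = (section, f[0].lower(), f[4] if f[3] == "RRSIG" else f[3])
            (sigs if f[3] == "RRSIG" else rrsets).add(key)
    return {rr: rr in sigs for rr in rrsets}

def flapping(replies):
    """RRsets seen both with and without a covering RRSIG across the replies."""
    maps = [signed_status(t) for t in replies]
    return sorted({rr for m in maps for rr in m
                   if {n[rr] for n in maps if rr in n} == {True, False}})
```

Feed `flapping()` a list of saved replies from repeated identical queries to one server address; a non-empty result means that server is not serving a single consistent version of the zone.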