[dns-operations] It's begun...

Mark Andrews marka at isc.org
Thu Oct 24 22:45:29 UTC 2013


In message <DB6DAE86E038FF4D86EC85B0C70A986E2E5190CD at wds-exc1.okna.nominet.org.uk>, Brett Carr writes:
>
> >On 24 Oct 2013, at 14:12, Chris Thompson <cet1 at cam.ac.uk> wrote:
>
>
> >At 13:01 23-10-2013, Edward Lewis wrote:
>
> >My sensors show 4 new gTLDs in the last hour or so...IDN,
> non-ccTLD...added between 1800 and 1900 UTC.
>
> >Not mentioned yet is that all four appeared already signed and with
> >DS records in the root zone.
>
> I *think* this is a condition of delegation.
>
>
> >But... the two Cyrillic gTLDs (xn--80asehdb & xn--80aswg) are a bit
> >broken, in that NXDOMAIN responses don't validate properly. Neither
> >dnssec-debugger.verisignlabs.com nor dnsviz.net are able to analyse
> >validation problems for NXDOMAIN responses, so I am not quite sure
> >why yet, but e.g.
>
> >dig +dnssec www.xn--80asehdb.
> >dig +dnssec www.xn--80aswg.
>
> >give SERVFAILs which can be avoided by adding the +cd option.
>
> I'm surprised this wasn't picked up as part of pre-delegation testing.

Heaps of DNS problems exist because people do not do testing of negative
responses.

Note this one will only start to manifest itself once you populate the
zone and even then your test query may work if the wild card and the
qname fall into the same NSEC3 range.

Mark

> Brett
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
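
An added example, not part of the original message or of any ISC tool: a Python check for the NSEC3-range point made above. It computes RFC 5155 hashes and reports, for candidate test names, whether the NSEC3 record covering the query name is the same one that covers the wildcard, so negative-response tests can include names from a different range. The function names, the zone contents and the assumption that the closest encloser is the zone apex are all constructed for illustration.

```python
import base64, bisect, hashlib

# Map the standard base32 alphabet to lowercase base32hex (RFC 4648), as used for NSEC3 owners.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 hash (SHA-1) of a domain name, as a base32hex label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # "iterations" counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def covering(chain, h):
    """Return (owner, next) of the NSEC3 that covers hash h, or None if h matches an owner."""
    chain = sorted(chain)
    if h in chain:
        return None
    i = bisect.bisect_left(chain, h)
    # Index arithmetic wraps: the last record covers hashes above it and below the first owner.
    return (chain[i - 1], chain[i % len(chain)])

def negative_test_plan(zone, qnames, salt_hex, iterations, chain):
    """For names directly under the apex: which NSEC3 covers each, and is it the wildcard's?"""
    wild = covering(chain, nsec3_hash("*." + zone, salt_hex, iterations))
    plan = {}
    for q in qnames:
        rng = covering(chain, nsec3_hash(q, salt_hex, iterations))
        plan[q] = {"range": rng, "same_as_wildcard": rng is not None and rng == wild}
    return plan

if __name__ == "__main__":
    # Constructed zone contents and NSEC3 parameters (salt and iterations as in RFC 5155 App. A).
    zone, salt, iters = "example", "aabbccdd", 12
    chain = [nsec3_hash(n, salt, iters) for n in ("example", "ns1.example", "shop.example")]
    for q, r in negative_test_plan(zone, ["www.example", "nx1.example", "nx2.example"],
                                   salt, iters, chain).items():
        print(q, r["range"], "same range as wildcard:", r["same_as_wildcard"])
```

A test suite for negative responses should include at least one name reported with `same_as_wildcard` false, queried through a validating resolver.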


