[dns-operations] Lack of tlsa support
Rodney Joffe
rjoffe at centergate.com
Mon Jun 1 01:54:52 UTC 2015
"thanks for letting us know, a fix for v4 is in the works”
:-)
Note: I am no longer allowed to play with our electrical equipment, I can only wield a small stick. Which I have done….
On May 28, 2015, at 5:40 AM, Joe Abley <jabley at hopcount.ca> wrote:
>
>
> On 27 May 2015, at 20:40, Warren Kumari wrote:
>
>> On Wed, May 27, 2015 at 3:02 PM, Joe Abley <jabley at hopcount.ca> wrote:
>>>
>>>
>>> On 27 May 2015, at 19:14, Warren Kumari wrote:
>>>
>>>>> For what it's worth, I have no problem getting a reasonable (negative)
>>>>> response to ACCOUNTANT/IN/TLSA or SOMETHING.ACCOUNTANT/IN/TLSA from
>>>>> 156.154.144.195 with EDNS0.DO=1 or without EDNS0. Perhaps I'm special :-)
>>
>> Yah, /I/ know you are special -- but I don't know how 156.154.144.195
>> knows you are.
>
> I think I must have been referring to the server using its name, which caused dig to use IPv6. I also see timeouts on IPv4. Full dig output included this time, to satisfy Warren's great thirst for cut and paste.
>
> Just goes to show, IPv6 is better. :-)
>
> These are Neustar-hosted zones. Surely there are still Neustar people on this list who can say "thanks for letting us know, a fix for v4 is in the works".
>
>
> Joe
>
> [scallop:~]% dig @ns1.dns.nic.accountant. accountant. tlsa +noedns
>
> ; <<>> DiG 9.8.3-P1 <<>> @ns1.dns.nic.accountant. accountant. tlsa +noedns
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62146
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;accountant. IN TLSA
>
> ;; AUTHORITY SECTION:
> accountant. 7200 IN SOA ns1.dns.nic.accountant. hostmaster.neustar.biz. 189 900 900 604800 86400
>
> ;; Query time: 71 msec
> ;; SERVER: 2610:a1:1071::c3#53(2610:a1:1071::c3)
> ;; WHEN: Thu May 28 10:35:33 2015
> ;; MSG SIZE rcvd: 98
>
> [scallop:~]% dig @ns1.dns.nic.accountant. accountant. tlsa +dnssec
>
> ; <<>> DiG 9.8.3-P1 <<>> @ns1.dns.nic.accountant. accountant. tlsa +dnssec
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4456
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 65235
> ;; QUESTION SECTION:
> ;accountant. IN TLSA
>
> ;; AUTHORITY SECTION:
> accountant. 7200 IN SOA ns1.dns.nic.accountant. hostmaster.neustar.biz. 189 900 900 604800 86400
> accountant. 86400 IN NSEC *.accountant. A NS SOA MX TXT SRV RRSIG NSEC DNSKEY
> accountant. 7200 IN RRSIG SOA 8 1 7200 20150619085628 20150520075628 28309 accountant. P3V+Bfo7JNkH207xoHvboXcIhW9Dulr0YUSMAqllEyepd0ms8Al8Tjs2 TjIcENJbPA5iBwOZzpW5P2fjsq/jWp02aaOMjqRCRNraPRJD4fGxDtx8 4ex06Ysp6sOtFRssaCb4BJZ4kvdizCR64RuQdO56shP1AY5+BSKdBby/ tzU=
> accountant. 86400 IN RRSIG NSEC 8 1 86400 20150619082936 20150520075628 28309 accountant. Yt28u6y0wz+g2L90l/nP7HsmCdzGJ33Pf7+4277PKvLZIdyn+ksR4Rw8 //3ZgSIn/59P0ZlV5qGh+xlKdOCoh0gMHjXHQkvtXByI5HIg/tXvRA22 bCbcdHFujBy8WHKZQH6G0UAe+IkpEkMVwIFzSZs+5v1ATNliZUZeP9/C 4R0=
>
> ;; Query time: 102 msec
> ;; SERVER: 2610:a1:1071::c3#53(2610:a1:1071::c3)
> ;; WHEN: Thu May 28 10:35:44 2015
> ;; MSG SIZE rcvd: 484
>
> [scallop:~]% dig @ns1.dns.nic.accountant. something.accountant. tlsa +noedns
>
> ; <<>> DiG 9.8.3-P1 <<>> @ns1.dns.nic.accountant. something.accountant. tlsa +noedns
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59291
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;something.accountant. IN TLSA
>
> ;; AUTHORITY SECTION:
> accountant. 7200 IN SOA ns1.dns.nic.accountant. hostmaster.neustar.biz. 189 900 900 604800 86400
>
> ;; Query time: 63 msec
> ;; SERVER: 2610:a1:1071::c3#53(2610:a1:1071::c3)
> ;; WHEN: Thu May 28 10:35:54 2015
> ;; MSG SIZE rcvd: 108
>
> [scallop:~]% dig @ns1.dns.nic.accountant. something.accountant. tlsa +dnssec
>
> ; <<>> DiG 9.8.3-P1 <<>> @ns1.dns.nic.accountant. something.accountant. tlsa +dnssec
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33169
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 65235
> ;; QUESTION SECTION:
> ;something.accountant. IN TLSA
>
> ;; AUTHORITY SECTION:
> accountant. 7200 IN SOA ns1.dns.nic.accountant. hostmaster.neustar.biz. 189 900 900 604800 86400
> *.accountant. 86400 IN NSEC NIC.accountant. A MX TXT SRV RRSIG NSEC
> *.accountant. 86400 IN RRSIG NSEC 8 1 86400 20150619082936 20150520075628 28309 accountant. TrjOnCgHxkycajWjg6FW6Q09Udpr7DIQMtRwh+r6ku8dwvUKFvPvJDE2 XFUkmce3NqcxQHZvRnAhCado7fOtjlMecSiX/t8Ai1dOMoiCVoVpwbJJ rqZuJnbiJM7bLn8Wqodkx4PXIG8WpgRVSjZ7SQf2/IWpC4E7Y5OIynR7 O24=
> accountant. 7200 IN RRSIG SOA 8 1 7200 20150619085628 20150520075628 28309 accountant. P3V+Bfo7JNkH207xoHvboXcIhW9Dulr0YUSMAqllEyepd0ms8Al8Tjs2 TjIcENJbPA5iBwOZzpW5P2fjsq/jWp02aaOMjqRCRNraPRJD4fGxDtx8 4ex06Ysp6sOtFRssaCb4BJZ4kvdizCR64RuQdO56shP1AY5+BSKdBby/ tzU=
>
> ;; Query time: 68 msec
> ;; SERVER: 2610:a1:1071::c3#53(2610:a1:1071::c3)
> ;; WHEN: Thu May 28 10:36:09 2015
> ;; MSG SIZE rcvd: 497
>
> [scallop:~]% dig -4 @ns1.dns.nic.accountant. accountant. tlsa +noedns
>
> ; <<>> DiG 9.8.3-P1 <<>> -4 @ns1.dns.nic.accountant. accountant. tlsa +noedns
> ; (1 server found)
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> [scallop:~]% dig -4 @ns1.dns.nic.accountant. accountant. tlsa +dnssec
>
> ; <<>> DiG 9.8.3-P1 <<>> -4 @ns1.dns.nic.accountant. accountant. tlsa +dnssec
> ; (1 server found)
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> [scallop:~]% dig -4 @ns1.dns.nic.accountant. something.accountant. tlsa +noedns
>
> ; <<>> DiG 9.8.3-P1 <<>> -4 @ns1.dns.nic.accountant. something.accountant. tlsa +noedns
> ; (1 server found)
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> [scallop:~]% dig -4 @ns1.dns.nic.accountant. something.accountant. tlsa +dnssec
>
> ; <<>> DiG 9.8.3-P1 <<>> -4 @ns1.dns.nic.accountant. something.accountant. tlsa +dnssec
> ; (1 server found)
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> [scallop:~]%
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
More information about the dns-operations
mailing list