[dns-operations] Lack of tlsa support
Joe Abley
jabley at hopcount.ca
Thu May 28 09:40:57 UTC 2015
On 27 May 2015, at 20:40, Warren Kumari wrote:
> On Wed, May 27, 2015 at 3:02 PM, Joe Abley <jabley at hopcount.ca> wrote:
>>
>>
>> On 27 May 2015, at 19:14, Warren Kumari wrote:
>>
>>>> For what it's worth, I have no problem getting a reasonable
>>>> (negative)
>>>> response to ACCOUNTANT/IN/TLSA or SOMETHING.ACCOUNTANT/IN/TLSA from
>>>> 156.154.144.195 with EDNS0.DO=1 or without EDNS0. Perhaps I'm
>>>> special :-)
>
> Yah, /I/ know you are special -- but I don't know how 156.154.144.195
> knows you are.
I think I must have been referring to the server using its name, which
caused dig to use IPv6. I also see timeouts on IPv4. Full dig output
included this time, to satisfy Warren's great thirst for cut and paste.
Just goes to show, IPv6 is better. :-)
These are Neustar-hosted zones. Surely there are still Neustar people on
this list who can say "thanks for letting us know, a fix for v4 is in
the works".
Joe
[scallop:~]% dig @ns1.dns.nic.accountant. accountant. tlsa +noedns
; <<>> DiG 9.8.3-P1 <<>> @ns1.dns.nic.accountant. accountant. tlsa
+noedns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62146
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;accountant. IN TLSA
;; AUTHORITY SECTION:
accountant. 7200 IN SOA ns1.dns.nic.accountant. hostmaster.neustar.biz.
189 900 900 604800 86400
;; Query time: 71 msec
;; SERVER: 2610:a1:1071::c3#53(2610:a1:1071::c3)
;; WHEN: Thu May 28 10:35:33 2015
;; MSG SIZE rcvd: 98
[scallop:~]% dig @ns1.dns.nic.accountant. accountant. tlsa +dnssec
; <<>> DiG 9.8.3-P1 <<>> @ns1.dns.nic.accountant. accountant. tlsa
+dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4456
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65235
;; QUESTION SECTION:
;accountant. IN TLSA
;; AUTHORITY SECTION:
accountant. 7200 IN SOA ns1.dns.nic.accountant. hostmaster.neustar.biz.
189 900 900 604800 86400
accountant. 86400 IN NSEC *.accountant. A NS SOA MX TXT SRV RRSIG NSEC
DNSKEY
accountant. 7200 IN RRSIG SOA 8 1 7200 20150619085628 20150520075628
28309 accountant.
P3V+Bfo7JNkH207xoHvboXcIhW9Dulr0YUSMAqllEyepd0ms8Al8Tjs2
TjIcENJbPA5iBwOZzpW5P2fjsq/jWp02aaOMjqRCRNraPRJD4fGxDtx8
4ex06Ysp6sOtFRssaCb4BJZ4kvdizCR64RuQdO56shP1AY5+BSKdBby/ tzU=
accountant. 86400 IN RRSIG NSEC 8 1 86400 20150619082936 20150520075628
28309 accountant.
Yt28u6y0wz+g2L90l/nP7HsmCdzGJ33Pf7+4277PKvLZIdyn+ksR4Rw8
//3ZgSIn/59P0ZlV5qGh+xlKdOCoh0gMHjXHQkvtXByI5HIg/tXvRA22
bCbcdHFujBy8WHKZQH6G0UAe+IkpEkMVwIFzSZs+5v1ATNliZUZeP9/C 4R0=
;; Query time: 102 msec
;; SERVER: 2610:a1:1071::c3#53(2610:a1:1071::c3)
;; WHEN: Thu May 28 10:35:44 2015
;; MSG SIZE rcvd: 484
[scallop:~]% dig @ns1.dns.nic.accountant. something.accountant. tlsa
+noedns
; <<>> DiG 9.8.3-P1 <<>> @ns1.dns.nic.accountant. something.accountant.
tlsa +noedns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59291
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;something.accountant. IN TLSA
;; AUTHORITY SECTION:
accountant. 7200 IN SOA ns1.dns.nic.accountant. hostmaster.neustar.biz.
189 900 900 604800 86400
;; Query time: 63 msec
;; SERVER: 2610:a1:1071::c3#53(2610:a1:1071::c3)
;; WHEN: Thu May 28 10:35:54 2015
;; MSG SIZE rcvd: 108
[scallop:~]% dig @ns1.dns.nic.accountant. something.accountant. tlsa
+dnssec
; <<>> DiG 9.8.3-P1 <<>> @ns1.dns.nic.accountant. something.accountant.
tlsa +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33169
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65235
;; QUESTION SECTION:
;something.accountant. IN TLSA
;; AUTHORITY SECTION:
accountant. 7200 IN SOA ns1.dns.nic.accountant. hostmaster.neustar.biz.
189 900 900 604800 86400
*.accountant. 86400 IN NSEC NIC.accountant. A MX TXT SRV RRSIG NSEC
*.accountant. 86400 IN RRSIG NSEC 8 1 86400 20150619082936
20150520075628 28309 accountant.
TrjOnCgHxkycajWjg6FW6Q09Udpr7DIQMtRwh+r6ku8dwvUKFvPvJDE2
XFUkmce3NqcxQHZvRnAhCado7fOtjlMecSiX/t8Ai1dOMoiCVoVpwbJJ
rqZuJnbiJM7bLn8Wqodkx4PXIG8WpgRVSjZ7SQf2/IWpC4E7Y5OIynR7 O24=
accountant. 7200 IN RRSIG SOA 8 1 7200 20150619085628 20150520075628
28309 accountant.
P3V+Bfo7JNkH207xoHvboXcIhW9Dulr0YUSMAqllEyepd0ms8Al8Tjs2
TjIcENJbPA5iBwOZzpW5P2fjsq/jWp02aaOMjqRCRNraPRJD4fGxDtx8
4ex06Ysp6sOtFRssaCb4BJZ4kvdizCR64RuQdO56shP1AY5+BSKdBby/ tzU=
;; Query time: 68 msec
;; SERVER: 2610:a1:1071::c3#53(2610:a1:1071::c3)
;; WHEN: Thu May 28 10:36:09 2015
;; MSG SIZE rcvd: 497
[scallop:~]% dig -4 @ns1.dns.nic.accountant. accountant. tlsa +noedns
; <<>> DiG 9.8.3-P1 <<>> -4 @ns1.dns.nic.accountant. accountant. tlsa
+noedns
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
[scallop:~]% dig -4 @ns1.dns.nic.accountant. accountant. tlsa +dnssec
; <<>> DiG 9.8.3-P1 <<>> -4 @ns1.dns.nic.accountant. accountant. tlsa
+dnssec
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
[scallop:~]% dig -4 @ns1.dns.nic.accountant. something.accountant. tlsa
+noedns
; <<>> DiG 9.8.3-P1 <<>> -4 @ns1.dns.nic.accountant.
something.accountant. tlsa +noedns
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
[scallop:~]% dig -4 @ns1.dns.nic.accountant. something.accountant. tlsa
+dnssec
; <<>> DiG 9.8.3-P1 <<>> -4 @ns1.dns.nic.accountant.
something.accountant. tlsa +dnssec
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
[scallop:~]%
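A parser for this kind of dig session, added here as an example (it is not from the post or from the list): it classifies each query by transport and EDNS setting, records whether an NSEC owned by the query name proves TLSA absent, and reports the combinations that answered over IPv6 but timed out over IPv4. The input is a constructed, condensed copy of the session above with SOA data and signatures dropped; the NSEC check only handles the non-wildcard case, so the something.accountant. responses, whose proof is owned by *.accountant., would come back as None.

```python
import re
from collections import namedtuple

# Constructed input: the session from the post, condensed to the lines the
# parser needs (names and addresses kept; SOA data and signatures dropped).
SAMPLE = """\
[scallop:~]% dig @ns1.dns.nic.accountant. accountant. tlsa +noedns
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62146
;; SERVER: 2610:a1:1071::c3#53(2610:a1:1071::c3)
[scallop:~]% dig @ns1.dns.nic.accountant. accountant. tlsa +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4456
accountant. 86400 IN NSEC *.accountant. A NS SOA MX TXT SRV RRSIG NSEC DNSKEY
;; SERVER: 2610:a1:1071::c3#53(2610:a1:1071::c3)
[scallop:~]% dig -4 @ns1.dns.nic.accountant. accountant. tlsa +noedns
;; connection timed out; no servers could be reached
[scallop:~]% dig -4 @ns1.dns.nic.accountant. accountant. tlsa +dnssec
;; connection timed out; no servers could be reached
"""

# edns: noedns|dnssec|default; transport: IPv4|IPv6|unknown; outcome: "timeout" or rcode
# nsec_nodata: True if an NSEC owned by qname omits qtype from its bitmap (NODATA proof)
Query = namedtuple("Query", "qname qtype edns transport outcome nsec_nodata")
NSEC = re.compile(r"^(\S+)\s+\d+\s+IN\s+NSEC\s+\S+\s+(.*)$", re.M)

def parse_dig_session(text):
    """Split a dig session at each shell prompt and classify every query."""
    out = []
    for chunk in filter(None, re.split(r"(?m)^(?=\S*%\s+dig\b)", text)):
        args = re.match(r"\S*%\s+dig\s+(.*)", chunk).group(1).split()
        words = [a for a in args if a[0] not in "@+-"]      # drop @server, +opt, -N
        qname, qtype = words[0], words[1].upper()
        edns = "noedns" if "+noedns" in args else "dnssec" if "+dnssec" in args else "default"
        transport = "IPv4" if "-4" in args else "IPv6" if "-6" in args else "unknown"
        srv = re.search(r"SERVER:\s*(\S+)#", chunk)   # address dig actually used
        if srv and transport == "unknown":
            transport = "IPv6" if ":" in srv.group(1) else "IPv4"
        if "connection timed out" in chunk:
            out.append(Query(qname, qtype, edns, transport, "timeout", None))
            continue
        rcode = re.search(r"status:\s*(\w+)", chunk).group(1)
        nodata = next((qtype not in types.split() for owner, types in NSEC.findall(chunk)
                       if owner.lower() == qname.lower()), None)
        out.append(Query(qname, qtype, edns, transport, rcode, nodata))
    return out

def ipv4_only_failures(qs):
    """(qname, qtype, edns) combinations answered over IPv6 but timed out over IPv4."""
    key = lambda q: (q.qname, q.qtype, q.edns)
    ok6 = {key(q) for q in qs if q.transport == "IPv6" and q.outcome != "timeout"}
    return sorted({key(q) for q in qs if q.transport == "IPv4" and q.outcome == "timeout"} & ok6)
```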