[dns-operations] www.dnssec-or-not.net
Joe Abley
jabley at hopcount.ca
Sat Oct 17 10:45:32 UTC 2015
Hi Frank,
On 16 Oct 2015, at 23:07, frnkblk at iname.com wrote:
> On Thursday I reached out to Duane about www.dnssec-or-not.net not
> consistently returning the AD bit for one of our DNS servers. Looking
> back at our DNS server logs I saw some issues starting on the 15th with
> the name servers for that zone (ns[01].dnssec-or-not.org).
>
> Just this evening, starting at 9:57 pm (U.S. Central) I see the zone
> is not responding at all.
The COM servers return a referral for DNSSEC-OR-NOT.COM to the following
nameservers:
ns0.dnssec-or-not.org (72.13.58.76, no IPv6)
ns1.dnssec-or-not.org (72.13.58.80, no IPv6)
Those nameservers seem to respond as expected for QTYPE={SOA, A,
DNSKEY}, QNAME=DNSSEC-OR-NOT.COM and maybe also AAAA (I get an empty
answer section with NOERROR, but the lack of v6 there matches the lack
of v6 in the NS set, so maybe that's expected).
Perhaps interestingly, I get an empty answer/NOERROR response to queries
with QTYPE=NS. I have no way of knowing whether that's normal. The
nameservers themselves (via VERSION.BIND/CH/TXT) suggest they're of the
hand-rolled variety and also written in perl, so a certain degree of
madness is surely to be expected.
[scallop:~]% dig @72.13.58.76 dnssec-or-not.com ns +norec
; <<>> DiG 9.8.3-P1 <<>> @72.13.58.76 dnssec-or-not.com ns +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17265
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;dnssec-or-not.com. IN NS
;; Query time: 44 msec
;; SERVER: 72.13.58.76#53(72.13.58.76)
;; WHEN: Sat Oct 17 06:37:37 2015
;; MSG SIZE rcvd: 35
[scallop:~]% dig @72.13.58.80 dnssec-or-not.com ns +norec
; <<>> DiG 9.8.3-P1 <<>> @72.13.58.80 dnssec-or-not.com ns +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10087
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;dnssec-or-not.com. IN NS
;; Query time: 43 msec
;; SERVER: 72.13.58.80#53(72.13.58.80)
;; WHEN: Sat Oct 17 06:37:43 2015
;; MSG SIZE rcvd: 35
[scallop:~]%
Using a validating resolver, I get the expected redirect from
http://dnssec-or-not.com/
[scallop:~]% curl http://dnssec-or-not.com/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a
href="http://test.dnssec-or-not.com/">here</a>.</p>
<hr>
<address>Apache/2.2.15 (CentOS) Server at dnssec-or-not.com Port
80</address>
</body></html>
[scallop:~]%
and when test.dnssec-or-not.com (as redirected) is viewed in a browser, I
get confirmation that I'm validating using DNS and SEC. Very nice.
Maybe those nameservers were just feeling a bit unwell last night, but
have since succumbed to a revitalising slumber and have emerged,
blinking, into the cold pre-dawn with a renewed sense of vigour.
Joe
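The checks Joe runs by hand above (non-recursive SOA/NS/A/DNSKEY queries straight at the authoritative servers, then an AD-bit check through a validating resolver) can be scripted. The following is an added example, not code from the original post or from the dnssec-or-not.com operators; it uses only the Python standard library. The sample response bytes are constructed to match the dig output quoted in the post (id 17265, flags qr aa, NOERROR, one question, zero answers, 35 bytes); the query id 0x1234 and the 3-second timeout in `query_udp` are arbitrary choices.

```python
"""Sanity checks for authoritative DNS answers, standard library only.
Added example, not code from the original post. SAMPLE_NS_RESPONSE is
constructed to match the dig output in the post (id 17265, flags qr aa,
NOERROR, QUERY 1, ANSWER 0, 35 bytes)."""
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28, "DNSKEY": 48}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-encode an owner name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(qid, name, qtype, rd=False):
    """Build a single-question query; rd=False is what dig +norec sends."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def parse_header(msg):
    """Decode the 12-byte header into flag bits and section counts."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080), "ad": bool(flags & 0x0020),
        "rcode": RCODE.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def parse_question(msg):
    """Decode the first question as (name, type); question names are not compressed."""
    pos, labels = 12, []
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    qtype, = struct.unpack("!H", msg[pos:pos + 2])
    return ".".join(labels) + ".", QTYPE_NAME.get(qtype, str(qtype))


def diagnose(msg, expect_ad=False):
    """Return a list of problems with a response.

    expect_ad=False: the query went straight to an authoritative server, so
    AA must be set. expect_ad=True: the query went through a validating
    resolver and the AD bit is wanted, as the test site in the post checks."""
    h = parse_header(msg)
    name, qtype = parse_question(msg)
    problems = []
    if not h["qr"]:
        problems.append("not a response")
    if h["tc"]:
        problems.append("truncated; retry over TCP")
    if h["rcode"] != "NOERROR":
        problems.append("rcode " + h["rcode"])
    if expect_ad and not h["ad"]:
        problems.append("AD not set: resolver did not validate")
    if not expect_ad and not h["aa"]:
        problems.append("AA not set: server does not claim authority")
    # NOERROR with an empty answer is an ordinary NODATA reply for, say,
    # AAAA in a v4-only zone, but NS and SOA must exist at every zone apex.
    if h["rcode"] == "NOERROR" and h["ancount"] == 0 and qtype in ("NS", "SOA"):
        problems.append("empty %s answer for %s: apex %s set missing" % (qtype, name, qtype))
    return problems


def query_udp(server, name, qtype, rd=False, timeout=3.0):
    """Send one query over UDP and return the raw response (network use only)."""
    q = build_query(0x1234, name, qtype, rd)  # arbitrary id for illustration
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        return s.recv(4096)


# Constructed sample: the NS response from ns0.dnssec-or-not.org in the post.
SAMPLE_NS_RESPONSE = (
    struct.pack("!HHHHHH", 17265, 0x8400, 1, 0, 0, 0)  # flags: qr aa, NOERROR
    + encode_name("dnssec-or-not.com") + struct.pack("!HH", QTYPE["NS"], 1)
)

if __name__ == "__main__":
    print(diagnose(SAMPLE_NS_RESPONSE))
    # Live check of the two servers named in the post (uncomment to run):
    # for ip in ("72.13.58.76", "72.13.58.80"):
    #     print(ip, diagnose(query_udp(ip, "dnssec-or-not.com", "NS")))
```

Run against the constructed sample, `diagnose` flags exactly the oddity Joe noticed: an authoritative NOERROR with no NS RRset at the apex. Pointed at a validating resolver with `rd=True` and `expect_ad=True`, the same function reports the missing AD bit that Frank's resolver logs showed; a TC flag is reported separately because a DNSKEY answer that overflows UDP is not a server fault until it also fails over TCP.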