[dns-operations] www.dnssec-or-not.net
frnkblk at iname.com
Sat Oct 17 11:23:44 UTC 2015
Yes, the issue resolved by 11:20 pm, but the 10+ DNS servers I tried before
then were timing out. See this output from last night:
root@nagios:/home/fbulk# dig-all www.dnssec-or-not.net +short +time=1 | more
============================================
DNS server: 10.20.0.10
; <<>> DiG 9.7.3 <<>> www.dnssec-or-not.net +short +time=1 @10.20.0.10
;; global options: +cmd
;; connection timed out; no servers could be reached
============================================
DNS server: 2607:fe28:0:4000::10
; <<>> DiG 9.7.3 <<>> -6 www.dnssec-or-not.net +short +time=1 @2607:fe28:0:4000::10
;; global options: +cmd
;; connection timed out; no servers could be reached
============================================
DNS server: 10.20.0.20
; <<>> DiG 9.7.3 <<>> www.dnssec-or-not.net +short +time=1 @10.20.0.20
;; global options: +cmd
;; connection timed out; no servers could be reached
============================================
DNS server: 2607:fe28:0:4000::20
; <<>> DiG 9.7.3 <<>> -6 www.dnssec-or-not.net +short +time=1 @2607:fe28:0:4000::20
;; global options: +cmd
;; connection timed out; no servers could be reached
============================================
DNS server: 10.20.0.100
; <<>> DiG 9.7.3 <<>> www.dnssec-or-not.net +short +time=1 @10.20.0.100
;; global options: +cmd
;; connection timed out; no servers could be reached
============================================
DNS server: 2607:fe28:0:4000::100
; <<>> DiG 9.7.3 <<>> -6 www.dnssec-or-not.net +short +time=1 @2607:fe28:0:4000::100
;; global options: +cmd
;; connection timed out; no servers could be reached
============================================
DNS server: 10.20.0.200
; <<>> DiG 9.7.3 <<>> www.dnssec-or-not.net +short +time=1 @10.20.0.200
;; global options: +cmd
;; connection timed out; no servers could be reached
============================================
DNS server: 2607:fe28:0:4000::200
; <<>> DiG 9.7.3 <<>> -6 www.dnssec-or-not.net +short +time=1 @2607:fe28:0:4000::200
;; global options: +cmd
;; connection timed out; no servers could be reached
============================================
DNS server: 96.31.0.32
; <<>> DiG 9.7.3 <<>> www.dnssec-or-not.net +short +time=1 @96.31.0.32
;; global options: +cmd
;; connection timed out; no servers could be reached
============================================
DNS server: 2607:fe28:0:1000::32
============================================
DNS server: 10.20.0.5
; <<>> DiG 9.7.3 <<>> www.dnssec-or-not.net +short +time=1 @10.20.0.5
;; global options: +cmd
;; connection timed out; no servers could be reached
============================================
DNS server: 96.31.0.5
; <<>> DiG 9.7.3 <<>> www.dnssec-or-not.net +short +time=1 @96.31.0.5
;; global options: +cmd
;; connection timed out; no servers could be reached
============================================
DNS server: 2607:fe28:0:1000::5
; <<>> DiG 9.7.3 <<>> -6 www.dnssec-or-not.net +short +time=1 @2607:fe28:0:1000::5
;; global options: +cmd
;; connection timed out; no servers could be reached
============================================
DNS server: 10.20.0.8
; <<>> DiG 9.7.3 <<>> www.dnssec-or-not.net +short +time=1 @10.20.0.8
;; global options: +cmd
;; connection timed out; no servers could be reached
============================================
DNS server: 96.31.0.8
; <<>> DiG 9.7.3 <<>> www.dnssec-or-not.net +short +time=1 @96.31.0.8
;; global options: +cmd
;; connection timed out; no servers could be reached
============================================
DNS server: 2607:fe28:0:1000::8
; <<>> DiG 9.7.3 <<>> -6 www.dnssec-or-not.net +short +time=1 @2607:fe28:0:1000::8
;; global options: +cmd
;; connection timed out; no servers could be reached
============================================
DNS server: 199.120.69.24
; <<>> DiG 9.7.3 <<>> www.dnssec-or-not.net +short +time=1 @199.120.69.24
;; global options: +cmd
;; connection timed out; no servers could be reached
============================================
DNS server: 167.142.225.5
; <<>> DiG 9.7.3 <<>> www.dnssec-or-not.net +short +time=1 @167.142.225.5
;; global options: +cmd
;; connection timed out; no servers could be reached
============================================
DNS server: 167.142.225.6
; <<>> DiG 9.7.3 <<>> www.dnssec-or-not.net +short +time=1 @167.142.225.6
;; global options: +cmd
;; connection timed out; no servers could be reached
============================================
DNS server: 192.168.0.12
; <<>> DiG 9.7.3 <<>> www.dnssec-or-not.net +short +time=1 @192.168.0.12
;; global options: +cmd
;; connection timed out; no servers could be reached
============================================
DNS server: 192.168.0.93
; <<>> DiG 9.7.3 <<>> www.dnssec-or-not.net +short +time=1 @192.168.0.93
;; global options: +cmd
;; connection timed out; no servers could be reached
============================================
DNS server: 192.168.0.94
; <<>> DiG 9.7.3 <<>> www.dnssec-or-not.net +short +time=1 @192.168.0.94
;; global options: +cmd
;; connection timed out; no servers could be reached
============================================
DNS server: 8.8.8.8
; <<>> DiG 9.7.3 <<>> www.dnssec-or-not.net +short +time=1 @8.8.8.8
;; global options: +cmd
;; connection timed out; no servers could be reached
============================================
DNS server: 8.8.4.4
; <<>> DiG 9.7.3 <<>> www.dnssec-or-not.net +short +time=1 @8.8.4.4
;; global options: +cmd
;; connection timed out; no servers could be reached
============================================
DNS server: 208.67.222.222
; <<>> DiG 9.7.3 <<>> www.dnssec-or-not.net +short +time=1 @208.67.222.222
;; global options: +cmd
;; connection timed out; no servers could be reached
============================================
DNS server: 208.67.220.220
; <<>> DiG 9.7.3 <<>> www.dnssec-or-not.net +short +time=1 @208.67.220.220
;; global options: +cmd
;; connection timed out; no servers could be reached
============================================
Frank
-----Original Message-----
From: Joe Abley [mailto:jabley at hopcount.ca]
Sent: Saturday, October 17, 2015 5:46 AM
To: frnkblk at iname.com
Cc: dns-operations at dns-oarc.net
Subject: Re: [dns-operations] www.dnssec-or-not.net
Hi Frank,
On 16 Oct 2015, at 23:07, frnkblk at iname.com wrote:
> On Thursday I reached out to Duane about www.dnssec-or-not.net not
> consistently returning the AD bit for one of our DNS servers. Looking
> back at our DNS server logs I saw some issues starting on the 15th with
> the name servers for that zone (ns[01].dnssec-or-not.org).
>
> Just this evening, starting at 9:57 pm (U.S. Central) I see the zone
> is not responding at all.
The COM servers return a referral for DNSSEC-OR-NOT.COM to the following
nameservers:
ns0.dnssec-or-not.org (72.13.58.76, no IPv6)
ns1.dnssec-or-not.org (72.13.58.80, no IPv6)
Those nameservers seem to respond as expected for QTYPE={SOA, A,
DNSKEY}, QNAME=DNSSEC-OR-NOT.COM and maybe also AAAA (I get an empty
answer section with NOERROR, but the lack of v6 there matches the lack
of v6 in the NS set, so maybe that's expected).
Perhaps interestingly, I get an empty answer/NOERROR response to queries
with QTYPE=NS. I have no way of knowing whether that's normal. The
nameservers themselves (via VERSION.BIND/CH/TXT) suggest they're of the
hand-rolled variety and also written in perl, so a certain degree of
madness is surely to be expected.
[scallop:~]% dig @72.13.58.76 dnssec-or-not.com ns +norec
; <<>> DiG 9.8.3-P1 <<>> @72.13.58.76 dnssec-or-not.com ns +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17265
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;dnssec-or-not.com. IN NS
;; Query time: 44 msec
;; SERVER: 72.13.58.76#53(72.13.58.76)
;; WHEN: Sat Oct 17 06:37:37 2015
;; MSG SIZE rcvd: 35
[scallop:~]% dig @72.13.58.80 dnssec-or-not.com ns +norec
; <<>> DiG 9.8.3-P1 <<>> @72.13.58.80 dnssec-or-not.com ns +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10087
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;dnssec-or-not.com. IN NS
;; Query time: 43 msec
;; SERVER: 72.13.58.80#53(72.13.58.80)
;; WHEN: Sat Oct 17 06:37:43 2015
;; MSG SIZE rcvd: 35
[scallop:~]%
Using a validating resolver, I get the expected redirect from
http://dnssec-or-not.com/
[scallop:~]% curl http://dnssec-or-not.com/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://test.dnssec-or-not.com/">here</a>.</p>
<hr>
<address>Apache/2.2.15 (CentOS) Server at dnssec-or-not.com Port 80</address>
</body></html>
[scallop:~]%
and when viewed in a browser, test.dnssec-or-not.com (as redirected) I
get confirmation that I'm validating using DNS and SEC, very nice.
Maybe those nameservers were just feeling a bit unwell last night, but
have since succumbed to a revitalising slumber and have emerged,
blinking, into the cold pre-dawn with a renewed sense of vigour.
Joe
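
The two failure modes seen in this thread (resolvers timing out in Frank's output, and the authoritative NOERROR response with empty answer and authority sections in Joe's) can be told apart mechanically from dig transcripts. The following is an added example, not code from either poster; `classify` and its `apexes` parameter are hypothetical names, and the sample transcripts are trimmed from the output quoted above.

```python
import re

# Constructed samples, trimmed from the dig transcripts quoted in this thread.
TIMEOUT = """\
; <<>> DiG 9.7.3 <<>> www.dnssec-or-not.net +short +time=1 @8.8.8.8
;; global options: +cmd
;; connection timed out; no servers could be reached
"""
EMPTY_NS = """\
; <<>> DiG 9.8.3-P1 <<>> @72.13.58.76 dnssec-or-not.com ns +norec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17265
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;dnssec-or-not.com. IN NS
"""

STATUS = re.compile(r"status: (\w+)")
COUNTS = re.compile(r"flags: ([a-z ]*); QUERY: \d+, ANSWER: (\d+), AUTHORITY: (\d+)")
QUESTION = re.compile(r"^;(\S+)\s+IN\s+(\S+)\s*$", re.M)

def classify(transcript, apexes=()):
    """Return a list of findings for one dig transcript.

    apexes: zone apex names (with trailing dot) the queried server should
    be authoritative for; supplied by the caller (assumption of this example).
    """
    if "connection timed out" in transcript:
        return ["timeout"]
    status, counts, question = (r.search(transcript) for r in (STATUS, COUNTS, QUESTION))
    if not (status and counts and question):
        return ["unparsed"]
    flags = set(counts.group(1).split())
    answers, authority = int(counts.group(2)), int(counts.group(3))
    qname, qtype = question.group(1).lower(), question.group(2).upper()
    findings = []
    if status.group(1) != "NOERROR":
        findings.append("rcode-" + status.group(1).lower())
    elif answers == 0 and "aa" in flags:
        # Authoritative "no data" answer: RFC 2308 section 3 expects the
        # zone SOA in the authority section so resolvers can cache it.
        if authority == 0:
            findings.append("nodata-without-soa")
        # Every zone has NS records at its apex, so this must not be empty.
        if qtype == "NS" and qname in apexes:
            findings.append("empty-apex-ns")
    return findings or ["ok"]
```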