[dns-operations] ns6.gandi.net firewall blocks TLSA lookups
Erwin Lansing
erwin at lansing.dk
Tue Nov 15 21:44:57 UTC 2016
> On 15 Nov 2016, at 21.38, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
>
> It appears that a firewall in front of (at least one replica of)
> the ns6.gandi.net nameserver is filtering TLSA lookups:
>
> * RRtype TLSA: timeout
>
> @ns6.gandi.net.[217.70.177.40]
> ; <<>> DiG 9.10.4-P2 <<>> +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.fsck.email @217.70.177.40
> ;; connection timed out; no servers could be reached
>
> * RRtype A: NODATA
>
> @ns6.gandi.net.[217.70.177.40]
> ; <<>> DiG 9.10.4-P2 <<>> +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t a _25._tcp.fsck.email @217.70.177.40
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61945
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> ;_25._tcp.fsck.email. IN A
> fsck.email. SOA ns1.phun.ch. hostmaster.phun.ch. 2016102901 7200 1800 1209600 1800
> C6PFP82OK4JDTLM3K5A6AQQQTCC7QNO9.fsck.email. NSEC3 1 0 10 - DGU387IMBA76QE8CGH5JOVC6M77IV707 RRSIG TLSA
>
> Anyone else seeing the same results? Anyone know whom to notify
> to get prompt remediation?
I’ve forwarded your message to a technical contact at Gandi. Hopefully they’ll get back to you directly.
Erwin
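The per-RRtype comparison in the quoted report, as an added example that is not part of the original thread: it reduces dig transcripts for the same name and server to an outcome per RRtype and reports types that time out while another type gets a reply. The function names are hypothetical and the sample transcripts are constructed, abbreviated from the output quoted above.

```python
import re

# Constructed sample input: abbreviated dig transcripts modelled on the two
# probes quoted in this thread (same server, same qname, different RRtype).
SAMPLES = {
    "TLSA": ";; connection timed out; no servers could be reached\n",
    "A": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61945\n"
        ";; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1\n"
    ),
}


def classify(dig_output):
    """Reduce one dig transcript to timeout, nodata, answer, or the RCODE."""
    if "connection timed out" in dig_output:
        return "timeout"
    status = re.search(r"status: (\w+)", dig_output)
    if not status:
        return "unparsed"
    rcode = status.group(1)
    if rcode != "NOERROR":
        return rcode.lower()  # e.g. nxdomain, servfail, refused
    answers = re.search(r"ANSWER: (\d+)", dig_output)
    if answers and int(answers.group(1)) > 0:
        return "answer"
    return "nodata"  # NOERROR with an empty answer section


def selectively_filtered(results):
    """Return the RRtypes that time out while another RRtype gets a reply.

    A server that is unreachable times out for every type, so an empty list
    is returned in that case. A timeout for one type next to a normal reply
    for another suggests type-specific filtering in front of the server.
    """
    outcomes = {rrtype: classify(text) for rrtype, text in results.items()}
    replied = [t for t, o in outcomes.items() if o not in ("timeout", "unparsed")]
    if not replied:
        return []
    return sorted(t for t, o in outcomes.items() if o == "timeout")


if __name__ == "__main__":
    print(selectively_filtered(SAMPLES))
```

A single timeout can also be transient packet loss, so repeat the probes before treating a type as filtered.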