[dns-operations] isphuset.no/fsdata.se DNSSEC breakage

Mark Andrews marka at isc.org
Mon Sep 5 03:55:19 UTC 2016


It's not just TLSA.

The servers also get basic DNS wrong, let alone EDNS or DNSSEC.
Truncated responses are not marked as truncated as required.  The
OPT record isn't included in the truncated response as required.
Not all EDNS queries get an EDNS response.

Presumably all of these issues have been fixed in later releases.

Mark

[rock:~/git/bind9] marka% dig excelerator.no txt @62.109.39.202 +dnssec +bufsize=512 +norec

; <<>> DiG 9.11.0rc1 <<>> excelerator.no txt @62.109.39.202 +dnssec +bufsize=512 +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36884
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;excelerator.no.			IN	TXT

;; AUTHORITY SECTION:
excelerator.no.		600	IN	SOA	ns.isphuset.no. hostmaster.excelerator.no. 1395400126 10800 3600 604800 600
excelerator.no.		600	IN	RRSIG	SOA 8 2 600 20160915000000 20160901000000 40984 excelerator.no. fGVZPBzuP0LqHbRF9EYtbRcwaCiR+VQBOTqKYZrm0u66Wx6R8xK7m4KR f+kYqUHRDCw23XRltf0Djp6dswg9gSDqBIRPyNc7NXx4zW9T6amtsDMm lg8RprWU+4AmOTK9bRDYfTjzhTvGlu2EwvIAljNo1yy3qIH0/3DB0Ccx J7c=
a33m3nqgqskqbcv3m7q5r44c34su7n9l.excelerator.no. 600 IN	NSEC3 1 1 1 FC BUSTL205U0D55270B5U5QD33LCC63751  A NS SOA MX RRSIG DNSKEY NSEC3PARAM

;; Query time: 455 msec
;; SERVER: 62.109.39.202#53(62.109.39.202)
;; WHEN: Mon Sep 05 13:19:03 EST 2016
;; MSG SIZE  rcvd: 346

[rock:~/git/bind9] marka% dig ns1.isphuset.no +qr @62.109.39.202

; <<>> DiG 9.11.0rc1 <<>> ns1.isphuset.no +qr @62.109.39.202
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56832
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 5f87125edbae53d6
;; QUESTION SECTION:
;ns1.isphuset.no.		IN	A

;; QUERY SIZE: 56

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56832
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns1.isphuset.no.		IN	A

;; ANSWER SECTION:
ns1.isphuset.no.	600	IN	A	89.221.244.129

;; Query time: 335 msec
;; SERVER: 62.109.39.202#53(62.109.39.202)
;; WHEN: Mon Sep 05 13:41:28 EST 2016
;; MSG SIZE  rcvd: 49

[rock:~/git/bind9] marka% dig ns1.isphuset.no +qr @62.109.39.202 +dnssec

; <<>> DiG 9.11.0rc1 <<>> ns1.isphuset.no +qr @62.109.39.202 +dnssec
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52422
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 9123498352d4a1c4
;; QUESTION SECTION:
;ns1.isphuset.no.		IN	A

;; QUERY SIZE: 56

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52422
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 2800
;; QUESTION SECTION:
;ns1.isphuset.no.		IN	A

;; ANSWER SECTION:
ns1.isphuset.no.	600	IN	A	89.221.244.129

;; Query time: 475 msec
;; SERVER: 62.109.39.202#53(62.109.39.202)
;; WHEN: Mon Sep 05 13:42:32 EST 2016
;; MSG SIZE  rcvd: 60

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
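
The three failures listed in the message (truncation without the TC bit, the OPT record missing from the truncated reply, EDNS queries answered without EDNS) can be checked from the wire format by comparing a small-buffer UDP reply with an unrestricted reply to the same question. The following Python is an added example, not part of the original post and not code from BIND or dig; the function names are hypothetical and the messages are constructed with placeholder names and RDATA rather than captured from the servers above.

```python
import struct

OPT, TC = 41, 0x0200   # OPT RR type (RFC 6891); TC bit in the header flags word

def skip_name(msg, off):  # offset just past the (possibly compressed) name
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:       # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def summarize(msg):
    """Walk one DNS message; return (tc_set, has_opt, data_rr_count)."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, opts = 12, 0
    for _ in range(qd):
        off = skip_name(msg, off) + 4     # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        opts += rtype == OPT
        off += 10 + rdlen
    return bool(flags & TC), opts > 0, an + ns + ar - opts

def edns_findings(query, small, full):
    """small: UDP reply under a small buffer; full: same question, no size limit."""
    findings = []
    tc, has_opt, n_small = summarize(small)
    if summarize(query)[1] and not has_opt:
        findings.append("EDNS query answered without an OPT record")
    if n_small < summarize(full)[2] and not tc:
        findings.append("records dropped but TC bit not set")
    return findings

# Constructed sample messages (placeholder names and RDATA, not captured traffic).
def name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\0"
def rr(rtype, rdata=b"\0" * 4):
    return name("example.test") + struct.pack("!HHIH", rtype, 1, 600, len(rdata)) + rdata
def message(flags, ns=(), ar=()):
    head = struct.pack("!6H", 0x1234, flags, 1, 0, len(ns), len(ar))
    return head + name("example.test") + struct.pack("!HH", 16, 1) + b"".join(ns + ar)

OPT_RR = b"\0" + struct.pack("!HHIH", OPT, 512, 0x8000, 0)   # udp=512, DO set
QUERY = message(0x0000, ar=(OPT_RR,))
FULL = message(0x8400, ns=(rr(6), rr(46), rr(50), rr(46)), ar=(OPT_RR,))
BROKEN = message(0x8400, ns=(rr(6), rr(46), rr(50)))          # no TC, no OPT
GOOD = message(0x8600, ar=(OPT_RR,))                          # TC set, OPT kept
print(edns_findings(QUERY, BROKEN, FULL), edns_findings(QUERY, GOOD, FULL))
```

BROKEN mirrors the shape of the first dig transcript (three authority records, no OPT, TC clear); in practice the `full` message would come from a TCP query or a large `+bufsize` query to the same server.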


