[dns-operations] isphuset.no/fsdata.se DNSSEC breakage
Mark Andrews
marka at isc.org
Mon Sep 5 03:55:19 UTC 2016
It's not just TLSA.
The servers also get basic DNS wrong, let alone EDNS or DNSSEC.
Truncated responses are not marked as truncated as required. The
OPT record isn't included in the truncated response as required.
Not all EDNS queries get a EDNS response.
Presumably all of these issues have been fixed in later releases.
Mark
[rock:~/git/bind9] marka% dig excelerator.no txt @62.109.39.202 +dnssec +bufsize=512 +norec
; <<>> DiG 9.11.0rc1 <<>> excelerator.no txt @62.109.39.202 +dnssec +bufsize=512 +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36884
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
;; QUESTION SECTION:
;excelerator.no. IN TXT
;; AUTHORITY SECTION:
excelerator.no. 600 IN SOA ns.isphuset.no. hostmaster.excelerator.no. 1395400126 10800 3600 604800 600
excelerator.no. 600 IN RRSIG SOA 8 2 600 20160915000000 20160901000000 40984 excelerator.no. fGVZPBzuP0LqHbRF9EYtbRcwaCiR+VQBOTqKYZrm0u66Wx6R8xK7m4KR f+kYqUHRDCw23XRltf0Djp6dswg9gSDqBIRPyNc7NXx4zW9T6amtsDMm lg8RprWU+4AmOTK9bRDYfTjzhTvGlu2EwvIAljNo1yy3qIH0/3DB0Ccx J7c=
a33m3nqgqskqbcv3m7q5r44c34su7n9l.excelerator.no. 600 IN NSEC3 1 1 1 FC BUSTL205U0D55270B5U5QD33LCC63751 A NS SOA MX RRSIG DNSKEY NSEC3PARAM
;; Query time: 455 msec
;; SERVER: 62.109.39.202#53(62.109.39.202)
;; WHEN: Mon Sep 05 13:19:03 EST 2016
;; MSG SIZE rcvd: 346
[rock:~/git/bind9] marka% dig ns1.isphuset.no +qr @62.109.39.202
; <<>> DiG 9.11.0rc1 <<>> ns1.isphuset.no +qr @62.109.39.202
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56832
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 5f87125edbae53d6
;; QUESTION SECTION:
;ns1.isphuset.no. IN A
;; QUERY SIZE: 56
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56832
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;ns1.isphuset.no. IN A
;; ANSWER SECTION:
ns1.isphuset.no. 600 IN A 89.221.244.129
;; Query time: 335 msec
;; SERVER: 62.109.39.202#53(62.109.39.202)
;; WHEN: Mon Sep 05 13:41:28 EST 2016
;; MSG SIZE rcvd: 49
[rock:~/git/bind9] marka% dig ns1.isphuset.no +qr @62.109.39.202 +dnssec
; <<>> DiG 9.11.0rc1 <<>> ns1.isphuset.no +qr @62.109.39.202 +dnssec
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52422
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 9123498352d4a1c4
;; QUESTION SECTION:
;ns1.isphuset.no. IN A
;; QUERY SIZE: 56
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52422
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 2800
;; QUESTION SECTION:
;ns1.isphuset.no. IN A
;; ANSWER SECTION:
ns1.isphuset.no. 600 IN A 89.221.244.129
;; Query time: 475 msec
;; SERVER: 62.109.39.202#53(62.109.39.202)
;; WHEN: Mon Sep 05 13:42:32 EST 2016
;; MSG SIZE rcvd: 60
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the dns-operations
mailing list