[dns-operations] isphuset.no/fsdata.se DNSSEC breakage
Mark Andrews
marka at isc.org
Mon Sep 5 04:33:47 UTC 2016
In message <20160905041930.GA4670 at mournblade.imrryr.org>, Viktor Dukhovni writes:
> On Mon, Sep 05, 2016 at 01:55:19PM +1000, Mark Andrews wrote:
>
> > It's not just TLSA.
> >
> > The servers also get basic DNS wrong, let alone EDNS or DNSSEC.
> > Truncated responses are not marked as truncated as required. The
> > OPT record isn't included in the truncated response as required.
> > Not all EDNS queries get an EDNS response.
>
> Is this at all similar to the situation with DNSKEY lookups for
> say uspto.gov (I don't know what DNS server software is used by
> the nameservers for that domain):
>
> http://dnsviz.net/d/uspto.gov/V8zmzA/dnssec/?rr=6&a=all&ds=all&ta=.&tk=
Similar but different. TC is set but the record counts are not
correct. The OPT record isn't in the truncated message.
[rock:~/git/bind9] marka% dig uspto.gov tlsa @lbboy-dns1.uspto.gov +dnssec +bufsize=512 +ignore
;; Warning: Message parser reports malformed message packet.
; <<>> DiG 9.11.0rc1 <<>> uspto.gov tlsa @lbboy-dns1.uspto.gov +dnssec +bufsize=512 +ignore
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35254
;; flags: qr aa tc rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;uspto.gov. IN TLSA
;; AUTHORITY SECTION:
uspto.gov. 900 IN SOA dns3.uspto.gov. nmb.uspto.gov. 2014113899 10800 1080 2419200 900
uspto.gov. 900 IN RRSIG SOA 7 2 900 20160909103741 20160902103741 5522 uspto.gov. aF3pEWZoqvm0WyzUkfIpzIeZyn3aahrHH4EqpaAjOLacA7Ua3T/9Pmqv ko59wwNBjdO8Cr8FdOi6HGmJKqkGTFa/mplZcmgUsxUGbR5ahwqgGgDz ce67YrjMShEGtKOh/0+mSFOJq7X21xOgjMiN1hnDxwZhg3TgFZGpG0GQ zUaC8rpISNnSWbDvYAr68HnoY5LUhZJJras4t39hI0bAuvcWKY5JfcfZ 8IcO+IuH/JPAr/TyHXcBzT+2SuQMaa2yNybYDHuitL/sQGC7Tte8DTGK x7a+eLMGbkYU26A+UDGD+nWFvKOZtn2hy/1jmfIyT6LrJg7euu5phPJz P+PeHw==
bd1vir6un3m7fc4fao7376f3ok3lbofl.uspto.gov. 900 IN NSEC3 1 0 1 59413CB98C289D03 BD1VIR6UN3M7FC4FAO7376F3OK3LBOFM
;; Query time: 440 msec
;; SERVER: 2610:20:500a:1606::200#53(2610:20:500a:1606::200)
;; WHEN: Mon Sep 05 14:29:08 EST 2016
;; MSG SIZE rcvd: 448
[rock:~/git/bind9] marka%
>
> > Presumably all of these issues have been fixed in later releases.
>
> I've not encountered any similar issues with folks who did upgrade
> to reasonably recent versions of PowerDNS. Admittedly my tests
> are far from comprehensive. I just look for "unbound" to not fail
> to return the MX/A/AAAA/TLSA RRsets if they exist, or to return
> NXDOMAIN or NODATA when they do not.
>
> I've not been testing any other DNS/DNSSEC edge-cases. I don't
> even make a fuss when the glue and authoritative NS or A/AAAA RRsets
> don't match up.
>
> --
> Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
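The checks Mark is describing (TC set, header section counts that disagree with the records actually present, no OPT record in the truncated reply) can be applied to any response taken off the wire. The following is an added Python example written for this archive page, not code from the thread or from BIND/dig; it uses only the standard library. The message it audits is constructed inline to mimic the dig output above (same names and SOA fields, ARCOUNT=1 with nothing behind it), it is not a capture, and a second constructed message with the OPT record present shows what a correctly truncated reply looks like to the same audit.

```python
"""Audit a DNS response for the truncation errors discussed in the thread.

Added example, not part of the original post.  The sample messages are
constructed below, they are not captures from uspto.gov's servers.
"""
import struct

TYPE_OPT = 41          # OPT pseudo-RR, RFC 6891
TYPE_SOA = 6
TYPE_TLSA = 52
FLAG_QR, FLAG_AA, FLAG_TC = 0x8000, 0x0400, 0x0200


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                  # compression pointer ends the name
            if off + 1 >= len(msg):
                raise ValueError("compression pointer cut off")
            return off + 2
        off += 1 + length


def _read_rr(msg, off):
    """Return (rtype, offset after the RR) for one resource record."""
    off = _skip_name(msg, off)
    if off + 10 > len(msg):
        raise ValueError("RR fixed fields run past end of message")
    rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    if off + rdlen > len(msg):
        raise ValueError("RDATA runs past end of message")
    return rtype, off + rdlen


def audit_response(msg):
    """Compare header counts with records present, note TC and OPT presence."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    _msg_id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    report = {
        "tc": bool(flags & FLAG_TC),
        "header_counts": {"qd": qd, "an": an, "ns": ns, "ar": ar},
        "actual_counts": {"qd": 0, "an": 0, "ns": 0, "ar": 0},
        "has_opt": False,
        "malformed": False,
        "problems": [],
    }
    off = 12
    try:
        for _ in range(qd):
            off = _skip_name(msg, off)
            if off + 4 > len(msg):
                raise ValueError("question runs past end of message")
            off += 4                                # QTYPE + QCLASS
            report["actual_counts"]["qd"] += 1
        for section, count in (("an", an), ("ns", ns), ("ar", ar)):
            for _ in range(count):
                rtype, off = _read_rr(msg, off)
                report["actual_counts"][section] += 1
                if section == "ar" and rtype == TYPE_OPT:
                    report["has_opt"] = True
    except ValueError as exc:                      # what dig calls "malformed message packet"
        report["malformed"] = True
        report["problems"].append(f"malformed: {exc}")
    if not report["malformed"] and off != len(msg):
        report["problems"].append(f"{len(msg) - off} trailing bytes after last record")
    for sec in ("qd", "an", "ns", "ar"):
        claimed, seen = report["header_counts"][sec], report["actual_counts"][sec]
        if claimed != seen:
            report["problems"].append(f"{sec.upper()}COUNT={claimed} but {seen} present")
    if report["tc"] and not report["has_opt"]:
        # RFC 6891 section 7: a truncated response must still carry the OPT record
        report["problems"].append("TC set but no OPT record in the truncated reply")
    return report


# --- constructed sample messages (assumed values, modelled on the dig output) ---
def _wire_name(name):
    if name in ("", "."):
        return b"\x00"
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _rr(name, rtype, rclass, ttl, rdata):
    return _wire_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_constructed_reply(include_opt, claimed_ar):
    """TC-flagged NODATA reply for uspto.gov/TLSA with one SOA in authority."""
    header = struct.pack("!HHHHHH", 35254, FLAG_QR | FLAG_AA | FLAG_TC, 1, 0, 1, claimed_ar)
    question = _wire_name("uspto.gov") + struct.pack("!HH", TYPE_TLSA, 1)
    soa_rdata = (_wire_name("dns3.uspto.gov") + _wire_name("nmb.uspto.gov")
                 + struct.pack("!IIIII", 2014113899, 10800, 1080, 2419200, 900))
    authority = _rr("uspto.gov", TYPE_SOA, 1, 900, soa_rdata)
    additional = _rr(".", TYPE_OPT, 4096, 0, b"") if include_opt else b""
    return header + question + authority + additional


BROKEN = build_constructed_reply(include_opt=False, claimed_ar=1)   # ARCOUNT=1, nothing behind it
GOOD = build_constructed_reply(include_opt=True, claimed_ar=1)      # OPT kept in truncated reply

if __name__ == "__main__":
    for label, wire in (("broken", BROKEN), ("good", GOOD)):
        print(label, audit_response(wire))
```

Run against a real reply by replacing BROKEN with the bytes of a UDP answer to a +dnssec +bufsize=512 query; the function only inspects framing, so it does not need to understand RDATA and will flag the same three conditions dig hints at above: the parser warning, the ADDITIONAL count with no record behind it, and the missing OPT.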