[dns-operations] (co.)bw DNSSEC failure

Peter van Dijk peter.van.dijk at powerdns.com
Tue Sep 20 14:11:47 UTC 2016


As (currently) visible on http://dnsviz.net/d/co.bw/dnssec/, -one- of 
the auths for .bw (the one with ‘master’ in the name) responds 
without any DNSSEC data to a DS query for co.bw, turning all names under 
co.bw bogus if a validator happens to hit this auth.

See also, bad:

$ dig +dnssec ds co.bw @168.167.168.37 +norec

; <<>> DiG 9.11.0a2 <<>> +dnssec ds co.bw @168.167.168.37 +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55749
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;co.bw.				IN	DS

;; AUTHORITY SECTION:
bw.			3600	IN	SOA	dns1.nic.net.bw. registry.nic.net.bw. 2016092010 21600 
3600 604800 3600
bw.			3600	IN	RRSIG	SOA 8 1 3600 20161004224314 20160920130009 30513 bw. 
zSVNWUlYuP8JvpLazV2qy7GZ7DhPDkAcwGDeIx9K4EJwiOPRJW/PxSJW 
1zulj9dZXDTbtu5CtgBc5RfXuFVlocLdPO2a8YrhOgmFBZV/QUfQ3521 
L9ulDOU7ugB0Rdkqk+hwRm7EDLkRRFFK8wKs7Pur7caG2myFBoCqW7s5 qfk=

;; Query time: 371 msec
;; SERVER: 168.167.168.37#53(168.167.168.37)
;; WHEN: Tue Sep 20 16:10:48 CEST 2016
;; MSG SIZE  rcvd: 254


good:
$ dig +dnssec ds co.bw @204.61.216.70 +norec

; <<>> DiG 9.11.0a2 <<>> +dnssec ds co.bw @204.61.216.70 +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27343
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;co.bw.				IN	DS

;; AUTHORITY SECTION:
bw.			3600	IN	SOA	dns1.nic.net.bw. registry.nic.net.bw. 2016092010 21600 
3600 604800 3600
bw.			3600	IN	RRSIG	SOA 8 1 3600 20161004224314 20160920130009 30513 bw. 
zSVNWUlYuP8JvpLazV2qy7GZ7DhPDkAcwGDeIx9K4EJwiOPRJW/PxSJW 
1zulj9dZXDTbtu5CtgBc5RfXuFVlocLdPO2a8YrhOgmFBZV/QUfQ3521 
L9ulDOU7ugB0Rdkqk+hwRm7EDLkRRFFK8wKs7Pur7caG2myFBoCqW7s5 qfk=
0r0vq8vnkjq0q8h8a21rf8vstnl8cpoj.bw. 3600 IN NSEC3 1 0 5 
CE1457EE88F2A780 0R4R9PE5RACFBV1D2QKKHU3APDT24GJI  NS
0r0vq8vnkjq0q8h8a21rf8vstnl8cpoj.bw. 3600 IN RRSIG NSEC3 8 2 3600 
20161004194150 20160920130009 30513 bw. 
dVxbk65WdNrwMt56HU1FCSvv1hmF7V4VhJByV9tyav56uKLEVgTA5VFM 
RZjyReGj6LFQuaczsgXDCbVoCDS1NMjLl6hgkMrje9I/rZ4tdeQ6FGyU 
OIIUsj8LX1/Xf0d3wckFXDO8n3WzYZHbpH26RiuK85kLlecEiYCO1vh0 10s=

;; Query time: 23 msec
;; SERVER: 204.61.216.70#53(204.61.216.70)
;; WHEN: Tue Sep 20 16:11:13 CEST 2016
;; MSG SIZE  rcvd: 498


Technical contact from https://www.iana.org/domains/root/db/bw.html in 
Cc; sending to dns-operations in case anybody has a better contact.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
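
The comparison made in this message (does an authoritative NODATA answer to a DS query carry a signed NSEC/NSEC3 denial?), as an added example that is not part of the original post. The function names and result labels are hypothetical, the sample responses are constructed from the two dig outputs above with signature data replaced by a placeholder, and the parser assumes dig's one-record-per-line text output.

```python
def rrtypes(dig_output):
    """Return (type, covered_type) pairs for each record line of dig text output."""
    found = []
    for line in dig_output.splitlines():
        if not line.strip() or line.startswith(";"):
            continue  # blank line, header or comment
        tok = line.split()
        if "IN" not in tok or tok.index("IN") + 1 >= len(tok):
            continue  # not a record line (e.g. a mail-wrapped continuation)
        i = tok.index("IN")
        rtype = tok[i + 1]
        covered = tok[i + 2] if rtype == "RRSIG" and i + 2 < len(tok) else None
        found.append((rtype, covered))
    return found

def classify_ds_response(dig_output):
    """Classify the reply to `dig +dnssec +norec ds <zone> @<auth>`."""
    rrs = rrtypes(dig_output)
    types = {t for t, _ in rrs}
    signed = {c for t, c in rrs if t == "RRSIG"}
    if "DS" in types:
        return "ds-signed" if "DS" in signed else "ds-unsigned"
    # No DS: a validator needs a signed NSEC or NSEC3 to accept the absence.
    # Only presence is checked here; the signature and the type bitmap
    # are not verified (that is the validator's job).
    if any(d in types and d in signed for d in ("NSEC3", "NSEC")):
        return "nodata-proven"
    return "nodata-unproven"  # validators will treat the delegation as bogus

# Constructed samples; "c2ln" stands in for the real signature data.
SOA_ONLY = """\
;; AUTHORITY SECTION:
bw. 3600 IN SOA dns1.nic.net.bw. registry.nic.net.bw. 2016092010 21600 3600 604800 3600
bw. 3600 IN RRSIG SOA 8 1 3600 20161004224314 20160920130009 30513 bw. c2ln
"""
WITH_NSEC3 = SOA_ONLY + """\
0r0vq8vnkjq0q8h8a21rf8vstnl8cpoj.bw. 3600 IN NSEC3 1 0 5 CE1457EE88F2A780 0R4R9PE5RACFBV1D2QKKHU3APDT24GJI NS
0r0vq8vnkjq0q8h8a21rf8vstnl8cpoj.bw. 3600 IN RRSIG NSEC3 8 2 3600 20161004194150 20160920130009 30513 bw. c2ln
"""

if __name__ == "__main__":
    for name, sample in (("bad", SOA_ONLY), ("good", WITH_NSEC3)):
        print(name, classify_ds_response(sample))
```

Run against every address in a zone's NS set, any server returning `nodata-unproven` or `ds-unsigned` is the one validators will intermittently fail on.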


