[dns-operations] (co.)bw DNSSEC failure

Anand Buddhdev anandb at ripe.net
Tue Sep 20 17:58:40 UTC 2016


On 20/09/16 18:58, Warren Kumari wrote:

Hi Warren,

> In the "bad" example, the nameserver is returning a helpful RRSIG, so
> it has to have at least heard of DNSSEC. The serials match, so
> (likely!) they have the same data. Sure, master.btc.net.bw could
> simply be pathological, or someone could have hand edited the signed
> zone file and <handwave>, but I'm not really sure how else this
> situation could have come about.

This particular server identifies itself as:

$ dig @master.btc.net.bw ch txt version.bind +norec +short
"djbdns"

My guess is that they're using tinydns patched for DNSSEC
(tinydnssec.org), and it's an older version with a bug (fixed in 1.3).

Regards,
Anand



