[dns-operations] (co.)bw DNSSEC failure

Warren Kumari warren at kumari.net
Tue Sep 20 18:29:01 UTC 2016


On Tue, Sep 20, 2016 at 1:58 PM, Anand Buddhdev <anandb at ripe.net> wrote:
> On 20/09/16 18:58, Warren Kumari wrote:
>
> Hi Warren,
>
>> In the "bad" example, the nameserver is returning a helpful RRSIG, so
>> it has to have at least heard of DNSSEC. The serials match, so
>> (likely!) they have the same data. Sure, master.btc.net.bw could
>> simply be pathological, or someone could have hand edited the signed
>> zone file and <handwave>, but I'm not really sure how else this
>> situation could have come about.
>
> This particular server identifies itself as:
>
> $ dig @master.btc.net.bw ch txt version.bind +norec +short
> "djbdns"
>
> My guess is that they're using tinydns patched for dnssec
> (tinydnssec.org), and it's an older version with a bug (fixed in 1.3).

Erk. Yeah, that'll do it.

So, that explains *this* case, but we often seem to see other *weird*
issues... I'm trying to find the example (I have it squirreled away
somewhere), but one of my favorites was getting back NXDOMAIN
responses along with a full (complete and correct) answer. I never
figured out what I should do with that - do I use the answer or not?
Another good one was querying for a AAAA only got me back a TXT record
containing the string: "[TODO - FIXME!!!]".

W


>
> Regards,
> Anand
>



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
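An offline way to exercise the two checks in this exchange (Anand's CHAOS-class version.bind probe and the NXDOMAIN-with-a-full-answer response Warren describes), as an added example that is not part of the original post: it builds the query that dig sends with +norec, parses a DNS response from wire format, and names the contradiction when the RCODE and the answer section disagree. Every packet below is constructed inline, not captured from any real server, and the classification labels are this example's own, not RFC terms.

```python
"""Offline sanity checks for DNS responses: a query builder for the
CHAOS-class version.bind probe (no recursion, as with dig +norec), a
minimal wire-format parser, and a classifier for RCODE/answer mismatches.
Added example, not code from the original post; all packets are constructed."""
import struct

QTYPE = {"A": 1, "CNAME": 5, "TXT": 16, "AAAA": 28, "RRSIG": 46}
QCLASS = {"IN": 1, "CH": 3}
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                   for lab in name.rstrip(".").split(".") if lab)
    return out + b"\x00"

def build_query(qname, qtype, qclass="IN", recursion_desired=False, txid=0x1234):
    """Build a one-question query; recursion_desired=False matches dig +norec."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE[qtype], QCLASS[qclass])

def build_response(query, rcode, answers):
    """Constructed response: echoes the question, sets QR|AA and the given
    RCODE, and names each answer RR with a pointer (0xC00C) to the qname.
    `answers` is a list of (type, class, ttl, rdata) tuples."""
    txid = struct.unpack("!H", query[:2])[0]
    body = query[12:]
    for rtype, rclass, ttl, rdata in answers:
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8400 | (rcode & 0xF), 1, len(answers), 0, 0) + body

def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset past it)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)

def parse_response(data):
    """Parse header, question and answer sections (authority/additional ignored)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = read_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = read_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        answers.append((name, rtype, rclass, ttl, data[offset:offset + rdlen]))
        offset += rdlen
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}

def txt_rdata(*strings):
    """Build TXT RDATA from character-strings (each at most 255 bytes)."""
    return b"".join(bytes([len(s)]) + s.encode("ascii") for s in strings)

def decode_txt(rdata):
    """Split TXT RDATA back into its character-strings."""
    out, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        out.append(rdata[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return out

def classify(resp):
    """Label the response; the labels are this example's own, not RFC terms."""
    rcode, answers = resp["rcode"], resp["answers"]
    if rcode == 3:
        # NXDOMAIN asserts the name does not exist, so any answer RR contradicts it.
        return "nxdomain_with_answers" if answers else "nxdomain"
    if rcode != 0:
        return RCODE.get(rcode, "rcode%d" % rcode).lower()
    if not answers:
        return "noerror_nodata"
    qtype = resp["questions"][0][1]
    # A NOERROR answer should carry the requested type, a CNAME toward it,
    # or RRSIGs over those; an AAAA query answered only by TXT is neither.
    if not any(rr[1] in (qtype, QTYPE["CNAME"], QTYPE["RRSIG"]) for rr in answers):
        return "answer_type_mismatch"
    return "consistent"
```

Nothing here touches the network: to use it against a live server you would send the bytes from build_query over UDP port 53 yourself and hand the reply to parse_response. The classifier deliberately treats NXDOMAIN plus a populated answer section as an error rather than picking a side, since the protocol gives no rule for which half to believe.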


