[dns-operations] (co.)bw DNSSEC failure

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Sep 22 06:15:06 UTC 2016


On Wed, Sep 21, 2016 at 11:30:01PM -0600, David wrote:

> >Most misconfigurations of this type involve accidentally hosted root
> >zones, btw.

We've drifted somewhat off topic from the original report.  The
co.bw delegation is still broken at "master.btc.net.bw", and perhaps
not entirely coincidentally the delegation from "co.bw" to "nic.co.bw"
is lame (at all the nameservers):

    --- co.bw IN DS ? ---

    @master.btc.net.bw.[168.167.168.37]
    ; <<>> DiG 9.10.4-P2 <<>> +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t ds co.bw @168.167.168.37
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5062
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
    ;co.bw.			IN DS
    bw.			SOA	dns1.nic.net.bw. registry.nic.net.bw. 2016092203 21600 3600 604800 3600
    bw.			RRSIG	SOA 8 1 3600 20161006014243 20160922010005 30513 bw.

    @dns1.nic.net.bw.[168.167.98.226]
    @dns2.nic.net.bw.[168.167.98.218]
    @ns-bw.afrinic.net.[196.216.168.72]
    @pch.nic.net.bw.[204.61.216.70]
    ; <<>> DiG 9.10.4-P2 <<>> +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t ds co.bw @...
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46339
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
    ;co.bw.			IN DS
    bw.			SOA	dns1.nic.net.bw. registry.nic.net.bw. 2016092203 21600 3600 604800 3600
    bw.			RRSIG	SOA 8 1 3600 20161006014243 20160922010005 30513 bw.
    0r0vq8vnkjq0q8h8a21rf8vstnl8cpoj.bw. NSEC3 1 0 5 CE1457EE88F2A780 0R4R9PE5RACFBV1D2QKKHU3APDT24GJI  NS
    0r0vq8vnkjq0q8h8a21rf8vstnl8cpoj.bw. RRSIG NSEC3 8 2 3600 20161004194150 20160920130009 30513 bw.

    Related NSEC3 Hashes:

	h3cb2fvhimqif8udp31hbme3f16g9q5e. bw
	1hmipttndo47nofdprn5a8pnf98g8den. *.bw
	0r0vq8vnkjq0q8h8a21rf8vstnl8cpoj. co.bw

    --- nic.co.bw IN MX ? ---

    @master.btc.net.bw.[168.167.168.37]
    @dns1.nic.net.bw.[168.167.98.226]
    @dns2.nic.net.bw.[168.167.98.218]
    @ns-bw.afrinic.net.[196.216.168.72]
    @pch.nic.net.bw.[204.61.216.70]
    ; <<>> DiG 9.10.4-P2 <<>> +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t mx nic.co.bw @...
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8259
    ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
    ;nic.co.bw.		IN MX
    nic.co.bw.		NS	dns1.nic.net.bw.
    nic.co.bw.		NS	dns2.nic.net.bw.

Anyone reported these to the appropriate contacts?  There appear
to be some real domains under co.bw:

	3mbotswana.co.bw
	420agencies.co.bw
	4site.co.bw
	5mcs.co.bw
	fsg.co.bw
	...

so the parent zone does need to be correctly provisioned.

-- 
	Viktor.
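
An added example, not part of the original message: a Python check of the DS denial seen in the dig output above. It recomputes the RFC 5155 NSEC3 hash of co.bw from the parameters in the NSEC3 record, then tests whether each authority section holds the matching NSEC3 with no DS in its type list. It covers only the matching-NSEC3 case and does not verify RRSIGs; the function names and tuple layout are assumptions of this sketch.

```python
import base64
import hashlib

# NSEC3 owner names use base32hex (RFC 4648), not the standard Base32 alphabet.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical (lowercase) wire format of a domain name."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash, algorithm 1 (SHA-1): base32hex text, lowercase."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):          # "iterations" counts the extra rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_TO_B32HEX).lower()

def ds_denial_present(qname, zone, authority):
    """True if a matching NSEC3 for qname exists and its type list lacks DS."""
    for owner, rtype, rdata in authority:
        if rtype != "NSEC3":
            continue
        alg, _flags, iters, salt, _next, *types = rdata.split()
        want = nsec3_hash(qname, salt, int(iters)) + "." + zone.rstrip(".") + "."
        if alg == "1" and owner.lower() == want and "DS" not in types:
            return True
    return False

# Authority sections copied from the dig output in the message (owner, type, rdata).
SOA_ONLY = [  # as returned by master.btc.net.bw
    ("bw.", "SOA", "dns1.nic.net.bw. registry.nic.net.bw. 2016092203 21600 3600 604800 3600"),
    ("bw.", "RRSIG", "SOA 8 1 3600 20161006014243 20160922010005 30513 bw."),
]
WITH_NSEC3 = SOA_ONLY + [  # as returned by the other four servers
    ("0r0vq8vnkjq0q8h8a21rf8vstnl8cpoj.bw.", "NSEC3",
     "1 0 5 CE1457EE88F2A780 0R4R9PE5RACFBV1D2QKKHU3APDT24GJI NS"),
    ("0r0vq8vnkjq0q8h8a21rf8vstnl8cpoj.bw.", "RRSIG",
     "NSEC3 8 2 3600 20161004194150 20160920130009 30513 bw."),
]

if __name__ == "__main__":
    print("hash(co.bw) =", nsec3_hash("co.bw", "CE1457EE88F2A780", 5))
    for label, auth in (("master.btc.net.bw", SOA_ONLY), ("other servers", WITH_NSEC3)):
        print(label, "DS denial present:", ds_denial_present("co.bw", "bw", auth))
```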


