[dns-operations] (co.)bw DNSSEC failure
Peter van Dijk
peter.van.dijk at powerdns.com
Thu Sep 29 11:13:06 UTC 2016
Hello,
it appears it is fixed now!
For those reading along, a point to clarify: it turns out no djbdns or
tinydns was involved at all here, just an operator with a knack for
funny version.bind strings.
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
On 25 Sep 2016, at 18:52, Moakofi Kamanga wrote:
> Hi Peter, I have escalated the issue to Botswana Telecom (operators of
> master.btc.net.bw).
>
> I will make sure the issue is resolved by EOB tomorrow.
>
> From: Peter van Dijk
> Sent: Sunday, 25 September, 18:28
> Subject: Re: [dns-operations] (co.)bw DNSSEC failure
> To: Moakofi Kamanga
> Cc: dns-operations at dns-oarc.net
>
> Hello,
>
> I did not get a response to my subsequent explanation. Your
> configuration is broken and validating resolvers cannot resolve any
> domain inside co.bw. Can you please fix your signer/server? Thank you!
>
> Kind regards,
>
> --
>
> Peter van Dijk
>
> PowerDNS.COM BV - https://www.powerdns.com/
>
> On 20 Sep 2016, at 16:26, Moakofi Kamanga wrote:
>
> Hi Peter, the zone co.bw has not been signed. When we started signing we
> started with the smallest zones and left co.bw while observing how
> other zones behave
>
> From: Peter van Dijk [mailto:peter.van.dijk at powerdns.com]
> Sent: 20 September 2016 04:12 PM
> To: dns-operations at dns-oarc.net
> Cc: Moakofi Kamanga <kamanga at BOCRA.ORG.BW>
> Subject: (co.)bw DNSSEC failure
>
> As (currently) visible on http://dnsviz.net/d/co.bw/dnssec/, -one- of
> the auths for .bw (the one with ‘master’ in the name) responds
> without any DNSSEC data to a DS query for co.bw, turning all names
> under co.bw bogus if a validator happens to hit this auth.
>
> See also, bad:
>
> $ dig +dnssec ds co.bw @168.167.168.37 +norec
>
> ; <<>> DiG 9.11.0a2 <<>> +dnssec ds co.bw @168.167.168.37 +norec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55749
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;co.bw. IN DS
>
> ;; AUTHORITY SECTION:
> bw. 3600 IN SOA dns1.nic.net.bw. registry.nic.net.bw. 2016092010 21600
> 3600 604800 3600
> bw. 3600 IN RRSIG SOA 8 1 3600 20161004224314 20160920130009 30513 bw.
> zSVNWUlYuP8JvpLazV2qy7GZ7DhPDkAcwGDeIx9K4EJwiOPRJW/PxSJW
> 1zulj9dZXDTbtu5CtgBc5RfXuFVlocLdPO2a8YrhOgmFBZV/QUfQ3521
> L9ulDOU7ugB0Rdkqk+hwRm7EDLkRRFFK8wKs7Pur7caG2myFBoCqW7s5 qfk=
>
> ;; Query time: 371 msec
> ;; SERVER: 168.167.168.37#53(168.167.168.37)
> ;; WHEN: Tue Sep 20 16:10:48 CEST 2016
> ;; MSG SIZE rcvd: 254
>
> good:
> $ dig +dnssec ds co.bw @204.61.216.70 +norec
>
> ; <<>> DiG 9.11.0a2 <<>> +dnssec ds co.bw @204.61.216.70 +norec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27343
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;co.bw. IN DS
>
> ;; AUTHORITY SECTION:
> bw. 3600 IN SOA dns1.nic.net.bw. registry.nic.net.bw. 2016092010 21600
> 3600 604800 3600
> bw. 3600 IN RRSIG SOA 8 1 3600 20161004224314 20160920130009 30513 bw.
> zSVNWUlYuP8JvpLazV2qy7GZ7DhPDkAcwGDeIx9K4EJwiOPRJW/PxSJW
> 1zulj9dZXDTbtu5CtgBc5RfXuFVlocLdPO2a8YrhOgmFBZV/QUfQ3521
> L9ulDOU7ugB0Rdkqk+hwRm7EDLkRRFFK8wKs7Pur7caG2myFBoCqW7s5 qfk=
> 0r0vq8vnkjq0q8h8a21rf8vstnl8cpoj.bw. 3600 IN NSEC3 1 0 5
> CE1457EE88F2A780 0R4R9PE5RACFBV1D2QKKHU3APDT24GJI NS
> 0r0vq8vnkjq0q8h8a21rf8vstnl8cpoj.bw. 3600 IN RRSIG NSEC3 8 2 3600
> 20161004194150 20160920130009 30513 bw.
> dVxbk65WdNrwMt56HU1FCSvv1hmF7V4VhJByV9tyav56uKLEVgTA5VFM
> RZjyReGj6LFQuaczsgXDCbVoCDS1NMjLl6hgkMrje9I/rZ4tdeQ6FGyU
> OIIUsj8LX1/Xf0d3wckFXDO8n3WzYZHbpH26RiuK85kLlecEiYCO1vh0 10s=
>
> ;; Query time: 23 msec
> ;; SERVER: 204.61.216.70#53(204.61.216.70)
> ;; WHEN: Tue Sep 20 16:11:13 CEST 2016
> ;; MSG SIZE rcvd: 498
>
> Technical contact from https://www.iana.org/domains/root/db/bw.html in
> Cc; sending to dns-operations in case anybody has a better contact.
>
> Kind regards,
> --
> Peter van Dijk
> PowerDNS.COM BV - https://www.powerdns.com/
>
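Added example, not part of the original thread: a small classifier for the output of `dig +dnssec ds <zone> @<auth> +norec`, separating the "bad" and "good" responses quoted above. The sample inputs are constructed from those two responses (abridged, one record per line, signatures replaced by a placeholder); the function names and result labels are this example's own.

```python
import re

# Constructed input: the two responses quoted in the thread, abridged, with
# signature data replaced by a placeholder and each record on one line.
BAD = """\
;; QUESTION SECTION:
;co.bw. IN DS

;; AUTHORITY SECTION:
bw. 3600 IN SOA dns1.nic.net.bw. registry.nic.net.bw. 2016092010 21600 3600 604800 3600
bw. 3600 IN RRSIG SOA 8 1 3600 20161004224314 20160920130009 30513 bw. PLACEHOLDER=
"""
GOOD = BAD + """\
0r0vq8vnkjq0q8h8a21rf8vstnl8cpoj.bw. 3600 IN NSEC3 1 0 5 CE1457EE88F2A780 0R4R9PE5RACFBV1D2QKKHU3APDT24GJI NS
0r0vq8vnkjq0q8h8a21rf8vstnl8cpoj.bw. 3600 IN RRSIG NSEC3 8 2 3600 20161004194150 20160920130009 30513 bw. PLACEHOLDER=
"""

def rr_types(dig_text):
    """Map section name -> set of record types; RRSIGs appear as 'RRSIG(<covered>)'."""
    sections, current = {}, None
    for line in dig_text.splitlines():
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            current = sections.setdefault(header.group(1), set())
            continue
        f = line.split()
        # Skip comments, blank lines and anything that is not "owner ttl IN type ...".
        if current is None or len(f) < 5 or line.startswith(";") or f[2] != "IN":
            continue
        current.add(f"RRSIG({f[4]})" if f[3] == "RRSIG" else f[3])
    return sections

def classify_ds_response(dig_text):
    """Classify an authoritative answer to a DS query sent with the DO bit set.

    Checks only which records are present; it does not verify signatures or
    that the NSEC/NSEC3 record actually covers the queried name.
    """
    s = rr_types(dig_text)
    answer, authority = s.get("ANSWER", set()), s.get("AUTHORITY", set())
    if "DS" in answer:
        return "secure-delegation" if "RRSIG(DS)" in answer else "ds-without-signature"
    for denial in ("NSEC3", "NSEC"):
        if denial in authority and f"RRSIG({denial})" in authority:
            return "insecure-delegation-proven"
    return "no-denial-proof"  # a validator hitting this auth treats names below as bogus
```

Running this against every authoritative server of the parent zone shows whether any one of them diverges, which is the situation described in the thread.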