[dns-operations] DNSSEC failures resolving the Sophos domain sophosxl.net
Craig Leres
leres at ee.lbl.gov
Thu Jan 19 22:43:40 UTC 2017
We do dnssec validation at LBL and for many months have been seeing
Sophos client dns lookup failures that might result from the use of dns
to validate threat signatures. Here's an example named 9.10 log message
from a recursive resolver:

2 Jan 19 14:09:18 131.243.???.??? named[1316]: client 198.128.208.???#61079 (3.1o18sr00n57o62ppp3744opqr8qn9813764r5o86osn295ss2r4pr1632rq4903.064p8r741p334393648s241824r58s9s84o22o6q9p20rro629o0rnro4q9r5q6.s3184q863ro1qp7928208809r78q0627o49q7rpnor36s013.931np766rn5645s1.i.00.s.sophosxl.net): rpz NSIP rewrite 3.1o18sr00n57o62ppp3744opqr8qn9813764r5o86osn295ss2r4pr1632rq4903.064p8r741p334393648s241824r58s9s84o22o6q9p20rro629o0rnro4q9r5q6.s3184q863ro1qp7928208809r78q0627o49q7rpnor36s013.931np766rn5645s1.i.00.s.sophosxl.net via 931np766rn5645s1.i.00.s.sophosxl.net unrecognized NS rpz_rrset_find() failed: SERVFAIL

While we do make extensive use of rpz we do not use the NSIP feature nor
do we even build bind with RPZ_NSIP support.
Here's a dnsviz.net report that shows a number of DNSSEC issues:
http://dnsviz.net/d/i.00.s.sophosxl.net/dnssec/
So far attempts to interest Sophos tech support in this issue have
failed. It would be appreciated if someone could put us in touch with a
clueful contact at Sophos.
Craig
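
Added example, not part of the original post: a small parser that pulls the fields out of named log lines shaped like the one quoted above and counts failures and distinct clients per zone, which helps show how widespread the lookups are before escalating to a vendor. The regular expression is derived from that single quoted line, so the layout of other lines is an assumption; the sample lines, addresses and shortened labels are constructed.

```python
import re
from collections import defaultdict

# Layout taken from the one log line quoted in the post; assumption: other
# occurrences of this failure are logged in the same shape.
RPZ_FAIL = re.compile(
    r"named\[\d+\]: client (?P<client>\S+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]+)\): rpz (?P<trigger>\S+) rewrite (?P<rewritten>\S+) "
    r"via (?P<via>\S+) (?P<reason>.*?) (?P<func>\w+)\(\) failed: (?P<rcode>\w+)"
)

def parse_rpz_failure(line):
    """Return the fields of one rpz rewrite failure line, or None."""
    # Mail clients and terminals wrap these long lines; collapse whitespace.
    m = RPZ_FAIL.search(" ".join(line.split()))
    return m.groupdict() if m else None

def zone_suffix(name, labels=2):
    """Last `labels` labels of a name, used as a rough grouping key."""
    return ".".join(name.rstrip(".").lower().split(".")[-labels:])

def summarize(lines):
    """Per (via-suffix, trigger, rcode): failure count and distinct clients."""
    stats = defaultdict(lambda: {"failures": 0, "clients": set()})
    for line in lines:
        rec = parse_rpz_failure(line)
        if rec:
            key = (zone_suffix(rec["via"]), rec["trigger"], rec["rcode"])
            stats[key]["failures"] += 1
            stats[key]["clients"].add(rec["client"])
    return dict(stats)

# Constructed sample lines (documentation addresses, shortened labels).
_PFX = "Jan 19 14:09:18 192.0.2.53 named[1316]: client "
_ERR = " unrecognized NS rpz_rrset_find() failed: SERVFAIL"
SAMPLE = [
    _PFX + "198.51.100.7#61079 (3.aa.bb.i.00.s.sophosxl.net): rpz NSIP rewrite "
    "3.aa.bb.i.00.s.sophosxl.net via bb.i.00.s.sophosxl.net" + _ERR,
    _PFX + "198.51.100.7#61080 (3.cc.dd.i.00.s.sophosxl.net): rpz NSIP rewrite\n"
    "3.cc.dd.i.00.s.sophosxl.net via dd.i.00.s.sophosxl.net" + _ERR,
    _PFX + "198.51.100.9#40112 (3.ee.ff.i.00.s.sophosxl.net): rpz NSIP rewrite "
    "3.ee.ff.i.00.s.sophosxl.net via ff.i.00.s.sophosxl.net" + _ERR,
    "Jan 19 14:09:19 192.0.2.53 named[1316]: zone example.org/IN: loaded serial 7",
]

if __name__ == "__main__":
    for key, s in summarize(SAMPLE).items():
        print(key, s["failures"], "failures from", len(s["clients"]), "clients")
```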