[dns-operations] DNSSEC failures resolving the Sophos domain sophosxl.net

Mark Andrews marka at isc.org
Fri Jan 20 07:32:53 UTC 2017


Well, when the server doesn't actually answer the question, what do
you expect?  The answer section is NOT a valid answer to the query.

Can't do DNS properly. Can't do EDNS properly.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> 3.1o18sr00n57o62ppp3744opqr8qn9813764r5o86osn295ss2r4pr1632rq4903.064p8r741p334393648s241824r58s9s84o22o6q9p20rro629o0rnro4q9r5q6.s3184q863ro1qp7928208809r78q0627o49q7rpnor36s013.931np766rn5645s1.i.00.s.sophosxl.net ns @frontend-44.eu-west-1.4.sophosxl.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58618
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 846c37c8b240aa88 (echoed)
;; QUESTION SECTION:
;3.1o18sr00n57o62ppp3744opqr8qn9813764r5o86osn295ss2r4pr1632rq4903.064p8r741p334393648s241824r58s9s84o22o6q9p20rro629o0rnro4q9r5q6.s3184q863ro1qp7928208809r78q0627o49q7rpnor36s013.931np766rn5645s1.i.00.s.sophosxl.net. IN NS

;; ANSWER SECTION:
i.00.s.sophosxl.net.	300	IN	NS	frontend-44.eu-west-1.4.sophosxl.net.
i.00.s.sophosxl.net.	300	IN	NS	frontend-44-2.eu-west-1.4.sophosxl.net.

;; Query time: 333 msec
;; SERVER: 52.49.16.99#53(52.49.16.99)
;; WHEN: Fri Jan 20 18:27:04 EST 2017
;; MSG SIZE  rcvd: 358

In message <20170120061213.rzdfgtiq3zy57xil at mycre.ws>, Robert Edmonds writes:
> Craig Leres wrote:
> >        2 Jan 19 14:09:18 131.243.???.??? named[1316]: client
> > 198.128.208.???#61079 (3.1o18sr00n57o62ppp3744opqr8qn9813764r5o86osn295ss2r4pr1632rq4903.064p8r741p334393648s241824r58s9s84o22o6q9p20rro629o0rnro4q9r5q6.s3184q863ro1qp7928208809r78q0627o49q7rpnor36s013.931np766rn5645s1.i.00.s.sophosxl.net):
> > rpz NSIP rewrite 3.1o18sr00n57o62ppp3744opqr8qn9813764r5o86osn295ss2r4pr1632rq4903.064p8r741p334393648s241824r58s9s84o22o6q9p20rro629o0rnro4q9r5q6.s3184q863ro1qp7928208809r78q0627o49q7rpnor36s013.931np766rn5645s1.i.00.s.sophosxl.net
> > via 931np766rn5645s1.i.00.s.sophosxl.net unrecognized NS rpz_rrset_find()
> > failed: SERVFAIL
> > 
> > While we do make extensive use of rpz we do not use the NSIP feature nor do
> > we even build bind with RPZ_NSIP support.
> 
> Hi, Craig:
> 
> If you grep for ENABLE_RPZ_NSIP in the BIND source, there's exactly one
> #ifdef of it, and it appears to be in the RPZ loading code. So I think
> the only thing --disable-rpz-nsip does is prevent NSIP RPZ rules from
> being loaded.
> 
> The code that actually performs RPZ rewriting doesn't have such an
> #ifdef, and the "unrecognized NS" log message is only generated here:
> 
> https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=blob;f=bin/named/query.c;h=52d13b6c61436f1357cf4ce15722e326953c54a4;hb=2b12043ba0debf1aba08ddd0914aff287e46978a#l5360
> 
> But, it looks like that code is trying to perform RPZ NSDNAME filtering
> (not RPZ NSIP).
> 
> > Here's a dnsviz.net report that shows a number of DNSSEC issues:
> > 
> >     http://dnsviz.net/d/i.00.s.sophosxl.net/dnssec/
> 
> There's an insecure delegation from the TLD for sophosxl[dot]net, and
> the Sophos zones aren't signed (and don't appear to have ever been
> signed). So by definition it can't be a DNSSEC issue :-)
> 
> The issues listed on that page:
> 
>     i.00.s.sophosxl.net zone: The server(s) were not responsive to
>     queries over TCP.
> 
>     i.00.s.sophosxl.net/AAAA: The response had an invalid RCODE
>     (REFUSED).
> 
>     i.00.s.sophosxl.net/DNSKEY: The response had an invalid RCODE
>     (REFUSED).
> 
>     i.00.s.sophosxl.net/NS: A query for i.00.s.sophosxl.net results in a
>     NOERROR response, while a query for its ancestor, s.sophosxl.net,
>     returns a name error (NXDOMAIN), which indicates that subdomains of
>     s.sophosxl.net, including i.00.s.sophosxl.net, don't exist.
> 
>     i.00.s.sophosxl.net/SOA: A query for i.00.s.sophosxl.net results in
>     a NOERROR response, while a query for its ancestor, s.sophosxl.net,
>     returns a name error (NXDOMAIN), which indicates that subdomains of
>     s.sophosxl.net, including i.00.s.sophosxl.net, don't exist.
> 
>     i.00.s.sophosxl.net/SOA: No response was received from the server
>     over TCP (tried 3 times).
> 
> So, those nameservers are pretty broken, but probably not broken enough
> to break an old school DNS resolver :-\
> 
> FWIW, Unbound 1.6.0 with a stock configuration (and with DNSSEC
> validation enabled) can resolve that name successfully (returning
> NODATA), but if you enable qname minimisation it looks like the first
> few resolution attempts will SERVFAIL before it starts resolving.
> 
> > So far attempts to interest Sophos tech support in this issue have failed.
> > It would be appreciated if someone could put us in touch with a clueful
> > contact at Sophos.
> 
> Good luck!
> 
> -- 
> Robert Edmonds
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
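The two defects this thread turns on, an ANSWER section whose RRs are not owned by the QNAME (the dig output in this message) and a NOERROR child under an NXDOMAIN ancestor (the dnsviz findings quoted from Robert's reply), as a small offline checker. This is an added example, not code from the thread, from ISC or from Sophos. It uses only the Python standard library and works on dig-style text; the sample response is constructed from the dig output quoted above (names, flags and TTLs copied as shown), and the RCODE map for the ancestor check is constructed from the dnsviz lines quoted above. Nothing else about the Sophos servers is assumed.

```python
"""Sanity checks for DNS responses of the kind discussed in this thread.

Added example, not code from the thread or from ISC/Sophos.  Operates on
dig-style text so it runs offline; the sample below is constructed from the
dig output quoted in the message (names, flags and TTLs copied verbatim).
"""
import re

# Constructed sample: the relevant parts of the dig output quoted above.
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58618
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;3.1o18sr00n57o62ppp3744opqr8qn9813764r5o86osn295ss2r4pr1632rq4903.064p8r741p334393648s241824r58s9s84o22o6q9p20rro629o0rnro4q9r5q6.s3184q863ro1qp7928208809r78q0627o49q7rpnor36s013.931np766rn5645s1.i.00.s.sophosxl.net. IN NS

;; ANSWER SECTION:
i.00.s.sophosxl.net.\t300\tIN\tNS\tfrontend-44.eu-west-1.4.sophosxl.net.
i.00.s.sophosxl.net.\t300\tIN\tNS\tfrontend-44-2.eu-west-1.4.sophosxl.net.
"""


def parse_dig(text):
    """Return (flags, qname, qtype, answers) from dig output.

    answers is a list of (owner, ttl, class, type, rdata) tuples taken
    from the ANSWER section only; owner names are lower-cased.
    """
    flags, qname, qtype, answers, section = set(), None, None, [], None
    for line in text.splitlines():
        line = line.rstrip()
        m = re.match(r";; flags: ([^;]*);", line)
        if m:
            flags = set(m.group(1).split())
            continue
        if line.startswith(";; QUESTION SECTION:"):
            section = "question"
            continue
        if line.startswith(";; ANSWER SECTION:"):
            section = "answer"
            continue
        if not line or line.startswith(";;"):
            section = None          # blank line or other header ends a section
            continue
        if section == "question" and line.startswith(";"):
            parts = line[1:].split()
            qname, qtype = parts[0].lower(), parts[-1]
        elif section == "answer":
            owner, ttl, rclass, rtype, rdata = line.split(None, 4)
            answers.append((owner.lower(), int(ttl), rclass, rtype, rdata))
    return flags, qname, qtype, answers


def is_ancestor(ancestor, name):
    """True if `ancestor` is a strict ancestor of `name` (both FQDNs with dot)."""
    return name.endswith("." + ancestor)


def answers_question(qname, answers):
    """RFC 1034 s4.3.2: every ANSWER RR must be owned by the QNAME or by a name
    reached from it through a CNAME chain.  An NS RRset for an ancestor of the
    QNAME is a referral and belongs in AUTHORITY, so it fails this test."""
    allowed = {qname}
    for owner, _ttl, _cls, rtype, rdata in answers:
        if rtype == "CNAME" and owner in allowed:
            allowed.add(rdata.lower())
    return all(owner in allowed for owner, *_ in answers)


def diagnose(text):
    """Classify a dig response: 'ok', the misplaced-referral case from this
    thread, or a generic owner/QNAME mismatch."""
    _flags, qname, _qtype, answers = parse_dig(text)
    if answers_question(qname, answers):
        return "ok"
    if answers and all(rtype == "NS" and is_ancestor(owner, qname)
                       for owner, _t, _c, rtype, _r in answers):
        return "ns-rrset-for-ancestor-in-answer-section"
    return "answer-does-not-match-question"


def ancestor_inconsistencies(rcodes):
    """rcodes: mapping FQDN -> RCODE observed.  Return sorted (ancestor, child)
    pairs where the ancestor is NXDOMAIN but the child is not; RFC 8020 says
    NXDOMAIN means nothing exists below that name, so such pairs are broken."""
    bad = []
    for anc, anc_rc in rcodes.items():
        if anc_rc != "NXDOMAIN":
            continue
        for child, child_rc in rcodes.items():
            if child_rc != "NXDOMAIN" and is_ancestor(anc, child):
                bad.append((anc, child))
    return sorted(bad)


if __name__ == "__main__":
    print(diagnose(SAMPLE_DIG))
    # Constructed from the dnsviz lines quoted in the thread.
    print(ancestor_inconsistencies({"s.sophosxl.net.": "NXDOMAIN",
                                    "i.00.s.sophosxl.net.": "NOERROR"}))
```

Run against the constructed sample, diagnose() reports the misplaced-referral case because both ANSWER RRs are NS records owned by an ancestor of the QNAME rather than by the QNAME itself, and the ancestor check flags the s.sophosxl.net / i.00.s.sophosxl.net pair. Feeding it real dig output needs no changes as long as the ANSWER section uses the default one-RR-per-line layout.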