[dns-operations] issue with DNSSEC on one of the root NS with IPv6?

Alarig Le Lay alarig at swordarmor.fr
Tue May 16 21:15:07 UTC 2017


On mar. 16 mai 13:16:30 2017, Franck Martin wrote:
> If I look at the errors on
> http://dnsviz.net/d/sigok.verteiltesysteme.net/dnssec/
> 
> I see that it complains about 2001:500:2f::f not sending DNSSEC records for
> the root zone?

Hi,

The root zone is not signed. Either with IPv6 or IPv4.

alarig at airmure ~ % for srv in a b c d e f; do dig -t DS . @${srv}.root-servers.net; done

; <<>> DiG 9.11.0-P3 <<>> -t DS . @a.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3317
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;.				IN	DS

;; AUTHORITY SECTION:
.			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017051601 1800 900 604800 86400

;; Query time: 20 msec
;; SERVER: 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30)
;; WHEN: Tue May 16 23:12:51 CEST 2017
;; MSG SIZE  rcvd: 103


; <<>> DiG 9.11.0-P3 <<>> -t DS . @b.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12103
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.				IN	DS

;; AUTHORITY SECTION:
.			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017051601 1800 900 604800 86400

;; Query time: 156 msec
;; SERVER: 2001:500:84::b#53(2001:500:84::b)
;; WHEN: Tue May 16 23:12:52 CEST 2017
;; MSG SIZE  rcvd: 103


; <<>> DiG 9.11.0-P3 <<>> -t DS . @c.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4641
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.				IN	DS

;; AUTHORITY SECTION:
.			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017051601 1800 900 604800 86400

;; Query time: 13 msec
;; SERVER: 2001:500:2::c#53(2001:500:2::c)
;; WHEN: Tue May 16 23:12:52 CEST 2017
;; MSG SIZE  rcvd: 103


; <<>> DiG 9.11.0-P3 <<>> -t DS . @d.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22047
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.				IN	DS

;; AUTHORITY SECTION:
.			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017051601 1800 900 604800 86400

;; Query time: 87 msec
;; SERVER: 2001:500:2d::d#53(2001:500:2d::d)
;; WHEN: Tue May 16 23:12:52 CEST 2017
;; MSG SIZE  rcvd: 103


; <<>> DiG 9.11.0-P3 <<>> -t DS . @e.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34142
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.				IN	DS

;; AUTHORITY SECTION:
.			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017051601 1800 900 604800 86400

;; Query time: 84 msec
;; SERVER: 2001:500:a8::e#53(2001:500:a8::e)
;; WHEN: Tue May 16 23:12:52 CEST 2017
;; MSG SIZE  rcvd: 103


; <<>> DiG 9.11.0-P3 <<>> -t DS . @f.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24448
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 962d6681d43f58d6e2129755591b6b541e0674f259f1defd (good)
;; QUESTION SECTION:
;.				IN	DS

;; AUTHORITY SECTION:
.			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017051601 1800 900 604800 86400

;; Query time: 20 msec
;; SERVER: 2001:500:2f::f#53(2001:500:2f::f)
;; WHEN: Tue May 16 23:12:52 CEST 2017
;; MSG SIZE  rcvd: 131

alarig at airmure ~ % for srv in a b c d e f; do dig -4 -t DS . @${srv}.root-servers.net; done

; <<>> DiG 9.11.0-P3 <<>> -4 -t DS . @a.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46412
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;.				IN	DS

;; AUTHORITY SECTION:
.			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017051601 1800 900 604800 86400

;; Query time: 14 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Tue May 16 23:13:35 CEST 2017
;; MSG SIZE  rcvd: 103


; <<>> DiG 9.11.0-P3 <<>> -4 -t DS . @b.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37304
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.				IN	DS

;; AUTHORITY SECTION:
.			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017051601 1800 900 604800 86400

;; Query time: 160 msec
;; SERVER: 192.228.79.201#53(192.228.79.201)
;; WHEN: Tue May 16 23:13:35 CEST 2017
;; MSG SIZE  rcvd: 103


; <<>> DiG 9.11.0-P3 <<>> -4 -t DS . @c.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36037
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.				IN	DS

;; AUTHORITY SECTION:
.			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017051601 1800 900 604800 86400

;; Query time: 6 msec
;; SERVER: 192.33.4.12#53(192.33.4.12)
;; WHEN: Tue May 16 23:13:35 CEST 2017
;; MSG SIZE  rcvd: 103


; <<>> DiG 9.11.0-P3 <<>> -4 -t DS . @d.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60761
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.				IN	DS

;; AUTHORITY SECTION:
.			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017051601 1800 900 604800 86400

;; Query time: 92 msec
;; SERVER: 199.7.91.13#53(199.7.91.13)
;; WHEN: Tue May 16 23:13:35 CEST 2017
;; MSG SIZE  rcvd: 103


; <<>> DiG 9.11.0-P3 <<>> -4 -t DS . @e.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4410
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.				IN	DS

;; AUTHORITY SECTION:
.			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017051601 1800 900 604800 86400

;; Query time: 6 msec
;; SERVER: 192.203.230.10#53(192.203.230.10)
;; WHEN: Tue May 16 23:13:35 CEST 2017
;; MSG SIZE  rcvd: 103


; <<>> DiG 9.11.0-P3 <<>> -4 -t DS . @f.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16258
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 22d332f0f420b24d4dce946b591b6b7fb5a0df0a80fae430 (good)
;; QUESTION SECTION:
;.				IN	DS

;; AUTHORITY SECTION:
.			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017051601 1800 900 604800 86400

;; Query time: 149 msec
;; SERVER: 192.5.5.241#53(192.5.5.241)
;; WHEN: Tue May 16 23:13:35 CEST 2017
;; MSG SIZE  rcvd: 131

-- 
alarig
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20170516/4a876584/attachment.sig>


More information about the dns-operations mailing list