[dns-operations] issue with DNSSEC on one of the root NS with IPv6?

Mark Andrews marka at isc.org
Tue May 16 21:55:42 UTC 2017


In message <20170516211506.drt6fm3x2nfomgi4 at mew.swordarmor.fr>, Alarig Le Lay writes:
>
> On mar. 16 mai 13:16:30 2017, Franck Martin wrote:
> > If I look at the errors on
> > http://dnsviz.net/d/sigok.verteiltesysteme.net/dnssec/
> >
> > I see that it complains about 2001:500:2f::f not sending DNSSEC records for
> > the root zone?

Shall we look at the errors?

./DNSKEY (alg 8, id 14796): No response was received from the server over UDP (tried 6 times) until the DO EDNS flag was cleared (however, this server appeared to respond legitimately to other queries with the DO EDNS flag set). (2001:500:2f::f, UDP_0_EDNS0_32768_4096)

This is a false positive caused by packet loss / routing changes.

Unfortunately there are still nameservers that don't respond to
EDNS queries reliably.  Unfortunately there are still firewalls
that block EDNS queries.  In a sane world we could have complained
to the parent zone operator to have the zones with these broken
servers excommunicated until they fixed the servers.  Unfortunately
TLD operators don't want to be protocol police and we have a system
that is out of control as a result.  Note when the DNS was designed
it was expected that parent zones would remove delegations to provide
some level of control of child zones that were not being operated
correctly.

It's been ~20 years since EDNS was introduced and this problem should
have been removed over a decade ago.  STD 13 says how to respond
to requests you do not understand, and it isn't "drop the request";
rather it is "return FORMERR".

./DNSKEY (alg 8, id 14796): The DNSSEC records necessary to validate the response could not be retrieved from the server. (2001:500:2f::f, UDP_0_EDNS0_32768_4096)

When you don't have DO=1 set in the query you don't get back the DNSSEC
records.

./DNSKEY (alg 8, id 19036): No response was received from the server over UDP (tried 6 times) until the DO EDNS flag was cleared (however, this server appeared to respond legitimately to other queries with the DO EDNS flag set). (2001:500:2f::f, UDP_0_EDNS0_32768_4096)

Repeat with different key ID.

./DNSKEY (alg 8, id 19036): The DNSSEC records necessary to validate the response could not be retrieved from the server. (2001:500:2f::f, UDP_0_EDNS0_32768_4096)

Repeat with different key ID.

./DNSKEY: The TCP connection was interrupted (ECONNRESET). (192.5.5.241, TCP_0_NOEDNS)

Again more network issues.

> Hi,
>
> The root zone is not signed. Either with IPv6 or IPv4.

Please learn to drive the diagnostic tools.  You need to
ask for the DNSSEC records to be returned.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> DS . @a.root-servers.net +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43181
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.				IN	DS

;; AUTHORITY SECTION:
.			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017051601 1800 900 604800 86400
.			86400	IN	RRSIG	SOA 8 0 86400 20170529170000 20170516160000 14796 . SXYbNYOIbdSIrkZ59nnKC+DgPzrti+NS9yPS4V1ZcTL3vtdO1MqgfY/3 lGl+d0qHDkKTMC52PCDc/m+1Ozo/9N3J0wftfoR+9rwLWt2wIn4K0HIE bHB08PGJVjwChS69qNt6s3DT3dQDgoZVxq+GrBo5ujaMZN4rIKBmiZvP pIJc4LymFuMDphUqL/XIYNyNORprX9npqo8EFAqRP7kNxczBUW3CmNOK S5YbxwLeoGTF1qA9ZtuAMIqtEHa4K2ZJQaJ9VI/a7Wv0nVsXyspvMI18 ncimzK8qxSjlgMfPoLdxrsspQ58kGYtKJb57SZCa3omsdJ655Kpu7MQM eaAn8g==
.			86400	IN	NSEC	aaa. NS SOA RRSIG NSEC DNSKEY
.			86400	IN	RRSIG	NSEC 8 0 86400 20170529170000 20170516160000 14796 . FYiPz2fGfkcvVyAml2JYJZuVAJjBFy3MXZuNdyRf6RerrsOYXo5i38pV /MDICK2yoMGLUl2pT2aBXqwNT31t3Rvtu5WhFbO1Io2THhZ1oawcrhEU VCTVTPOmZT3tqBQ4h4lPxq1/KgYVnLztNWfziqBKOjIvDNq37HHubilN YVTO8BZIpYsxPqa2gjNkSXR8fL09YJyVg/nyrI0S9QL9PtPmCkEOA9+D 0GyOmU1IeZKg0XOI6mp6Bfxhx21hn4Y6Fqr3UXgN2lAtabM0B/d7vkSx cmfd/sN3o+KpfjstSttetiGsLhiwJu2W2j3SvvCmct8pG5RLVGBvQbKR PIKZ0A==

;; Query time: 178 msec
;; SERVER: 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30)
;; WHEN: Wed May 17 07:28:33 AEST 2017
;; MSG SIZE  rcvd: 700


> alarig at airmure ~ % for srv in a b c d e f; do dig -t DS .
> @${srv}.root-servers.net; done
>
> ; <<>> DiG 9.11.0-P3 <<>> -t DS . @a.root-servers.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3317
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;.				IN	DS
>
> ;; AUTHORITY SECTION:
> .			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017051601 1800 900 604800 86400
>
> ;; Query time: 20 msec
> ;; SERVER: 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30)
> ;; WHEN: Tue May 16 23:12:51 CEST 2017
> ;; MSG SIZE  rcvd: 103
>
>
> ; <<>> DiG 9.11.0-P3 <<>> -t DS . @b.root-servers.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12103
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;.				IN	DS
>
> ;; AUTHORITY SECTION:
> .			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017051601 1800 900 604800 86400
>
> ;; Query time: 156 msec
> ;; SERVER: 2001:500:84::b#53(2001:500:84::b)
> ;; WHEN: Tue May 16 23:12:52 CEST 2017
> ;; MSG SIZE  rcvd: 103
>
>
> ; <<>> DiG 9.11.0-P3 <<>> -t DS . @c.root-servers.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4641
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;.				IN	DS
>
> ;; AUTHORITY SECTION:
> .			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017051601 1800 900 604800 86400
>
> ;; Query time: 13 msec
> ;; SERVER: 2001:500:2::c#53(2001:500:2::c)
> ;; WHEN: Tue May 16 23:12:52 CEST 2017
> ;; MSG SIZE  rcvd: 103
>
>
> ; <<>> DiG 9.11.0-P3 <<>> -t DS . @d.root-servers.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22047
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;.				IN	DS
>
> ;; AUTHORITY SECTION:
> .			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017051601 1800 900 604800 86400
>
> ;; Query time: 87 msec
> ;; SERVER: 2001:500:2d::d#53(2001:500:2d::d)
> ;; WHEN: Tue May 16 23:12:52 CEST 2017
> ;; MSG SIZE  rcvd: 103
>
>
> ; <<>> DiG 9.11.0-P3 <<>> -t DS . @e.root-servers.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34142
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;.				IN	DS
>
> ;; AUTHORITY SECTION:
> .			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017051601 1800 900 604800 86400
>
> ;; Query time: 84 msec
> ;; SERVER: 2001:500:a8::e#53(2001:500:a8::e)
> ;; WHEN: Tue May 16 23:12:52 CEST 2017
> ;; MSG SIZE  rcvd: 103
>
>
> ; <<>> DiG 9.11.0-P3 <<>> -t DS . @f.root-servers.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24448
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 962d6681d43f58d6e2129755591b6b541e0674f259f1defd (good)
> ;; QUESTION SECTION:
> ;.				IN	DS
>
> ;; AUTHORITY SECTION:
> .			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017051601 1800 900 604800 86400
>
> ;; Query time: 20 msec
> ;; SERVER: 2001:500:2f::f#53(2001:500:2f::f)
> ;; WHEN: Tue May 16 23:12:52 CEST 2017
> ;; MSG SIZE  rcvd: 131
>
> alarig at airmure ~ % for srv in a b c d e f; do dig -4 -t DS .
> @${srv}.root-servers.net; done
>
> ; <<>> DiG 9.11.0-P3 <<>> -4 -t DS . @a.root-servers.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46412
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1472
> ;; QUESTION SECTION:
> ;.				IN	DS
>
> ;; AUTHORITY SECTION:
> .			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017051601 1800 900 604800 86400
>
> ;; Query time: 14 msec
> ;; SERVER: 198.41.0.4#53(198.41.0.4)
> ;; WHEN: Tue May 16 23:13:35 CEST 2017
> ;; MSG SIZE  rcvd: 103
>
>
> ; <<>> DiG 9.11.0-P3 <<>> -4 -t DS . @b.root-servers.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37304
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;.				IN	DS
>
> ;; AUTHORITY SECTION:
> .			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017051601 1800 900 604800 86400
>
> ;; Query time: 160 msec
> ;; SERVER: 192.228.79.201#53(192.228.79.201)
> ;; WHEN: Tue May 16 23:13:35 CEST 2017
> ;; MSG SIZE  rcvd: 103
>
>
> ; <<>> DiG 9.11.0-P3 <<>> -4 -t DS . @c.root-servers.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36037
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;.				IN	DS
>
> ;; AUTHORITY SECTION:
> .			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017051601 1800 900 604800 86400
>
> ;; Query time: 6 msec
> ;; SERVER: 192.33.4.12#53(192.33.4.12)
> ;; WHEN: Tue May 16 23:13:35 CEST 2017
> ;; MSG SIZE  rcvd: 103
>
>
> ; <<>> DiG 9.11.0-P3 <<>> -4 -t DS . @d.root-servers.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60761
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;.				IN	DS
>
> ;; AUTHORITY SECTION:
> .			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017051601 1800 900 604800 86400
>
> ;; Query time: 92 msec
> ;; SERVER: 199.7.91.13#53(199.7.91.13)
> ;; WHEN: Tue May 16 23:13:35 CEST 2017
> ;; MSG SIZE  rcvd: 103
>
>
> ; <<>> DiG 9.11.0-P3 <<>> -4 -t DS . @e.root-servers.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4410
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;.				IN	DS
>
> ;; AUTHORITY SECTION:
> .			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017051601 1800 900 604800 86400
>
> ;; Query time: 6 msec
> ;; SERVER: 192.203.230.10#53(192.203.230.10)
> ;; WHEN: Tue May 16 23:13:35 CEST 2017
> ;; MSG SIZE  rcvd: 103
>
>
> ; <<>> DiG 9.11.0-P3 <<>> -4 -t DS . @f.root-servers.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16258
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 22d332f0f420b24d4dce946b591b6b7fb5a0df0a80fae430 (good)
> ;; QUESTION SECTION:
> ;.				IN	DS
>
> ;; AUTHORITY SECTION:
> .			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017051601 1800 900 604800 86400
>
> ;; Query time: 149 msec
> ;; SERVER: 192.5.5.241#53(192.5.5.241)
> ;; WHEN: Tue May 16 23:13:35 CEST 2017
> ;; MSG SIZE  rcvd: 131
>
> --
> alarig
>

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
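An added illustration of Mark's two points above (DNSSEC records only come back when DO=1 is set, and a probe must send the EDNS OPT record to ask for them); this is example code, not anything from the thread or from dnsviz. It builds a wire-format "DS ." query with and without EDNS/DO, and checks a reply for an echoed DO bit and RRSIG records the way a checker would; the reply is a constructed stand-in, not a captured root-server packet.

```python
import struct
DS, OPT, RRSIG, SOA = 43, 41, 46, 6
DO_FLAG = 0x8000  # DO bit: MSB of the 16-bit flags in the OPT pseudo-RR's 32-bit TTL field

def encode_name(name):
    """Wire-encode a domain name; "." becomes just the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, edns=True, do=True, udp_size=4096, qid=0x1234):
    """Wire-format query. edns=False is dig's +noedns, do=False its +nodnssec."""
    header = struct.pack(">HHHHHH", qid, 0x0000, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    # OPT pseudo-RR: root name, type 41, CLASS = UDP payload size, TTL = extended flags
    opt = b"\x00" + struct.pack(">HHIH", OPT, udp_size, DO_FLAG if do else 0, 0)
    return header + question + (opt if edns else b"")

def skip_name(msg, off):
    """Advance past a (possibly compressed) name; return the offset after it."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # a compression pointer is 2 bytes and ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def response_summary(msg):
    """Return (rcode, do_echoed, rrsig_count) for a wire-format response."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # qtype + qclass
    do_echoed, rrsigs = False, 0
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        rrsigs += rtype == RRSIG
        do_echoed |= rtype == OPT and bool(ttl & DO_FLAG)
    return flags & 0xF, do_echoed, rrsigs

def constructed_reply(do):
    """Constructed stand-in (not a captured packet) for a root server's reply to 'DS .': SOA in AUTHORITY, RRSIG only if DO=1."""
    rr = lambda rtype, rdata: b"\x00" + struct.pack(">HHIH", rtype, 1, 86400, len(rdata)) + rdata
    auth = rr(SOA, b"constructed-soa-rdata") + (rr(RRSIG, b"constructed-rrsig-rdata") if do else b"")
    opt = b"\x00" + struct.pack(">HHIH", OPT, 4096, DO_FLAG if do else 0, 0)
    header = struct.pack(">HHHHHH", 0x1234, 0x8400, 1, 0, 2 if do else 1, 1)  # flags: qr aa, NOERROR
    return header + encode_name(".") + struct.pack(">HH", DS, 1) + auth + opt
```

A reply with rcode 1 (FORMERR) and no OPT is what STD 13 expects from a server that does not understand EDNS; a probe can retry such a server without EDNS, whereas silence after several retries is the dropped-query behaviour the message describes.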
