[dns-operations] Missing NSEC3 in DOE responses from the "a" and "c" nic.cl nameservers

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Sep 21 16:33:11 UTC 2017


Specifically, the "a" and "c" nameservers are returning BOGUS denial of existence

    http://dnsviz.net/d/_25._tcp.mail.nic.cl/dnssec/

[RRSIG signature blobs elided]

@a.nic.cl.[190.124.27.10] 
; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mail.nic.cl @190.124.27.10
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26023
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;_25._tcp.mail.nic.cl.  IN TLSA
nic.cl.                 SOA     a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
nic.cl.                 RRSIG   SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.

@b.nic.cl.[200.7.4.7]
; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mail.nic.cl @200.7.4.7
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4579
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
;_25._tcp.mail.nic.cl.  IN TLSA
nic.cl.                 SOA     a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
nic.cl.                 RRSIG   SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.
5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. NSEC3 1 0 5 309353A311533411 5VKMBQH433VFNCU50ANUQTC0PURTIPD3  A MX TXT AAAA RRSIG
5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. RRSIG NSEC3 8 3 3600 20171102035805 20170921023348 37591 nic.cl.
206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. NSEC3 1 0 5 309353A311533411 27HL8GRHTEBTCHHJO7R0PTJ6GPFANHS4  A RRSIG
206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. RRSIG NSEC3 8 3 3600 20171108032617 20170921023348 37591 nic.cl.
dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. NSEC3 1 0 5 309353A311533411 DH8UNB1NSL1VBA9DF0BC7LQ08OB4SF6H  A RRSIG
dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. RRSIG NSEC3 8 3 3600 20171109052622 20170921023348 37591 nic.cl.


@c.nic.cl.[200.16.112.16]
; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mail.nic.cl @200.16.112.16
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59554
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;_25._tcp.mail.nic.cl.  IN TLSA
nic.cl.                 SOA     a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
nic.cl.                 RRSIG   SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.

@slave.sth.netnod.se.[192.36.144.116]
; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mail.nic.cl @192.36.144.116
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41251
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
;_25._tcp.mail.nic.cl.  IN TLSA
nic.cl.                 SOA     a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
nic.cl.                 RRSIG   SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.
5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. NSEC3 1 0 5 309353A311533411 5VKMBQH433VFNCU50ANUQTC0PURTIPD3  A MX TXT AAAA RRSIG
5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. RRSIG NSEC3 8 3 3600 20171102035805 20170921023348 37591 nic.cl.
206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. NSEC3 1 0 5 309353A311533411 27HL8GRHTEBTCHHJO7R0PTJ6GPFANHS4  A RRSIG
206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. RRSIG NSEC3 8 3 3600 20171108032617 20170921023348 37591 nic.cl.
dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. NSEC3 1 0 5 309353A311533411 DH8UNB1NSL1VBA9DF0BC7LQ08OB4SF6H  A RRSIG
dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. RRSIG NSEC3 8 3 3600 20171109052622 20170921023348 37591 nic.cl.

@sns-pb.isc.org.[192.5.4.1]
; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mail.nic.cl @192.5.4.1
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35030
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
;_25._tcp.mail.nic.cl.  IN TLSA
nic.cl.                 SOA     a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
nic.cl.                 RRSIG   SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.
5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. NSEC3 1 0 5 309353A311533411 5VKMBQH433VFNCU50ANUQTC0PURTIPD3  A MX TXT AAAA RRSIG
5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. RRSIG NSEC3 8 3 3600 20171102035805 20170921023348 37591 nic.cl.
206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. NSEC3 1 0 5 309353A311533411 27HL8GRHTEBTCHHJO7R0PTJ6GPFANHS4  A RRSIG
206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. RRSIG NSEC3 8 3 3600 20171108032617 20170921023348 37591 nic.cl.
dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. NSEC3 1 0 5 309353A311533411 DH8UNB1NSL1VBA9DF0BC7LQ08OB4SF6H  A RRSIG
dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. RRSIG NSEC3 8 3 3600 20171109052622 20170921023348 37591 nic.cl.

The "a" server also fails over IPv6 (the "c" server has no IPv6 address):

@a.nic.cl.[2001:1398:121:0:190:124:27:10]
; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit -6 +norecur -t tlsa _25._tcp.mail.nic.cl @2001:1398:121:0:190:124:27:10
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26396
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;_25._tcp.mail.nic.cl.  IN TLSA
nic.cl.                 SOA     a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
nic.cl.                 RRSIG   SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.

-- 
	Viktor.





More information about the dns-operations mailing list