[dns-operations] Missing NSEC3 in DOE responses from the "a" and "c" nic.cl nameservers

Gonzalo Muñoz gmunoz at nic.cl
Thu Sep 21 18:28:38 UTC 2017


Hello,

We're still investigating what caused these issues, but the bogus
responses were coming from our NSD instances. They started replying
correctly after restarting the NSD process. Thank you for the heads up.

Best regards,

Gonzalo Muñoz
DNS Administration
NIC Chile

On 21/09/17 13:33, Viktor Dukhovni wrote:
> Specifically, the "a" and "c" nameservers are returning BOGUS denial of existence:
> 
>     http://dnsviz.net/d/_25._tcp.mail.nic.cl/dnssec/
> 
> [RRSIG signature blobs elided]
> 
> @a.nic.cl.[190.124.27.10] 
> ; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mail.nic.cl @190.124.27.10
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26023
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
> ;_25._tcp.mail.nic.cl.  IN TLSA
> nic.cl.                 SOA     a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
> nic.cl.                 RRSIG   SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.
> 
> @b.nic.cl.[200.7.4.7]
> ; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mail.nic.cl @200.7.4.7
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4579
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
> ;_25._tcp.mail.nic.cl.  IN TLSA
> nic.cl.                 SOA     a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
> nic.cl.                 RRSIG   SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.
> 5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. NSEC3 1 0 5 309353A311533411 5VKMBQH433VFNCU50ANUQTC0PURTIPD3  A MX TXT AAAA RRSIG
> 5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. RRSIG NSEC3 8 3 3600 20171102035805 20170921023348 37591 nic.cl.
> 206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. NSEC3 1 0 5 309353A311533411 27HL8GRHTEBTCHHJO7R0PTJ6GPFANHS4  A RRSIG
> 206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. RRSIG NSEC3 8 3 3600 20171108032617 20170921023348 37591 nic.cl.
> dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. NSEC3 1 0 5 309353A311533411 DH8UNB1NSL1VBA9DF0BC7LQ08OB4SF6H  A RRSIG
> dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. RRSIG NSEC3 8 3 3600 20171109052622 20170921023348 37591 nic.cl.
> 
> 
> @c.nic.cl.[200.16.112.16]
> ; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mail.nic.cl @200.16.112.16
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59554
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
> ;_25._tcp.mail.nic.cl.  IN TLSA
> nic.cl.                 SOA     a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
> nic.cl.                 RRSIG   SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.
> 
> @slave.sth.netnod.se.[192.36.144.116]
> ; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mail.nic.cl @192.36.144.116
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41251
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
> ;_25._tcp.mail.nic.cl.  IN TLSA
> nic.cl.                 SOA     a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
> nic.cl.                 RRSIG   SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.
> 5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. NSEC3 1 0 5 309353A311533411 5VKMBQH433VFNCU50ANUQTC0PURTIPD3  A MX TXT AAAA RRSIG
> 5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. RRSIG NSEC3 8 3 3600 20171102035805 20170921023348 37591 nic.cl.
> 206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. NSEC3 1 0 5 309353A311533411 27HL8GRHTEBTCHHJO7R0PTJ6GPFANHS4  A RRSIG
> 206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. RRSIG NSEC3 8 3 3600 20171108032617 20170921023348 37591 nic.cl.
> dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. NSEC3 1 0 5 309353A311533411 DH8UNB1NSL1VBA9DF0BC7LQ08OB4SF6H  A RRSIG
> dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. RRSIG NSEC3 8 3 3600 20171109052622 20170921023348 37591 nic.cl.
> 
> @sns-pb.isc.org.[192.5.4.1]
> ; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mail.nic.cl @192.5.4.1
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35030
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
> ;_25._tcp.mail.nic.cl.  IN TLSA
> nic.cl.                 SOA     a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
> nic.cl.                 RRSIG   SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.
> 5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. NSEC3 1 0 5 309353A311533411 5VKMBQH433VFNCU50ANUQTC0PURTIPD3  A MX TXT AAAA RRSIG
> 5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. RRSIG NSEC3 8 3 3600 20171102035805 20170921023348 37591 nic.cl.
> 206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. NSEC3 1 0 5 309353A311533411 27HL8GRHTEBTCHHJO7R0PTJ6GPFANHS4  A RRSIG
> 206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. RRSIG NSEC3 8 3 3600 20171108032617 20170921023348 37591 nic.cl.
> dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. NSEC3 1 0 5 309353A311533411 DH8UNB1NSL1VBA9DF0BC7LQ08OB4SF6H  A RRSIG
> dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. RRSIG NSEC3 8 3 3600 20171109052622 20170921023348 37591 nic.cl.
> 
> The "a" server also fails over IPv6 (the "c" server has no IPv6 address):
> 
> @a.nic.cl.[2001:1398:121:0:190:124:27:10]
> ; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit -6 +norecur -t tlsa _25._tcp.mail.nic.cl @2001:1398:121:0:190:124:27:10
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26396
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
> ;_25._tcp.mail.nic.cl.  IN TLSA
> nic.cl.                 SOA     a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
> nic.cl.                 RRSIG   SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.
> 
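The per-server comparison in the quoted captures can be automated. This is an added example, not part of the original thread: `audit_denial` is a hypothetical helper that reads `dig +dnssec +nocl +nottl` style output and flags negative answers with no NSEC/NSEC3 records in the authority section. It checks presence only and does not validate hashes or signatures.

```python
import re
from collections import Counter

# Trimmed from the dig captures quoted in the thread (quote markers, banner
# and question lines dropped; signature data was already elided there).
SAMPLE = """\
@a.nic.cl.[190.124.27.10]
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26023
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
nic.cl.                 SOA     a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
nic.cl.                 RRSIG   SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.

@b.nic.cl.[200.7.4.7]
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4579
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
nic.cl.                 SOA     a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
nic.cl.                 RRSIG   SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.
5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. NSEC3 1 0 5 309353A311533411 5VKMBQH433VFNCU50ANUQTC0PURTIPD3  A MX TXT AAAA RRSIG
5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. RRSIG NSEC3 8 3 3600 20171102035805 20170921023348 37591 nic.cl.
206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. NSEC3 1 0 5 309353A311533411 27HL8GRHTEBTCHHJO7R0PTJ6GPFANHS4  A RRSIG
206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. RRSIG NSEC3 8 3 3600 20171108032617 20170921023348 37591 nic.cl.
dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. NSEC3 1 0 5 309353A311533411 DH8UNB1NSL1VBA9DF0BC7LQ08OB4SF6H  A RRSIG
dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. RRSIG NSEC3 8 3 3600 20171109052622 20170921023348 37591 nic.cl.
"""

def audit_denial(capture):
    """Return {server: verdict} for per-server captures that start with '@server'."""
    verdicts = {}
    for block in re.split(r"\n(?=@)", capture.strip()):
        lines = block.splitlines()
        server = lines[0].lstrip("@").split("[")[0]
        status = re.search(r"status: (\w+)", block).group(1)
        answers = int(re.search(r"ANSWER: (\d+)", block).group(1))
        # With +nocl +nottl each record line is: owner, type, rdata...
        rrs = [l.split() for l in lines[1:] if l and not l.startswith(";")]
        types = Counter(f[1] for f in rrs)
        covered = Counter(f[2] for f in rrs if f[1] == "RRSIG")
        proofs = types["NSEC3"] + types["NSEC"]
        # NXDOMAIN and NODATA (NOERROR, empty answer) both need a signed proof.
        negative = status == "NXDOMAIN" or (status == "NOERROR" and answers == 0)
        if not negative:
            verdicts[server] = "not a negative answer"
        elif proofs == 0:
            verdicts[server] = "BOGUS: no NSEC/NSEC3 denial records"
        elif covered["NSEC3"] + covered["NSEC"] < proofs:
            verdicts[server] = "BOGUS: unsigned denial records"
        else:
            verdicts[server] = "denial records present"
    return verdicts
```

Running it against every authoritative server for a zone, with a name known not to exist, catches a single misbehaving instance that a resolver-side test might miss because of server selection.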


