[dns-operations] [Ext] Missing NSEC3 in DOE responses from the "a" and "c" nic.cl nameservers
Edward Lewis
edward.lewis at icann.org
Thu Sep 21 17:48:24 UTC 2017
Perhaps forward to the tech contact for CL.
contact: technical
name: Jose M. Piquer, Technical Director
organisation: NIC Chile
organisation: University of Chile
address: Miraflores 222, Piso 14
address: Santiago RM 832-0198
address: Chile
phone: +56 22 940 7700
e-mail: jpiquer at nic.cl
(I'd do it, but ICANN indicating that a ccTLD has an issue may be touchy.)
On 9/21/17, 12:45, "dns-operations on behalf of Viktor Dukhovni" <dns-operations-bounces at dns-oarc.net on behalf of ietf-dane at dukhovni.org> wrote:
Specifically, the "a" and "c" nameservers are returning BOGUS denial of existence
http://dnsviz.net/d/_25._tcp.mail.nic.cl/dnssec/
[RRSIG signature blobs elided]
@a.nic.cl.[190.124.27.10]
; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mail.nic.cl @190.124.27.10
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26023
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;_25._tcp.mail.nic.cl. IN TLSA
nic.cl. SOA a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
nic.cl. RRSIG SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.
@b.nic.cl.[200.7.4.7]
; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mail.nic.cl @200.7.4.7
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4579
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
;_25._tcp.mail.nic.cl. IN TLSA
nic.cl. SOA a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
nic.cl. RRSIG SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.
5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. NSEC3 1 0 5 309353A311533411 5VKMBQH433VFNCU50ANUQTC0PURTIPD3 A MX TXT AAAA RRSIG
5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. RRSIG NSEC3 8 3 3600 20171102035805 20170921023348 37591 nic.cl.
206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. NSEC3 1 0 5 309353A311533411 27HL8GRHTEBTCHHJO7R0PTJ6GPFANHS4 A RRSIG
206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. RRSIG NSEC3 8 3 3600 20171108032617 20170921023348 37591 nic.cl.
dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. NSEC3 1 0 5 309353A311533411 DH8UNB1NSL1VBA9DF0BC7LQ08OB4SF6H A RRSIG
dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. RRSIG NSEC3 8 3 3600 20171109052622 20170921023348 37591 nic.cl.
@c.nic.cl.[200.16.112.16]
; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mail.nic.cl @200.16.112.16
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59554
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;_25._tcp.mail.nic.cl. IN TLSA
nic.cl. SOA a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
nic.cl. RRSIG SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.
@slave.sth.netnod.se.[192.36.144.116]
; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mail.nic.cl @192.36.144.116
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41251
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
;_25._tcp.mail.nic.cl. IN TLSA
nic.cl. SOA a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
nic.cl. RRSIG SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.
5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. NSEC3 1 0 5 309353A311533411 5VKMBQH433VFNCU50ANUQTC0PURTIPD3 A MX TXT AAAA RRSIG
5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. RRSIG NSEC3 8 3 3600 20171102035805 20170921023348 37591 nic.cl.
206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. NSEC3 1 0 5 309353A311533411 27HL8GRHTEBTCHHJO7R0PTJ6GPFANHS4 A RRSIG
206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. RRSIG NSEC3 8 3 3600 20171108032617 20170921023348 37591 nic.cl.
dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. NSEC3 1 0 5 309353A311533411 DH8UNB1NSL1VBA9DF0BC7LQ08OB4SF6H A RRSIG
dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. RRSIG NSEC3 8 3 3600 20171109052622 20170921023348 37591 nic.cl.
@sns-pb.isc.org.[192.5.4.1]
; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mail.nic.cl @192.5.4.1
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35030
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
;_25._tcp.mail.nic.cl. IN TLSA
nic.cl. SOA a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
nic.cl. RRSIG SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.
5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. NSEC3 1 0 5 309353A311533411 5VKMBQH433VFNCU50ANUQTC0PURTIPD3 A MX TXT AAAA RRSIG
5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. RRSIG NSEC3 8 3 3600 20171102035805 20170921023348 37591 nic.cl.
206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. NSEC3 1 0 5 309353A311533411 27HL8GRHTEBTCHHJO7R0PTJ6GPFANHS4 A RRSIG
206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. RRSIG NSEC3 8 3 3600 20171108032617 20170921023348 37591 nic.cl.
dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. NSEC3 1 0 5 309353A311533411 DH8UNB1NSL1VBA9DF0BC7LQ08OB4SF6H A RRSIG
dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. RRSIG NSEC3 8 3 3600 20171109052622 20170921023348 37591 nic.cl.
The "a" server also fails over IPv6 (the "c" server has no IPv6 address):
@a.nic.cl.[2001:1398:121:0:190:124:27:10]
; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit -6 +norecur -t tlsa _25._tcp.mail.nic.cl @2001:1398:121:0:190:124:27:10
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26396
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;_25._tcp.mail.nic.cl. IN TLSA
nic.cl. SOA a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
nic.cl. RRSIG SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.
--
Viktor.
_______________________________________________
dns-operations mailing list
dns-operations at lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
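The comparison made in the thread above can be automated as a monitoring check: for a signed zone queried with `+dnssec`, flag any server whose NXDOMAIN response carries no NSEC/NSEC3 records with covering RRSIGs. This is an added example, not part of the original messages; the function names are hypothetical, and the sample is abridged from the dig output quoted above (`+nocl +nottl` record layout, signature blobs elided as on the page).

```python
import re

# Abridged from the dig output quoted in the thread (+nocl +nottl, so each
# record is "owner TYPE rdata"); RRSIG signature blobs are elided as on the page.
SAMPLE = """\
@a.nic.cl.[190.124.27.10]
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26023
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;_25._tcp.mail.nic.cl. IN TLSA
nic.cl. SOA a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
nic.cl. RRSIG SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.
@b.nic.cl.[200.7.4.7]
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4579
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
;_25._tcp.mail.nic.cl. IN TLSA
nic.cl. SOA a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
nic.cl. RRSIG SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.
5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. NSEC3 1 0 5 309353A311533411 5VKMBQH433VFNCU50ANUQTC0PURTIPD3 A MX TXT AAAA RRSIG
5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. RRSIG NSEC3 8 3 3600 20171102035805 20170921023348 37591 nic.cl.
"""

DENIAL = {"NSEC", "NSEC3"}

def parse_blocks(text):
    """Split dig output into one dict per '@server' block."""
    blocks = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("@"):
            blocks.append({"server": line[1:], "status": None,
                           "types": set(), "signed": set()})
        elif blocks and line.startswith(";"):
            m = re.search(r"status: (\w+)", line)
            if m:
                blocks[-1]["status"] = m.group(1)
        elif blocks and len(line.split()) >= 3:
            _owner, rrtype, first = line.split()[:3]
            blocks[-1]["types"].add(rrtype)
            if rrtype == "RRSIG":
                blocks[-1]["signed"].add(first)  # type the signature covers
    return blocks

def lacks_denial_proof(block):
    """True when an NXDOMAIN answer has no signed NSEC/NSEC3 records."""
    return block["status"] == "NXDOMAIN" and not (
        block["types"] & DENIAL and block["signed"] & DENIAL)

def bogus_servers(text):
    return [b["server"] for b in parse_blocks(text) if lacks_denial_proof(b)]
```

The check only establishes that denial records are present and signed; it does not validate the signatures or confirm that the NSEC3 ranges cover the query name.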