[dns-operations] [Ext] Missing NSEC3 in DOE responses from the "a" and "c" nic.cl nameservers

Edward Lewis edward.lewis at icann.org
Thu Sep 21 17:48:24 UTC 2017


Perhaps forward to the tech contact for CL.

contact:      technical
name:         Jose M. Piquer, Technical Director
organisation: NIC Chile
organisation: University of Chile
address:      Miraflores 222, Piso 14
address:      Santiago RM 832-0198
address:      Chile
phone:        +56 22 940 7700
e-mail:       jpiquer at nic.cl

(I'd do it, but ICANN indicating that a ccTLD has an issue may be touchy.)

On 9/21/17, 12:45, "dns-operations on behalf of Viktor Dukhovni" <dns-operations-bounces at dns-oarc.net on behalf of ietf-dane at dukhovni.org> wrote:

    Specifically, the "a" and "c" nameservers are returning BOGUS denial of existence
    
        http://dnsviz.net/d/_25._tcp.mail.nic.cl/dnssec/
    
    [RRSIG signature blobs elided]
    
    @a.nic.cl.[190.124.27.10] 
    ; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mail.nic.cl @190.124.27.10
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26023
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
    ;_25._tcp.mail.nic.cl.  IN TLSA
    nic.cl.                 SOA     a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
    nic.cl.                 RRSIG   SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.
    
    @b.nic.cl.[200.7.4.7]
    ; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mail.nic.cl @200.7.4.7
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4579
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
    ;_25._tcp.mail.nic.cl.  IN TLSA
    nic.cl.                 SOA     a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
    nic.cl.                 RRSIG   SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.
    5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. NSEC3 1 0 5 309353A311533411 5VKMBQH433VFNCU50ANUQTC0PURTIPD3  A MX TXT AAAA RRSIG
    5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. RRSIG NSEC3 8 3 3600 20171102035805 20170921023348 37591 nic.cl.
    206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. NSEC3 1 0 5 309353A311533411 27HL8GRHTEBTCHHJO7R0PTJ6GPFANHS4  A RRSIG
    206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. RRSIG NSEC3 8 3 3600 20171108032617 20170921023348 37591 nic.cl.
    dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. NSEC3 1 0 5 309353A311533411 DH8UNB1NSL1VBA9DF0BC7LQ08OB4SF6H  A RRSIG
    dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. RRSIG NSEC3 8 3 3600 20171109052622 20170921023348 37591 nic.cl.
    
    
    @c.nic.cl.[200.16.112.16]
    ; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mail.nic.cl @200.16.112.16
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59554
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
    ;_25._tcp.mail.nic.cl.  IN TLSA
    nic.cl.                 SOA     a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
    nic.cl.                 RRSIG   SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.
    
    @slave.sth.netnod.se.[192.36.144.116]
    ; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mail.nic.cl @192.36.144.116
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41251
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
    ;_25._tcp.mail.nic.cl.  IN TLSA
    nic.cl.                 SOA     a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
    nic.cl.                 RRSIG   SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.
    5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. NSEC3 1 0 5 309353A311533411 5VKMBQH433VFNCU50ANUQTC0PURTIPD3  A MX TXT AAAA RRSIG
    5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. RRSIG NSEC3 8 3 3600 20171102035805 20170921023348 37591 nic.cl.
    206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. NSEC3 1 0 5 309353A311533411 27HL8GRHTEBTCHHJO7R0PTJ6GPFANHS4  A RRSIG
    206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. RRSIG NSEC3 8 3 3600 20171108032617 20170921023348 37591 nic.cl.
    dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. NSEC3 1 0 5 309353A311533411 DH8UNB1NSL1VBA9DF0BC7LQ08OB4SF6H  A RRSIG
    dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. RRSIG NSEC3 8 3 3600 20171109052622 20170921023348 37591 nic.cl.
    
    @sns-pb.isc.org.[192.5.4.1]
    ; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mail.nic.cl @192.5.4.1
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35030
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
    ;_25._tcp.mail.nic.cl.  IN TLSA
    nic.cl.                 SOA     a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
    nic.cl.                 RRSIG   SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.
    5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. NSEC3 1 0 5 309353A311533411 5VKMBQH433VFNCU50ANUQTC0PURTIPD3  A MX TXT AAAA RRSIG
    5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. RRSIG NSEC3 8 3 3600 20171102035805 20170921023348 37591 nic.cl.
    206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. NSEC3 1 0 5 309353A311533411 27HL8GRHTEBTCHHJO7R0PTJ6GPFANHS4  A RRSIG
    206anlcbb36tlaup3ssc9dbq5lkqv0la.nic.cl. RRSIG NSEC3 8 3 3600 20171108032617 20170921023348 37591 nic.cl.
    dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. NSEC3 1 0 5 309353A311533411 DH8UNB1NSL1VBA9DF0BC7LQ08OB4SF6H  A RRSIG
    dd6snog8aqf4tf5eovibs2jtp5sp463f.nic.cl. RRSIG NSEC3 8 3 3600 20171109052622 20170921023348 37591 nic.cl.
    
    The "a" server also fails over IPv6 (the "c" server has no IPv6 address):
    
    @a.nic.cl.[2001:1398:121:0:190:124:27:10]
    ; <<>> DiG 9.11.2 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit -6 +norecur -t tlsa _25._tcp.mail.nic.cl @2001:1398:121:0:190:124:27:10
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26396
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
    ;_25._tcp.mail.nic.cl.  IN TLSA
    nic.cl.                 SOA     a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
    nic.cl.                 RRSIG   SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.
    
    -- 
    	Viktor.
    
    
    _______________________________________________
    dns-operations mailing list
    dns-operations at lists.dns-oarc.net
    https://lists.dns-oarc.net/mailman/listinfo/dns-operations
    
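An added example, not part of either message: a Python check that parses dig output in the shape quoted above and flags authoritative negative answers whose authority section carries no NSEC/NSEC3 records, or carries them without a covering RRSIG. The function names and the trimmed sample input are constructed for illustration; the check is for presence only and does not validate signatures or NSEC3 hash coverage.

```python
import re
# Constructed input: dig output trimmed from the responses quoted in the thread.
SAMPLE = """\
@a.nic.cl.[190.124.27.10]
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26023
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
nic.cl.  SOA  a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
nic.cl.  RRSIG  SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.

@b.nic.cl.[200.7.4.7]
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4579
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
nic.cl.  SOA  a.nic.cl. dnsadmin.nic.cl. 2017092102 21600 7200 2592000 3600
nic.cl.  RRSIG  SOA 8 2 3600 20171106135024 20170921111451 37591 nic.cl.
5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. NSEC3 1 0 5 309353A311533411 5VKMBQH433VFNCU50ANUQTC0PURTIPD3  A MX TXT AAAA RRSIG
5ulb0eeoev19r48okk0i5eb57b4ssnta.nic.cl. RRSIG NSEC3 8 3 3600 20171102035805 20170921023348 37591 nic.cl.
"""

def parse_responses(text):
    """Split '@server' blocks into {server: {status, flags, answer, rrs}}."""
    out, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("@"):
            cur = out[line[1:]] = {"status": None, "flags": set(), "answer": 0, "rrs": []}
        elif cur is None or not line:
            continue
        elif m := re.search(r"status: (\w+)", line):
            cur["status"] = m.group(1)
        elif m := re.search(r"flags: ([a-z ]*);.*ANSWER: (\d+)", line):
            cur["flags"], cur["answer"] = set(m.group(1).split()), int(m.group(2))
        elif not line.startswith(";") and len(line.split()) >= 3:
            owner, rtype, *rdata = line.split()  # +nocl +nottl: owner TYPE rdata
            cur["rrs"].append((owner.lower(), rtype, rdata))
    return out

def denial_problems(resp):
    """Return why an authoritative negative answer lacks a signed denial proof."""
    negative = resp["status"] == "NXDOMAIN" or (resp["status"] == "NOERROR" and resp["answer"] == 0)
    if not negative or "aa" not in resp["flags"]:
        return []
    signed = {(o, rd[0]) for o, t, rd in resp["rrs"] if t == "RRSIG"}
    proofs = [(o, t) for o, t, _ in resp["rrs"] if t in ("NSEC", "NSEC3")]
    if not proofs:
        return ["no NSEC/NSEC3 records in authority section"]
    return [f"{t} at {o} has no RRSIG" for o, t in proofs if (o, t) not in signed]

def audit(text):  # server -> list of problems; an empty list means a proof is present
    return {srv: denial_problems(r) for srv, r in parse_responses(text).items()}
```

Run against every authoritative server of a signed zone, any server with a non-empty list is one whose negative answers a validating resolver will treat as bogus.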