[dns-operations] Was: .KE denial of existence partly broken? (Viktor Dukhovni)

Daniel Shaw daniel at techdad.xyz
Fri Jul 20 13:20:35 UTC 2018


On Thu, 19 Jul 2018 at 14:56, Calvin Browne <calvin at orange-tree.alt.za>
wrote:

> Seems it is an issue with Afrinic's anycast and an older version of NSD
> - Afrinic said they'll fix it shortly.

Hmm, not exactly.

Indeed we did pick up an issue with some nodes. However, it is, I believe,
a *different* issue to what Viktor posted (based on looking in detail at
his dnsviz links). I stand to be corrected.

We also serve what we're given with NSD. In some locations 4.1.16. In
"older" locations, 4.1.3.

What we've identified thanks to Calvin is that, although the zone data is
identical, the 4.1.16 nodes are consistent with all other NSs for this
zone, whereas the 4.1.3 locations serve up fewer NSEC3 RRs to the same query.

This does seem to be a bug in the older NSD version. The use case here is
NSEC3 non-existence proofs in an opt-out signed zone. We've not yet tested
other sorts of queries/zones. However, we will (as Calvin mentioned) be
upgrading the NSD version on the "troublesome" instances early next week.

Cheers,
Daniel Shaw
(AFRINIC)
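As an added example (not code from the thread, from NSD or from AFRINIC), the following implements the RFC 5155 NSEC3 hash and the NXDOMAIN proof rules a validator applies in an Opt-Out zone, so that an operator comparing answers from different anycast nodes can check offline whether a response that carries fewer NSEC3 RRs still contains every record the proof needs. The zone names, salt and iteration count are constructed; nothing here is .KE data.

```python
import base64
import hashlib

# NSEC3 owner names are base32hex (RFC 4648); translate from Python's base32 alphabet.
B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                         b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5: SHA-1(wire-format name || salt), re-hashed `iterations` times."""
    labels = [l.lower().encode() for l in name.strip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(B32HEX).decode().lower()

def covers(rr, h):
    """True when hashed name h falls strictly between rr's owner and next hash (chain wraps)."""
    owner, nxt = rr["owner"], rr["next"]
    return owner < h < nxt if owner < nxt else (h > owner or h < nxt)

def build_chain(names, salt=b"", iterations=0, opt_out=True):
    """Constructed NSEC3 chain (Opt-Out set) for the given owner names, sorted by hash."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [{"owner": hashes[i], "next": hashes[(i + 1) % len(hashes)], "opt_out": opt_out}
            for i in range(len(hashes))]

def nxdomain_proof(nsec3s, qname, zone, salt=b"", iterations=0):
    """Return the NSEC3 RRs that prove qname does not exist (RFC 5155 section 8.4),
    or None when the response does not contain every record the validator needs."""
    h = lambda n: nsec3_hash(n, salt, iterations)
    match = lambda n: next((r for r in nsec3s if r["owner"] == h(n)), None)
    cover = lambda n: next((r for r in nsec3s if covers(r, h(n))), None)
    labels = qname.strip(".").split(".")
    depth = len(zone.strip(".").split("."))
    # Walk up from qname towards the apex until a name with a matching NSEC3 is found:
    # that is the closest encloser; the label below it is the "next closer" name.
    for i in range(1, len(labels) - depth + 1):
        ce = ".".join(labels[i:]) + "."
        ce_rr = match(ce)
        if ce_rr is None:
            continue
        nc_rr = cover(".".join(labels[i - 1:]) + ".")  # next closer must be covered
        wc_rr = cover("*." + ce)                        # and so must *.closest-encloser
        if nc_rr is None or wc_rr is None:
            return None
        # Opt-Out on the covering RR means only "no secure delegation here" is proven.
        return {"closest_encloser": ce_rr, "next_closer": nc_rr,
                "wildcard": wc_rr, "opt_out": nc_rr["opt_out"]}
    return None
```

Feeding `nxdomain_proof` the NSEC3 RRs from each node's answer to the same query shows directly which node omits a record the validator requires.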