[dns-operations] google DNS doing validation?

frnkblk at iname.com frnkblk at iname.com
Thu Jul 26 14:02:44 UTC 2018


FYI, servfail.nl hasn't been working properly since about 6:40 U.S. Central.
DNSSEC resolution did not properly fail against www.servfail.nl, a zone
which is supposed to be incorrectly signed.

We should be getting a SERVFAIL (like I get with www.dnssec-failed.org),
not a NOERROR.



root@nagios:/home/fbulk# dig +dnssec A www.servfail.nl @96.31.0.32

; <<>> DiG 9.7.3 <<>> +dnssec A www.servfail.nl @96.31.0.32
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51350
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.servfail.nl.               IN      A

;; AUTHORITY SECTION:
servfail.nl.            60      IN      SOA     li1.forfun.net. hostmaster.forfun.net. 1532606883 86400 7200 2419200 60
servfail.nl.            60      IN      RRSIG   SOA 8 2 60 20180825110803 20180726110803 8529 servfail.nl. M/PP9fSllFVfNvaVEubeAdFjeR2yiZ4u9oGbRyQ3Hje0Ywrgk+g6VSLC qCFvqxFKlQcQBF89WQH/dGZuHU1kIg==
M031C7SB3B2LGAHJCEMJ3G5IS8R8EUBC.servfail.nl. 60 IN RRSIG NSEC3 8 3 60 20180825110803 20180726110803 8529 servfail.nl. uwo/XVBvVj96hBvE7+GBHBQiXpb3or313kPSj1AXuc+Eu+v0drknqE1C dqKIB9BasDYs3/aRtmvmEfi19kt0Mw==
M031C7SB3B2LGAHJCEMJ3G5IS8R8EUBC.servfail.nl. 60 IN NSEC3 1 0 10 BEAFBEAF R6K26LDO0GS7N66JPQALLM0JIDU6PHML AAAA RRSIG

;; Query time: 76 msec
;; SERVER: 96.31.0.32#53(96.31.0.32)
;; WHEN: Thu Jul 26 08:59:13 2018
;; MSG SIZE  rcvd: 402


root@nagios:/home/fbulk# dig +dnssec A www.dnssec-failed.org @96.31.0.32

; <<>> DiG 9.7.3 <<>> +dnssec A www.dnssec-failed.org @96.31.0.32
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57636
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.dnssec-failed.org.         IN      A

;; Query time: 34 msec
;; SERVER: 96.31.0.32#53(96.31.0.32)
;; WHEN: Thu Jul 26 08:59:18 2018
;; MSG SIZE  rcvd: 50

root@nagios:/home/fbulk#

Frank

-----Original Message-----
From: dns-operations-bounces at lists.dns-oarc.net
<dns-operations-bounces at lists.dns-oarc.net> On Behalf Of Marco Davids (SIDN)
Sent: Monday, January 28, 2013 11:17 AM
To: dns-operations at lists.dns-oarc.net
Subject: Re: [dns-operations] google DNS doing validation?

On 28-01-13 18:14, Stephan Lagerholm wrote:

> I get the AD bit back but oddly enough, the Swedish deliberately broken
> site trasigdnssec.se does not servfail on the 8.8.8.8/8.8.4.4

servfail.nl, also deliberately broken, does SERVFAIL.

--
Marco
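
Added example, not part of the original message or of any poster's tooling: a Nagios-style check that classifies a resolver's answer for a zone that is supposed to fail DNSSEC validation, using the two dig headers shown above as input. The function names and the mapping of outcomes to Nagios severities are assumptions made for this illustration.

```python
import re

# Header lines as printed by dig, copied from the two responses shown above.
BROKEN_ZONE_NOERROR = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51350
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
"""
BROKEN_ZONE_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57636
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios plugin exit codes


def parse_dig_header(text):
    """Return (status, set_of_flags) from dig's header, or None if absent."""
    status = re.search(r"^;; ->>HEADER<<- .*\bstatus: (\w+)", text, re.M)
    flags = re.search(r"^;; flags:([^;]*);", text, re.M)
    if not status or not flags:
        return None
    return status.group(1), set(flags.group(1).split())


def check_broken_zone(text):
    """Classify a resolver's answer for a zone that is meant to fail validation."""
    parsed = parse_dig_header(text)
    if parsed is None:
        return UNKNOWN, "no dig header found"
    status, flags = parsed
    if status == "SERVFAIL":
        return OK, "SERVFAIL: resolver rejected the broken zone"
    if status == "NOERROR" and "ad" in flags:
        # Assumed reading: the resolver reports validated data, so the test
        # zone itself is probably no longer broken.
        return WARNING, "NOERROR with AD: test zone validates, check the zone"
    if status == "NOERROR":
        return CRITICAL, "NOERROR without AD: resolver is not validating"
    return UNKNOWN, "unexpected status " + status


if __name__ == "__main__":
    for name, sample in (("www.servfail.nl", BROKEN_ZONE_NOERROR),
                         ("www.dnssec-failed.org", BROKEN_ZONE_SERVFAIL)):
        code, message = check_broken_zone(sample)
        print(name, code, message)
```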
