[dns-operations] google DNS doing validation?
Moritz Muller
moritz.muller at sidn.nl
Thu Jul 26 15:18:03 UTC 2018
Seems to me still pretty broken (as it should be)
http://dnsviz.net/d/www.servfail.nl/dnssec/
http://dnsviz.net/d/servfail.nl/dnssec/
> On 26 Jul 2018, at 16:02, frnkblk at iname.com wrote:
>
> FYI, servfail.nl hasn't been working properly since about 6:40 U.S. Central.
> DNSSEC resolution did not properly fail against www.servfail.nl, a zone
> which is supposed to be incorrectly signed.
>
> We should be getting a SERVFAIL (like I get with www.dnssec-failed.org),
> not a NOERROR.
>
>
>
> root@nagios:/home/fbulk# dig +dnssec A www.servfail.nl @96.31.0.32
>
> ; <<>> DiG 9.7.3 <<>> +dnssec A www.servfail.nl @96.31.0.32
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51350
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.servfail.nl. IN A
>
> ;; AUTHORITY SECTION:
> servfail.nl. 60 IN SOA li1.forfun.net.
> hostmaster.forfun.net. 1532606883 86400 7200 2419200 60
> servfail.nl. 60 IN RRSIG SOA 8 2 60 20180825110803
> 20180726110803 8529 servfail.nl.
> M/PP9fSllFVfNvaVEubeAdFjeR2yiZ4u9oGbRyQ3Hje0Ywrgk+g6VSLC
> qCFvqxFKlQcQBF89WQH/dGZuHU1kIg==
> M031C7SB3B2LGAHJCEMJ3G5IS8R8EUBC.servfail.nl. 60 IN RRSIG NSEC3 8 3 60
> 20180825110803 20180726110803 8529 servfail.nl.
> uwo/XVBvVj96hBvE7+GBHBQiXpb3or313kPSj1AXuc+Eu+v0drknqE1C
> dqKIB9BasDYs3/aRtmvmEfi19kt0Mw==
> M031C7SB3B2LGAHJCEMJ3G5IS8R8EUBC.servfail.nl. 60 IN NSEC3 1 0 10 BEAFBEAF
> R6K26LDO0GS7N66JPQALLM0JIDU6PHML AAAA RRSIG
>
> ;; Query time: 76 msec
> ;; SERVER: 96.31.0.32#53(96.31.0.32)
> ;; WHEN: Thu Jul 26 08:59:13 2018
> ;; MSG SIZE rcvd: 402
>
>
> root@nagios:/home/fbulk# dig +dnssec A www.dnssec-failed.org @96.31.0.32
>
> ; <<>> DiG 9.7.3 <<>> +dnssec A www.dnssec-failed.org @96.31.0.32
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57636
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.dnssec-failed.org. IN A
>
> ;; Query time: 34 msec
> ;; SERVER: 96.31.0.32#53(96.31.0.32)
> ;; WHEN: Thu Jul 26 08:59:18 2018
> ;; MSG SIZE rcvd: 50
>
> root@nagios:/home/fbulk#
>
> Frank
>
> -----Original Message-----
> From: dns-operations-bounces at lists.dns-oarc.net
> <dns-operations-bounces at lists.dns-oarc.net> On Behalf Of Marco Davids (SIDN)
> Sent: Monday, January 28, 2013 11:17 AM
> To: dns-operations at lists.dns-oarc.net
> Subject: Re: [dns-operations] google DNS doing validation?
>
> On 28-01-13 18:14, Stephan Lagerholm wrote:
>
>> I get the AD bit back but oddly enough, the Swedish deliberately broken
>> site trasigdnssec.se does not servfail on the 8.8.8.8/8.8.4.4
>
> servfail.nl, also deliberately broken, does SERVFAIL.
>
> --
> Marco
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
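The comparison made by hand in the quoted dig runs (NOERROR with the AD flag for a name that is meant to fail validation, versus SERVFAIL for www.dnssec-failed.org) can be automated as a Nagios-style check over dig's text output. This is an added example, not code from the thread; the function names, the exit-code mapping and the `+cd` sample are assumptions made for the illustration.

```python
import re

# Constructed inputs: the first two samples reuse the header lines of the dig
# runs quoted in the thread; the +cd sample is made up for this example.
NOERROR_AD = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51350\n"
              ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1\n")
SERVFAIL = (";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57636\n"
            ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n")
CD_NOERROR = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1\n"
              ";; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n")

STATUS_RE = re.compile(r"->>HEADER<<-.*?status:\s*(\w+)")
FLAGS_RE = re.compile(r"^;; flags:([^;]*);", re.M)


def parse_dig(text):
    """Return (rcode, set_of_header_flags) from dig's text output."""
    status, flags = STATUS_RE.search(text), FLAGS_RE.search(text)
    if not status or not flags:
        raise ValueError("no dig header found (timeout or truncated output?)")
    return status.group(1).upper(), set(flags.group(1).split())


def check_broken_zone(normal, with_cd=None):
    """Nagios-style (exit_code, message) for a name that must fail validation.

    normal  : output of `dig +dnssec` for the deliberately broken name
    with_cd : optional output of the same query sent with `+cd`
    Exit codes: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
    """
    try:
        rcode, flags = parse_dig(normal)
        cd_rcode = parse_dig(with_cd)[0] if with_cd is not None else None
    except ValueError as exc:
        return 3, f"UNKNOWN: {exc}"
    if rcode != "SERVFAIL":
        how = "with AD set" if "ad" in flags else "without AD"
        return 2, f"CRITICAL: {rcode} {how}; broken zone was not rejected"
    if cd_rcode == "SERVFAIL":
        # Fails even with checking disabled: likely an outage, not validation.
        return 1, "WARNING: SERVFAIL also with +cd; cannot attribute to DNSSEC"
    return 0, "OK: SERVFAIL for the deliberately broken zone"
```

Passing the `+cd` output is optional; it only separates a validation failure from a SERVFAIL caused by an unreachable or misbehaving authoritative server.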