[dns-operations] google DNS doing validation?

Frank Bulk frnkblk at iname.com
Thu Jul 26 15:29:18 UTC 2018


Thanks for hosting that zone and breaking it again. =)

There are only two zones that I know of that are intentionally broken (servfail.nl and www.dnssec-failed.org -- I'd love to have a few more), but they provide at least some indication that our customer-facing DNS resolvers are properly performing DNSSEC validation.

Frank 
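The check described above, written out as a Nagios-style plugin. This is an added example and not code from the thread or from Frank's monitoring setup. It queries a resolver with dig +dnssec for the two bogus names the thread mentions (expected: SERVFAIL) and for one known-good signed name (expected: NOERROR with the AD bit), and can optionally ask a second, trusted validating resolver about the bogus names so that a canary zone that has gone accidentally secure, as servfail.nl did here, is reported as WARNING rather than as a resolver failure. The resolver addresses, the choice of good name, and the reference resolver are assumptions; the two sample dig headers embedded below are copied from the thread for the offline parser check.

```python
#!/usr/bin/env python3
"""DNSSEC validation canary check in the Nagios plugin convention.

Added example, not from the thread. Exit status: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
"""
import re
import subprocess
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

BOGUS_NAMES = ["www.servfail.nl", "www.dnssec-failed.org"]  # the canaries named in the thread
GOOD_NAME = "www.example.com"  # assumption: a name in a correctly signed zone; verify before relying on it

# Header lines copied from the dig output in the thread, used as sample input.
SAMPLE_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57636
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_NOERROR = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51350
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
"""

HEADER_RE = re.compile(r"^;; ->>HEADER<<-.*status: ([A-Z]+)", re.M)
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)


def parse_dig(output):
    """Extract (rcode, flags) from dig text output.

    Returns (None, set()) when no header is present (timeout, connection refused).
    """
    hdr = HEADER_RE.search(output)
    if not hdr:
        return None, set()
    flg = FLAGS_RE.search(output)
    flags = set(flg.group(1).split()) if flg else set()
    return hdr.group(1), flags


def query(name, resolver, timeout=5):
    """Run dig +dnssec against one resolver and parse the reply (network; not exercised offline)."""
    cmd = ["dig", "+dnssec", "+time=%d" % timeout, "+tries=1", "A", name, "@" + resolver]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    return parse_dig(out)


def classify(bogus, good, reference=None):
    """Map parsed replies to (nagios_status, message).

    bogus:     {name: (rcode, flags)} for the canary names from the resolver under test
    good:      (rcode, flags) for GOOD_NAME from the resolver under test
    reference: optional {name: (rcode, flags)} for the canary names from a resolver that
               is known to validate; lets us tell "my resolver stopped validating" apart
               from "the canary zone is currently valid", which look identical otherwise.
    """
    rcode, flags = good
    if rcode != "NOERROR":
        return CRITICAL, "%s: %s (resolver broken or unreachable)" % (GOOD_NAME, rcode)
    if "ad" not in flags:
        return CRITICAL, "%s answered without AD bit: resolver is not validating" % GOOD_NAME

    problems, inconclusive, proved = [], [], []
    for name, (rcode, _) in bogus.items():
        if rcode == "SERVFAIL":
            proved.append(name)  # bogus data was rejected: validation is happening
        elif reference and reference.get(name, (None,))[0] == "NOERROR":
            inconclusive.append(name)  # the canary itself validates right now
        else:
            problems.append("%s returned %s" % (name, rcode))

    if problems:
        return CRITICAL, "bogus zone accepted: " + "; ".join(problems)
    if not proved:
        return UNKNOWN, "no usable canary: " + ", ".join(inconclusive)
    if inconclusive:
        return WARNING, "validating (%s), but canary zone(s) currently secure: %s" % (
            ", ".join(proved), ", ".join(inconclusive))
    return OK, "validating; SERVFAIL for " + ", ".join(proved)


def main(argv):
    if len(argv) < 2:
        print("usage: check_dnssec_validation RESOLVER [REFERENCE_RESOLVER]")
        return UNKNOWN
    resolver = argv[1]
    reference = {n: query(n, argv[2]) for n in BOGUS_NAMES} if len(argv) > 2 else None
    bogus = {n: query(n, resolver) for n in BOGUS_NAMES}
    status, msg = classify(bogus, query(GOOD_NAME, resolver), reference)
    print("%s - %s" % (["OK", "WARNING", "CRITICAL", "UNKNOWN"][status], msg))
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `check_dnssec_validation 96.31.0.32 <reference-resolver>`. The SERVFAIL from a bogus canary is the stronger evidence: a resolver that merely forwards to a validating upstream can pass the AD bit through, so the AD check on the good name is only a sanity check that the resolver is up and DNSSEC-aware. With the reference resolver supplied, the situation in this thread (www.servfail.nl answering NOERROR with AD set while www.dnssec-failed.org still SERVFAILs) comes out as WARNING with a note that one canary is currently secure, rather than a CRITICAL page for a resolver that is in fact validating.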

-----Original Message-----
From: Marco Davids (SIDN) <marco.davids at sidn.nl> 
Sent: Thursday, July 26, 2018 10:23 AM
To: frnkblk at iname.com
Cc: dns-operations at lists.dns-oarc.net
Subject: Re: [dns-operations] google DNS doing validation?

Hi,

Sorry, I was not aware of the critical value of servfail.nl in Nagios
environments.

I made a modification to the zone today and as a result of my poorly
designed 'keep it broken' method, the zone will be in a secure state for
a couple of hours afterwards.

It should be bogus as designed again now ;-)

--
Marco


On 26/07/2018 16:02, frnkblk at iname.com wrote:
> FYI, servfail.nl hasn't been working properly since about 6:40 U.S. Central.
> DNSSEC resolution did not properly fail against www.servfail.nl, a zone
> which is supposed to be incorrectly signed.
> 
> We should be getting a SERVFAIL (like I get with www.dnssec-failed.org),
> not a NOERROR.
> 
> 
> 
> root at nagios:/home/fbulk# dig +dnssec A www.servfail.nl @96.31.0.32
> 
> ; <<>> DiG 9.7.3 <<>> +dnssec A www.servfail.nl @96.31.0.32
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51350
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.servfail.nl.               IN      A
> 
> ;; AUTHORITY SECTION:
> servfail.nl.            60      IN      SOA     li1.forfun.net.
> hostmaster.forfun.net. 1532606883 86400 7200 2419200 60
> servfail.nl.            60      IN      RRSIG   SOA 8 2 60 20180825110803
> 20180726110803 8529 servfail.nl.
> M/PP9fSllFVfNvaVEubeAdFjeR2yiZ4u9oGbRyQ3Hje0Ywrgk+g6VSLC
> qCFvqxFKlQcQBF89WQH/dGZuHU1kIg==
> M031C7SB3B2LGAHJCEMJ3G5IS8R8EUBC.servfail.nl. 60 IN RRSIG NSEC3 8 3 60
> 20180825110803 20180726110803 8529 servfail.nl.
> uwo/XVBvVj96hBvE7+GBHBQiXpb3or313kPSj1AXuc+Eu+v0drknqE1C
> dqKIB9BasDYs3/aRtmvmEfi19kt0Mw==
> M031C7SB3B2LGAHJCEMJ3G5IS8R8EUBC.servfail.nl. 60 IN NSEC3 1 0 10 BEAFBEAF
> R6K26LDO0GS7N66JPQALLM0JIDU6PHML AAAA RRSIG
> 
> ;; Query time: 76 msec
> ;; SERVER: 96.31.0.32#53(96.31.0.32)
> ;; WHEN: Thu Jul 26 08:59:13 2018
> ;; MSG SIZE  rcvd: 402
> 
> 
> root at nagios:/home/fbulk# dig +dnssec A www.dnssec-failed.org @96.31.0.32
> 
> ; <<>> DiG 9.7.3 <<>> +dnssec A www.dnssec-failed.org @96.31.0.32
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57636
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.dnssec-failed.org.         IN      A
> 
> ;; Query time: 34 msec
> ;; SERVER: 96.31.0.32#53(96.31.0.32)
> ;; WHEN: Thu Jul 26 08:59:18 2018
> ;; MSG SIZE  rcvd: 50
> 
> root at nagios:/home/fbulk#
> 
> Frank
> 
> -----Original Message-----
> From: dns-operations-bounces at lists.dns-oarc.net
> <dns-operations-bounces at lists.dns-oarc.net> On Behalf Of Marco Davids (SIDN)
> Sent: Monday, January 28, 2013 11:17 AM
> To: dns-operations at lists.dns-oarc.net
> Subject: Re: [dns-operations] google DNS doing validation?
> 
> Op 28-01-13 18:14, Stephan Lagerholm schreef:
> 
>> I get the AD bit back but oddly enough, the Swedish deliberately broken
>> site trasigdnssec.se does not servfail on 8.8.8.8/8.8.4.4
> 
> servfail.nl, also deliberately broken, does SERVFAIL.
> 
> --
> Marco
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations