[dns-operations] google DNS doing validation?

Marco Davids (SIDN) marco.davids at sidn.nl
Thu Jul 26 15:30:51 UTC 2018


Try:

servfail.sidnlabs.nl

(same SLA btw, as in: none)

--
Marco


On 26/07/2018 17:29, Frank Bulk wrote:
> Thanks for hosting that zone and breaking it again. =)
> 
> There are only two zones that I know that are intentionally broken (servfail.nl and www.dnssec-failed.org -- I'd love to have a few more), but they provide at least some indication that our customer-facing DNS resolvers are properly performing DNSSEC validation.
> 
> Frank 
> 
> -----Original Message-----
> From: Marco Davids (SIDN) <marco.davids at sidn.nl> 
> Sent: Thursday, July 26, 2018 10:23 AM
> To: frnkblk at iname.com
> Cc: dns-operations at lists.dns-oarc.net
> Subject: Re: [dns-operations] google DNS doing validation?
> 
> Hi,
> 
> Sorry, I was not aware of the critical value of servfail.nl in Nagios
> environments.
> 
> I made a modification to the zone today and as a result of my poorly
> designed 'keep it broken' method, the zone will be in a secure state for
> a couple of hours afterwards.
> 
> I should be bogus as designed again now ;-)
> 
> --
> Marco
> 
> 
> On 26/07/2018 16:02, frnkblk at iname.com wrote:
>> FYI, servfail.nl hasn't been working properly since about 6:40 U.S. Central.
>> DNSSEC resolution did not properly fail against www.servfail.nl, a zone
>> which is supposed to be incorrectly signed.
>>
>> We should be getting a SERVFAIL (like I get with www.dnssec-failed.org),
>> not a NOERROR.
>>
>>
>>
>> root at nagios:/home/fbulk# dig +dnssec A www.servfail.nl @96.31.0.32
>>
>> ; <<>> DiG 9.7.3 <<>> +dnssec A www.servfail.nl @96.31.0.32
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51350
>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;www.servfail.nl.               IN      A
>>
>> ;; AUTHORITY SECTION:
>> servfail.nl.            60      IN      SOA     li1.forfun.net.
>> hostmaster.forfun.net. 1532606883 86400 7200 2419200 60
>> servfail.nl.            60      IN      RRSIG   SOA 8 2 60 20180825110803
>> 20180726110803 8529 servfail.nl.
>> M/PP9fSllFVfNvaVEubeAdFjeR2yiZ4u9oGbRyQ3Hje0Ywrgk+g6VSLC
>> qCFvqxFKlQcQBF89WQH/dGZuHU1kIg==
>> M031C7SB3B2LGAHJCEMJ3G5IS8R8EUBC.servfail.nl. 60 IN RRSIG NSEC3 8 3 60
>> 20180825110803 20180726110803 8529 servfail.nl.
>> uwo/XVBvVj96hBvE7+GBHBQiXpb3or313kPSj1AXuc+Eu+v0drknqE1C
>> dqKIB9BasDYs3/aRtmvmEfi19kt0Mw==
>> M031C7SB3B2LGAHJCEMJ3G5IS8R8EUBC.servfail.nl. 60 IN NSEC3 1 0 10 BEAFBEAF
>> R6K26LDO0GS7N66JPQALLM0JIDU6PHML AAAA RRSIG
>>
>> ;; Query time: 76 msec
>> ;; SERVER: 96.31.0.32#53(96.31.0.32)
>> ;; WHEN: Thu Jul 26 08:59:13 2018
>> ;; MSG SIZE  rcvd: 402
>>
>>
>> root at nagios:/home/fbulk# dig +dnssec A www.dnssec-failed.org @96.31.0.32
>>
>> ; <<>> DiG 9.7.3 <<>> +dnssec A www.dnssec-failed.org @96.31.0.32
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57636
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;www.dnssec-failed.org.         IN      A
>>
>> ;; Query time: 34 msec
>> ;; SERVER: 96.31.0.32#53(96.31.0.32)
>> ;; WHEN: Thu Jul 26 08:59:18 2018
>> ;; MSG SIZE  rcvd: 50
>>
>> root at nagios:/home/fbulk#
>>
>> Frank
>>
>> -----Original Message-----
>> From: dns-operations-bounces at lists.dns-oarc.net
>> <dns-operations-bounces at lists.dns-oarc.net> On Behalf Of Marco Davids (SIDN)
>> Sent: Monday, January 28, 2013 11:17 AM
>> To: dns-operations at lists.dns-oarc.net
>> Subject: Re: [dns-operations] google DNS doing validation?
>>
>> On 28-01-13 18:14, Stephan Lagerholm wrote:
>>
>>> I get the AD bit back but oddly enough, the Swedish deliberately broken
>>> site trasigdnssec.se does not servfail on the 8.8.8.8/8.8.4.4
>>
>> servfail.nl, also deliberately broken, does SERVFAIL.
>>
>> --
>> Marco
>>

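The monitoring check discussed in this thread, as an added example that is not part of the original messages: it queries a deliberately bogus canary name twice, once normally and once with the CD (checking disabled) bit, so that a canary zone that has become validly signed (NOERROR with the `ad` flag, as in the dig output above) is reported separately from a resolver that has stopped validating. The function names and the mapping to Nagios exit codes are assumptions of this sketch.

```python
import socket
import struct

NOERROR, SERVFAIL = 0, 2
OK, CRITICAL, UNKNOWN = 0, 2, 3  # Nagios plugin exit codes

def build_query(name, qid=0x1234, cd=False):
    """A query with RD and the EDNS0 DO bit set, like `dig +dnssec`."""
    flags = 0x0100 | (0x0010 if cd else 0)  # RD, optionally CD
    header = struct.pack("!6H", qid, flags, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"
    opt = b"\0" + struct.pack("!HHIH", 41, 4096, 0x8000, 0)  # OPT RR, DO=1
    return header + qname + struct.pack("!2H", 1, 1) + opt

def parse_header(msg):
    """Return (rcode, ad) from the first four bytes of a DNS response."""
    _qid, flags = struct.unpack("!2H", msg[:4])
    return flags & 0x000F, bool(flags & 0x0020)

def probe(resolver, name, cd=False, timeout=3.0):
    """Send one UDP query to the resolver; needs network access."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, cd=cd), (resolver, 53))
        return parse_header(s.recv(4096))

def classify(normal, with_cd):
    """normal / with_cd are (rcode, ad) for the same bogus canary name."""
    rcode, ad = normal
    if rcode == SERVFAIL and with_cd[0] == NOERROR:
        return OK, "resolver rejects the bogus canary"
    if rcode == SERVFAIL:
        return UNKNOWN, "canary unreachable even with CD; cannot judge"
    if rcode == NOERROR and ad:
        return UNKNOWN, "canary validated as secure; zone is no longer broken"
    if rcode == NOERROR:
        return CRITICAL, "bogus canary answered without validation"
    return UNKNOWN, "unexpected rcode %d" % rcode

def check(resolver, canary):
    """Run both probes against one resolver and classify the result."""
    try:
        return classify(probe(resolver, canary), probe(resolver, canary, cd=True))
    except OSError as exc:  # timeout or network error
        return UNKNOWN, "query failed: %s" % exc
```

Running `check()` against more than one canary zone, as the thread suggests, keeps a single repaired zone from masking or faking a resolver problem.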