[dns-operations] google DNS doing validation?

Petr Špaček petr.spacek at nic.cz
Thu Jul 26 16:14:28 UTC 2018


On 26.7.2018 17:30, Marco Davids (SIDN) wrote:
> Try:
> 
> servfail.sidnlabs.nl

rhybar.cz

... is served from auth servers of .CZ TLD so it should have reasonable
SLA ;-)

Petr Špaček  @  CZ.NIC

> (same SLA btw, as in: none)
> --
> Marco
> 
> 
> On 26/07/2018 17:29, Frank Bulk wrote:
>> Thanks for hosting that zone and breaking it again. =)
>>
>> There are only two zones that I know of that are intentionally broken (servfail.nl and www.dnssec-failed.org -- I'd love to have a few more), but they provide at least some indication that our customer-facing DNS resolvers are properly performing DNSSEC validation.
>>
>> Frank 
>>
>> -----Original Message-----
>> From: Marco Davids (SIDN) <marco.davids at sidn.nl> 
>> Sent: Thursday, July 26, 2018 10:23 AM
>> To: frnkblk at iname.com
>> Cc: dns-operations at lists.dns-oarc.net
>> Subject: Re: [dns-operations] google DNS doing validation?
>>
>> Hi,
>>
>> Sorry, I was not aware of the critical value of servfail.nl in Nagios
>> environments.
>>
>> I made a modification to the zone today and as a result of my poorly
>> designed 'keep it broken' method, the zone will be in a secure state for
>> a couple of hours afterwards.
>>
>> It should be bogus as designed again now ;-)
>>
>> --
>> Marco
>>
>>
>> On 26/07/2018 16:02, frnkblk at iname.com wrote:
>>> FYI, servfail.nl hasn't been working properly since about 6:40 U.S. Central.
>>> DNSSEC resolution did not properly fail against www.servfail.nl, a zone
>>> which is supposed to be incorrectly signed.
>>>
>>> We should be getting a SERVFAIL (like I get with www.dnssec-failed.org),
>>> not a NOERROR.
>>>
>>>
>>>
>>> root at nagios:/home/fbulk# dig +dnssec A www.servfail.nl @96.31.0.32
>>>
>>> ; <<>> DiG 9.7.3 <<>> +dnssec A www.servfail.nl @96.31.0.32
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51350
>>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags: do; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;www.servfail.nl.               IN      A
>>>
>>> ;; AUTHORITY SECTION:
>>> servfail.nl.            60      IN      SOA     li1.forfun.net.
>>> hostmaster.forfun.net. 1532606883 86400 7200 2419200 60
>>> servfail.nl.            60      IN      RRSIG   SOA 8 2 60 20180825110803
>>> 20180726110803 8529 servfail.nl.
>>> M/PP9fSllFVfNvaVEubeAdFjeR2yiZ4u9oGbRyQ3Hje0Ywrgk+g6VSLC
>>> qCFvqxFKlQcQBF89WQH/dGZuHU1kIg==
>>> M031C7SB3B2LGAHJCEMJ3G5IS8R8EUBC.servfail.nl. 60 IN RRSIG NSEC3 8 3 60
>>> 20180825110803 20180726110803 8529 servfail.nl.
>>> uwo/XVBvVj96hBvE7+GBHBQiXpb3or313kPSj1AXuc+Eu+v0drknqE1C
>>> dqKIB9BasDYs3/aRtmvmEfi19kt0Mw==
>>> M031C7SB3B2LGAHJCEMJ3G5IS8R8EUBC.servfail.nl. 60 IN NSEC3 1 0 10 BEAFBEAF
>>> R6K26LDO0GS7N66JPQALLM0JIDU6PHML AAAA RRSIG
>>>
>>> ;; Query time: 76 msec
>>> ;; SERVER: 96.31.0.32#53(96.31.0.32)
>>> ;; WHEN: Thu Jul 26 08:59:13 2018
>>> ;; MSG SIZE  rcvd: 402
>>>
>>>
>>> root at nagios:/home/fbulk# dig +dnssec A www.dnssec-failed.org @96.31.0.32
>>>
>>> ; <<>> DiG 9.7.3 <<>> +dnssec A www.dnssec-failed.org @96.31.0.32
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57636
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags: do; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;www.dnssec-failed.org.         IN      A
>>>
>>> ;; Query time: 34 msec
>>> ;; SERVER: 96.31.0.32#53(96.31.0.32)
>>> ;; WHEN: Thu Jul 26 08:59:18 2018
>>> ;; MSG SIZE  rcvd: 50
>>>
>>> root at nagios:/home/fbulk#
>>>
>>> Frank
>>>
>>> -----Original Message-----
>>> From: dns-operations-bounces at lists.dns-oarc.net
>>> <dns-operations-bounces at lists.dns-oarc.net> On Behalf Of Marco Davids (SIDN)
>>> Sent: Monday, January 28, 2013 11:17 AM
>>> To: dns-operations at lists.dns-oarc.net
>>> Subject: Re: [dns-operations] google DNS doing validation?
>>>
>>> On 28-01-13 18:14, Stephan Lagerholm wrote:
>>>
>>>> I get the AD bit back but oddly enough, the Swedish deliberately broken
>>>> site trasigdnssec.se does not servfail on the 8.8.8.8/8.8.4.4
>>>
>>> servfail.nl, also deliberately broken, does SERVFAIL.
>>>
>>> --
>>> Marco
>>>
>>> _______________________________________________
>>> dns-operations mailing list
>>> dns-operations at lists.dns-oarc.net
>>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>> dns-jobs mailing list
>>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>>
>>
> 
> 
> 



