[dns-operations] google DNS doing validation?

Casey Deccio casey at deccio.net
Fri Jul 27 13:39:49 UTC 2018


> On Jul 27, 2018, at 12:27 AM, Petr Špaček <petr.spacek at nic.cz> wrote:
> 
> On 26.7.2018 18:34, frnkblk at iname.com wrote:
>> I used to use rhybar.cz, but the zone hasn't been working since May 26
>> around 1:30 am (U.S. Central).
> 
> Are you sure? DNSViz indicates that it is broken properly! ;-)

For what it's worth, it is indeed properly broken now :)

http://dnsviz.net/d/rhybar.cz/W1sbSw/dnssec/


Yesterday, it was indeed also broken, but not really for DNSSEC reasons:

http://dnsviz.net/d/rhybar.cz/W1n28Q/dnssec/

Yesterday, the authoritative servers were responding with referrals rather than providing authoritative responses for rhybar.cz/DNSKEY, rhybar.cz/A, etc.

For example, the response from 193.29.206.1 for rhybar.cz/A looked like this:

opcode QUERY
rcode NOERROR
flags QR
edns 0
eflags DO
payload 1232
;QUESTION
rhybar.cz. IN A
;ANSWER
;AUTHORITY
rhybar.cz. 3600 IN NS a.ns.nic.cz.
rhybar.cz. 3600 IN NS d.ns.nic.cz.
rhybar.cz. 3600 IN NS b.ns.nic.cz.
rhybar.cz. 3600 IN DS 59916 5 2 1a6516c32dcf2038e5382d77adacade3ede99cdd77f019fcdf3741b49f8d563b
rhybar.cz. 3600 IN RRSIG DS 13 2 3600 20180802183134 20180721103541 62295 cz. 80AVXfeNrMy6OumE0Zt6YUIBqJZzTcuo zHD7gczAUzzu0ZgMMZNM4SQYU4NgTguj YVkYJiwOcRXWwnuP9nilVg==
;ADDITIONAL
a.ns.nic.cz. 3600 IN A 194.0.12.1
a.ns.nic.cz. 3600 IN AAAA 2001:678:f::1
b.ns.nic.cz. 3600 IN A 194.0.13.1
b.ns.nic.cz. 3600 IN AAAA 2001:678:10::1
d.ns.nic.cz. 3600 IN A 193.29.206.1
d.ns.nic.cz. 3600 IN AAAA 2001:678:1::1

So... broken is broken?  Well, maybe.  When I first began running a validating resolver years ago, I checked every SERVFAIL that was returned by re-querying the validating resolver with +cd (or I queried another, non-validating resolver).  The result (SERVFAIL or not) helped me distinguish whether it was a DNSSEC-related issue or not.  So, if the point is to discover DNSSEC validation issues, then the type of broken can actually make a difference.  In this particular case, the response from a resolver would likely have been SERVFAIL even with +cd (or with a non-validating resolver).

In any case, thanks to the many organizations that supply services of any type to help with the quality of DNSSEC deployment and maintenance--including those hosting domains designed to fail DNSSEC validation :)

Casey
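The two kinds of "broken" described above, worked through in code. This is an added example, not Casey's or DNSViz's code, and it uses only the Python standard library. `parse_dump` reads the dig/DNSViz-style text dump format quoted in the message (the rhybar.cz response is embedded as the sample input), `classify_auth_response` tells an authoritative answer apart from a referral, `is_self_referral` flags the case where the server that handed out the referral is itself one of the NS targets, and `triage_servfail` encodes the heuristic from the last paragraph: compare the rcode from a validating resolver with the rcode obtained with +cd (or from a non-validating resolver). All function and field names are this example's own assumptions.

```python
"""Triage helpers for the two failure modes discussed in the post."""
from dataclasses import dataclass, field

# Response dump quoted in the post (193.29.206.1 answering for rhybar.cz/A).
RHYBAR_REFERRAL_DUMP = """\
opcode QUERY
rcode NOERROR
flags QR
edns 0
eflags DO
payload 1232
;QUESTION
rhybar.cz. IN A
;ANSWER
;AUTHORITY
rhybar.cz. 3600 IN NS a.ns.nic.cz.
rhybar.cz. 3600 IN NS d.ns.nic.cz.
rhybar.cz. 3600 IN NS b.ns.nic.cz.
rhybar.cz. 3600 IN DS 59916 5 2 1a6516c32dcf2038e5382d77adacade3ede99cdd77f019fcdf3741b49f8d563b
;ADDITIONAL
a.ns.nic.cz. 3600 IN A 194.0.12.1
b.ns.nic.cz. 3600 IN A 194.0.13.1
d.ns.nic.cz. 3600 IN A 193.29.206.1
d.ns.nic.cz. 3600 IN AAAA 2001:678:1::1
"""


@dataclass
class Response:
    rcode: str = "NOERROR"
    flags: set = field(default_factory=set)
    question: list = field(default_factory=list)          # (name, class, type)
    sections: dict = field(default_factory=lambda: {"ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []})


def parse_dump(text: str) -> Response:
    """Parse the header/section text dump format shown in the post."""
    resp, section = Response(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):                  # ";QUESTION", ";ANSWER", ...
            section = line[1:].upper()
            continue
        if section is None:                       # header: "rcode NOERROR", "flags QR AA"
            key, _, value = line.partition(" ")
            if key == "rcode":
                resp.rcode = value
            elif key == "flags":
                resp.flags = set(value.split())
            continue
        fields = line.split()
        if section == "QUESTION":
            resp.question.append((fields[0].lower(), fields[1], fields[2]))
        else:                                     # name ttl class type rdata...
            name, ttl, rclass, rtype = fields[:4]
            resp.sections[section].append((name.lower(), int(ttl), rclass, rtype, " ".join(fields[4:])))
    return resp


def classify_auth_response(resp: Response) -> str:
    """'authoritative', 'referral', 'non-authoritative', or the lowercase rcode."""
    if resp.rcode != "NOERROR":
        return resp.rcode.lower()
    if "AA" in resp.flags:
        return "authoritative"
    qname = resp.question[0][0]
    ns_owners = {rr[0] for rr in resp.sections["AUTHORITY"] if rr[3] == "NS"}
    # Empty ANSWER plus NS records at/above the qname is a delegation, not an answer.
    if not resp.sections["ANSWER"] and any(qname == o or qname.endswith("." + o) for o in ns_owners):
        return "referral"
    return "non-authoritative"


def is_self_referral(resp: Response, server_ip: str) -> bool:
    """True when the referring server is itself glue for one of the delegated NS names."""
    if classify_auth_response(resp) != "referral":
        return False
    ns_targets = {rr[4].lower() for rr in resp.sections["AUTHORITY"] if rr[3] == "NS"}
    glue = {rr[4] for rr in resp.sections["ADDITIONAL"] if rr[3] in ("A", "AAAA") and rr[0] in ns_targets}
    return server_ip in glue


def triage_servfail(rcode_validating: str, rcode_cd: str) -> str:
    """Casey's heuristic: a SERVFAIL that disappears with +cd is a validation failure."""
    if rcode_validating != "SERVFAIL":
        return "no-failure"
    if rcode_cd == "SERVFAIL":
        return "non-dnssec-breakage"              # fails even with checking disabled
    return "dnssec-validation-failure"


if __name__ == "__main__":
    r = parse_dump(RHYBAR_REFERRAL_DUMP)
    print(classify_auth_response(r), is_self_referral(r, "193.29.206.1"))
    print(triage_servfail("SERVFAIL", "SERVFAIL"))   # what the post says rhybar.cz looked like yesterday
```

The referral check is the one a monitoring script needs on top of the +cd comparison: a SERVFAIL that persists with checking disabled says nothing about DNSSEC, and walking the authoritative servers (as DNSViz did here) is what reveals that they were delegating the name instead of serving it.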