[dns-operations] google DNS doing validation?
casey at deccio.net
Fri Jul 27 13:39:49 UTC 2018
> On Jul 27, 2018, at 12:27 AM, Petr Špaček <petr.spacek at nic.cz> wrote:
> On 26.7.2018 18:34, frnkblk at iname.com wrote:
>> I used to use rhybar.cz, but the zone hasn’t been working since May 26
>> around 1:30 am (U.S. Central).
> Are you sure? DNSViz indicates that it is broken properly! ;-)
For what it's worth, it is indeed properly broken now :)
Yesterday, it was indeed also broken, but not really for DNSSEC reasons:
Yesterday, the authoritative servers were responding with referrals rather than providing authoritative responses for rhybar.cz/DNSKEY, rhybar.cz/A, etc.
For example, the response from 22.214.171.124 for rhybar.cz/A looked like this:
rhybar.cz. IN A
rhybar.cz. 3600 IN NS a.ns.nic.cz.
rhybar.cz. 3600 IN NS d.ns.nic.cz.
rhybar.cz. 3600 IN NS b.ns.nic.cz.
rhybar.cz. 3600 IN DS 59916 5 2 1a6516c32dcf2038e5382d77adacade3ede99cdd77f019fcdf3741b49f8d563b
rhybar.cz. 3600 IN RRSIG DS 13 2 3600 20180802183134 20180721103541 62295 cz. 80AVXfeNrMy6OumE0Zt6YUIBqJZzTcuo zHD7gczAUzzu0ZgMMZNM4SQYU4NgTguj YVkYJiwOcRXWwnuP9nilVg==
a.ns.nic.cz. 3600 IN A 126.96.36.199
a.ns.nic.cz. 3600 IN AAAA 2001:678:f::1
b.ns.nic.cz. 3600 IN A 188.8.131.52
b.ns.nic.cz. 3600 IN AAAA 2001:678:10::1
d.ns.nic.cz. 3600 IN A 184.108.40.206
d.ns.nic.cz. 3600 IN AAAA 2001:678:1::1
So... broken is broken? Well, maybe. When I first began running a validating resolver years ago, I checked every SERVFAIL that was returned by re-querying the validating resolver with +cd (or I queried another, non-validating resolver). The result (SERVFAIL or not) helped me distinguish whether it was a DNSSEC-related issue or not. So, if the point is to discover DNSSEC validation issues, then the type of broken can actually make a difference. In this particular case, the response from a resolver would likely have been SERVFAIL even with +cd (or with a non-validating resolver).
In any case, thanks to the many organizations that supply services of any type to help with the quality of DNSSEC deployment and maintenance--including those hosting domains designed to fail DNSSEC validation :)
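
The +cd re-query triage described in the message above, as an added example that is not part of the original post: it sends the same question with and without the CD (Checking Disabled) header bit and compares the RCODEs. The function names, the query ID and the two sample response headers are constructed for illustration, and `check()` assumes an IPv4 validating resolver reachable over UDP.

```python
import socket
import struct

RD, CD = 0x0100, 0x0010   # header flag bits: recursion desired, checking disabled
SERVFAIL = 2

def build_query(name, qtype=1, cd=False, qid=0x1234):
    """Wire-format query for name/qtype; cd=True sets the bit that dig's +cd sets."""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # class IN

def rcode(msg):
    """RCODE is the low 4 bits of the 16-bit flags word in the DNS header."""
    return struct.unpack("!H", msg[2:4])[0] & 0x000F

def classify(rcode_validating, rcode_cd):
    """Compare the normal answer with the answer obtained with CD set."""
    if rcode_validating != SERVFAIL:
        return "no failure"
    if rcode_cd == SERVFAIL:
        return "not DNSSEC-specific"      # broken even with validation disabled
    return "DNSSEC validation failure"    # resolves once validation is disabled

def check(name, resolver, qtype=1, timeout=3.0):
    """Live triage against a validating resolver chosen by the caller."""
    codes = []
    for cd in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            query = build_query(name, qtype, cd)
            s.sendto(query, (resolver, 53))
            reply = s.recv(4096)
            if reply[:2] != query[:2]:
                raise ValueError("response ID does not match query ID")
            codes.append(rcode(reply))
    return classify(*codes)

# Constructed response headers (not captured traffic): QR|RD|RA with RCODE=2,
# and QR|RD|RA|CD with RCODE=0.
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)
SAMPLE_CD_NOERROR = struct.pack("!HHHHHH", 0x1234, 0x8190, 1, 0, 0, 0)

if __name__ == "__main__":
    print(classify(rcode(SAMPLE_SERVFAIL), rcode(SAMPLE_CD_NOERROR)))
    print(classify(rcode(SAMPLE_SERVFAIL), rcode(SAMPLE_SERVFAIL)))
```

The second case is the one the message describes for the referral responses: SERVFAIL with and without CD, so the failure is not a validation result.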