[dns-operations] google DNS doing validation?
Georg Kahest
georg.kahest at internet.ee
Sat Jul 28 13:37:31 UTC 2018
Hello,
.ee is hosting broken DNSSEC subdomains as well:
katki.dnssec.ee / broken.dnssec.ee
Georg
On 26.07.2018 18:29, Frank Bulk wrote:
> Thanks for hosting that zone and breaking it again. =)
>
> There are only two zones that I know that are intentionally broken (servfail.nl and www.dnssec-failed.org -- I'd love to have a few more), but they provide at least some indication that our customer-facing DNS resolvers are properly performing DNSSEC validation.
>
> Frank
>
> -----Original Message-----
> From: Marco Davids (SIDN) <marco.davids at sidn.nl>
> Sent: Thursday, July 26, 2018 10:23 AM
> To: frnkblk at iname.com
> Cc: dns-operations at lists.dns-oarc.net
> Subject: Re: [dns-operations] google DNS doing validation?
>
> Hi,
>
> Sorry, I was not aware of the critical value of servfail.nl in Nagios
> environments.
>
> I made a modification to the zone today and as a result of my poorly
> designed 'keep it broken' method, the zone will be in a secure state for
> a couple of hours afterwards.
>
> It should be bogus as designed again now ;-)
>
> --
> Marco
>
>
> On 26/07/2018 16:02, frnkblk at iname.com wrote:
>> FYI, servfail.nl hasn't been working properly since about 6:40 U.S. Central.
>> DNSSEC resolution did not properly fail against www.servfail.nl, a zone
>> which is supposed to be incorrectly signed.
>>
>> We should be getting a SERVFAIL (like I get with www.dnssec-failed.org),
>> not a NOERROR.
>>
>>
>>
>> root@nagios:/home/fbulk# dig +dnssec A www.servfail.nl @96.31.0.32
>>
>> ; <<>> DiG 9.7.3 <<>> +dnssec A www.servfail.nl @96.31.0.32
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51350
>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;www.servfail.nl. IN A
>>
>> ;; AUTHORITY SECTION:
>> servfail.nl. 60 IN SOA li1.forfun.net.
>> hostmaster.forfun.net. 1532606883 86400 7200 2419200 60
>> servfail.nl. 60 IN RRSIG SOA 8 2 60 20180825110803
>> 20180726110803 8529 servfail.nl.
>> M/PP9fSllFVfNvaVEubeAdFjeR2yiZ4u9oGbRyQ3Hje0Ywrgk+g6VSLC
>> qCFvqxFKlQcQBF89WQH/dGZuHU1kIg==
>> M031C7SB3B2LGAHJCEMJ3G5IS8R8EUBC.servfail.nl. 60 IN RRSIG NSEC3 8 3 60
>> 20180825110803 20180726110803 8529 servfail.nl.
>> uwo/XVBvVj96hBvE7+GBHBQiXpb3or313kPSj1AXuc+Eu+v0drknqE1C
>> dqKIB9BasDYs3/aRtmvmEfi19kt0Mw==
>> M031C7SB3B2LGAHJCEMJ3G5IS8R8EUBC.servfail.nl. 60 IN NSEC3 1 0 10 BEAFBEAF
>> R6K26LDO0GS7N66JPQALLM0JIDU6PHML AAAA RRSIG
>>
>> ;; Query time: 76 msec
>> ;; SERVER: 96.31.0.32#53(96.31.0.32)
>> ;; WHEN: Thu Jul 26 08:59:13 2018
>> ;; MSG SIZE rcvd: 402
>>
>>
>> root@nagios:/home/fbulk# dig +dnssec A www.dnssec-failed.org @96.31.0.32
>>
>> ; <<>> DiG 9.7.3 <<>> +dnssec A www.dnssec-failed.org @96.31.0.32
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57636
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;www.dnssec-failed.org. IN A
>>
>> ;; Query time: 34 msec
>> ;; SERVER: 96.31.0.32#53(96.31.0.32)
>> ;; WHEN: Thu Jul 26 08:59:18 2018
>> ;; MSG SIZE rcvd: 50
>>
>> root@nagios:/home/fbulk#
>>
>> Frank
>>
>> -----Original Message-----
>> From: dns-operations-bounces at lists.dns-oarc.net
>> <dns-operations-bounces at lists.dns-oarc.net> On Behalf Of Marco Davids (SIDN)
>> Sent: Monday, January 28, 2013 11:17 AM
>> To: dns-operations at lists.dns-oarc.net
>> Subject: Re: [dns-operations] google DNS doing validation?
>>
>> On 28-01-13 18:14, Stephan Lagerholm wrote:
>>
>>> I get the AD bit back but oddly enough, the Swedish deliberately broken
>>> site trasigdnssec.se does not servfail on the 8.8.8.8/8.8.4.4
>>
>> servfail.nl, also deliberately broken, does SERVFAIL.
>>
>> --
>> Marco
>>
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>> dns-jobs mailing list
>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
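The resolver check discussed in this thread, as an added example that is not code from any of the posters: it queries an intentionally bogus zone with the DO bit set and uses the AD flag to tell "resolver is not validating" apart from "test zone is temporarily secure", the situation in the quoted NOERROR output. Function names and the severity mapping are assumptions; the two sample headers are constructed from the flags shown in the quoted dig results.

```python
import secrets
import socket
import struct

NOERROR, SERVFAIL = 0, 2

def build_query(name, qid):
    """A-record query with RD set and an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # OPT RR: root name, TYPE=41, CLASS=UDP size 4096, TTL carries flags (DO=0x8000)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + qname + struct.pack("!HH", 1, 1) + opt  # QTYPE=A, QCLASS=IN

def parse_header(msg):
    """Return (rcode, ad_flag) from the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    flags = struct.unpack("!H", msg[2:4])[0]
    return flags & 0x000F, bool(flags & 0x0020)

def classify(rcode, ad):
    """Nagios-style verdict for a query against an intentionally bogus zone."""
    if rcode == SERVFAIL:
        return "OK", "resolver returned SERVFAIL for the bogus zone"
    if rcode == NOERROR and ad:
        return "WARNING", "resolver validates, but the test zone is currently secure"
    if rcode == NOERROR:
        return "CRITICAL", "resolver answered without validating"
    return "UNKNOWN", "unexpected rcode %d" % rcode

def check(resolver, name, timeout=3.0):
    """Query the resolver over UDP and classify the reply (needs network access)."""
    query = build_query(name, secrets.randbits(16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((resolver, 53))   # only accept datagrams from this peer
        s.send(query)
        reply = s.recv(4096)
    if reply[:2] != query[:2]:
        raise ValueError("reply ID does not match query ID")
    return classify(*parse_header(reply))

# Constructed headers mirroring the flags in the two dig results quoted above.
NOERROR_AD = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 0, 4, 1)    # qr rd ra ad
SERVFAIL_HDR = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)  # qr rd ra

if __name__ == "__main__":
    for label, hdr in (("NOERROR+AD", NOERROR_AD), ("SERVFAIL", SERVFAIL_HDR)):
        print(label, classify(*parse_header(hdr)))
```

SERVFAIL can also come from non-DNSSEC causes such as unreachable authoritative servers, so pairing this with a query for a correctly signed name that must return NOERROR with AD set makes the check more trustworthy.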