[dns-operations] Fortinet contact? Problems with their public resolvers
Daniel Stirnimann
daniel.stirnimann at switch.ch
Wed Jun 13 12:00:49 UTC 2018
Hi Klaus,
> $ dig @208.91.112.53 dnssec-signiert.at
I noticed that 208.91.112.53 sets the CD-bit for upstream queries.
I think this resolver expects the CD-bit to be copied to the response
(RFC 4035, 3.2.2. The CD Bit) which is not the case for the
authoritative name servers of goeast.ch, e.g.:
dig @192.174.68.100 goeast.ch +norec +dnssec +cd
; <<>> DiG 9.11.0rc1 <<>> @192.174.68.100 goeast.ch +norec +dnssec +cd
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46779
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1680
;; QUESTION SECTION:
;goeast.ch. IN A
;; ANSWER SECTION:
goeast.ch. 7200 IN A 91.222.86.6
goeast.ch. 7200 IN RRSIG A 8 2 7200 20180712151928 20180612150725 28824
goeast.ch. kpdLUFIfjgDPoiTwNHvJy+EyiwAZ0fbMLWRou1j4kr2X4nOEajbbbiS/
ruQaND4jaW8fJ1K9WynJLa/zAfBpVXhyVqKsDLClLJ2lLQPAwLKgAPdp
gVW8k1xWXe5+QWGviYck1aumheSeauCW9Z4XjLLBLO42GRuLEXIJ3uDn /pE=
;; Query time: 35 msec
;; SERVER: 192.174.68.100#53(192.174.68.100)
;; WHEN: Wed Jun 13 13:58:08 CEST 2018
;; MSG SIZE rcvd: 223
It looks like, if the CD bit is absent, it returns SERVFAIL.
Daniel
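As an added illustration of the check described in the message above (not code from the poster or from the dns-operations list): a small Python script that builds a DNS query with the CD bit set, the way the post says 208.91.112.53 does upstream, and then inspects a response header to see whether the responding server copied CD from the query. All wire messages are constructed in memory (no packets are sent); the "authoritative server" is a hypothetical stub that can either copy or drop CD, and the name goeast.ch is only reused from the post as sample input.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD as used by DNSSEC, RFC 4035).
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def encode_name(name):
    """Encode a dotted name as uncompressed DNS wire-format labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, cd=True, rd=False):
    """Build a minimal DNS query (one question, class IN).
    cd=True mimics a resolver that sets CD on its upstream queries."""
    flags = (RD if rd else 0) | (CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields relevant to this check."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "ad": bool(flags & AD),
        "cd": bool(flags & CD), "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an,
    }


def fake_authoritative_response(query, copy_cd, rcode=RCODE_NOERROR):
    """Constructed reply from a hypothetical authoritative server: echoes the
    transaction ID and question, sets QR and AA, and copies CD from the query
    only when copy_cd is True (no answer records are included)."""
    q = parse_header(query)
    flags = QR | AA | (CD if (copy_cd and q["cd"]) else 0) | rcode
    header = struct.pack("!HHHHHH", q["id"], flags, 1, 0, 0, 0)
    return header + query[12:]  # question section copied unchanged


def check_cd_echo(query, response):
    """Classify whether the response carries the same CD bit as the query."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        return "not-a-response"
    if q["cd"] and not r["cd"]:
        return "cd-not-copied"   # what the post observed for goeast.ch's servers
    if not q["cd"] and r["cd"]:
        return "cd-set-unasked"
    return "ok"


if __name__ == "__main__":
    query = build_query("goeast.ch", cd=True)
    for copy_cd in (False, True):
        resp = fake_authoritative_response(query, copy_cd=copy_cd)
        print(f"copy_cd={copy_cd}: {check_cd_echo(query, resp)}", parse_header(resp))
```

To run the same check against live servers, capture the query and response bytes with a socket or a packet capture and feed them to check_cd_echo; the parsing above only looks at the 12-byte header, so truncation or record layout does not matter for it.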