[dns-operations] [Update] DNSSEC-related issues at nic.in DNS nameservers
Viktor Dukhovni
ietf-dane at dukhovni.org
Sat Jun 16 19:06:10 UTC 2018
It'd be great if someone from nic.in got in touch.
> On Jun 15, 2018, at 8:23 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> Please see:
>
> http://dnsviz.net/d/_25._tcp.mailgw.nic.in/WyPQCQ/dnssec/
Sadly, this is not the only MX host under "nic.in" with the problem.
> This affects email delivery from DANE-validating senders to
> ~200 or more receiving domains including nic.in.
Looking more closely I see 1839 such MX hosts serving 2209 domains,
with the domain counts for the top 5 as follows:
# domains | TLSA qname lookup
----------+----------------------------------------------------
255 | _25._tcp.mailgw.nic.in. IN TLSA ? ; ServFail
63 | _25._tcp.relay.nic.in. IN TLSA ? ; ServFail
47 | _25._tcp.vastu.nic.in. IN TLSA ? ; ServFail
38 | _25._tcp.vastu3.nic.in. IN TLSA ? ; ServFail
31 | _25._tcp.rajdistricts.nic.in. IN TLSA ? ; ServFail
> The IPv4 nameservers drop TLSA lookups, while queries to the
> sole IPv6 nameserver get through. Previously this has only
> been seen with misconfigured Arbor Networks firewalls that
> have a feature to allow only queries with selected RRtypes.
Nor surprisingly, this problem applies to all TLSA lookups
for the zone. Whatever firewall is filtering out TLSA
lookups, rather than allowing the lookup to return NXDOMAIN
needs urgent attention.
> DNSViz also reports issues with DNS over TCP, a potential
> IPv6 path MTU issue, ...
http://dnsviz.net/d/_25._tcp.rajdistricts.nic.in/WyVdlQ/dnssec/
TLSA lookups time out:
@ns6.nic.in[164.100.2.3]
; <<>> DiG 9.11.2-P1 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.rajdistricts.nic.in @164.100.2.3
;; connection timed out; no servers could be reached
"A" lookups get through:
@ns6.nic.in[164.100.2.3]
; <<>> DiG 9.11.2-P1 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t a _25._tcp.rajdistricts.nic.in @164.100.2.3
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12049
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;_25._tcp.rajdistricts.nic.in. IN A
nic.in. SOA nic.in. nsadmin.nic.in. 2018061508 1800 600 1209600 14400
nic.in. RRSIG SOA 5 2 1800 20180715105912 20180615105912 16320 nic.in.
rajdistricts.nic.in. NSEC www.rajdistricts.nic.in. A RRSIG NSEC
rajdistricts.nic.in. RRSIG NSEC 5 3 14400 20180715105912 20180615105912 16320 nic.in.
--
Viktor.
More information about the dns-operations
mailing list