[dns-operations] [Update] DNSSEC-related issues at nic.in DNS nameservers

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Jun 16 19:06:10 UTC 2018


It'd be great if someone from nic.in got in touch. 

> On Jun 15, 2018, at 8:23 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
> Please see:
> 
>  http://dnsviz.net/d/_25._tcp.mailgw.nic.in/WyPQCQ/dnssec/

Sadly, this is not the only MX host under "nic.in" with the problem.

> This affects email delivery from DANE-validating senders to
> ~200 or more receiving domains including nic.in.

Looking more closely I see 1839 such MX hosts serving 2209 domains,
with the domain counts for the top 5 as follows:

 # domains | TLSA qname lookup
 ----------+----------------------------------------------------
       255 |  _25._tcp.mailgw.nic.in. IN TLSA ? ; ServFail
        63 |  _25._tcp.relay.nic.in. IN TLSA ? ; ServFail
        47 |  _25._tcp.vastu.nic.in. IN TLSA ? ; ServFail
        38 |  _25._tcp.vastu3.nic.in. IN TLSA ? ; ServFail
        31 |  _25._tcp.rajdistricts.nic.in. IN TLSA ? ; ServFail

> The IPv4 nameservers drop TLSA lookups, while queries to the
> sole IPv6 nameserver get through.  Previously this has only
> been seen with misconfigured Arbor Networks firewalls that
> have a feature to allow only queries with selected RRtypes.

Not surprisingly, this problem applies to all TLSA lookups
for the zone.  Whatever firewall is filtering out TLSA
lookups, rather than allowing the lookup to return NXDOMAIN,
needs urgent attention.

> DNSViz also reports issues with DNS over TCP, a potential
> IPv6 path MTU issue, ...

http://dnsviz.net/d/_25._tcp.rajdistricts.nic.in/WyVdlQ/dnssec/

TLSA lookups time out:

@ns6.nic.in[164.100.2.3]
; <<>> DiG 9.11.2-P1 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.rajdistricts.nic.in @164.100.2.3
;; connection timed out; no servers could be reached

"A" lookups get through:

@ns6.nic.in[164.100.2.3]
; <<>> DiG 9.11.2-P1 <<>> +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t a _25._tcp.rajdistricts.nic.in @164.100.2.3
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12049
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;_25._tcp.rajdistricts.nic.in. IN A
nic.in.                 SOA     nic.in. nsadmin.nic.in. 2018061508 1800 600 1209600 14400
nic.in.                 RRSIG   SOA 5 2 1800 20180715105912 20180615105912 16320 nic.in.
rajdistricts.nic.in.    NSEC    www.rajdistricts.nic.in. A RRSIG NSEC
rajdistricts.nic.in.    RRSIG   NSEC 5 3 14400 20180715105912 20180615105912 16320 nic.in.

-- 
	Viktor.
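As an added example, not part of Viktor's post: a stdlib-only Python probe that reproduces the A-vs-TLSA comparison shown above against an authoritative server and flags the "A answers, TLSA times out" pattern that points at RRtype filtering. The nameserver address and owner names are taken from the post; the EDNS UDP buffer size (1232) and the 3 second timeout are my assumptions.

```python
import socket
import struct

TYPE_A, TYPE_TLSA = 1, 52
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(qname: str, qtype: int, qid: int = 0x1234) -> bytes:
    """Wire-format query mirroring the dig flags above: RD clear (+norecur),
    one question, and an EDNS0 OPT record with the DO bit set (+dnssec)."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = name + struct.pack("!HH", qtype, 1)           # class IN
    # OPT RR: root name, type 41, UDP size 1232 (assumed), TTL field carries DO=0x8000
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def parse_rcode(response: bytes) -> str:
    """RCODE is the low four bits of the flags word in the DNS header."""
    _, flags = struct.unpack("!HH", response[:4])
    return RCODE_NAMES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))

def probe(ns_ip: str, qname: str, qtype: int, timeout: float = 3.0):
    """Send one UDP query to the authoritative server; None means it timed out."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype), (ns_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_rcode(data)

def classify(a_rcode, tlsa_rcode) -> str:
    """Compare the A and TLSA results for the same owner name at one server."""
    if a_rcode is None:
        return "unreachable: even the A query got no answer"
    if tlsa_rcode is None:
        return "RRtype filtering suspected: A answered, TLSA timed out"
    if a_rcode == "NXDOMAIN" and tlsa_rcode != "NXDOMAIN":
        return "inconsistent: A says NXDOMAIN but TLSA says " + tlsa_rcode
    return "consistent: A=%s TLSA=%s" % (a_rcode, tlsa_rcode)

if __name__ == "__main__":
    NS = "164.100.2.3"  # ns6.nic.in, as queried in the post
    for host in ("mailgw.nic.in", "relay.nic.in", "rajdistricts.nic.in"):
        owner = "_25._tcp." + host
        verdict = classify(probe(NS, owner, TYPE_A), probe(NS, owner, TYPE_TLSA))
        print(owner, "->", verdict)
```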