[dns-operations] Cluster of DNSSEC issues for domaincontrol.com (GoDaddy) hosted domains
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Aug 12 13:35:11 UTC 2019

Some domaincontrol.com nameservers are not returning valid denial
of existence for one or more MX hosts of at least ~86 domains:

    http://imrryr.org/~viktor/dnsviz/domaincontrol.html

For example (RRSIG RRs elided), pdns04 (in contrast to pdns03) is
presently returning no NSEC3 records for the domain below:

    @pdns03.domaincontrol.com.[97.74.111.51]
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46259
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
    ;_25._tcp.mail1.a123.net. IN TLSA
    a123.net. SOA pdns03.domaincontrol.com. ns1.a123.net. 2017072863 7200 900 604800 600
    vidnm8m18lcfv441oso9gvrkbqmk452h.a123.net. NSEC3 1 0 1 - 269AR9M5MKTJET4C2P65MNMBSPADJ8FT
    fgpabvajaoghtufsak8ivuvcfesj4a6f.a123.net. NSEC3 1 0 1 - HALIN073NTMF9OUEAVU6BHRN8TDCBTED A MX TXT RRSIG
    269ar9m5mktjet4c2p65mnmbspadj8ft.a123.net. NSEC3 1 0 1 - 4387EUBR24GARBSEF5KOQ1SJVK9VS0BV A TXT RRSIG

    @pdns04.domaincontrol.com.[173.201.79.51]
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36250
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
    ;_25._tcp.mail1.a123.net. IN TLSA
    a123.net. SOA pdns03.domaincontrol.com. ns1.a123.net. 2017072863 7200 900 604800 600

    [ Related NSEC3 hashes ]
    h1knsbedfjsaiin7uh9uilnmrbj0t58q. _tcp.mail1.a123.net
    05koth1pmnsqurc5u18sh6mnu39rphc3. *.mail1.a123.net
    269ar9m5mktjet4c2p65mnmbspadj8ft. mail1.a123.net

It'd be great if someone from GoDaddy would look into these.
--
Viktor.
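
Added example (not part of the original post, and not the author's tooling): a Python check of the RFC 5155 closest-encloser proof that a validating resolver expects in an NXDOMAIN answer, run over the NSEC3 owner/next pairs quoted above. The function names are illustrative; the hash parameters (SHA-1, 1 iteration, empty salt) are the "1 0 1 -" shown in the records.

```python
import base64
import hashlib

# NSEC3 uses base32hex (RFC 4648); map the standard base32 alphabet onto it.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt=b"", iterations=1):
    """RFC 5155 hash (algorithm 1, SHA-1) of a domain name, lowercase base32hex."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # "iterations" counts the extra rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

def covers(owner, nxt, h):
    """True if hash h lies strictly between an NSEC3 owner hash and its next hash."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt          # last record in the chain wraps around

def nxdomain_proof(qname, nsec3s):
    """Closest-encloser proof check; nsec3s is a list of (owner_hash, next_hash)."""
    nsec3s = [(o.lower(), n.lower()) for o, n in nsec3s]
    owners = {o for o, _ in nsec3s}
    is_covered = lambda name: any(covers(o, n, nsec3_hash(name)) for o, n in nsec3s)
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if nsec3_hash(encloser) in owners:           # closest encloser is proven
            next_closer = ".".join(labels[i - 1:])
            return is_covered(next_closer) and is_covered("*." + encloser)
    return False                                     # no usable NSEC3: answer is bogus

# (owner, next) hash pairs copied from the two responses quoted in the post.
PDNS03 = [
    ("vidnm8m18lcfv441oso9gvrkbqmk452h", "269AR9M5MKTJET4C2P65MNMBSPADJ8FT"),
    ("fgpabvajaoghtufsak8ivuvcfesj4a6f", "HALIN073NTMF9OUEAVU6BHRN8TDCBTED"),
    ("269ar9m5mktjet4c2p65mnmbspadj8ft", "4387EUBR24GARBSEF5KOQ1SJVK9VS0BV"),
]
PDNS04 = []                                          # SOA only, no NSEC3 records
QNAME = "_25._tcp.mail1.a123.net."

if __name__ == "__main__":
    for server, records in (("pdns03", PDNS03), ("pdns04", PDNS04)):
        print(server, "valid denial of existence:", nxdomain_proof(QNAME, records))
```

Signature validation of the NSEC3 RRsets is out of scope here, since the post elides the RRSIG records; the check covers only the presence and coverage of the three NSEC3 roles (closest encloser match, next-closer cover, wildcard cover).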