[dns-operations] Fwd: Why is ns.coccaregistry.org returning REFUSED to DNSKEY queries?

Mark Andrews marka at isc.org
Wed Aug 21 23:51:12 UTC 2019


ns.coccaregistry.org is serving 3 DNSSEC signed ccTLDs (AF, SB, TL) yet it is incapable of returning
DNSKEY records for those TLDs.  This will break DNSSEC validation for every lookup in those ccTLDs
if this server is the only one reachable by the DNS clients.  This has been going on since at least April 2019.

Mark

> Begin forwarded message:
> 
> From: Mark Andrews <marka at isc.org>
> Subject: Why is ns.coccaregistry.org returning REFUSED to DNSKEY queries?
> Date: 8 April 2019 at 2:16:28 pm AEST
> To: hostmaster at coccaregistry.org
> 
> Why is ns.coccaregistry.org returning REFUSED to DNSKEY queries?
> Also why is it echoing back EDNS options when returning REFUSED?
> Also why is AD=1 in the REFUSED response?
> Also why is AA=1 in the REFUSED response?
> 
> % dig dnskey af. @185.17.236.111
> 
> ; <<>> DiG 9.15.0-dev <<>> dnskey af. @185.17.236.111
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 16189
> ;; flags: qr aa rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: b1626ff99509b9bf (echoed)
> ;; QUESTION SECTION:
> ;af.				IN	DNSKEY
> 
> ;; Query time: 316 msec
> ;; SERVER: 185.17.236.111#53(185.17.236.111)
> ;; WHEN: Mon Apr 08 14:12:00 AEST 2019
> ;; MSG SIZE  rcvd: 43
> 
> %
> 
> af. @185.17.236.111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok,yes ednstcp=refused
> af. @2a03:dd40:3::111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok,yes ednstcp=refused
> kn. @185.17.236.111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=refused
> kn. @2a03:dd40:3::111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=refused
> ms. @185.17.236.111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=refused
> ms. @2a03:dd40:3::111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=refused
> sb. @185.17.236.111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok,yes ednstcp=refused
> sb. @2a03:dd40:3::111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok,yes ednstcp=refused
> tl. @185.17.236.111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok,yes ednstcp=refused
> tl. @2a03:dd40:3::111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok,yes ednstcp=refused
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
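
Added example, not part of the original message: a Python check that parses a raw DNS response and reports the three properties the forwarded message asks about (AA=1, AD=1 and an echoed EDNS COOKIE on a REFUSED answer). The function names are hypothetical, and the sample bytes are constructed from the fields shown in the dig output above.

```python
import struct

REFUSED = 5
OPT, COOKIE = 41, 10  # EDNS OPT RR type, COOKIE option code

def skip_name(msg, off):
    """Return the offset just past the domain name starting at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += 1 + n

def audit_refused(msg, sent_cookie):
    """List header/EDNS oddities in a REFUSED response (empty if not REFUSED)."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    findings = []
    if flags & 0x000F != REFUSED:
        return findings
    if flags & 0x0400:
        findings.append("AA=1 in REFUSED response")
    if flags & 0x0020:
        findings.append("AD=1 in REFUSED response")
    off = 12
    for _ in range(qd):           # question: name + type + class
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar): # walk every RR looking for OPT
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        end = off + rdlen
        while rtype == OPT and off + 4 <= end:
            code, olen = struct.unpack_from("!HH", msg, off)
            data = msg[off + 4:off + 4 + olen]
            # Same bytes as the client cookie we sent, no server part added
            if code == COOKIE and data == sent_cookie:
                findings.append("EDNS COOKIE echoed in REFUSED response")
            off += 4 + olen
        off = end
    return findings

# Constructed 43-byte response rebuilt from the fields dig printed above.
SENT_COOKIE = bytes.fromhex("b1626ff99509b9bf")
SAMPLE = bytes.fromhex(
    "3f3d 8525 0001 0000 0000 0001"      # id 16189, qr aa rd ad, rcode 5
    "02 6166 00 0030 0001"               # af. IN DNSKEY
    "00 0029 1000 00000000 000c"         # OPT, udp 4096, version 0
    "000a 0008 b1626ff99509b9bf")        # COOKIE, client part only
```
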
