[dns-operations] .PL DNSSEC broken again
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Jun 17 08:22:55 UTC 2019
On Mon, Jun 17, 2019 at 09:48:04AM +0200, bert hubert wrote:
> On the ever vigilant PowerDNS IRC channel, a big validating operator
> reported seeing .pl bogus PowerDNS responses on apparently unsigned .pl
> domain names.
>
> People looked into it and it appears .PL is handing out wrong NSEC3 records.
>
> We have no better diagnosis at this point, but this is not good for DNSSEC
> validation adoption. I hope .pl can look into this urgently.
Random sampling of unsigned .PL domains shows 18/20 working as
expected. Has the issue been resolved?
almides.pl. IN SOA ns1.domena.pl. hosting at agnat.pl. 2016060500 43200 1800 604800 3600 ; NoError AD=0
cemax.pl. IN SOA ns2.alte.pl. admin at alte.pl. 2016122000 10800 1800 604800 21600 ; NoError AD=0
dim-serwis.pl. IN SOA dns.home.pl. admin at home.pl. 1550160982 14400 7200 2419200 3600 ; NoError AD=0
goldmed.com.pl. IN SOA glen.ns.cloudflare.com. dns at cloudflare.com. 2031160434 10000 2400 604800 3600 ; NoError AD=0
harvestbasket.pl. IN SOA ns1.eurodns.com. hostmaster at eurodns.com. 2012011303 86400 7200 604800 86400 ; NoError AD=0
imt-host.pl. IN SOA ns1.nazwa.pl. biuro at nazwa.pl. 2008133200 28800 7200 604800 86400 ; NoError AD=0
kontombank.pl. IN SOA ns2.kei.pl. admin at kei.pl. 2019052301 10800 1800 604800 21600 ; NoError AD=0
ksiazkawyboru.pl. IN SOA ns1.hans.hosteurope.de. hostmaster at ksiazkawyboru.pl. 2018020822 16384 2048 1048576 2560 ; NoError AD=0
kupprawko.pl. IN SOA dns104.ovh.net. tech at ovh.net. 2019052201 86400 3600 3600000 300 ; NoError AD=0
metip.pl. IN SOA dns.home.pl. admin at home.pl. 1549531509 14400 7200 2419200 3600 ; NoError AD=0
mopsmm.pl. IN SOA dns.home.pl. admin at home.pl. 1545156738 14400 7200 2419200 3600 ; NoError AD=0
partywlo.pl. IN SOA ns1.anacom.pl. admin at samba.com.pl. 2018102402 3600 7200 1209600 86400 ; NoError AD=0
pianistka.com.pl. IN SOA dns1.nano.pl. admin at nano.pl. 2018041902 10800 1800 604800 3600 ; NoError AD=0
skupautlubin.pl. IN SOA ns1.aftermarket.pl. kontakt at aftermarket.pl. 1904022004 3600 15 86400 3600 ; NoError AD=0
stacjaimpreza.com.pl. IN SOA ns1.microhost.pl. hostmaster at stacjaimpreza.com.pl. 2018110708 1000 3600 1209600 86400 ; NoError AD=0
studiobak.pl. IN SOA dns1.mserwis.pl. tech at mserwis.pl. 2018052001 86400 7200 2419200 86400 ; NoError AD=0
ubezpieczeniaboleslawiec.pl. IN SOA dns.home.pl. admin at home.pl. 1538671072 14400 7200 2419200 3600 ; NoError AD=0
virtualtelecom.pl. IN SOA ns3.vtelecom.pl.virtualtelecom.pl. admin at virtualtelecom.pl. 2015100201 3600 86400 2419200 345600 ; NoError AD=0
grotagalos.pl. IN SOA ? ; ServFail AD=0
piotrkowianie.pl. IN SOA ? ; Timeout
For the two that are failing, .PL returns valid DoE for the DS RRset,
so the issue is south of the TLD zone. My hoard of .PL domains has
~1.4 million unsigned domains; 20 chosen at random should not be
too bad. Retrying again with 200 shows just 5 failing to resolve,
and again all have valid DS denial of existence from the TLD.
--
Viktor.
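
Added example, not part of the original message or of any tool used in the thread: a sketch of the NSEC3 arithmetic behind a "valid DS denial of existence" check for an unsigned delegation, using the RFC 5155 hash and the matching or opt-out covering test. The function names, the sample name `unsigned.example`, and the salt, iteration count and NSEC3 records are constructed (not the real .PL chain); it assumes the queried name is a direct child of the zone apex and that RRSIG validation happens elsewhere.

```python
import base64
import hashlib

# base32 (RFC 4648) -> base32hex alphabet, as used for NSEC3 owner names
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical (lowercased) DNS wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 hash (SHA-1), returned as lowercase base32hex."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):  # 'iterations' counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode().lower()

def covers(owner, nxt, target):
    """True if target sorts strictly between owner and next (last record wraps)."""
    if owner < nxt:
        return owner < target < nxt
    return target > owner or target < nxt

def ds_denial(name, salt_hex, iterations, nsec3_records):
    """Classify the DS denial for `name`, assumed a direct child of the apex.

    nsec3_records: (owner_hash, next_hash, opt_out, types) tuples taken from
    the authority section; signature validation is assumed done elsewhere.
    """
    h = nsec3_hash(name, salt_hex, iterations)
    for owner, nxt, opt_out, types in nsec3_records:
        if owner == h:  # matching NSEC3: the type bitmap decides
            return "ds-exists" if "DS" in types else "matched-no-ds"
        if opt_out and covers(owner, nxt, h):  # insecure delegation in an opt-out span
            return "covered-opt-out"
    return "no-proof"  # a validator would treat the referral as bogus

if __name__ == "__main__":
    # Constructed parameters and records, not the real .pl NSEC3 chain.
    salt, iters = "aabbccdd", 12
    records = [("0" * 32, "v" * 32, True, {"NS"})]
    print(nsec3_hash("unsigned.example", salt, iters),
          ds_denial("unsigned.example", salt, iters, records))
```

A "no-proof" result for a name with no DS is the condition a validating resolver reports as bogus for an otherwise unsigned domain.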