[dns-operations] .PL DNSSEC broken again

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Jun 17 08:22:55 UTC 2019 

On Mon, Jun 17, 2019 at 09:48:04AM +0200, bert hubert wrote:

> On the ever vigilant PowerDNS IRC channel, a big validating operator
> reported seeing .pl bogus PowerDNS responses on apparently unsigned .pl
> domain names.
> 
> People looked into it and it appears .PL is handing out wrong NSEC3 records.
> 
> We have no better diagnosis at this point, but this is not good for DNSSEC
> validation adoption. I hope .pl can look into this urgently.

Random sampling of unsigned .PL domains shows 18/20 working as
expected.  Has the issue been resolved?

    almides.pl. IN SOA ns1.domena.pl. hosting at agnat.pl. 2016060500 43200 1800 604800 3600 ; NoError AD=0
    cemax.pl. IN SOA ns2.alte.pl. admin at alte.pl. 2016122000 10800 1800 604800 21600 ; NoError AD=0
    dim-serwis.pl. IN SOA dns.home.pl. admin at home.pl. 1550160982 14400 7200 2419200 3600 ; NoError AD=0
    goldmed.com.pl. IN SOA glen.ns.cloudflare.com. dns at cloudflare.com. 2031160434 10000 2400 604800 3600 ; NoError AD=0
    harvestbasket.pl. IN SOA ns1.eurodns.com. hostmaster at eurodns.com. 2012011303 86400 7200 604800 86400 ; NoError AD=0
    imt-host.pl. IN SOA ns1.nazwa.pl. biuro at nazwa.pl. 2008133200 28800 7200 604800 86400 ; NoError AD=0
    kontombank.pl. IN SOA ns2.kei.pl. admin at kei.pl. 2019052301 10800 1800 604800 21600 ; NoError AD=0
    ksiazkawyboru.pl. IN SOA ns1.hans.hosteurope.de. hostmaster at ksiazkawyboru.pl. 2018020822 16384 2048 1048576 2560 ; NoError AD=0
    kupprawko.pl. IN SOA dns104.ovh.net. tech at ovh.net. 2019052201 86400 3600 3600000 300 ; NoError AD=0
    metip.pl. IN SOA dns.home.pl. admin at home.pl. 1549531509 14400 7200 2419200 3600 ; NoError AD=0
    mopsmm.pl. IN SOA dns.home.pl. admin at home.pl. 1545156738 14400 7200 2419200 3600 ; NoError AD=0
    partywlo.pl. IN SOA ns1.anacom.pl. admin at samba.com.pl. 2018102402 3600 7200 1209600 86400 ; NoError AD=0
    pianistka.com.pl. IN SOA dns1.nano.pl. admin at nano.pl. 2018041902 10800 1800 604800 3600 ; NoError AD=0
    skupautlubin.pl. IN SOA ns1.aftermarket.pl. kontakt at aftermarket.pl. 1904022004 3600 15 86400 3600 ; NoError AD=0
    stacjaimpreza.com.pl. IN SOA ns1.microhost.pl. hostmaster at stacjaimpreza.com.pl. 2018110708 1000 3600 1209600 86400 ; NoError AD=0
    studiobak.pl. IN SOA dns1.mserwis.pl. tech at mserwis.pl. 2018052001 86400 7200 2419200 86400 ; NoError AD=0
    ubezpieczeniaboleslawiec.pl. IN SOA dns.home.pl. admin at home.pl. 1538671072 14400 7200 2419200 3600 ; NoError AD=0
    virtualtelecom.pl. IN SOA ns3.vtelecom.pl.virtualtelecom.pl. admin at virtualtelecom.pl. 2015100201 3600 86400 2419200 345600 ; NoError AD=0

    grotagalos.pl. IN SOA ? ; ServFail AD=0
    piotrkowianie.pl. IN SOA ? ; Timeout

For the two that are failing .PL returns valid DoE for the DS RRset,
so the issue is south of the TLD zone.  My hoard of .PL domains has
~1.4 million unsigned domains, 20 chosen at random should not be
too bad.  Retrying again with 200, shows just 5 failing to resolve,
and again all have valid DS denial of existence from the TLD.

-- 
	Viktor.

More information about the dns-operations mailing list