[dns-operations] [Solved] (not just) Quad9 denial of existence for _25._tcp.mx1.p01.antagonist.nl IN TLSA

Martijn Reening martijn at reening.net
Thu Nov 28 11:55:06 UTC 2019


In the first message I forgot to mention that I work for Antagonist.
Thank you for investigating this issue further. We have updated the glue
for this domain accordingly.

Several months ago we moved ns3.antagonist.de to a different server.
Unfortunately we have overlooked glue records for this domain. They were
only updated for ns1.antagonist.nl.

The old glue record pointed to the old nameserver that was still
running, but only served stale data. This server did not have the _tcp
ENT, because the _25._tcp TLSA record did not exist. The updated
nameserver should serve the same fresh data as ns1 and ns2.

Again, thank you for investigating this issue.

On 28/11/2019 03:55, Viktor Dukhovni wrote:
> Root cause found, the antagonist.nl domain has 3 listed nameservers:
> 
>     ns1.antagonist.nl.
>     ns2.antagonist.net.
>     ns3.antagonist.de.
> 
> but the IP address returned by the actual antagonist.de zone:
> 
>     ns3.antagonist.de. IN A 139.162.173.192
> 
> differs from the glue record returned from the .DE zone:
> 
>     ns3.antagonist.de. IN A 66.228.42.134
> 
> And it is this 66.228.42.134 (returned in the .DE glue) nameserver that is
> serving freshly signed denial of existence for _tcp.mx1.p01.antagonist.nl.
> 

-- 
Kind regards,
Met vriendelijke groet,

Martijn Reening
Systems and Network Engineer
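
The mismatch described in this thread (parent-side glue for ns3.antagonist.de differing from the address published in the antagonist.de zone itself) can be checked mechanically. The following is an added example, not code from the thread or from Antagonist; it assumes the two sets of records have already been collected in zone-file presentation format, and the TTLs and the ns1 address are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input. The two ns3 addresses are the ones quoted in the
# thread; the TTLs and the ns1 address (documentation range) are made up.
PARENT_GLUE = """
ns3.antagonist.de.  86400 IN A 66.228.42.134   ; glue from the .DE zone
ns1.antagonist.nl.  3600  IN A 192.0.2.53
"""
CHILD_AUTH = """
NS3.antagonist.de.  3600 IN A 139.162.173.192  ; answer from the zone itself
ns1.antagonist.nl.  3600 IN A 192.0.2.53
"""

def parse_addresses(text):
    """Map lower-cased owner name (no trailing dot) -> set of A/AAAA addresses."""
    out = defaultdict(set)
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop comments, tokenise
        if len(fields) < 4:
            continue
        owner, rtype, rdata = fields[0], fields[-2].upper(), fields[-1]
        if rtype not in ("A", "AAAA"):
            continue
        # ip_address() normalises IPv6 spellings so equal addresses compare equal
        out[owner.lower().rstrip(".")].add(ipaddress.ip_address(rdata))
    return out

def glue_mismatches(parent_text, child_text):
    """Return {nameserver: {"stale_glue": [...], "missing_glue": [...]}}.

    stale_glue   = addresses the parent hands out that the child does not publish
    missing_glue = addresses the child publishes that the parent does not hand out
    A nameserver with no child-side data is reported with all of its glue as stale.
    """
    parent, child = parse_addresses(parent_text), parse_addresses(child_text)
    report = {}
    for name in sorted(parent):
        auth = child.get(name, set())
        stale = sorted(str(a) for a in parent[name] - auth)
        missing = sorted(str(a) for a in auth - parent[name])
        if stale or missing:
            report[name] = {"stale_glue": stale, "missing_glue": missing}
    return report

if __name__ == "__main__":
    for ns, diff in glue_mismatches(PARENT_GLUE, CHILD_AUTH).items():
        print(ns, diff)
```

Any address reported as stale glue is a server that resolvers may still be sent to by the parent zone, so it should either be updated at the registry or confirmed to serve current zone data.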
