[dns-operations] Formerly Verisign (now Neustar) public DNS no DS DoE?
Viktor Dukhovni
ietf-dane at dukhovni.org
Sat Dec 5 05:40:09 UTC 2020
Until quite recently (just a few days ago), the Verisign public DNS
servers at: 64.6.64.6, 64.6.65.6, 2620:74:1b::1:1, 2620:74:1c::2:2
were *validating* resolvers. When client requests set either the
AD or the DO bit, the expected thing happened.
It seems that yesterday the service moved to Neustar:
https://www.verisign.com/en_US/security-services/public-dns/index.xhtml
and the new servers no longer return denial of existence proofs for DS
lookups (breaking DNSSEC for downstream validating resolvers), e.g.:
https://dnsviz.net/d/letsencrypt.org/e/344962/dnssec/
https://dnsviz.net/d/letsencrypt.org/e/344962/responses/
$ for ip in 64.6.64.6 64.6.65.6 2620:74:1b::1:1 2620:74:1c::2:2
do printf "\n-- $ip:\n"
dig +noall +comment +ans +auth +dnssec +ad -t ds letsencrypt.org. @$ip
done
-- 64.6.64.6:
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26081
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
-- 64.6.65.6:
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42866
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
-- 2620:74:1b::1:1:
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48361
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
-- 2620:74:1c::2:2:
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45546
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
Is this a feature or a bug?
--
Viktor.
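An added check, not part of Viktor's post: a POSIX shell/awk classifier for the output of the dig command used above. A DS query to a resolver for a name under a signed parent must come back one of two ways: a DS RRset (with its RRSIG) in the ANSWER section, or an NSEC/NSEC3 record (with its RRSIG) in the AUTHORITY section proving that no DS exists. An empty NOERROR with AUTHORITY: 0, as in the captures above, is neither, and a downstream validator has nothing to validate. The three samples are constructed for this example: the "broken" one is the 64.6.64.6 response from the post, the other two use the hypothetical zone `example.` with placeholder hashes and signatures; the function names are mine.

```shell
#!/bin/sh
# Classify a "dig +noall +comment +ans +auth +dnssec -t ds <name>" response
# read from stdin. Prints exactly one of:
#   SECURE   - DS RRset in ANSWER: the child is signed
#   INSECURE - no DS, but AUTHORITY carries NSEC/NSEC3 + RRSIG: a signed
#              denial-of-existence proof a downstream validator can check
#   BROKEN   - no DS and no proof (the failure mode in the post)
#   ERROR    - rcode other than NOERROR
classify_ds_response() {
    awk '
        /^;; ->>HEADER<<-/ {
            if (match($0, /status: [A-Z]+/))
                status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; ANSWER SECTION:/    { section = "answer";    next }
        /^;; AUTHORITY SECTION:/ { section = "authority"; next }
        /^;; / { section = "" }      # any other ";; " comment ends a section
        /^;/   { next }              # skip remaining comment lines
        # Record lines are "<owner> <ttl> <class> <type> <rdata...>"
        section == "answer"    && $4 == "DS"                       { ds = 1 }
        section == "authority" && ($4 == "NSEC" || $4 == "NSEC3")  { nsec = 1 }
        section == "authority" && $4 == "RRSIG"                    { rrsig = 1 }
        END {
            if (status != "NOERROR") print "ERROR"
            else if (ds)             print "SECURE"
            else if (nsec && rrsig)  print "INSECURE"
            else                     print "BROKEN"
        }
    '
}

# Live probe against a real resolver (needs network and dig). Not exercised
# by the offline samples below; the dig flags are the ones used in the post.
probe_resolver_ds() {   # usage: probe_resolver_ds <name> <resolver-ip>
    dig +noall +comment +ans +auth +dnssec +ad -t ds "$1" @"$2" | classify_ds_response
}

# Constructed sample 1: the response captured from 64.6.64.6 in the post.
sample_broken() {
cat <<'EOF'
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26081
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
EOF
}

# Constructed sample 2: what a validating resolver should return for an
# unsigned child of a signed parent (hypothetical zone "example.", placeholder
# NSEC3 hashes and base64 signatures).
sample_insecure_proof() {
cat <<'EOF'
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096

;; AUTHORITY SECTION:
example. 900 IN SOA ns1.example. hostmaster.example. 2020120501 1800 900 604800 86400
example. 900 IN RRSIG SOA 8 1 900 20201219000000 20201205000000 12345 example. c29hLXNpZw==
H1H1H1H1H1H1H1H1H1H1H1H1H1H1H1H1.example. 86400 IN NSEC3 1 1 0 - H2H2H2H2H2H2H2H2H2H2H2H2H2H2H2H2 NS SOA RRSIG DNSKEY NSEC3PARAM
H1H1H1H1H1H1H1H1H1H1H1H1H1H1H1H1.example. 86400 IN RRSIG NSEC3 8 2 86400 20201219000000 20201205000000 12345 example. bnNlYzMtc2ln
EOF
}

# Constructed sample 3: a signed child, DS RRset present (placeholder digest).
sample_secure() {
cat <<'EOF'
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4343
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096

;; ANSWER SECTION:
signed.example. 3600 IN DS 12345 8 2 0000000000000000000000000000000000000000000000000000000000000000
signed.example. 3600 IN RRSIG DS 8 2 3600 20201219000000 20201205000000 12345 example. ZHMtc2ln
EOF
}

for s in sample_broken sample_insecure_proof sample_secure; do
    printf '%s: %s\n' "$s" "$($s | classify_ds_response)"
done
```

To probe a resolver, run `probe_resolver_ds letsencrypt.org. 64.6.64.6` (or any other name whose parent is signed but which has no DS); anything other than INSECURE or SECURE means the resolver is not usable as a forwarder for a validating resolver. The check keys on record types only and deliberately ignores the AD flag, which a downstream validator neither needs nor trusts from an upstream it did not validate itself.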