[dns-operations] which breakage is this? *.org

Mark Andrews marka at isc.org
Tue Nov 3 01:07:10 UTC 2020


The anycast server is misconfigured.  Some instances return DNS COOKIE responses and some don’t.

[beetle:~/git/bind9] marka% dig dnskey @2001:500:b::1 org +nsi

; <<>> DiG 9.15.4 <<>> dnskey @2001:500:b::1 org +nsi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33145
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; NSID: 6e 73 30 30 30 62 2e 61 70 70 37 2e 6e 72 74 31 2e 61 66 69 6c 69 61 73 2d 6e 73 74 2e 69 6e 66 6f ("ns000b.app7.nrt1.afilias-nst.info")
;; QUESTION SECTION:
;org.				IN	DNSKEY

;; ANSWER SECTION:
org.			900	IN	DNSKEY	257 3 8 AwEAAexZJ/1wfyNCxNPrTZizaG7UlibGhP+AyogR6bqjptKweEgE4gD8 GxRQJkt+Fn5pCoNqzmm1ZnEoKqvm93uOYtbKkYQDGH+W69J66MSKpgIy S+mT/4iaXn+lpb5o99l/sf7lHMa975O/fqN6aPUll4hUbN2T1LHv6HzQ uQCtNRJA8jHGwX5q0NMmh2Z+yaG6B9cISerje9l5L+ID2ydJ6zXquYte oIUvX2xzqnXCdHPSvD+oL6R/weW+tztdFS1hok/1z3tn5NzmcaOLll9n XniCozEpLFEGPswyvtphWgCYhI8bBTqhUsIwfIwLSBQTEg2oCX7sS5Cb Xg44OqwhIW8=
org.			900	IN	DNSKEY	256 3 8 AwEAAeyU2rU2Fpatuu5eJ0htiV+vSA/dLoM4ID73SBkI5AOuc/gdpxFq gDzDyU7oQRbWSvz2oAXThIC7jw81fsCovYnS3a+VOQnqWK19TOPputZe 1JsNCJYpcvDCf8vevCc7R8ciA+cuGvW/fM6mmiHVG4Haka9SHQXXbk6K ktkPtDUt
org.			900	IN	DNSKEY	256 3 8 AwEAAeLN9V09yYMX1uJe79mgf5GvynVUNsbzm32kD1quIZlVfx1k3I3Y TT0bJPAVv8BggG2U6hSNlTvfb3AbnzRxyiJCJmzQ+JIzVAWI3EeiVHWF 7eLJHxsYsyz2Vx+kxmIQDQ1Efn14JmcoWHrd0I+c+drAYyW+vNn2xP1j G32efk7l

;; Query time: 335 msec
;; SERVER: 2001:500:b::1#53(2001:500:b::1)
;; WHEN: Tue Nov 03 12:03:23 AEDT 2020
;; MSG SIZE  rcvd: 641


[beetle:~/git/bind9] marka% dig dnskey @2001:500:b::1 org +nsi

; <<>> DiG 9.15.4 <<>> dnskey @2001:500:b::1 org +nsi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54031
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; NSID: 6e 73 30 30 30 62 2e 61 70 70 32 32 2e 6e 72 74 31 2e 61 66 69 6c 69 61 73 2d 6e 73 74 2e 69 6e 66 6f ("ns000b.app22.nrt1.afilias-nst.info")
;; QUESTION SECTION:
;org.				IN	DNSKEY

;; ANSWER SECTION:
org.			900	IN	DNSKEY	256 3 8 AwEAAeyU2rU2Fpatuu5eJ0htiV+vSA/dLoM4ID73SBkI5AOuc/gdpxFq gDzDyU7oQRbWSvz2oAXThIC7jw81fsCovYnS3a+VOQnqWK19TOPputZe 1JsNCJYpcvDCf8vevCc7R8ciA+cuGvW/fM6mmiHVG4Haka9SHQXXbk6K ktkPtDUt
org.			900	IN	DNSKEY	256 3 8 AwEAAeLN9V09yYMX1uJe79mgf5GvynVUNsbzm32kD1quIZlVfx1k3I3Y TT0bJPAVv8BggG2U6hSNlTvfb3AbnzRxyiJCJmzQ+JIzVAWI3EeiVHWF 7eLJHxsYsyz2Vx+kxmIQDQ1Efn14JmcoWHrd0I+c+drAYyW+vNn2xP1j G32efk7l
org.			900	IN	DNSKEY	257 3 8 AwEAAexZJ/1wfyNCxNPrTZizaG7UlibGhP+AyogR6bqjptKweEgE4gD8 GxRQJkt+Fn5pCoNqzmm1ZnEoKqvm93uOYtbKkYQDGH+W69J66MSKpgIy S+mT/4iaXn+lpb5o99l/sf7lHMa975O/fqN6aPUll4hUbN2T1LHv6HzQ uQCtNRJA8jHGwX5q0NMmh2Z+yaG6B9cISerje9l5L+ID2ydJ6zXquYte oIUvX2xzqnXCdHPSvD+oL6R/weW+tztdFS1hok/1z3tn5NzmcaOLll9n XniCozEpLFEGPswyvtphWgCYhI8bBTqhUsIwfIwLSBQTEg2oCX7sS5Cb Xg44OqwhIW8=

;; Query time: 769 msec
;; SERVER: 2001:500:b::1#53(2001:500:b::1)
;; WHEN: Tue Nov 03 12:03:28 AEDT 2020
;; MSG SIZE  rcvd: 642

[beetle:~/git/bind9] marka% dig dnskey @2001:500:b::1 org +nsi

; <<>> DiG 9.15.4 <<>> dnskey @2001:500:b::1 org +nsi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51346
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; NSID: 6e 73 30 30 30 62 2e 61 70 70 31 36 2e 6e 72 74 31 2e 61 66 69 6c 69 61 73 2d 6e 73 74 2e 69 6e 66 6f ("ns000b.app16.nrt1.afilias-nst.info")
; COOKIE: 338c8cd8104e76067db04fd75fa0ac624af12950ec015e70 (good)
;; QUESTION SECTION:
;org.				IN	DNSKEY

;; ANSWER SECTION:
org.			900	IN	DNSKEY	256 3 8 AwEAAeyU2rU2Fpatuu5eJ0htiV+vSA/dLoM4ID73SBkI5AOuc/gdpxFq gDzDyU7oQRbWSvz2oAXThIC7jw81fsCovYnS3a+VOQnqWK19TOPputZe 1JsNCJYpcvDCf8vevCc7R8ciA+cuGvW/fM6mmiHVG4Haka9SHQXXbk6K ktkPtDUt
org.			900	IN	DNSKEY	257 3 8 AwEAAexZJ/1wfyNCxNPrTZizaG7UlibGhP+AyogR6bqjptKweEgE4gD8 GxRQJkt+Fn5pCoNqzmm1ZnEoKqvm93uOYtbKkYQDGH+W69J66MSKpgIy S+mT/4iaXn+lpb5o99l/sf7lHMa975O/fqN6aPUll4hUbN2T1LHv6HzQ uQCtNRJA8jHGwX5q0NMmh2Z+yaG6B9cISerje9l5L+ID2ydJ6zXquYte oIUvX2xzqnXCdHPSvD+oL6R/weW+tztdFS1hok/1z3tn5NzmcaOLll9n XniCozEpLFEGPswyvtphWgCYhI8bBTqhUsIwfIwLSBQTEg2oCX7sS5Cb Xg44OqwhIW8=
org.			900	IN	DNSKEY	256 3 8 AwEAAeLN9V09yYMX1uJe79mgf5GvynVUNsbzm32kD1quIZlVfx1k3I3Y TT0bJPAVv8BggG2U6hSNlTvfb3AbnzRxyiJCJmzQ+JIzVAWI3EeiVHWF 7eLJHxsYsyz2Vx+kxmIQDQ1Efn14JmcoWHrd0I+c+drAYyW+vNn2xP1j G32efk7l

;; Query time: 580 msec
;; SERVER: 2001:500:b::1#53(2001:500:b::1)
;; WHEN: Tue Nov 03 12:03:30 AEDT 2020
;; MSG SIZE  rcvd: 670

[beetle:~/git/bind9] marka% 

> On 3 Nov 2020, at 11:43, Jim Popovitch via dns-operations <dns-operations at dns-oarc.net> wrote:
> 
> 
> From: Jim Popovitch <jimpop at domainmail.org>
> Subject: which breakage is this? *.org
> Date: 3 November 2020 at 11:43:30 AEDT
> To: dns-operations at dns-oarc.net
> 
> 
> 
> From: https://dnsviz.net/d/freebsd.org/dnssec/
> 
> freebsd.org/DS (alg 8, id 32359): The server appears to support DNS cookies but did not return a COOKIE option. (2001:500:b::1, UDP_-_EDNS0_4096_D_K)
> freebsd.org/DS (alg 8, id 32359): The server appears to support DNS cookies but did not return a COOKIE option. (2001:500:b::1, UDP_-_EDNS0_4096_D_K)
> org/DNSKEY (alg 8, id 26974): The server appears to support DNS cookies but did not return a COOKIE option. (2001:500:b::1, UDP_-_EDNS0_4096_D_K)
> org/DNSKEY (alg 8, id 34266): The server appears to support DNS cookies but did not return a COOKIE option. (2001:500:b::1, UDP_-_EDNS0_4096_D_K)
> org/DNSKEY (alg 8, id 63858): The server appears to support DNS cookies but did not return a COOKIE option. (2001:500:b::1, UDP_-_EDNS0_4096_D_K)
> org/DNSKEY: The server appears to support DNS cookies but did not return a COOKIE option. (2001:500:b::1, UDP_-_EDNS0_512_D_K)
> 
> and from: https://dnsviz.net/d/netcool.org/dnssec/
> 
> netcool.org/DS (alg 13, id 50687): The server appears to support DNS cookies but did not return a COOKIE option. (2001:500:b::1, UDP_-_EDNS0_4096_D_K)
> netcool.org/DS (alg 13, id 50687): The server appears to support DNS cookies but did not return a COOKIE option. (2001:500:b::1, UDP_-_EDNS0_4096_D_K)
> org/DNSKEY (alg 8, id 26974): The server appears to support DNS cookies but did not return a COOKIE option. (2001:500:b::1, UDP_-_EDNS0_4096_D_K)
> org/DNSKEY (alg 8, id 34266): The server appears to support DNS cookies but did not return a COOKIE option. (2001:500:b::1, UDP_-_EDNS0_4096_D_K)
> org/DNSKEY (alg 8, id 63858): The server appears to support DNS cookies but did not return a COOKIE option. (2001:500:b::1, UDP_-_EDNS0_4096_D_K)
> org/DNSKEY: The server appears to support DNS cookies but did not return a COOKIE option. (2001:500:b::1, UDP_-_EDNS0_512_D_K)
> 
> Is .org having issues?
> 
> 
> -Jim P.
> 
> 
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org





More information about the dns-operations mailing list