[dns-operations] .ag outage

Jeroen Massar jeroen at massar.ch
Fri Nov 27 12:10:56 UTC 2020



> On 20201127, at 12:09, Thomas Mieslinger <miesi at mail.com> wrote:
> 
> Hi,
> 
> I received customer complaints that quad8 and some german broadband
> resolvers were unable to resolve .ag secondlevel domains.

Any outputs from 'dig' that show the problem?

Note that all DNS for hoevalmann.ag are located in the same ASN, more specifically 217.160.8{1234}.1/24.
which seems to be announced as a single /22 (217.160.80.0/22) by AS8560.

As such, if there is a routing issue towards 1and1-dns, things will be broken.

It is funny that they chose to use different TLDs but put all eggs in the same /22 + ASN :)

Seems quite a few people are interested in those IPs looking at the atlas measurements:
https://stat.ripe.net/217.160.80.0%2F22#tabId=activity

That kind of amount of activity indicates people seeing problems...

> peak.ag
> hoevelmann.ag
> sonnenschein.ag
> hostedoffice.ag
> 
> I run the authoritatives serving the first three examples and we've had
> no outage.
> 
> I don't understand the DNSEC keys in .ag and the intended change carried
> out with the current setup.
> 
> https://dnsviz.net/d/hoevelmann.ag/dnssec/

That just shows that upto .ag it is all signed, but there is no DNSSEC towards hoevelmann.ag.

That is fine if you do not want DNSSEC.

> Do you also see problems with .ag?

Nothing from my POV, dig +trace +dnssec works fine.


https://zonemaster.iis.se/en/?resultid=4cfd71ecabb03a16
says the same thing what I mention above: all DNS servers are in one single AS...

Greets,
 Jeroen





More information about the dns-operations mailing list