[dns-operations] Broken A and J root responses

Brian Dickson brian.peter.dickson at gmail.com
Fri Feb 26 19:34:14 UTC 2021


This is of interest to both resolver operators and Verisign.

We have noticed broken responses to certain query types from some instances
of A and J.
This was raised originally by David Kinzel, BTW, on the DNS-OARC Mattermost
channels.

We have seen queries for NSEC for both "jp" and "sl" return results that
could/would poison the root delegation NS set (and this was what David saw
that started the investigation).

See below for the query/response. Note the Authority section in particular.

Brian Dickson
GoDaddy

dig +do +norec @a.root-servers.net nsec sl. +nsid

; <<>> DiG 9.16.7 <<>> +do +norec @a.root-servers.net nsec sl. +nsid
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27231
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; NSID: 6e 6e 6e 31 2d 73 66 6f 37 ("nnn1-sfo7")
;; QUESTION SECTION:
;sl. IN NSEC

;; ANSWER SECTION:
sl. 86400 IN NSEC sling. NS RRSIG NSEC
sl. 86400 IN RRSIG NSEC 8 1 86400 20210311170000 20210226160000 42351 .
CQf3h+rHcoK2WSn7ItV8IQLb6yFFXSA+Lt86S58sm32u7QtTJsepap6r
LcREA16YEmr5N9U7ytPyqNZmH92q24XGAtB0bikn9iZXTuIDG6BztbLr
EqmDZ+lxutzmLDL2LOA9wcnk6TiKirxcId9j95Evy3gVNObAe94xvQIw
5LLtjeyQqRvWM+SAg7aXOyugedYIJtxUBVg9P7AHlLU+Z5HSfXo8EeJ9
NgyrkVnNnJNyJ7n02qNiyCiNm0lrkglWTbEAt5iquR6KiLlKcrB6ml3c
ZSqfTBv108Ev+iuL3W80kWJEpkwomPRVlF+2R4yCZt38kA0Xc0VBp4FR hTlGYA==

;; AUTHORITY SECTION:
. 172800 IN NS ns2.neoip.com.
. 172800 IN NS ns1.neoip.com.
. 518400 IN RRSIG NS 8 0 518400 20210311170000 20210226160000 42351 .
WTZU7GHTyNZvGFvc+avXpUgu26QDWaywDOoS0Ac8FQnuVnwvIbYpdoew
jMJFmZ5b7rWdzlJ6NgwURxLX7/0EOSDYk3sTdnjK9RtQbVtEBCueiSF4
3xkFNILgmiCYuoLQLHNpue/ORvEPMQUYif33KLoSgoX+qMLEqjrp14E0
qKmDCErjHkrV3uqRmvix5psxLSebhCz4WJeqPC3kIi6OcfGMQO5siI4L
gVNnw9Hmal7W9UJGokDbhcsnb51Q43rGlrfp6pBosiWYfJDys9YWg4jU
JUeShUFLH74SqavH+jQ0FsPoi5Vzbtfua3GUs0T67J2TpctlOjUBD3oz yX1g9g==

;; ADDITIONAL SECTION:
ns2.neoip.com. 172800 IN A 64.202.189.47
ns1.neoip.com. 172800 IN A 45.83.41.38

;; Query time: 21 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Fri Feb 26 11:12:15 PST 2021
;; MSG SIZE  rcvd: 719
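
Added example, not part of the original post: a resolver-side check over dig-format output that flags NS records owned by the root (".") whose targets fall outside the expected root server names, which is the condition visible in the Authority section above. The function names, the expected-set constant and the trimmed sample are assumptions made for this illustration.

```python
import re

# Assumption: the legitimate root NS set is a..m.root-servers.net.
EXPECTED_ROOT_NS = {f"{c}.root-servers.net." for c in "abcdefghijklm"}

# Constructed sample: trimmed from the dig output format above (RRSIG records omitted).
SAMPLE = """\
;; QUESTION SECTION:
;sl. IN NSEC
;; ANSWER SECTION:
sl. 86400 IN NSEC sling. NS RRSIG NSEC
;; AUTHORITY SECTION:
. 172800 IN NS ns2.neoip.com.
. 172800 IN NS ns1.neoip.com.
;; ADDITIONAL SECTION:
ns2.neoip.com. 172800 IN A 64.202.189.47
ns1.neoip.com. 172800 IN A 45.83.41.38
"""

def parse_sections(dig_text):
    """Split dig presentation output into {section: [(owner, ttl, type, rdata)]}."""
    sections, current = {}, None
    for line in dig_text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        # Skip comments, blanks, and anything before the first section header.
        if current is None or not line.strip() or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[2] == "IN":  # drops base64 continuation lines
            owner, ttl, _, rtype, rdata = parts
            sections[current].append((owner.lower(), int(ttl), rtype, rdata))
    return sections

def unexpected_root_ns(dig_text):
    """Return (section, ns_target, glue_addresses) for each unexpected root NS."""
    sections = parse_sections(dig_text)
    glue = {}
    for owner, _, rtype, rdata in sections.get("ADDITIONAL", []):
        if rtype in ("A", "AAAA"):
            glue.setdefault(owner, []).append(rdata)
    findings = []
    for sec in ("ANSWER", "AUTHORITY"):
        for owner, _, rtype, rdata in sections.get(sec, []):
            target = rdata.strip().lower()
            if owner == "." and rtype == "NS" and target not in EXPECTED_ROOT_NS:
                findings.append((sec, target, glue.get(target, [])))
    return findings
```

An empty list means every root NS record in the response names a host in the expected set; each finding also carries the glue addresses that arrived with the unexpected name.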