[dns-operations] Broken A and J root responses

Peter van Dijk peter.van.dijk at powerdns.com
Fri Feb 26 19:52:22 UTC 2021


I have confirmation that Verisign is on it.

On Fri, 2021-02-26 at 11:34 -0800, Brian Dickson wrote:
> This is of interest to both resolver operators and Verisign.
> 
> We have noticed broken responses to certain query types from some instances of A and J.
> This was raised originally by David Kinzel, BTW, on the DNS-OARC Mattermost channels.
> 
> We have seen queries for NSEC for both "jp" and "sl" return results that could/would poison the root delegation NS set (and this was what David saw that started the investigation).
> 
> See below for the query/response. Note the Authority section in particular.
> 
> Brian Dickson
> GoDaddy
> 
> dig +do +norec @a.root-servers.net nsec sl. +nsid
> 
> ; <<>> DiG 9.16.7 <<>> +do +norec @a.root-servers.net nsec sl. +nsid
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27231
> ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ; NSID: 6e 6e 6e 31 2d 73 66 6f 37 ("nnn1-sfo7")
> ;; QUESTION SECTION:
> ;sl.				IN	NSEC
> 
> ;; ANSWER SECTION:
> sl.			86400	IN	NSEC	sling. NS RRSIG NSEC
> sl.			86400	IN	RRSIG	NSEC 8 1 86400 20210311170000 20210226160000 42351 . CQf3h+rHcoK2WSn7ItV8IQLb6yFFXSA+Lt86S58sm32u7QtTJsepap6r LcREA16YEmr5N9U7ytPyqNZmH92q24XGAtB0bikn9iZXTuIDG6BztbLr EqmDZ+lxutzmLDL2LOA9wcnk6TiKirxcId9j95Evy3gVNObAe94xvQIw 5LLtjeyQqRvWM+SAg7aXOyugedYIJtxUBVg9P7AHlLU+Z5HSfXo8EeJ9 NgyrkVnNnJNyJ7n02qNiyCiNm0lrkglWTbEAt5iquR6KiLlKcrB6ml3c ZSqfTBv108Ev+iuL3W80kWJEpkwomPRVlF+2R4yCZt38kA0Xc0VBp4FR hTlGYA==
> 
> ;; AUTHORITY SECTION:
> .			172800	IN	NS	ns2.neoip.com.
> .			172800	IN	NS	ns1.neoip.com.
> .			518400	IN	RRSIG	NS 8 0 518400 20210311170000 20210226160000 42351 . WTZU7GHTyNZvGFvc+avXpUgu26QDWaywDOoS0Ac8FQnuVnwvIbYpdoew jMJFmZ5b7rWdzlJ6NgwURxLX7/0EOSDYk3sTdnjK9RtQbVtEBCueiSF4 3xkFNILgmiCYuoLQLHNpue/ORvEPMQUYif33KLoSgoX+qMLEqjrp14E0 qKmDCErjHkrV3uqRmvix5psxLSebhCz4WJeqPC3kIi6OcfGMQO5siI4L gVNnw9Hmal7W9UJGokDbhcsnb51Q43rGlrfp6pBosiWYfJDys9YWg4jU JUeShUFLH74SqavH+jQ0FsPoi5Vzbtfua3GUs0T67J2TpctlOjUBD3oz yX1g9g==
> 
> ;; ADDITIONAL SECTION:
> ns2.neoip.com.		172800	IN	A	64.202.189.47
> ns1.neoip.com.		172800	IN	A	45.83.41.38
> 
> ;; Query time: 21 msec
> ;; SERVER: 198.41.0.4#53(198.41.0.4)
> ;; WHEN: Fri Feb 26 11:12:15 PST 2021
> ;; MSG SIZE  rcvd: 719
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
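
One way a resolver operator could flag a response like the one quoted above, as an added example that is not part of the original thread: it parses dig text output and reports any NS record owned by the root whose target is outside the a-m `root-servers.net` names, together with the glue supplied for it. The function names are hypothetical, and `SAMPLE` is abridged from the quoted output with the RRSIG records omitted.

```python
import string

# Assumption: the only legitimate root NS targets are a-m.root-servers.net.
EXPECTED_ROOT_NS = {f"{c}.root-servers.net." for c in string.ascii_lowercase[:13]}

# Abridged from the dig output quoted in the thread (RRSIG records omitted).
SAMPLE = """\
;; QUESTION SECTION:
;sl.                    IN      NSEC

;; ANSWER SECTION:
sl.                     86400   IN      NSEC    sling. NS RRSIG NSEC

;; AUTHORITY SECTION:
.                       172800  IN      NS      ns2.neoip.com.
.                       172800  IN      NS      ns1.neoip.com.

;; ADDITIONAL SECTION:
ns2.neoip.com.          172800  IN      A       64.202.189.47
ns1.neoip.com.          172800  IN      A       45.83.41.38
"""

def parse_dig_sections(text):
    """Return {section: [(owner, ttl, class, type, rdata), ...]} from dig text output."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith(";;") and line.endswith(" SECTION:"):
            current = line[2:-len(" SECTION:")].strip().lower()
            sections[current] = []
        elif not line:
            current = None  # a blank line ends the current section
        elif current and not line.startswith(";"):
            parts = line.split(None, 4)
            if len(parts) == 5 and parts[1].isdigit():
                owner, ttl, rrclass, rrtype, rdata = parts
                sections[current].append((owner.lower(), int(ttl), rrclass, rrtype.upper(), rdata))
    return sections

def unexpected_root_ns(text):
    """List (section, ns_target, glue_addresses) for root NS records outside the expected set."""
    sec = parse_dig_sections(text)
    findings = []
    for section in ("answer", "authority"):
        for owner, _ttl, _cls, rrtype, rdata in sec.get(section, []):
            target = rdata.lower()
            if owner == "." and rrtype == "NS" and target not in EXPECTED_ROOT_NS:
                glue = [r[4] for r in sec.get("additional", []) if r[0] == target and r[3] in ("A", "AAAA")]
                findings.append((section, target, glue))
    return findings
```
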




