[dns-operations] Broken A and J root responses
Peter van Dijk
peter.van.dijk at powerdns.com
Fri Feb 26 19:52:22 UTC 2021
I have confirmation that Verisign is on it.
On Fri, 2021-02-26 at 11:34 -0800, Brian Dickson wrote:
> This is of interest to both resolver operators and Verisign.
>
> We have noticed broken responses to certain query types from some instances of A and J.
> This was raised originally by David Kinzel, BTW, on the DNS-OARC Mattermost channels.
>
> We have seen queries for NSEC for both "jp" and "sl" return results that could/would poison the root delegation NS set (and this was what David saw that started the investigation).
>
> See below for the query/response. Note the Authority section in particular.
>
> Brian Dickson
> GoDaddy
>
> dig +do +norec @a.root-servers.net nsec sl. +nsid
>
> ; <<>> DiG 9.16.7 <<>> +do +norec @a.root-servers.net nsec sl. +nsid
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27231
> ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ; NSID: 6e 6e 6e 31 2d 73 66 6f 37 ("nnn1-sfo7")
> ;; QUESTION SECTION:
> ;sl. IN NSEC
>
> ;; ANSWER SECTION:
> sl. 86400 IN NSEC sling. NS RRSIG NSEC
> sl. 86400 IN RRSIG NSEC 8 1 86400 20210311170000 20210226160000 42351 . CQf3h+rHcoK2WSn7ItV8IQLb6yFFXSA+Lt86S58sm32u7QtTJsepap6r LcREA16YEmr5N9U7ytPyqNZmH92q24XGAtB0bikn9iZXTuIDG6BztbLr EqmDZ+lxutzmLDL2LOA9wcnk6TiKirxcId9j95Evy3gVNObAe94xvQIw 5LLtjeyQqRvWM+SAg7aXOyugedYIJtxUBVg9P7AHlLU+Z5HSfXo8EeJ9 NgyrkVnNnJNyJ7n02qNiyCiNm0lrkglWTbEAt5iquR6KiLlKcrB6ml3c ZSqfTBv108Ev+iuL3W80kWJEpkwomPRVlF+2R4yCZt38kA0Xc0VBp4FR hTlGYA==
>
> ;; AUTHORITY SECTION:
> . 172800 IN NS ns2.neoip.com.
> . 172800 IN NS ns1.neoip.com.
> . 518400 IN RRSIG NS 8 0 518400 20210311170000 20210226160000 42351 . WTZU7GHTyNZvGFvc+avXpUgu26QDWaywDOoS0Ac8FQnuVnwvIbYpdoew jMJFmZ5b7rWdzlJ6NgwURxLX7/0EOSDYk3sTdnjK9RtQbVtEBCueiSF4 3xkFNILgmiCYuoLQLHNpue/ORvEPMQUYif33KLoSgoX+qMLEqjrp14E0 qKmDCErjHkrV3uqRmvix5psxLSebhCz4WJeqPC3kIi6OcfGMQO5siI4L gVNnw9Hmal7W9UJGokDbhcsnb51Q43rGlrfp6pBosiWYfJDys9YWg4jU JUeShUFLH74SqavH+jQ0FsPoi5Vzbtfua3GUs0T67J2TpctlOjUBD3oz yX1g9g==
>
> ;; ADDITIONAL SECTION:
> ns2.neoip.com. 172800 IN A 64.202.189.47
> ns1.neoip.com. 172800 IN A 45.83.41.38
>
> ;; Query time: 21 msec
> ;; SERVER: 198.41.0.4#53(198.41.0.4)
> ;; WHEN: Fri Feb 26 11:12:15 PST 2021
> ;; MSG SIZE rcvd: 719
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
More information about the dns-operations
mailing list