[dns-operations] Incorrect NSEC responses from Verisign root server instances

Peter van Dijk peter.van.dijk at powerdns.com
Sat Feb 27 09:48:30 UTC 2021


On Sat, 2021-02-27 at 01:33 +0000, Wessels, Duane via dns-operations
wrote:
> Verisign is in the process of patching affected systems, and rolling
> out the new version, and bringing affected instances back into
> service in accordance with established operational procedures.

It looks like the instances that are coming back into service are still
broken:

$ dig nsec nl +nsid @a.root-servers.net

; <<>> DiG 9.11.5-P4-5.1+deb10u3-Debian <<>> nsec nl +nsid @a.root-
servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33490
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 7
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; NSID: 6e 6e 6e 31 2d 61 6d 73 36 ("nnn1-ams6")
;; QUESTION SECTION:
;nl.				IN	NSEC

;; ANSWER SECTION:
nl.			86400	IN	NSEC	no. NS DS RRSIG NSEC

;; AUTHORITY SECTION:
.			172800	IN	NS	ns3.dns.nl.
.			172800	IN	NS	ns1.dns.nl.
.			172800	IN	NS	ns2.dns.nl.

;; ADDITIONAL SECTION:
ns3.dns.nl.		172800	IN	A	194.0.25.24
ns3.dns.nl.		172800	IN	AAAA	2001:678:20::24
ns1.dns.nl.		172800	IN	A	194.0.28.53
ns1.dns.nl.		172800	IN	AAAA	2001:678:2c:0:194:0:28:
53
ns2.dns.nl.		172800	IN	A	194.146.106.42
ns2.dns.nl.		172800	IN	AAAA	2001:67c:1010:10::53

;; Query time: 2 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Sat Feb 27 10:47:10 CET 2021
;; MSG SIZE  rcvd: 255

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/




More information about the dns-operations mailing list