[dns-operations] Incorrect NSEC responses from Verisign root server instances
Peter van Dijk
peter.van.dijk at powerdns.com
Sat Feb 27 09:48:30 UTC 2021
On Sat, 2021-02-27 at 01:33 +0000, Wessels, Duane via dns-operations
wrote:
> Verisign is in the process of patching affected systems, and rolling
> out the new version, and bringing affected instances back into
> service in accordance with established operational procedures.
It looks like the instances that are coming back into service are still
broken:
$ dig nsec nl +nsid @a.root-servers.net
; <<>> DiG 9.11.5-P4-5.1+deb10u3-Debian <<>> nsec nl +nsid @a.root-
servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33490
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 7
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; NSID: 6e 6e 6e 31 2d 61 6d 73 36 ("nnn1-ams6")
;; QUESTION SECTION:
;nl. IN NSEC
;; ANSWER SECTION:
nl. 86400 IN NSEC no. NS DS RRSIG NSEC
;; AUTHORITY SECTION:
. 172800 IN NS ns3.dns.nl.
. 172800 IN NS ns1.dns.nl.
. 172800 IN NS ns2.dns.nl.
;; ADDITIONAL SECTION:
ns3.dns.nl. 172800 IN A 194.0.25.24
ns3.dns.nl. 172800 IN AAAA 2001:678:20::24
ns1.dns.nl. 172800 IN A 194.0.28.53
ns1.dns.nl. 172800 IN AAAA 2001:678:2c:0:194:0:28:
53
ns2.dns.nl. 172800 IN A 194.146.106.42
ns2.dns.nl. 172800 IN AAAA 2001:67c:1010:10::53
;; Query time: 2 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Sat Feb 27 10:47:10 CET 2021
;; MSG SIZE rcvd: 255
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
More information about the dns-operations
mailing list