[dns-operations] Stale .GN and .LR zone data in some instances of "ns-{gn, lr}.afrinic.net"

Randy Bush randy at psg.com
Tue Aug 30 16:42:06 UTC 2022 

cc:s changed and a couple of bcc:s added

> Sadly, not yet, even yesterday the SOA serial on the problem instances was
> behind, and the RRSIGs are still 2-weeks expired.  It is beginning to look
> like Afrinic are diverting all queries from Google to a separate server
> pool, and it is *that* server pool that has stale data...
> 
> ; <<>> DiG 9.11.10 <<>> @196.216.168.49 soa gn. +nosplit +dnssec +cd +nsid
> +norecur +nocrypt
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25967
> ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1232
> ; NSID: 73 30 31 2d 6e 73 32 2e 6a 69 6e 78 ("s01-ns2.jinx")
> ;; QUESTION SECTION:
> ;gn.                            IN      SOA
> 
> ;; ANSWER SECTION:
> gn.                     3600    IN      SOA     rip.psg.com.
> hostmaster.psg.com. 2202015289 86400 3600 2592000 3600
> gn.                     3600    IN      RRSIG   SOA 8 1 3600 20220818095230
> 20220803224100 53103 gn. [omitted]
> 
> ;; AUTHORITY SECTION:
> gn.                     14400   IN      NS      rip.psg.com.
> gn.                     14400   IN      NS      fork.sth.dnsnode.net.
> gn.                     14400   IN      NS      ns-gn.afrinic.net.
> gn.                     14400   IN      RRSIG   NS 8 1 14400 20220816200031
> 20220803023758 53103 gn. [omitted]
> 
> On Mon, 29 Aug 2022 at 23:22, Randy Bush <randy at psg.com> wrote:
> 
>>> The zone data for .GN and .LR has older SOA serial numbers and expired
>>> signatures on some of the anycast instances of ns-gn.afrinic.net and
>>> ns-lr.afrinic.net.  Specifically, at least the ones with NSID
>>> "s01-ns2.jinx".  This breaks resolution of .GN and .LR names via
>>> Google DNS from some locations. Please ensure that the zones are
>>> updated at all anycast locations.
>>
>> thanks viktor,
>>
>> i have bumped the zones at the primary.  let's see if afrinic servers
>> get the message.

thanks viktor

another day of no response from afrinic, and i guess i should ask the
iana to remove them from the NS RRset for GN and LR.

anyone have a way to get afrinic dns folk's attention?

randy

More information about the dns-operations mailing list