[dns-operations] root server lagging behind

Thor Spruyt thor.spruyt at telenet.be
Fri May 19 13:32:49 UTC 2023


Hi,

I recently detected an L root server, be-anr-aa, which was lagging behind.

On 9/5 in the evening, the serial was 2023042601 and the signatures expired 20230509170000 causing dnssec validation to fail.

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> -6 -t SOA . @l.root-servers.net +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64980
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 13
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.                              IN      SOA

;; ANSWER SECTION:
.                       86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2023042601 1800 900 604800 86400
.                       86400   IN      RRSIG   SOA 8 0 86400 20230509170000 20230426160000 60955 . ZAapnzuzu9iBrd5gXC3eskevI6D0VvHuXNeUUS+QaL6OkYqf4mnUthiP 1Zgsc+8ZKtG43KShNlFAQa2ior4XVkPEageKW9cmdZQISGnbYAqGBvb0 ssrfsRoFfiNR3OdG9aLhX8Kfujl2Or9j7s9mKkAaNgboIlEQwv+Ty++r eUAaWth0pGY4uLlitb3PMln/ILnF39N+WZNh4UkQABwTbOaMKkZwD1zN 4H3ja+NQrn8o0zARbtmEtZw5aaiaX31pAU2azdcR5xDr4+xT54wrnKn8 UvVSe1tzIgGUa1KlkC/snmSoddEmuu/lIBbkZMPD7smIa4OgfCvnDJWr 3bm60A==

After reporting the issue to ICANN, the be-anr-aa server was deactivated.

After that I set up regular checking of the root server serials and since yesterday we again have a lagging L root server, now fr-bfc-aa.

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> -t SOA . @l.root-servers.net. +dnssec +nsid
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52383
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 13
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; NSID: 66 72 2d 62 66 63 2d 61 61 ("fr-bfc-aa")
;; QUESTION SECTION:
;.                              IN      SOA

;; ANSWER SECTION:
.                       86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2023051802 1800 900 604800 86400
.                       86400   IN      RRSIG   SOA 8 0 86400 20230531200000 20230518190000 60955 . MAKZKzGYX9gBARWGOGNKohj7CHkmW1PTTGzqr8JI7VBI2ICN8tZgHI2j 0/NZ6jJHrVhXIOf6sre/O6K3lJZi44kyU8TC9kGkdJiGVwj2RIDH6H3E AJ9nxv5ywLhqZclTS78Op+nUrSlNsM1HOiqeNPAcmY1W/4yInlF0/v9b vWrdweJkBRzYWaIzTs1q7KXTlDOjibRRrZKMi/eRtxSt7kRRlHRqXfY5 rNC4rQEN/FfYPgWnrBMrp17CqbwRUVmXcE2hO61JQCpW9HAVKg64qtLF 4KsadkCV2ps2c5qwmY1Hi8YBdyk7jhET9erSW90MRLwB9fDGAfzM7EXh bYh/JA==

A lagging root server will probably not cause a big issue immediately, making mitigation not that urgent.
However, with dnssec validation, it has become important that all root servers are not lagging too far (beyond the signatures' expiration).
Maybe some verification and mitigation processes should be updated to take dnssec into account?


--
Thor
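A check in the spirit of the regular serial monitoring described in the post, written as an added example (not the author's script): it parses the ANSWER section of `dig +dnssec +nsid -t SOA .` output from several instances, flags any whose serial is behind the newest one seen, and flags RRSIGs that have expired or will expire within a margin. The lagging sample reuses the serial and RRSIG timing values quoted in the post; the reference instance, the NSID key names and the signature data are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

# Constructed samples: "be-anr-aa" carries the serial/RRSIG times from the post,
# "reference" is a made-up healthy instance; signature data is a placeholder.
SAMPLES = {
    "be-anr-aa": """\
.   86400   IN   SOA    a.root-servers.net. nstld.verisign-grs.com. 2023042601 1800 900 604800 86400
.   86400   IN   RRSIG  SOA 8 0 86400 20230509170000 20230426160000 60955 . SIGDATAPLACEHOLDER==
""",
    "reference": """\
.   86400   IN   SOA    a.root-servers.net. nstld.verisign-grs.com. 2023050902 1800 900 604800 86400
.   86400   IN   RRSIG  SOA 8 0 86400 20230522170000 20230509160000 60955 . SIGDATAPLACEHOLDER==
""",
}
# "9/5 in the evening" from the post, taken as 18:00 UTC (constructed instant).
POST_TIME = datetime(2023, 5, 9, 18, 0, tzinfo=timezone.utc)

def _sigtime(field: str) -> datetime:
    """RRSIG expiration/inception fields are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_soa_answer(dig_output: str) -> dict:
    """Extract the SOA serial and the covering RRSIG's validity window."""
    rec = {}
    for line in dig_output.splitlines():
        f = line.split()
        if len(f) < 7 or f[0] != ".":
            continue  # not an apex answer record
        if f[3] == "SOA":
            rec["serial"] = int(f[6])  # root zone serial is YYYYMMDDNN
        elif f[3] == "RRSIG" and f[4] == "SOA" and len(f) >= 10:
            rec["expiration"] = _sigtime(f[8])
            rec["inception"] = _sigtime(f[9])
    return rec

def check_instances(answers: dict, now: datetime, margin=timedelta(hours=24)) -> dict:
    """Compare each instance to the newest serial seen and report signature state."""
    parsed = {nsid: parse_soa_answer(out) for nsid, out in answers.items()}
    newest = max(r["serial"] for r in parsed.values())
    return {
        nsid: {
            "serial": r["serial"],
            "lagging": r["serial"] < newest,  # date-based serial: plain compare suffices
            "expired": now >= r["expiration"],
            "expiring_soon": now + margin >= r["expiration"],
        }
        for nsid, r in parsed.items()
    }

if __name__ == "__main__":
    for nsid, state in check_instances(SAMPLES, POST_TIME).items():
        print(nsid, state)
```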


