<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Wed, May 27, 2015 at 3:40 PM, Warren Kumari <span dir="ltr"><<a href="mailto:warren@kumari.net" target="_blank">warren@kumari.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class="">On Wed, May 27, 2015 at 3:02 PM, Joe Abley <<a href="mailto:jabley@hopcount.ca">jabley@hopcount.ca</a>> wrote:<br>
><br>
><br>
> On 27 May 2015, at 19:14, Warren Kumari wrote:<br>
><br>
>>> For what it's worth, I have no problem getting a reasonable (negative)<br>
>>> response to ACCOUNTANT/IN/TLSA or SOMETHING.ACCOUNTANT/IN/TLSA from<br>
>>> 156.154.144.195 with EDNS0.DO=1 or without EDNS0. Perhaps I'm special :-)<br>
<br>
</span>Yah, /I/ know you are special -- but I don't know how 156.154.144.195<br>
knows you are.<br>
<br>
Can you include a dig (or similar) showing you asking the question and<br>
getting an answer (not a timeout?). I've queried from multiple places<br>
with no love...<br>
<span class="im"><br>
W<br>
<br></span><div class=""><div class="h5"><br></div></div></blockquote><div><br></div><div>Here's a transcript of my attempt to query all the NS addresses at accountant for TLSA records (from one location, a datacenter in New Jersey). Quick summary: no response/timeout from all the IPv4 addresses, correct NODATA answers from all the IPv6 addresses. Hmm (and no, the machine originating the queries has working IPv4 and can query other records successfully):</div><div><br></div><div><div>$ get-ns-ip accountant.</div><div>ns1.dns.nic.accountant. 156.154.144.195</div><div>ns1.dns.nic.accountant. 2610:a1:1071::c3</div><div>ns2.dns.nic.accountant. 156.154.145.195</div><div>ns2.dns.nic.accountant. 2610:a1:1072::c3</div><div>ns3.dns.nic.accountant. 156.154.159.195</div><div>ns3.dns.nic.accountant. 2610:a1:1073::c3</div><div>ns4.dns.nic.accountant. 156.154.156.195</div><div>ns4.dns.nic.accountant. 2610:a1:1074::c3</div><div>ns5.dns.nic.accountant. 156.154.157.195</div><div>ns5.dns.nic.accountant. 2610:a1:1075::c3</div><div>ns6.dns.nic.accountant. 156.154.158.195</div><div>ns6.dns.nic.accountant. 2610:a1:1076::c3</div><div><br></div><div>$ get-ns-ip accountant. | while read hostname ip</div><div>> do</div><div>> echo ">>> $hostname $ip"</div><div>> dig @$ip _443._tcp.accountant. TLSA</div><div>> echo ""</div><div>> done</div><div><br></div><div>>>> ns1.dns.nic.accountant. 156.154.144.195</div><div><br></div><div>; <<>> DiG 9.10.1 <<>> @<a href="http://156.154.144.195">156.154.144.195</a> _443._tcp.accountant. TLSA</div><div>; (1 server found)</div><div>;; global options: +cmd</div><div>;; connection timed out; no servers could be reached</div><div><br></div><div>>>> ns1.dns.nic.accountant. 2610:a1:1071::c3</div><div><br></div><div>; <<>> DiG 9.10.1 <<>> @2610:a1:1071::c3 _443._tcp.accountant. 
TLSA</div><div>; (1 server found)</div><div>;; global options: +cmd</div><div>;; Got answer:</div><div>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45660</div><div>;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0</div><div>;; WARNING: recursion requested but not available</div><div><br></div><div>;; QUESTION SECTION:</div><div>;_443._tcp.accountant.<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>TLSA</div><div><br></div><div>;; AUTHORITY SECTION:</div><div>accountant.<span class="" style="white-space:pre"> </span>7200<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>SOA<span class="" style="white-space:pre"> </span>ns1.dns.nic.accountant. <a href="http://hostmaster.neustar.biz">hostmaster.neustar.biz</a>. 189 900 900 604800 86400</div><div><br></div><div>;; Query time: 8 msec</div><div>;; SERVER: 2610:a1:1071::c3#53(2610:a1:1071::c3)</div><div>;; WHEN: Wed May 27 15:50:11 EDT 2015</div><div>;; MSG SIZE rcvd: 108</div><div><br></div><div><br></div><div>>>> ns2.dns.nic.accountant. 156.154.145.195</div><div><br></div><div>; <<>> DiG 9.10.1 <<>> @<a href="http://156.154.145.195">156.154.145.195</a> _443._tcp.accountant. TLSA</div><div>; (1 server found)</div><div>;; global options: +cmd</div><div>;; connection timed out; no servers could be reached</div><div><br></div><div>>>> ns2.dns.nic.accountant. 2610:a1:1072::c3</div><div><br></div><div>; <<>> DiG 9.10.1 <<>> @2610:a1:1072::c3 _443._tcp.accountant. 
TLSA</div><div>; (1 server found)</div><div>;; global options: +cmd</div><div>;; Got answer:</div><div>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8407</div><div>;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0</div><div>;; WARNING: recursion requested but not available</div><div><br></div><div>;; QUESTION SECTION:</div><div>;_443._tcp.accountant.<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>TLSA</div><div><br></div><div>;; AUTHORITY SECTION:</div><div>accountant.<span class="" style="white-space:pre"> </span>7200<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>SOA<span class="" style="white-space:pre"> </span>ns1.dns.nic.accountant. <a href="http://hostmaster.neustar.biz">hostmaster.neustar.biz</a>. 189 900 900 604800 86400</div><div><br></div><div>;; Query time: 79 msec</div><div>;; SERVER: 2610:a1:1072::c3#53(2610:a1:1072::c3)</div><div>;; WHEN: Wed May 27 15:50:27 EDT 2015</div><div>;; MSG SIZE rcvd: 108</div><div><br></div><div><br></div><div>>>> ns3.dns.nic.accountant. 156.154.159.195</div><div><br></div><div>; <<>> DiG 9.10.1 <<>> @<a href="http://156.154.159.195">156.154.159.195</a> _443._tcp.accountant. TLSA</div><div>; (1 server found)</div><div>;; global options: +cmd</div><div>;; connection timed out; no servers could be reached</div><div><br></div><div>>>> ns3.dns.nic.accountant. 2610:a1:1073::c3</div><div><br></div><div>; <<>> DiG 9.10.1 <<>> @2610:a1:1073::c3 _443._tcp.accountant. 
TLSA</div><div>; (1 server found)</div><div>;; global options: +cmd</div><div>;; Got answer:</div><div>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46624</div><div>;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0</div><div>;; WARNING: recursion requested but not available</div><div><br></div><div>;; QUESTION SECTION:</div><div>;_443._tcp.accountant.<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>TLSA</div><div><br></div><div>;; AUTHORITY SECTION:</div><div>accountant.<span class="" style="white-space:pre"> </span>7200<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>SOA<span class="" style="white-space:pre"> </span>ns1.dns.nic.accountant. <a href="http://hostmaster.neustar.biz">hostmaster.neustar.biz</a>. 189 900 900 604800 86400</div><div><br></div><div>;; Query time: 8 msec</div><div>;; SERVER: 2610:a1:1073::c3#53(2610:a1:1073::c3)</div><div>;; WHEN: Wed May 27 15:50:42 EDT 2015</div><div>;; MSG SIZE rcvd: 108</div><div><br></div><div><br></div><div>>>> ns4.dns.nic.accountant. 156.154.156.195</div><div><br></div><div>; <<>> DiG 9.10.1 <<>> @<a href="http://156.154.156.195">156.154.156.195</a> _443._tcp.accountant. TLSA</div><div>; (1 server found)</div><div>;; global options: +cmd</div><div>;; connection timed out; no servers could be reached</div><div><br></div><div>>>> ns4.dns.nic.accountant. 2610:a1:1074::c3</div><div><br></div><div>; <<>> DiG 9.10.1 <<>> @2610:a1:1074::c3 _443._tcp.accountant. 
TLSA</div><div>; (1 server found)</div><div>;; global options: +cmd</div><div>;; Got answer:</div><div>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21156</div><div>;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0</div><div>;; WARNING: recursion requested but not available</div><div><br></div><div>;; QUESTION SECTION:</div><div>;_443._tcp.accountant.<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>TLSA</div><div><br></div><div>;; AUTHORITY SECTION:</div><div>accountant.<span class="" style="white-space:pre"> </span>7200<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>SOA<span class="" style="white-space:pre"> </span>ns1.dns.nic.accountant. <a href="http://hostmaster.neustar.biz">hostmaster.neustar.biz</a>. 189 900 900 604800 86400</div><div><br></div><div>;; Query time: 8 msec</div><div>;; SERVER: 2610:a1:1074::c3#53(2610:a1:1074::c3)</div><div>;; WHEN: Wed May 27 15:50:57 EDT 2015</div><div>;; MSG SIZE rcvd: 108</div><div><br></div><div><br></div><div>>>> ns5.dns.nic.accountant. 156.154.157.195</div><div><br></div><div>; <<>> DiG 9.10.1 <<>> @<a href="http://156.154.157.195">156.154.157.195</a> _443._tcp.accountant. TLSA</div><div>; (1 server found)</div><div>;; global options: +cmd</div><div>;; connection timed out; no servers could be reached</div><div><br></div><div>>>> ns5.dns.nic.accountant. 2610:a1:1075::c3</div><div><br></div><div>; <<>> DiG 9.10.1 <<>> @2610:a1:1075::c3 _443._tcp.accountant. 
TLSA</div><div>; (1 server found)</div><div>;; global options: +cmd</div><div>;; Got answer:</div><div>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56808</div><div>;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0</div><div>;; WARNING: recursion requested but not available</div><div><br></div><div>;; QUESTION SECTION:</div><div>;_443._tcp.accountant.<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>TLSA</div><div><br></div><div>;; AUTHORITY SECTION:</div><div>accountant.<span class="" style="white-space:pre"> </span>7200<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>SOA<span class="" style="white-space:pre"> </span>ns1.dns.nic.accountant. <a href="http://hostmaster.neustar.biz">hostmaster.neustar.biz</a>. 189 900 900 604800 86400</div><div><br></div><div>;; Query time: 13 msec</div><div>;; SERVER: 2610:a1:1075::c3#53(2610:a1:1075::c3)</div><div>;; WHEN: Wed May 27 15:51:12 EDT 2015</div><div>;; MSG SIZE rcvd: 108</div><div><br></div><div><br></div><div>>>> ns6.dns.nic.accountant. 156.154.158.195</div><div><br></div><div>; <<>> DiG 9.10.1 <<>> @<a href="http://156.154.158.195">156.154.158.195</a> _443._tcp.accountant. TLSA</div><div>; (1 server found)</div><div>;; global options: +cmd</div><div>;; connection timed out; no servers could be reached</div><div><br></div><div>>>> ns6.dns.nic.accountant. 2610:a1:1076::c3</div><div><br></div><div>; <<>> DiG 9.10.1 <<>> @2610:a1:1076::c3 _443._tcp.accountant. 
TLSA</div><div>; (1 server found)</div><div>;; global options: +cmd</div><div>;; Got answer:</div><div>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40030</div><div>;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0</div><div>;; WARNING: recursion requested but not available</div><div><br></div><div>;; QUESTION SECTION:</div><div>;_443._tcp.accountant.<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>TLSA</div><div><br></div><div>;; AUTHORITY SECTION:</div><div>accountant.<span class="" style="white-space:pre"> </span>7200<span class="" style="white-space:pre"> </span>IN<span class="" style="white-space:pre"> </span>SOA<span class="" style="white-space:pre"> </span>ns1.dns.nic.accountant. <a href="http://hostmaster.neustar.biz">hostmaster.neustar.biz</a>. 189 900 900 604800 86400</div><div><br></div><div>;; Query time: 1 msec</div><div>;; SERVER: 2610:a1:1076::c3#53(2610:a1:1076::c3)</div><div>;; WHEN: Wed May 27 15:51:27 EDT 2015</div><div>;; MSG SIZE rcvd: 108</div></div><div><br></div><div>-- </div><div>Shumon Huque</div><div><br></div></div></div></div>
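<div>The comparison made in this message (timeouts from every IPv4 address, NODATA from every IPv6 address) can be tallied mechanically from a transcript of this shape. The following is an added example, not part of the original message; the function names are hypothetical and the sample hostnames and addresses are constructed from documentation ranges.</div>

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the same shape as the transcript above: a
# ">>> hostname ip" marker line followed by that server's dig output.
# Names and addresses are documentation values, not those in the message.
SAMPLE = """\
>>> ns1.example. 192.0.2.53
; <<>> DiG 9.10.1 <<>> @192.0.2.53 _443._tcp.example. TLSA
;; connection timed out; no servers could be reached
>>> ns1.example. 2001:db8::53
; <<>> DiG 9.10.1 <<>> @2001:db8::53 _443._tcp.example. TLSA
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>> ns2.example. 198.51.100.53
;; connection timed out; no servers could be reached
"""

MARKER = re.compile(r"^>>> (\S+) (\S+)$")
STATUS = re.compile(r"status: (\w+)")
ANSWER = re.compile(r"ANSWER: (\d+)")

def classify(block):
    """Label one server's dig output: TIMEOUT, NODATA, ANSWER or the rcode."""
    if "connection timed out" in block:
        return "TIMEOUT"
    status = STATUS.search(block)
    answers = ANSWER.search(block)
    if not status or not answers:
        return "UNPARSED"
    if status.group(1) == "NOERROR" and answers.group(1) == "0":
        return "NODATA"  # the name exists but has no record of that type
    return status.group(1) if answers.group(1) == "0" else "ANSWER"

def summarise(transcript):
    """Return {"IPv4": {outcome: count}, "IPv6": {outcome: count}}."""
    results = defaultdict(lambda: defaultdict(int))
    ip, lines = None, []
    # The trailing sentinel marker flushes the last server's block.
    for line in transcript.splitlines() + [">>> end ::"]:
        m = MARKER.match(line)
        if not m:
            lines.append(line)
            continue
        if ip is not None:
            family = "IPv%d" % ipaddress.ip_address(ip).version
            results[family][classify("\n".join(lines))] += 1
        ip, lines = m.group(2), []
    return {fam: dict(counts) for fam, counts in results.items()}
```

<div>A result where one address family is all TIMEOUT while the other answers suggests a path or filtering problem specific to that family rather than a zone-content problem.</div>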