<div dir="ltr">This is of interest to both resolver operators and Verisign.<div><br></div><div>We have noticed broken responses to certain query types from some instances of A and J.</div><div>This was raised originally by David Kinzel, BTW, on the DNS-OARC Mattermost channels.</div><div><br></div><div>We have seen queries for NSEC for both "jp" and "sl" return results that could/would poison the root delegation NS set (and this was what David saw that started the investigation).</div><div><br></div><div>See below for the query/response. Note the Authority section in particular.</div><div><br></div><div>Brian Dickson</div><div>GoDaddy</div><div><br></div><div>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">dig +do +norec @<a href="http://a.root-servers.net">a.root-servers.net</a> nsec sl. +nsid</span></p>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);min-height:16px"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">; <<>> DiG 9.16.7 <<>> +do +norec @<a href="http://a.root-servers.net">a.root-servers.net</a> nsec sl. +nsid</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">; (1 server found)</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">;; global options: +cmd</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">;; Got answer:</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27231</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3</span></p>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);min-height:16px"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">;; OPT PSEUDOSECTION:</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">; EDNS: version: 0, flags: do; udp: 4096</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">; NSID: 6e 6e 6e 31 2d 73 66 6f 37 ("nnn1-sfo7")</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">;; QUESTION SECTION:</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">;sl.<span class="gmail-Apple-tab-span" style="white-space:pre"> </span><span class="gmail-Apple-tab-span" style="white-space:pre"> </span><span class="gmail-Apple-tab-span" style="white-space:pre"> </span><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>IN<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>NSEC</span></p>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);min-height:16px"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">;; ANSWER SECTION:</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">sl.<span class="gmail-Apple-tab-span" style="white-space:pre"> </span><span class="gmail-Apple-tab-span" style="white-space:pre"> </span><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>86400<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>IN<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>NSEC<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>sling. NS RRSIG NSEC</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">sl.<span class="gmail-Apple-tab-span" style="white-space:pre"> </span><span class="gmail-Apple-tab-span" style="white-space:pre"> </span><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>86400<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>IN<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>RRSIG<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>NSEC 8 1 86400 20210311170000 20210226160000 42351 . CQf3h+rHcoK2WSn7ItV8IQLb6yFFXSA+Lt86S58sm32u7QtTJsepap6r LcREA16YEmr5N9U7ytPyqNZmH92q24XGAtB0bikn9iZXTuIDG6BztbLr EqmDZ+lxutzmLDL2LOA9wcnk6TiKirxcId9j95Evy3gVNObAe94xvQIw 5LLtjeyQqRvWM+SAg7aXOyugedYIJtxUBVg9P7AHlLU+Z5HSfXo8EeJ9 NgyrkVnNnJNyJ7n02qNiyCiNm0lrkglWTbEAt5iquR6KiLlKcrB6ml3c ZSqfTBv108Ev+iuL3W80kWJEpkwomPRVlF+2R4yCZt38kA0Xc0VBp4FR hTlGYA==</span></p>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);min-height:16px"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">;; AUTHORITY SECTION:</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">.<span class="gmail-Apple-tab-span" style="white-space:pre"> </span><span class="gmail-Apple-tab-span" style="white-space:pre"> </span><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>172800<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>IN<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>NS<span class="gmail-Apple-tab-span" style="white-space:pre"> </span><a href="http://ns2.neoip.com">ns2.neoip.com</a>.</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">.<span class="gmail-Apple-tab-span" style="white-space:pre"> </span><span class="gmail-Apple-tab-span" style="white-space:pre"> </span><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>172800<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>IN<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>NS<span class="gmail-Apple-tab-span" style="white-space:pre"> </span><a href="http://ns1.neoip.com">ns1.neoip.com</a>.</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">.<span class="gmail-Apple-tab-span" style="white-space:pre"> </span><span class="gmail-Apple-tab-span" style="white-space:pre"> </span><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>518400<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>IN<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>RRSIG<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>NS 8 0 518400 20210311170000 20210226160000 42351 . WTZU7GHTyNZvGFvc+avXpUgu26QDWaywDOoS0Ac8FQnuVnwvIbYpdoew jMJFmZ5b7rWdzlJ6NgwURxLX7/0EOSDYk3sTdnjK9RtQbVtEBCueiSF4 3xkFNILgmiCYuoLQLHNpue/ORvEPMQUYif33KLoSgoX+qMLEqjrp14E0 qKmDCErjHkrV3uqRmvix5psxLSebhCz4WJeqPC3kIi6OcfGMQO5siI4L gVNnw9Hmal7W9UJGokDbhcsnb51Q43rGlrfp6pBosiWYfJDys9YWg4jU JUeShUFLH74SqavH+jQ0FsPoi5Vzbtfua3GUs0T67J2TpctlOjUBD3oz yX1g9g==</span></p>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);min-height:16px"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">;; ADDITIONAL SECTION:</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><a href="http://ns2.neoip.com">ns2.neoip.com</a>.<span class="gmail-Apple-tab-span" style="white-space:pre"> </span><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>172800<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>IN<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>A<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>64.202.189.47</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><a href="http://ns1.neoip.com">ns1.neoip.com</a>.<span class="gmail-Apple-tab-span" style="white-space:pre"> </span><span class="gmail-Apple-tab-span" style="white-space:pre"> </span>172800<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>IN<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>A<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>45.83.41.38</span></p>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);min-height:16px"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"></span><br></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">;; Query time: 21 msec</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">;; SERVER: 198.41.0.4#53(198.41.0.4)</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">;; WHEN: Fri Feb 26 11:12:15 PST 2021</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:14px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">;; MSG SIZE<span class="gmail-Apple-converted-space"> </span>rcvd: 719</span></p></div></div>