[Dnssec-trigger] A new kind of broken hotspot: RRSIG are OK but NSEC3 are deleted
Stephane Bortzmeyer
bortzmeyer at nic.fr
Thu Oct 27 07:34:09 UTC 2011
% dnssec-trigger-control status
at 2011-10-27 09:26:01
cache 192.168.254.2: OK
state: cache secure
But 192.168.254.2 is not OK. It strips NSEC3 records.
% dig A aws.amazon.com
; <<>> DiG 9.7.3 <<>> A aws.amazon.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30784
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;aws.amazon.com. IN A
;; Query time: 39 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 27 09:29:22 2011
;; MSG SIZE rcvd: 43
% dig DS amazon.com
; <<>> DiG 9.7.3 <<>> DS amazon.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53969
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;amazon.com. IN DS
;; Query time: 12 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 27 09:29:30 2011
;; MSG SIZE rcvd: 39
% dig +dnssec +cd DS amazon.com
; <<>> DiG 9.7.3 <<>> +dnssec +cd DS amazon.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44775
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;amazon.com. IN DS
;; AUTHORITY SECTION:
com. 588 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1319700242 1800 900 604800 86400
com. 588 IN RRSIG SOA 8 1 900 20111103072402 20111027071402 3272 com. gQcKr3NkiDE1da4Oc14iSkWRsoKUju5MHABsbMfSgX7SLw2sMlgApRin tn3AKui/1oiD+ts4Qln8emkEgmvGDsvmgU1y5VptMYoQC0mdPxp4WZcI F4ZefwKSR0YY4oqWAP2yjl+WAc2VCf6YgqwhkkVhbIbcQW4w1ffYdSc0 weI=
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 27 09:29:51 2011
;; MSG SIZE rcvd: 275
% dig @192.168.254.2 +dnssec DS amazon.com
; <<>> DiG 9.7.3 <<>> @192.168.254.2 +dnssec DS amazon.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63577
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;amazon.com. IN DS
;; AUTHORITY SECTION:
com. 351 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1319700242 1800 900 604800 86400
com. 351 IN RRSIG SOA 8 1 900 20111103072402 20111027071402 3272 com. gQcKr3NkiDE1da4Oc14iSkWRsoKUju5MHABsbMfSgX7SLw2sMlgApRin tn3AKui/1oiD+ts4Qln8emkEgmvGDsvmgU1y5VptMYoQC0mdPxp4WZcI F4ZefwKSR0YY4oqWAP2yjl+WAc2VCf6YgqwhkkVhbIbcQW4w1ffYdSc0 weI=
;; Query time: 1 msec
;; SERVER: 192.168.254.2#53(192.168.254.2)
;; WHEN: Thu Oct 27 09:33:48 2011
;; MSG SIZE rcvd: 275
Maybe dnssec-trigger should test NSEC/NSEC3 on non-existent records
as well?
Signed names are OK since there is no NSEC to send back.
% dig +dnssec A www.afnic.fr
; <<>> DiG 9.7.3 <<>> +dnssec A www.afnic.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38813
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 7, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.afnic.fr. IN A
;; ANSWER SECTION:
www.afnic.fr. 22242 IN CNAME www.nic.fr.
www.afnic.fr. 22242 IN RRSIG CNAME 8 3 172800 20111030030835 20111022211659 25699 afnic.fr. ggA/yvdMgFeKmU/+/GIosL17dqQJswwbClqhD8rcr7fx/MHLEIr7o7y7 +RTzVbHbgsfsHeriQtEQ1QGBBENrw3Bm6aPHNrnmg5MUfExKWLqPvp8q Serqojcxgkr8ls1RZPHZYx+CwSEdiQJTvg2sEuiNimnjSRbJthpWe3mu r+Y=
www.nic.fr. 22242 IN CNAME rigolo.nic.fr.
www.nic.fr. 22242 IN RRSIG CNAME 8 3 172800 20111030000136 20111022233143 25699 nic.fr. jEsHiECJAQF213wy1JptG/2ZMdIHG7lrHtlSOAWt3ypnwpa+zBCD04+o hJFU80R8t1qHc0wxpCnO2wBPfzWS9S5/1a37LuNPk0XbrFNgkL0sCkSQ RpreN/BOmQ1Zx7AyEjiCZ6Wl4hK50onI4g/MXbhyG/HJ37VY3mtBW0m3 UFQ=
rigolo.nic.fr. 22242 IN A 192.134.4.20
rigolo.nic.fr. 22242 IN RRSIG A 8 3 172800 20111030200341 20111024053415 25699 nic.fr. CWG2ydXS9c8Zi48fk5aTAx/XuWaqFVoMNkA274ZeadHXq0ikVcopA//2 u30lJXExlfVcycKBIydNGorr/KeEE9Qo2S9tRCytl1lprjHniPg4ZvgG f8hihRs9ullsQETIT2l84wJuyNfCkFin2EAf+FI3qMoWlvizRlngwzEp oIg=
;; AUTHORITY SECTION:
nic.fr. 27687 IN NS ns6.ext.nic.fr.
nic.fr. 27687 IN NS ns2.nic.fr.
nic.fr. 27687 IN NS ns4.ext.nic.fr.
nic.fr. 27687 IN NS ns1.nic.fr.
nic.fr. 27687 IN NS ns3.nic.fr.
nic.fr. 27687 IN NS ns1.ext.nic.fr.
nic.fr. 27687 IN RRSIG NS 8 2 172800 20111030031909 20111023053213 25699 nic.fr. 0Vl3lJxUk4agQO6FUZfi6k8TlEBlWBpsekpMsS8WgpkRl3c8Heeo2Hyq wubrDMiKaNx7nIDZtlF2FY5ohfN/keBi35Tgppf15FKi8hV92IC2S8nP sVouXntpcdnR0wgQurqTBu0jV7LzlIYku6zOJKSnK0fyu/Mf5aIdL2Jz fR8=
;; ADDITIONAL SECTION:
ns2.nic.fr. 114087 IN A 192.93.0.4
ns2.nic.fr. 114087 IN AAAA 2001:660:3005:1::1:2
ns2.nic.fr. 114087 IN RRSIG A 8 3 172800 20111031150630 20111024033405 25699 nic.fr. G3yPTjKs8UFLrEY5I1Z2ervENOjV22XN2mMvKxTNxMZDNMo9pg3PwfQz WVMo2+/OHDHIdN5eaPJ9cPihAxvEX70ce6Zt4C6AYJsTUwgcAqIajJCZ 12W7HTB1cj7yv+HMgypwfz9C4TX7Bjx41068LI22fENca2AmPxQCGUTT W/0=
ns2.nic.fr. 114087 IN RRSIG AAAA 8 3 172800 20111030031945 20111023073223 25699 nic.fr. LaqvLJaQzrig7bRy06R5KDr2c6/ydm/QM+UqnXXNuLOpYyIRKHI0jh71 3RT34QF5jkB187wc1py+DmgK/um0UJfjc+MFTx+T33DGg1GcB2M9bMbd f+hd8j7XJoFMOJZ5qiPg21U1LkCfgvVJSla7H5cmuO+678OU3Q82LdrX XeA=
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 27 09:31:36 2011
;; MSG SIZE rcvd: 1254
% dig +dnssec TXT www.afnic.fr
; <<>> DiG 9.7.3 <<>> +dnssec TXT www.afnic.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 37316
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.afnic.fr. IN TXT
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 27 09:32:19 2011
;; MSG SIZE rcvd: 41
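The check proposed in the message, written out as an added example that is not part of the post and not dnssec-trigger's own code: send a DO-bit query whose correct answer is a signed denial (the post uses DS for an unsigned delegation, which the parent zone must deny with NSEC3), and look at whether NSEC or NSEC3 records came back next to the RRSIG on the SOA. It uses only the standard library and a minimal DNS wire parser; the function names (`build_query`, `classify_negative_response`, `probe`) and the two constructed replies (`STRIPPED_REPLY`, `INTACT_REPLY`, filler RDATA, made-up NSEC3 owner name) are assumptions for illustration, not captured traffic.

```python
"""Detect a forwarder that strips NSEC/NSEC3 from negative answers but keeps RRSIGs."""
import socket
import struct

# RR type codes from the IANA registry, shared by the builder and the checker.
TYPE_SOA, TYPE_OPT, TYPE_DS, TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3 = 6, 41, 43, 46, 47, 50
RCODE_SERVFAIL = 2
EDNS_DO = 0x8000  # DO bit lives in the high bit of the OPT record's 32-bit TTL field


def encode_name(name):
    """Wire-encode a dotted name, uncompressed."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, qid=0x1234, cd=False):
    """Recursive query with an OPT RR carrying the DO bit, like `dig +dnssec`."""
    flags = 0x0100 | (0x0010 if cd else 0)  # RD, optionally CD
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer, follow it once for the end offset
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels) + ".", end


def parse_response(msg):
    """Return (rcode, sections) where each section is a list of (owner, rrtype)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = parse_name(msg, off)
        off += 4  # QTYPE + QCLASS
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = parse_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            sections[section].append((name, rtype))
    return flags & 0x000F, sections


def classify_negative_response(msg):
    """'servfail'  : a validator already gave up (what the local Unbound returned in the post)
    'denial-stripped': RRSIG on the SOA survived but no NSEC/NSEC3 came with it (the hotspot bug)
    'intact'     : SOA plus NSEC or NSEC3 present, the denial can be validated
    'unsigned'   : SOA only, no RRSIG at all (unsigned zone, or DO bit ignored)
    'positive'   : an answer section is present, so this is not a negative response"""
    rcode, sections = parse_response(msg)
    if rcode == RCODE_SERVFAIL:
        return "servfail"
    if sections["answer"]:
        return "positive"
    types = {rtype for _, rtype in sections["authority"]}
    if TYPE_NSEC in types or TYPE_NSEC3 in types:
        return "intact"
    if TYPE_RRSIG in types:
        return "denial-stripped"
    return "unsigned"


def probe(server, qname="amazon.com", qtype=TYPE_DS, timeout=2.0):
    """Ask the upstream cache directly (as `dig @192.168.254.2 +dnssec DS amazon.com` does)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype), (server, 53))
        reply, _ = s.recvfrom(4096)
    return classify_negative_response(reply)


def build_rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(qname, qtype, authority_rrs, rcode=0):
    """Constructed reply in the NOERROR/NODATA shape seen in the post, plus an OPT RR."""
    flags = 0x8180 | rcode  # QR, RD, RA
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, len(authority_rrs), 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + b"".join(authority_rrs) + opt


# Constructed RDATA: the checker only looks at RR types, so filler bytes stand in for signatures.
SOA_RR = build_rr("com", TYPE_SOA, 351, encode_name("a.gtld-servers.net")
                  + encode_name("nstld.verisign-grs.com")
                  + struct.pack("!IIIII", 1319700242, 1800, 900, 604800, 86400))
RRSIG_RR = build_rr("com", TYPE_RRSIG, 351, b"\x00" * 64)
NSEC3_RR = build_rr("hashedname.com", TYPE_NSEC3, 351, b"\x00" * 30)  # made-up owner name

STRIPPED_REPLY = build_response("amazon.com", TYPE_DS, [SOA_RR, RRSIG_RR])            # hotspot
INTACT_REPLY = build_response("amazon.com", TYPE_DS, [SOA_RR, RRSIG_RR, NSEC3_RR, RRSIG_RR])
```

`probe()` talks to the network and is the piece a trigger tool would call against each candidate cache alongside its existing positive-answer test; `classify_negative_response()` is the pure check and is what the constructed replies exercise. Because a positive answer for a signed name carries no NSEC/NSEC3, a test that only resolves signed names (the `www.afnic.fr` A query above) cannot see this failure mode, which is why the probe asks for something that must be denied.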