[DNSOP] Fwd: Why is ns.coccaregistry.org returning REFUSED to DNSKEY queries?

Mark Andrews <marka@isc.org> Wed, 21 August 2019 23:51 UTC

From: Mark Andrews <marka@isc.org>
Date: Thu, 22 Aug 2019 09:51:12 +1000
References: <4CB77A5E-2B63-4B7E-9B22-EA596C14B3BC@isc.org>
Cc: registry@nic.af, loyley.ngira@telekom.com.sb, royderitz.tati@telekom.com.sb, cctld@anc.tl, noc@cocca.org.nz
To: dnsop <dnsop@ietf.org>, dns-operations <dns-operations@dns-oarc.net>
Message-Id: <7C957602-0B99-4DBE-860C-7587A706732F@isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lMXYIeymCx7y9qSu0NZw-lSZvZ8>
Subject: [DNSOP] Fwd: Why is ns.coccaregistry.org returning REFUSED to DNSKEY queries?

ns.coccaregistry.org is serving 3 DNSSEC signed ccTLDs (AF, SB, TL) yet it is incapable of returning
DNSKEY records for those TLDs.  This will break DNSSEC validation for every lookup in those ccTLDs
if this server is the only one reachable by the DNS clients.  This has been going on since at least April 2019.

Mark

> Begin forwarded message:
> 
> From: Mark Andrews <marka@isc.org>
> Subject: Why is ns.coccaregistry.org returning REFUSED to DNSKEY queries?
> Date: 8 April 2019 at 2:16:28 pm AEST
> To: hostmaster@coccaregistry.org
> 
> Why is ns.coccaregistry.org returning REFUSED to DNSKEY queries?
> Also why is it echoing back EDNS options when returning REFUSED?
> Also why is AD=1 in the REFUSED response?
> Also why is AA=1 in the REFUSED response?
> 
> % dig dnskey af. @185.17.236.111
> 
> ; <<>> DiG 9.15.0-dev <<>> dnskey af. @185.17.236.111
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 16189
> ;; flags: qr aa rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: b1626ff99509b9bf (echoed)
> ;; QUESTION SECTION:
> ;af.				IN	DNSKEY
> 
> ;; Query time: 316 msec
> ;; SERVER: 185.17.236.111#53(185.17.236.111)
> ;; WHEN: Mon Apr 08 14:12:00 AEST 2019
> ;; MSG SIZE  rcvd: 43
> 
> %
> 
> af. @185.17.236.111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok,yes ednstcp=refused
> af. @2a03:dd40:3::111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok,yes ednstcp=refused
> kn. @185.17.236.111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=refused
> kn. @2a03:dd40:3::111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=refused
> ms. @185.17.236.111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=refused
> ms. @2a03:dd40:3::111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=refused
> sb. @185.17.236.111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok,yes ednstcp=refused
> sb. @2a03:dd40:3::111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok,yes ednstcp=refused
> tl. @185.17.236.111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok,yes ednstcp=refused
> tl. @2a03:dd40:3::111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok,yes ednstcp=refused
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
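The four points raised in the forwarded message (REFUSED to a DNSKEY query, EDNS options echoed back, AD=1 and AA=1 on the REFUSED reply) can be checked mechanically from the wire-format response. The script below is an added example; it is not code from the message, from ISC or from CoCCA. SAMPLE_REFUSED is a constructed reply rebuilt from the values in the dig output above (id 16189, flags qr aa rd ad, rcode REFUSED, one OPT RR with the 8-byte cookie b1626ff99509b9bf and no DO bit); its 43-byte length matches the MSG SIZE dig reported. The names build_query, parse_response, findings and check_server are this example's own.

```python
"""Flag an authoritative server that REFUSES DNSKEY queries (added example)."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
QTYPE_DNSKEY = 48
TYPE_OPT = 41
EDNS_COOKIE = 10                      # option code from RFC 7873
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_AD = 0x8000, 0x0400, 0x0100, 0x0020


def encode_name(name):
    """Owner name to uncompressed wire format ("af." -> b"\\x02af\\x00")."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_query(qname, qtype, txid, cookie=None, udp_size=4096):
    """Query with RD set and an OPT RR, optionally carrying a client COOKIE."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opts = b""
    if cookie:
        opts = struct.pack("!HH", EDNS_COOKIE, len(cookie)) + cookie
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, len(opts)) + opts
    return header + question + opt_rr


def _skip_name(msg, off):
    """Offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Header flags, rcode, answer count and EDNS options of a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    info = {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "aa": bool(flags & FLAG_AA), "ad": bool(flags & FLAG_AD),
            "answers": an, "edns_options": []}
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # qtype + qclass
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TYPE_OPT:                     # walk the option list
            o, end = off, off + rdlen
            while o + 4 <= end:
                code, olen = struct.unpack_from("!HH", msg, o)
                info["edns_options"].append((code, msg[o + 4:o + 4 + olen]))
                o += 4 + olen
        off += rdlen
    return info


def findings(info, sent_cookie=None):
    """The points raised in the message above, as a list of strings."""
    out = []
    if info["rcode"] == "REFUSED":
        out.append("REFUSED to DNSKEY query: validators cannot fetch the zone's keys")
        if info["aa"]:
            out.append("AA=1 set on a REFUSED response")
        if info["ad"]:
            out.append("AD=1 set on a REFUSED response")
        for code, data in info["edns_options"]:
            if code == EDNS_COOKIE and sent_cookie and data == sent_cookie:
                out.append("client COOKIE echoed back unchanged on REFUSED")
            else:
                out.append("EDNS option %d returned on REFUSED" % code)
    elif info["answers"] == 0:
        out.append("no DNSKEY records in answer section")
    return out


def check_server(server, zone, cookie=b"\x01" * 8, timeout=3.0):
    """Live UDP check of one server (not exercised offline); returns findings()."""
    txid = 16189
    query = build_query(zone, QTYPE_DNSKEY, txid, cookie)
    family, stype, proto, _, addr = socket.getaddrinfo(
        server, 53, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, stype, proto) as s:
        s.settimeout(timeout)
        s.sendto(query, addr)
        reply, _ = s.recvfrom(4096)
    info = parse_response(reply)
    if info["id"] != txid:
        raise ValueError("transaction id mismatch")
    return findings(info, cookie)


# Constructed from the dig output above: header, question af./DNSKEY/IN,
# OPT RR (udp 4096, no DO) carrying only the echoed 8-byte client cookie.
_COOKIE = bytes.fromhex("b1626ff99509b9bf")
SAMPLE_REFUSED = (
    struct.pack("!HHHHHH", 16189, FLAG_QR | FLAG_AA | FLAG_RD | FLAG_AD | 5, 1, 0, 0, 1)
    + encode_name("af.") + struct.pack("!HH", QTYPE_DNSKEY, 1)
    + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 12)
    + struct.pack("!HH", EDNS_COOKIE, 8) + _COOKIE
)

if __name__ == "__main__":
    for line in findings(parse_response(SAMPLE_REFUSED), _COOKIE):
        print(line)
```

Run against the constructed sample it reports all four points; pointed at a real server with check_server("185.17.236.111", "af.") it repeats the dig query from the message. dig's "(echoed)" annotation means the 8-byte client cookie came back unchanged with no server cookie appended, which is why the example compares the returned option against the cookie it sent.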