Re: [dns-operations] Broken A and J root responses

Fri, 26 Feb 2021 11:57:24 -0800 

I have confirmation that Verisign is on it.

On Fri, 2021-02-26 at 11:34 -0800, Brian Dickson wrote:
> This is of interest to both resolver operators and Verisign.
> 
> We have noticed broken responses to certain query types from some instances 
> of A and J.
> This was raised originally by David Kinzel, BTW, on the DNS-OARC Mattermost 
> channels.
> 
> We have seen queries for NSEC for both "jp" and "sl" return results that 
> could/would poison the root delegation NS set (and this was what David saw 
> that started the investigation).
> 
> See below for the query/response. Note the Authority section in particular.
> 
> Brian Dickson
> GoDaddy
> 
> dig +do +norec @a.root-servers.net nsec sl. +nsid
> 
> ; <<>> DiG 9.16.7 <<>> +do +norec @a.root-servers.net nsec sl. +nsid
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27231
> ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ; NSID: 6e 6e 6e 31 2d 73 66 6f 37 ("nnn1-sfo7")
> ;; QUESTION SECTION:
> ;sl.                          IN      NSEC
> 
> ;; ANSWER SECTION:
> sl.                   86400   IN      NSEC    sling. NS RRSIG NSEC
> sl.                   86400   IN      RRSIG   NSEC 8 1 86400 20210311170000 
> 20210226160000 42351 . 
> CQf3h+rHcoK2WSn7ItV8IQLb6yFFXSA+Lt86S58sm32u7QtTJsepap6r 
> LcREA16YEmr5N9U7ytPyqNZmH92q24XGAtB0bikn9iZXTuIDG6BztbLr 
> EqmDZ+lxutzmLDL2LOA9wcnk6TiKirxcId9j95Evy3gVNObAe94xvQIw 
> 5LLtjeyQqRvWM+SAg7aXOyugedYIJtxUBVg9P7AHlLU+Z5HSfXo8EeJ9 
> NgyrkVnNnJNyJ7n02qNiyCiNm0lrkglWTbEAt5iquR6KiLlKcrB6ml3c 
> ZSqfTBv108Ev+iuL3W80kWJEpkwomPRVlF+2R4yCZt38kA0Xc0VBp4FR hTlGYA==
> 
> ;; AUTHORITY SECTION:
> .                     172800  IN      NS      ns2.neoip.com.
> .                     172800  IN      NS      ns1.neoip.com.
> .                     518400  IN      RRSIG   NS 8 0 518400 20210311170000 
> 20210226160000 42351 . 
> WTZU7GHTyNZvGFvc+avXpUgu26QDWaywDOoS0Ac8FQnuVnwvIbYpdoew 
> jMJFmZ5b7rWdzlJ6NgwURxLX7/0EOSDYk3sTdnjK9RtQbVtEBCueiSF4 
> 3xkFNILgmiCYuoLQLHNpue/ORvEPMQUYif33KLoSgoX+qMLEqjrp14E0 
> qKmDCErjHkrV3uqRmvix5psxLSebhCz4WJeqPC3kIi6OcfGMQO5siI4L 
> gVNnw9Hmal7W9UJGokDbhcsnb51Q43rGlrfp6pBosiWYfJDys9YWg4jU 
> JUeShUFLH74SqavH+jQ0FsPoi5Vzbtfua3GUs0T67J2TpctlOjUBD3oz yX1g9g==
> 
> ;; ADDITIONAL SECTION:
> ns2.neoip.com.                172800  IN      A       64.202.189.47
> ns1.neoip.com.                172800  IN      A       45.83.41.38
> 
> ;; Query time: 21 msec
> ;; SERVER: 198.41.0.4#53(198.41.0.4)
> ;; WHEN: Fri Feb 26 11:12:15 PST 2021
> ;; MSG SIZE  rcvd: 719
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations


_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations

Reply via email to