[ Redirecting to dns-operations, I don't believe this is an IETF dnsop WG topic ]
On Mon, Mar 27, 2023 at 12:13:58PM -0400, [email protected] wrote:

> www.tn.gov. CNAME www.extglb.tn.gov.
> extglb.tn.gov. NS sdcgtm02.tn.gov.
> extglb.tn.gov. NS ndcgtm01.tn.gov.
> extglb.tn.gov. NS ndcgtm02.tn.gov.
> extglb.tn.gov. NS sdcgtm01.tn.gov.
> 7VIFF5QRM0PHTVOHKKJ31SMHH09RAE81.tn.gov. NSEC3 1 0 100 D317AC7ABABEF654
> 7VP1VJA5RP6KBKTVVS2IP1FCA30S4GF4 NS

[Above trace trimmed to the essential records]

    $ ldns-nsec3-hash -t 100 -s D317AC7ABABEF654 extglb.tn.gov.
    7viff5qrm0phtvohkkj31smhh09rae81.

- Does BIND still support 100 NSEC3 iterations?

The returned NSEC3 record is a proof of insecure delegation of
extglb.tn.gov. Given also:

    ndcgtm01.tn.gov. IN A 170.141.169.33
    ndcgtm02.tn.gov. IN A 170.141.169.34
    sdcgtm01.tn.gov. IN A 170.141.172.33
    sdcgtm02.tn.gov. IN A 170.141.172.34

we can check the server @170.141.167.222 queried in your PCAP and the
above:

    $ while read ip; do
        dig +norecur +dnssec +nocmd +nostats @$ip -t a www.extglb.tn.gov.
      done <<-EOF
    170.141.167.222
    170.141.169.33
    170.141.169.34
    170.141.172.33
    170.141.172.34
    EOF

That first address returns what would be a lame delegation, if it were
believed to be the right server for the zone.

    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57075
    ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 1232
    ; COOKIE: f94662e4382b07010100000064222094f3dcfcd52f692d24 (good)
    ;; QUESTION SECTION:
    ;www.extglb.tn.gov. IN A

    ;; AUTHORITY SECTION:
    extglb.tn.gov. 300 IN NS ndcgtm01.tn.gov.
    extglb.tn.gov. 300 IN NS sdcgtm01.tn.gov.
    extglb.tn.gov. 300 IN NS ndcgtm02.tn.gov.
    extglb.tn.gov. 300 IN NS sdcgtm02.tn.gov.
    7VIFF5QRM0PHTVOHKKJ31SMHH09RAE81.tn.gov. 600 IN NSEC3 1 0 100 D317AC7ABABEF654 7VP1VJA5RP6KBKTVVS2IP1FCA30S4GF4 NS
    7VIFF5QRM0PHTVOHKKJ31SMHH09RAE81.tn.gov. 600 IN RRSIG NSEC3 7 3 600 20230416173711 20230317173148 16643 tn.gov.
            ZxWY7y+RLEifC89LyPAtq0TQIPFuH0mrSbSCb3K44IJfqIwM8z7BuKb/
            aM7gtPmApI2zxw2XpKaN7AK+XtBXdHJ29IRJQgQTnatIc+v8rU/hws/g
            fW8C5uQkq0XOU/YAzUGjOmtNdnzSEQZVi9CCYSsw7AqhVlUYssvAMbXE
            M5I=

The queries for "_.extglb.tn.gov. IN A ?" in your PCAP are a novelty to
me. Are these some form of query minimisation, or some sort of sanity
check of the delegation? Sadly, the "tn.gov" nameserver just drops these
without responding, so their failure could well contribute to the
problems you observe.

The rest are fine, but your resolver never asks:

    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16420
    ;; flags: qr aa ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;www.extglb.tn.gov. IN A

    ;; ANSWER SECTION:
    www.extglb.tn.gov. 30 IN A 170.141.221.177
    --
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49212
    ;; flags: qr aa ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;www.extglb.tn.gov. IN A

    ;; ANSWER SECTION:
    www.extglb.tn.gov. 30 IN A 170.141.165.146
    --
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34806
    ;; flags: qr aa ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;www.extglb.tn.gov. IN A

    ;; ANSWER SECTION:
    www.extglb.tn.gov. 30 IN A 170.141.165.146
    --
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29916
    ;; flags: qr aa ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;www.extglb.tn.gov. IN A

    ;; ANSWER SECTION:
    www.extglb.tn.gov. 30 IN A 170.141.221.177
    --

-- 
Viktor.
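Added example, not part of Viktor's message: a Python implementation of the RFC 5155 NSEC3 hash that reproduces the ldns-nsec3-hash result above from the record's own parameters (100 iterations, salt D317AC7ABABEF654), plus a check that an NSEC3 whose owner matches the delegation name and whose type bitmap has NS but no DS proves the delegation insecure. The tuple layout used for NSEC3 records is a constructed convenience, not a library type; only the exact-match case is handled, not covering or opt-out proofs.

```python
import base64
import hashlib

# Standard base32 (RFC 4648 s.6) -> base32hex "Extended Hex" (RFC 4648 s.7),
# the alphabet NSEC3 owner labels are written in.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical (lowercased) wire-format owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1(x || salt), re-hashed `iterations` more times.
    A salt of "-" means the empty salt. Output is uppercase base32hex."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX)


def delegation_status(name: str, nsec3_records) -> str:
    """Classify the delegation of `name` from the parent zone's NSEC3 records.

    Each record is a constructed tuple (owner_label, flags, iterations,
    salt_hex, types) with `types` the type bitmap as a set of type names.
    Only the "matching NSEC3" case (hashed name == owner label) is decided;
    a closest-encloser / opt-out (flags & 1) proof is out of scope here.
    """
    for owner, flags, iterations, salt_hex, types in nsec3_records:
        if nsec3_hash(name, salt_hex, iterations) != owner.upper():
            continue
        if "DS" in types:
            return "secure"            # DS present: child is signed, keep validating
        if "NS" in types:
            return "insecure"          # NS without DS: proven unsigned delegation
        return "not-a-delegation"      # name exists in the parent but has no NS
    return "no-matching-nsec3"         # would need a covering proof, not shown


# The NSEC3 returned by the tn.gov servers above: flags 0, 100 iterations,
# salt D317AC7ABABEF654, type bitmap "NS" (constructed from that record).
TN_GOV_NSEC3 = [("7VIFF5QRM0PHTVOHKKJ31SMHH09RAE81", 0, 100,
                 "D317AC7ABABEF654", {"NS"})]

if __name__ == "__main__":
    print(nsec3_hash("extglb.tn.gov.", "D317AC7ABABEF654", 100))
    print(delegation_status("extglb.tn.gov.", TN_GOV_NSEC3))
```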
