On 9/17/18 10:46 AM, Stephane Bortzmeyer wrote: >> • NSEC3 proving non-existence of admin.ch/DS: No NSEC3 RR matches the >> SNAME (admin.ch). >> • NSEC3 proving non-existence of admin.ch/DS: No NSEC3 RR matches the >> SNAME (admin.ch). > > The real problem seems to be in .ch.
It indeed does look like h.nic.ch is currently serving invalid denial of existence proofs. Sep 17 10:54:12 [1] admin.ch: Resolved 'ch' NS h.nic.ch to: 2a03:bd80:36::1:203:230, 85.119.5.230 Sep 17 10:54:12 [1] admin.ch: Trying IP [2a03:bd80:36::1:203:230]:53, asking 'admin.ch|DS' Sep 17 10:54:12 [1] admin.ch: Got 7 answers from h.nic.ch (2a03:bd80:36::1:203:230), rcode=0 (No Error), aa=1, in 19ms Sep 17 10:54:12 [1] admin.ch: accept answer 'ch|SOA|a.nic.ch. dns-operation.switch.ch. 2018091710 900 600 1123200 900' from 'ch' nameservers? ttl=900, place=2 YES! Sep 17 10:54:12 [1] admin.ch: accept answer 'ch|RRSIG|SOA 8 1 900 20181017072134 20180917070659 43368 ch. lqiFlvlLzpfZiJtXq2lA7xMEBcDZ8JkBVDyW9eGOiDf50tlSAFf7lfPbNvk4Kr5oGvYEfykiFyNRPbVhB7Q7td2MFc24rDuHmWodO5dHu8CP8npjQFRDVhK16xwe52gi+HhaIBEs3UgoJAhHbw6fUT39eISVq7nKQ+Zbi9H79VmSvsrXIDJpwxXYRxEnG16yUPDEjALs72wjQUVPK1AFqA==' from 'ch' nameservers? ttl=900, place=2 RRSIG - separate Sep 17 10:54:12 [1] admin.ch: accept answer 'b3r86ai7q4714nt11g03efktr8e8uoqn.ch|NSEC3|1 1 2 563f2a03 B3RMRJ5UH7SCR184M2COCF3M5MATJUOU NS SOA RRSIG DNSKEY NSEC3PARAM' from 'ch' nameservers? ttl=900, place=2 YES! Sep 17 10:54:12 [1] admin.ch: accept answer 'b3r86ai7q4714nt11g03efktr8e8uoqn.ch|RRSIG|NSEC3 8 2 900 20181004034939 20180916113001 43368 ch. v+kKyz9cwB8I2FTuEsQ29QqEGCqRsLQPNUKsyqYaX6ehEN2QH0/x8+O/iwAEBuRRV1w1oFJyCUKgDyUEbbZWHJHOICcyJtcZvsbuv2Pk9ZM1IhzpVoDaP/ty5458dinB5cL7+aFWcNflUKJGxFnEXtjwtft3SlB2yY6mXtolDVwDFZVlVDPGhcYcSmPtPkf4SENr0Ys0Ols+dBVE5eIL2g==' from 'ch' nameservers? ttl=900, place=2 RRSIG - separate Sep 17 10:54:12 [1] admin.ch: accept answer 'n18tgf150r26u73788obf8kl1lddpdbm.ch|NSEC3|1 1 2 563f2a03 N19I6GLRO0S7IEK6ESINL5OJS1295DH4 NS DS RRSIG' from 'ch' nameservers? ttl=900, place=2 YES! Sep 17 10:54:12 [1] admin.ch: accept answer 'n18tgf150r26u73788obf8kl1lddpdbm.ch|RRSIG|NSEC3 8 2 900 20181008010305 20180916113001 43368 ch. n2mL4npemCPuXAgsz3fymS9x/hjVvD1HJc9ZLhF4KajHjjSxmRfL3Ba0WpnAh3is56n7qPtQrIpF2BrOxTj8A6hxWF7m8+TNBJqb/hc9XuLHu1F8mrwF59g/rdM0hKSHvW+9xB0wNIFEZwPtR8cG9WbdSJ/fJTe9T3dQE0eaRDsvcywS/Stu7OTAnEI+wsO7TSvFacuNgwXwUYQxDSv/Hw==' from 'ch' nameservers? ttl=900, place=2 RRSIG - separate Sep 17 10:54:12 [1] admin.ch: OPT answer '.' from 'ch' nameservers [...] Sep 17 10:54:12 [1] admin.ch: got negative caching indication for 'admin.ch|DS' Sep 17 10:54:12 Do have: n18tgf150r26u73788obf8kl1lddpdbm.ch/NSEC3 Sep 17 10:54:12 1 1 2 563f2a03 N19I6GLRO0S7IEK6ESINL5OJS1295DH4 NS DS RRSIG Sep 17 10:54:12 query hash: pqnb24ervdukiuq6j0ajbs6eeocm7v67 Sep 17 10:54:12 Do have: b3r86ai7q4714nt11g03efktr8e8uoqn.ch/NSEC3 Sep 17 10:54:12 1 1 2 563f2a03 B3RMRJ5UH7SCR184M2COCF3M5MATJUOU NS SOA RRSIG DNSKEY NSEC3PARAM Sep 17 10:54:12 query hash: pqnb24ervdukiuq6j0ajbs6eeocm7v67 Sep 17 10:54:12 Now looking for the closest encloser for admin.ch Sep 17 10:54:12 1 1 2 563f2a03 N19I6GLRO0S7IEK6ESINL5OJS1295DH4 NS DS RRSIG Sep 17 10:54:12 Comparing b3r86ai7q4714nt11g03efktr8e8uoqn (ch) against n18tgf150r26u73788obf8kl1lddpdbm Sep 17 10:54:12 1 1 2 563f2a03 B3RMRJ5UH7SCR184M2COCF3M5MATJUOU NS SOA RRSIG DNSKEY NSEC3PARAM Sep 17 10:54:12 Comparing b3r86ai7q4714nt11g03efktr8e8uoqn (ch) against b3r86ai7q4714nt11g03efktr8e8uoqn Sep 17 10:54:12 Closest encloser for admin.ch is ch Sep 17 10:54:12 Looking for a NSEC3 covering the next closer name admin.ch Sep 17 10:54:12 1 1 2 563f2a03 N19I6GLRO0S7IEK6ESINL5OJS1295DH4 NS DS RRSIG Sep 17 10:54:12 Comparing pqnb24ervdukiuq6j0ajbs6eeocm7v67 against n18tgf150r26u73788obf8kl1lddpdbm -> n19i6glro0s7iek6esinl5ojs1295dh4 Sep 17 10:54:12 Did not cover us (admin.ch), start=n18tgf150r26u73788obf8kl1lddpdbm.ch, us=pqnb24ervdukiuq6j0ajbs6eeocm7v67, end=n19i6glro0s7iek6esinl5ojs1295dh4 Sep 17 10:54:12 1 1 2 563f2a03 B3RMRJ5UH7SCR184M2COCF3M5MATJUOU NS SOA RRSIG DNSKEY NSEC3PARAM Sep 17 10:54:12 Comparing pqnb24ervdukiuq6j0ajbs6eeocm7v67 against b3r86ai7q4714nt11g03efktr8e8uoqn -> b3rmrj5uh7scr184m2cocf3m5matjuou Sep 17 10:54:12 Did not cover us (admin.ch), start=b3r86ai7q4714nt11g03efktr8e8uoqn.ch, us=pqnb24ervdukiuq6j0ajbs6eeocm7v67, end=b3rmrj5uh7scr184m2cocf3m5matjuou Best regards, -- Remi Gacogne PowerDNS.COM BV - https://www.powerdns.com/
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Pdns-users mailing list [email protected] https://mailman.powerdns.com/mailman/listinfo/pdns-users
