Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-05-01 Thread Mark Andrews


> On 1 May 2024, at 22:25, Walter H. via bind-users  
> wrote:
> 
> On 01.05.2024 01:33, Mark Andrews wrote:
>> 
>>> On 1 May 2024, at 03:32, Lee  wrote:
>>> 
>>> On Mon, Apr 29, 2024 at 11:40 PM Walter H. wrote:
>>>> On 29.04.2024 22:19, Lee wrote:
>>>>> On Sun, Apr 28, 2024 at 2:18 AM Walter H. via bind-users
>>>>>  wrote:
>>>>> 
>>>>> something that I replied to and got this in response:
>>>>> 
>>>>> Error Icon
>>>>>  Message blocked
>>>>> Your message to Walter.H@[..snip..] has been blocked. See technical
>>>>> details below for more information.
>>>>> 
>>>>> The response from the remote server was:
>>>>> 554 5.7.1 : Client host rejected: Use IPv4
>>>>> 
>>>>> 
>>>> For explanation: this is MY mail server, which blocks IPv6 connections from
>>>> 
>>>> Outlook.com
>>>> Gmail.com
>>>> ...
>>>> 
>>>> as these are the biggest SPAM senders
>>> Which is fine .. your server, your rules.
>>> But maybe what isn't so fine is me replying only to the list and still
>>> getting a 'rejected: Use IPv4' msg.  I don't know how the mailing list
>>> works; I'm a bit surprised that I can reply only to the list, get the
>>> Client host rejected msg and somehow you can still get the msg??
> 
> these are 2 pairs of shoes: mails from the list are not from Outlook.com or 
> Gmail.com
> 
> but if you put my mail address in "To: ", then it's from Gmail.com ;-)
> 
>> This is
>> what happens when you put something into the rejection rules which has zero
>> relationship to whether something is spam or ham.
> depends ...
>> I just find it interesting that someone using mx01.ipv6help.de as a MX would 
>> be
>> so interested in punishing IPv6 use.
> 
> you are mixing up 2 independent things ...
> 
> IPv6 clients aren't blocked at all, just Outlook.com, Gmail.com, ...
> 
> that is the difference; just for Outlook.com the following fact is true but 
> bullshit
> 
> # host -t MX outlook.com
> outlook.com mail is handled by 5 outlook-com.olc.protection.outlook.com.
> # host outlook-com.olc.protection.outlook.com
> outlook-com.olc.protection.outlook.com has address 52.101.8.47
> outlook-com.olc.protection.outlook.com has address 52.101.9.15
> outlook-com.olc.protection.outlook.com has address 52.101.40.30
> outlook-com.olc.protection.outlook.com has address 52.101.194.14
> #
> 
> as you see no IPv6 at all;
> 
> why then the need of accepting their SPAM on IPv6 transport?

Well, let's look at the sender that started this thread.

% dig mx gmail.com +short
40 alt4.gmail-smtp-in.l.google.com.
5 gmail-smtp-in.l.google.com.
30 alt3.gmail-smtp-in.l.google.com.
10 alt1.gmail-smtp-in.l.google.com.
20 alt2.gmail-smtp-in.l.google.com.
% dig  gmail-smtp-in.l.google.com +short
2404:6800:4003:c01::1b
%

% dig txt gmail.com +short
"globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8="
"v=spf1 redirect=_spf.google.com"
% dig txt _spf.google.com +short
"v=spf1 include:_netblocks.google.com include:_netblocks2.google.com 
include:_netblocks3.google.com ~all"
 dig txt _netblocks2.google.com +short
"v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 
ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"
% 

Which we verify then sign to say that we have verified the incoming email.  But 
for you email from @gmail.com over IPv6 is “proof” that it is spam and you send 
back a rejection which says to send it again over IPv4 when none of the senders 
has any control over the transport being used and no one is going to add 
special rules to force email to you to go over IPv4 when you advertise MX 
servers with  addresses.

Mark
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
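The point of the SPF records quoted above is that Google's IPv6 relays are explicitly authorised by the domain owner, so a receiver that evaluates SPF gets the same answer for both transports. The following Python check is an added example, not code from the thread or from ISC: it embeds a constructed copy of the `gmail.com`, `_spf.google.com` and `_netblocks2.google.com` TXT records shown above (the `_netblocks.google.com` and `_netblocks3.google.com` records are not on the page and are stubbed as non-matching placeholders), then evaluates the `ip4`, `ip6`, `include`, `redirect` and `all` mechanisms for a connecting address and reports which term decided the result.

```python
import ipaddress

# Constructed copy of the TXT records quoted in the thread, embedded so this
# runs offline. _netblocks.google.com and _netblocks3.google.com are not shown
# on the page and are stubbed here as records that match nothing (assumption).
TXT_RECORDS = {
    "gmail.com": "v=spf1 redirect=_spf.google.com",
    "_spf.google.com": ("v=spf1 include:_netblocks.google.com "
                        "include:_netblocks2.google.com "
                        "include:_netblocks3.google.com ~all"),
    "_netblocks2.google.com": ("v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 "
                               "ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 "
                               "ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"),
    "_netblocks.google.com": "v=spf1 ~all",   # placeholder, not the real record
    "_netblocks3.google.com": "v=spf1 ~all",  # placeholder, not the real record
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, txt=TXT_RECORDS, depth=0):
    """Evaluate the SPF policy of `domain` for a connecting address.

    Implements the mechanisms present in the records above (ip4, ip6,
    include, redirect, all); a, mx, ptr and exists are not implemented.
    Returns (result, decisive_term) where result is one of
    pass / fail / softfail / neutral / none / permerror.
    """
    if depth > 10:                 # bound the recursion (RFC 7208 caps lookups at 10)
        return "permerror", f"{domain} (too many nested lookups)"
    record = txt.get(domain)
    if record is None or record.split()[0].lower() != "v=spf1":
        return "none", f"{domain} (no SPF record)"
    addr = ipaddress.ip_address(sender_ip)
    redirect = None
    for raw in record.split()[1:]:
        qualifier, term = "+", raw
        if raw[0] in QUALIFIER:
            qualifier, term = raw[0], raw[1:]
        mech = term.lower()
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            # An IPv4 client never matches an ip6: term and vice versa.
            if addr.version == net.version and addr in net:
                return QUALIFIER[qualifier], f"{domain} {raw}"
        elif mech.startswith("include:"):
            result, where = spf_check(term[8:], sender_ip, txt, depth + 1)
            if result == "pass":   # include only matches on a nested pass
                return QUALIFIER[qualifier], where
        elif mech == "all":
            return QUALIFIER[qualifier], f"{domain} {raw}"
        elif mech.startswith("redirect="):
            redirect = term[9:]    # consulted only if no mechanism matched
    if redirect is not None:
        return spf_check(redirect, sender_ip, txt, depth + 1)
    return "neutral", f"{domain} (no matching mechanism)"


if __name__ == "__main__":
    # The gmail-smtp-in AAAA quoted in the thread: inside ip6:2404:6800:4000::/36
    print(spf_check("gmail.com", "2404:6800:4003:c01::1b"))
    # Constructed documentation-prefix addresses that no Google record lists
    print(spf_check("gmail.com", "2001:db8::1"))
    print(spf_check("gmail.com", "192.0.2.1"))
```

Run as a script it shows that the IPv6 relay address from the thread passes via `_netblocks2.google.com`, while addresses outside Google's published ranges end at `~all` regardless of address family; the transport itself never enters the decision.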



Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-05-01 Thread Walter H. via bind-users

On 01.05.2024 01:33, Mark Andrews wrote:



On 1 May 2024, at 03:32, Lee  wrote:

On Mon, Apr 29, 2024 at 11:40 PM Walter H. wrote:

On 29.04.2024 22:19, Lee wrote:

On Sun, Apr 28, 2024 at 2:18 AM Walter H. via bind-users
 wrote:

something that I replied to and got this in response:

Error Icon
  Message blocked
Your message to Walter.H@[..snip..] has been blocked. See technical
details below for more information.

The response from the remote server was:
554 5.7.1 : Client host rejected: Use IPv4



For explanation: this is MY mail server, which blocks IPv6 connections from

Outlook.com
Gmail.com
...

as these are the biggest SPAM senders

Which is fine .. your server, your rules.
But maybe what isn't so fine is me replying only to the list and still
getting a 'rejected: Use IPv4' msg.  I don't know how the mailing list
works; I'm a bit surprised that I can reply only to the list, get the
Client host rejected msg and somehow you can still get the msg??


these are 2 pairs of shoes: mails from the list are not from Outlook.com 
or Gmail.com


but if you put my mail address in "To: ", then it's from Gmail.com ;-)


This is
what happens when you put something into the rejection rules which has zero
relationship to whether something is spam or ham.

depends ...

I just find it interesting that someone using mx01.ipv6help.de as a MX would be
so interested in punishing IPv6 use.


you are mixing up 2 independent things ...

IPv6 clients aren't blocked at all, just Outlook.com, Gmail.com, ...

that is the difference; just for Outlook.com the following fact is true 
but bullshit


# host -t MX outlook.com
outlook.com mail is handled by 5 outlook-com.olc.protection.outlook.com.
# host outlook-com.olc.protection.outlook.com
outlook-com.olc.protection.outlook.com has address 52.101.8.47
outlook-com.olc.protection.outlook.com has address 52.101.9.15
outlook-com.olc.protection.outlook.com has address 52.101.40.30
outlook-com.olc.protection.outlook.com has address 52.101.194.14
#

as you see no IPv6 at all;

why then the need of accepting their SPAM on IPv6 transport?







Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-30 Thread Mark Andrews


> On 1 May 2024, at 03:32, Lee  wrote:
> 
> On Mon, Apr 29, 2024 at 11:40 PM Walter H. wrote:
>> 
>> On 29.04.2024 22:19, Lee wrote:
>>> On Sun, Apr 28, 2024 at 2:18 AM Walter H. via bind-users
>>>  wrote:
>>> 
>>> something that I replied to and got this in response:
>>> 
>>> Error Icon
>>>  Message blocked
>>> Your message to Walter.H@[..snip..] has been blocked. See technical
>>> details below for more information.
>>> 
>>> The response from the remote server was:
>>> 554 5.7.1 : Client host rejected: Use IPv4
>>> 
>>> 
>> For explanation: this is MY mail server, which blocks IPv6 connections from
>> 
>> Outlook.com
>> Gmail.com
>> ...
>> 
>> as these are the biggest SPAM senders
> 
> Which is fine .. your server, your rules.
> But maybe what isn't so fine is me replying only to the list and still
> getting a 'rejected: Use IPv4' msg.  I don't know how the mailing list
> works; I'm a bit surprised that I can reply only to the list, get the
> Client host rejected msg and somehow you can still get the msg??

Presumably ISC sent the list message over IPv6 to them and the rejection rules
kicked in.  ISC sends email over IPv6 and they accept email over IPv6.  This is
what happens when you put something into the rejection rules which has zero
relationship to whether something is spam or ham.

I just find it interesting that someone using mx01.ipv6help.de as a MX would be
so interested in punishing IPv6 use.

> Anyway.. best regards
> Lee


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-30 Thread Lee
On Tue, Apr 30, 2024 at 2:40 AM Mark Andrews wrote:
>
> And it has been fixed.

Yay!  No more error messages in the log because of them :-)

Thanks for your help
Lee


Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-30 Thread Lee
On Mon, Apr 29, 2024 at 11:40 PM Walter H. wrote:
>
> On 29.04.2024 22:19, Lee wrote:
> > On Sun, Apr 28, 2024 at 2:18 AM Walter H. via bind-users
> >  wrote:
> >
> > something that I replied to and got this in response:
> >
> > Error Icon
> >   Message blocked
> > Your message to Walter.H@[..snip..] has been blocked. See technical
> > details below for more information.
> >
> > The response from the remote server was:
> > 554 5.7.1 : Client host rejected: Use IPv4
> >
> >
> For explanation: this is MY mail server, which blocks IPv6 connections from
>
> Outlook.com
> Gmail.com
> ...
>
> as these are the biggest SPAM senders

Which is fine .. your server, your rules.
But maybe what isn't so fine is me replying only to the list and still
getting a 'rejected: Use IPv4' msg.  I don't know how the mailing list
works; I'm a bit surprised that I can reply only to the list, get the
Client host rejected msg and somehow you can still get the msg??

Anyway.. best regards
Lee


Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-30 Thread Mark Andrews
And it has been fixed.

% dig dnssec-analyzer.verisignlabs.com 
;; BADCOOKIE, retrying.

; <<>> DiG 9.19.24-dev <<>> dnssec-analyzer.verisignlabs.com 
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9048
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 9fcb48e259ddaedd010066308ef2d1dcce4f0e1ca7fe (good)
;; QUESTION SECTION:
;dnssec-analyzer.verisignlabs.com. IN 

;; ANSWER SECTION:
dnssec-analyzer.verisignlabs.com. 3600 IN CNAME 
dnssec-analyzer-verisignlabs.gslb.verisign.com.

;; AUTHORITY SECTION:
gslb.verisign.com. 60 IN SOA gslb.ilg1.verisign.com. 
hostmaster.gslb.ilg1.verisign.com. 2024041709 10800 3600 604800 60

;; Query time: 1155 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Tue Apr 30 16:25:54 AEST 2024
;; MSG SIZE  rcvd: 203

% 

> On 30 Apr 2024, at 06:55, Lee  wrote:
> 
> On Sun, Apr 28, 2024 at 7:56 PM Mark Andrews wrote:
>> 
>> It isn’t DNSSEC. It’s a badly configured DNS server that is claiming that it 
>> serves .com rather than dnssec-analyzer-gslb.verisignlabs.com which is 
>> actually delegated to it.
>> 
>> % dig dnssec-analyzer-gslb.verisignlabs.com  +trace +all
>> ;; BADCOOKIE, retrying.
>> 
>> ; <<>> DiG 9.19.24-dev <<>> dnssec-analyzer-gslb.verisignlabs.com  
>> +trace +all
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37498
>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27
>  <.. snip lots ..>
> 
>> ;; AUTHORITY SECTION:
>> com. 60 IN SOA this.name.is.invalid. hostmaster.this.name.is.invalid. 
>> 2023030710 10800 3600 604800 60
> 
> I did a search for "this.name.is.invalid" and the only results I got
> were for F5 support pages - eg.
>  The fix in BIG-IP DNS 14.1.0 introduces a new setting,
> wideip-zone-nameserver, which defaults the WideIP zone nameserver to
> this.name.is.invalid.
> 
> Wouldn't a badly configured F5 server be a better explanation?
> 
> Thanks
> Lee

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-30 Thread Mark Andrews


> On 30 Apr 2024, at 13:39, Walter H. via bind-users  
> wrote:
> 
> On 29.04.2024 22:19, Lee wrote:
>> On Sun, Apr 28, 2024 at 2:18 AM Walter H. via bind-users
>>  wrote:
>> 
>> something that I replied to and got this in response:
>> 
>> Error Icon
>>  Message blocked
>> Your message to Walter.H@[..snip..] has been blocked. See technical
>> details below for more information.
>> 
>> The response from the remote server was:
>> 554 5.7.1 : Client host rejected: Use IPv4
>> 
>> 
> For explanation: this is MY mail server, which blocks IPv6 connections from
> 
> Outlook.com
> Gmail.com
> ...
> 
> as these are the biggest SPAM senders

As far as I know they deliver email over both IPv4 and IPv6 (spam and ham)
independently of the transport.  The only thing that blocking one transport
like this does is cause email to be unreliable.  The sender has no control over
the transport protocol used.



-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-29 Thread Walter H. via bind-users

On 29.04.2024 22:19, Lee wrote:

On Sun, Apr 28, 2024 at 2:18 AM Walter H. via bind-users
 wrote:

something that I replied to and got this in response:

Error Icon
  Message blocked
Your message to Walter.H@[..snip..] has been blocked. See technical
details below for more information.

The response from the remote server was:
554 5.7.1 : Client host rejected: Use IPv4



For explanation: this is MY mail server, which blocks IPv6 connections from

Outlook.com
Gmail.com
...

as these are the biggest SPAM senders






Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-29 Thread Lee
On Mon, Apr 29, 2024 at 5:13 PM Mark Andrews wrote:
>
> I prefer to only name and shame when I’m 100% sure of the target.

I was only trying to understand why I was getting a SERVFAIL, there
was no intention to name & shame.

Regards,
Lee

"name & shame" was not my intent.
>
> --
> Mark Andrews
>
> > On 30 Apr 2024, at 06:56, Lee  wrote:
> >
> > On Sun, Apr 28, 2024 at 7:56 PM Mark Andrews wrote:
> >>
> >> It isn’t DNSSEC. It’s a badly configured DNS server that is claiming that 
> >> it serves .com rather than dnssec-analyzer-gslb.verisignlabs.com which is 
> >> actually delegated to it.
> >>
> >> % dig dnssec-analyzer-gslb.verisignlabs.com  +trace +all
> >> ;; BADCOOKIE, retrying.
> >>
> >> ; <<>> DiG 9.19.24-dev <<>> dnssec-analyzer-gslb.verisignlabs.com  
> >> +trace +all
> >> ;; global options: +cmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37498
> >> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27
> >  <.. snip lots ..>
> >
> >> ;; AUTHORITY SECTION:
> >> com. 60 IN SOA this.name.is.invalid. hostmaster.this.name.is.invalid. 
> >> 2023030710 10800 3600 604800 60
> >
> > I did a search for "this.name.is.invalid" and the only results I got
> > were for F5 support pages - eg.
> >  The fix in BIG-IP DNS 14.1.0 introduces a new setting,
> > wideip-zone-nameserver, which defaults the WideIP zone nameserver to
> > this.name.is.invalid.
> >
> > Wouldn't a badly configured F5 server be a better explanation?
> >
> > Thanks
> > Lee
>


Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-29 Thread Mark Andrews
I prefer to only name and shame when I’m 100% sure of the target. 

-- 
Mark Andrews

> On 30 Apr 2024, at 06:56, Lee  wrote:
> 
> On Sun, Apr 28, 2024 at 7:56 PM Mark Andrews wrote:
>> 
>> It isn’t DNSSEC. It’s a badly configured DNS server that is claiming that it 
>> serves .com rather than dnssec-analyzer-gslb.verisignlabs.com which is 
>> actually delegated to it.
>> 
>> % dig dnssec-analyzer-gslb.verisignlabs.com  +trace +all
>> ;; BADCOOKIE, retrying.
>> 
>> ; <<>> DiG 9.19.24-dev <<>> dnssec-analyzer-gslb.verisignlabs.com  
>> +trace +all
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37498
>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27
>  <.. snip lots ..>
> 
>> ;; AUTHORITY SECTION:
>> com. 60 IN SOA this.name.is.invalid. hostmaster.this.name.is.invalid. 
>> 2023030710 10800 3600 604800 60
> 
> I did a search for "this.name.is.invalid" and the only results I got
> were for F5 support pages - eg.
>  The fix in BIG-IP DNS 14.1.0 introduces a new setting,
> wideip-zone-nameserver, which defaults the WideIP zone nameserver to
> this.name.is.invalid.
> 
> Wouldn't a badly configured F5 server be a better explanation?
> 
> Thanks
> Lee



Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-29 Thread Lee
On Sun, Apr 28, 2024 at 7:56 PM Mark Andrews wrote:
>
> It isn’t DNSSEC. It’s a badly configured DNS server that is claiming that it 
> serves .com rather than dnssec-analyzer-gslb.verisignlabs.com which is 
> actually delegated to it.
>
> % dig dnssec-analyzer-gslb.verisignlabs.com  +trace +all
> ;; BADCOOKIE, retrying.
>
> ; <<>> DiG 9.19.24-dev <<>> dnssec-analyzer-gslb.verisignlabs.com  +trace 
> +all
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37498
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27
  <.. snip lots ..>

> ;; AUTHORITY SECTION:
> com. 60 IN SOA this.name.is.invalid. hostmaster.this.name.is.invalid. 
> 2023030710 10800 3600 604800 60

I did a search for "this.name.is.invalid" and the only results I got
were for F5 support pages - eg.
  The fix in BIG-IP DNS 14.1.0 introduces a new setting,
wideip-zone-nameserver, which defaults the WideIP zone nameserver to
this.name.is.invalid.

Wouldn't a badly configured F5 server be a better explanation?

Thanks
Lee


Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-29 Thread Mark Andrews
And the SMTP server doesn’t need to listen on IPv6 if it isn’t going to accept 
messages over that transport. Talk about a way to DoS yourself. 

-- 
Mark Andrews

> On 30 Apr 2024, at 06:19, Lee  wrote:
> 
> On Sun, Apr 28, 2024 at 2:18 AM Walter H. via bind-users
>  wrote:
> 
> something that I replied to and got this in response:
> 
> Error Icon
> Message blocked
> Your message to Walter.H@[..snip..] has been blocked. See technical
> details below for more information.
> 
> The response from the remote server was:
> 554 5.7.1 : Client host rejected: Use IPv4
> 
> 
> 
> Which is strangely appropriate when trying to troubleshoot an issue
> that applies only to IPv6.
> But I've forgotten how to turn off IPv6 :(



Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-29 Thread Lee
On Sun, Apr 28, 2024 at 2:18 AM Walter H. via bind-users
 wrote:

something that I replied to and got this in response:

Error Icon
 Message blocked
Your message to Walter.H@[..snip..] has been blocked. See technical
details below for more information.

The response from the remote server was:
554 5.7.1 : Client host rejected: Use IPv4



Which is strangely appropriate when trying to troubleshoot an issue
that applies only to IPv6.
But I've forgotten how to turn off IPv6 :(


Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-29 Thread Lee
On Sun, Apr 28, 2024 at 2:18 AM Walter H. wrote:
>
> On 27.04.2024 16:54, Lee wrote:
> > On Sat, Apr 27, 2024 at 9:50 AM Walter H. via bind-users
> >  wrote:
> >> # host dnssec-analyzer.verisignlabs.com
> >> dnssec-analyzer.verisignlabs.com is an alias for
> >> dnssec-analyzer-gslb.verisignlabs.com.
> >> dnssec-analyzer-gslb.verisignlabs.com has address 209.131.158.42
> >>
> > Right, the IPv4 address lookup works.  Now try looking up the IPv6 address.
>
> if there was one it would be presented there

 Try this:

$ dig www.github.com 

; <<>> DiG 9.16.48-Debian <<>> www.github.com 
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45964
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
; COOKIE: 6e0635047fb42cbf0100662ff80b95c1aaed2c48a54b (good)
;; QUESTION SECTION:
;www.github.com.IN  

;; ANSWER SECTION:
www.github.com. 3600IN  CNAME   github.com.

;; AUTHORITY SECTION:
github.com. 3600IN  SOA dns1.p08.nsone.net.
hostmaster.nsone.net. 1656468023 43200 7200 1209600 3600


The query status is NOERROR.  Compare that to

$ dig dnssec-analyzer-gslb.verisignlabs.com 

; <<>> DiG 9.16.48-Debian <<>> dnssec-analyzer-gslb.verisignlabs.com 
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18045
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
; COOKIE: 8dca27caaec9a4740100662ff8ad9cc9bff9bf779d54 (good)
;; QUESTION SECTION:
;dnssec-analyzer-gslb.verisignlabs.com. IN 

where the query status is SERVFAIL.

OK.. noerr vs. servfail doesn't make all that much difference to me,
but I *would* like to understand why looking up the IPv6 address for
that name gives me an error.
I'm still operating under the (increasingly looking like it's
delusional) assumption that I should be able to understand this stuff.

> this can't be a matter of DNSSEC, as there are only signed whole zones
> and not just single DNS-records ...

I dunno.  I've seen some weird stuff with servers on AWS not resolving
IPv6 addresses but having a CNAME pointing outside the zone.
Which I don't understand, but at least it doesn't return an error so I
just chalked it up to them deciding that supporting IPv6 was too much
of a pain.

Regards,
Lee


Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-28 Thread Mark Andrews
It isn’t DNSSEC. It’s a badly configured DNS server that is claiming that it 
serves .com rather than dnssec-analyzer-gslb.verisignlabs.com which is actually 
delegated to it.

% dig dnssec-analyzer-gslb.verisignlabs.com  +trace +all
;; BADCOOKIE, retrying.

; <<>> DiG 9.19.24-dev <<>> dnssec-analyzer-gslb.verisignlabs.com  +trace 
+all
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37498
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: c5e52f94b77c61ce0100662edf9c4fed996a259c1d43 (good)
;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 277488 IN NS f.root-servers.net.
. 277488 IN NS d.root-servers.net.
. 277488 IN NS l.root-servers.net.
. 277488 IN NS k.root-servers.net.
. 277488 IN NS a.root-servers.net.
. 277488 IN NS e.root-servers.net.
. 277488 IN NS j.root-servers.net.
. 277488 IN NS h.root-servers.net.
. 277488 IN NS g.root-servers.net.
. 277488 IN NS m.root-servers.net.
. 277488 IN NS c.root-servers.net.
. 277488 IN NS i.root-servers.net.
. 277488 IN NS b.root-servers.net.
. 277488 IN RRSIG NS 8 0 518400 2024050821 2024042520 5613 . 
YeVEKbhLW5fUll0QPjIjDWfKbmrnJ/paeh/H86oG17GPeoFRWkecq+iM 
8kjxy28AHg7cElZ3w8Lq0GND+DJUCYItS6cOHdQ07XdEFCPAoXMnVQe2 
sBwd5nRu8tjH/I6NOn43DtfGkNMxzoHZf/64UeWeMFF8tjlD3y9Y+TQ1 
UjBU0kzpsYXkl+QYHsNJ1nABDH3gdlTqpCmtrVA1UUgDjC/12KLSIiQH 
ykSABJZbHnOsDc7OaRH25QLZadE6zrUwP1xiEZuDfe4xuoz2z5WSBQbv 
6JjCGVpm1WDILRra64v4BpO0kVUYE5fvJgAOV2cJwJwhM4gpcBNlMvG7 e3+WFA==

;; ADDITIONAL SECTION:
i.root-servers.net. 172568 IN  2001:7fe::53
d.root-servers.net. 172568 IN  2001:500:2d::d
h.root-servers.net. 172568 IN  2001:500:1::53
j.root-servers.net. 172568 IN  2001:503:c27::2:30
c.root-servers.net. 172568 IN  2001:500:2::c
e.root-servers.net. 172568 IN  2001:500:a8::e
g.root-servers.net. 172568 IN  2001:500:12::d0d
l.root-servers.net. 172568 IN  2001:500:9f::42
m.root-servers.net. 172568 IN  2001:dc3::35
k.root-servers.net. 172568 IN  2001:7fd::1
a.root-servers.net. 172568 IN  2001:503:ba3e::2:30
f.root-servers.net. 172568 IN  2001:500:2f::f
b.root-servers.net. 172568 IN  2801:1b8:10::b
i.root-servers.net. 172568 IN A 192.36.148.17
d.root-servers.net. 172568 IN A 199.7.91.13
h.root-servers.net. 172568 IN A 198.97.190.53
j.root-servers.net. 172568 IN A 192.58.128.30
c.root-servers.net. 172568 IN A 192.33.4.12
e.root-servers.net. 172568 IN A 192.203.230.10
g.root-servers.net. 172568 IN A 192.112.36.4
l.root-servers.net. 172568 IN A 199.7.83.42
m.root-servers.net. 172568 IN A 202.12.27.33
k.root-servers.net. 172568 IN A 193.0.14.129
a.root-servers.net. 172568 IN A 198.41.0.4
f.root-servers.net. 172568 IN A 192.5.5.241
b.root-servers.net. 172568 IN A 170.247.170.2

;; Query time: 0 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Mon Apr 29 09:45:32 AEST 2024
;; MSG SIZE  rcvd: 1125

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65435
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dnssec-analyzer-gslb.verisignlabs.com. IN 

;; AUTHORITY SECTION:
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 86400 IN DS 19718 13 2 
8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
com. 86400 IN RRSIG DS 8 1 86400 2024051117 2024042816 5613 . 
LVYx+2et07A9D8yQEvJfEZuAwwa8jIkmPueaMjyyO4lw0IHMYuQMGTMi 
FGReNSmz9AjHkr6w6c+Xk/mIBM7busd6QppQvtHCwTuVywVZQA1FZUAw 
nKpmp85aFsQyFQRKAIbbdRT1r1MTf7AOzRoi7d1mRsuKbAvzTAMfaXzB 
sfI9dL6Hsl7vdGBYrkAWJ1XawlVaJJ+DPPqISBaI5dTboKH3FGV5Kdyd 
5Pxf/6JGMm4JF4ojARGutPotyz9cE2GrDDHQEg2nsH0WE5WM6SpsRz4B 
gyoDolcj2Kg+AA/1xDeh8vspAe0mmf1RPHQ0XJ7Z1TkiSQOINWdgK2J0 f0SrYA==

;; ADDITIONAL SECTION:
m.gtld-servers.net. 172800 IN A 192.55.83.30
l.gtld-servers.net. 172800 IN A 192.41.162.30
k.gtld-servers.net. 172800 IN A 192.52.178.30
j.gtld-servers.net. 172800 IN A 192.48.79.30
i.gtld-servers.net. 172800 IN A 192.43.172.30
h.gtld-servers.net. 172800 IN A 192.54.112.30
g.gtld-servers.net. 172800 IN A 192.42.93.30
f.gtld-servers.net. 172800 IN A 192.35.51.30
e.gtld-servers.net. 172800 IN A 192.12.94.30
d.gtld-servers.net. 172800 IN A 192.31.80.30
c.gtld-servers.net. 172800 IN A 192.26.92.30
b.gtld-servers.net. 172800 IN A 192.33.14.30
a.gtld-servers.net. 172800 IN A 192.5.6.30
m.gtld-servers.net. 172800 IN  2001:501:b1f9::30
l.gtld-servers.net. 172800 IN  2001:500:d937::30
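The symptom Mark describes is visible in the AUTHORITY section of the answer: the server that was delegated `dnssec-analyzer-gslb.verisignlabs.com` answers a negative response whose SOA is for `com.`, a zone above its delegation. The following Python check is an added example, not code from the thread, from ISC or from BIND: it takes dig-style AUTHORITY lines (the `com.` SOA quoted in this thread, plus two constructed samples) and classifies the answer by whether the SOA owner is inside the delegated zone, is an ancestor of it, or is unrelated. The delegated zone name and the `example.invalid` / `example.net` sample data are assumptions made for the example.

```python
# Constructed sample inputs. The first is the AUTHORITY section quoted in this
# thread; the other two are made up here to show the contrasting cases.
DELEGATED_ZONE = "dnssec-analyzer-gslb.verisignlabs.com."

AUTHORITY_CLAIMS_COM = [
    "com. 60 IN SOA this.name.is.invalid. hostmaster.this.name.is.invalid. "
    "2023030710 10800 3600 604800 60",
]
AUTHORITY_CORRECT = [   # constructed: an SOA for the zone the server actually holds
    "dnssec-analyzer-gslb.verisignlabs.com. 60 IN SOA ns.example.invalid. "
    "hostmaster.example.invalid. 2024010101 10800 3600 604800 60",
]
AUTHORITY_FOREIGN = [   # constructed: an SOA for a zone that is neither the delegation nor its parent
    "example.net. 60 IN SOA ns.example.net. hostmaster.example.net. 1 10800 3600 604800 60",
]


def canon(name):
    """Normalise an owner name for comparison: lower-case, no trailing dot."""
    return name.rstrip(".").lower()


def is_within(name, zone):
    """True if `name` equals `zone` or lies below it (the root zone contains everything)."""
    name, zone = canon(name), canon(zone)
    return zone == "" or name == zone or name.endswith("." + zone)


def soa_owner(authority_lines):
    """Return the owner name of the SOA in a dig-style AUTHORITY section, or None."""
    for line in authority_lines:
        fields = line.split()
        if len(fields) >= 4 and fields[2].upper() == "IN" and fields[3].upper() == "SOA":
            return fields[0]
    return None


def classify_negative_answer(delegated_zone, authority_lines):
    """Classify a negative answer by the zone its SOA record claims.

    in-zone:          the SOA is for the delegated zone (or a zone below it)
    claims-ancestor:  the SOA is for a parent zone the server was never delegated;
                      a resolver doing bailiwick checks will not accept it, which
                      is consistent with the SERVFAIL seen in this thread
    foreign:          the SOA names an unrelated zone
    no-soa:           no SOA at all, so the negative answer cannot be cached
    """
    owner = soa_owner(authority_lines)
    if owner is None:
        return "no-soa"
    if is_within(owner, delegated_zone):
        return "in-zone"
    if is_within(delegated_zone, owner):
        return "claims-ancestor"
    return "foreign"


if __name__ == "__main__":
    for label, section in [("thread", AUTHORITY_CLAIMS_COM),
                           ("correct", AUTHORITY_CORRECT),
                           ("foreign", AUTHORITY_FOREIGN)]:
        print(f"{label:8s} -> {classify_negative_answer(DELEGATED_ZONE, section)}")
```

Feeding it the lines Mark pasted yields `claims-ancestor`, which is the configuration error under discussion; a correctly configured authoritative server for the delegation returns `in-zone`.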

Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-28 Thread Walter H. via bind-users

Try these four

fail01.dnssec.works
fail02.dnssec.works
fail03.dnssec.works
fail04.dnssec.works

and then with +cd and note the difference;

On 28.04.2024 08:17, Walter H. via bind-users wrote:

On 27.04.2024 16:54, Lee wrote:

On Sat, Apr 27, 2024 at 9:50 AM Walter H. via bind-users wrote:

# host dnssec-analyzer.verisignlabs.com
dnssec-analyzer.verisignlabs.com is an alias for
dnssec-analyzer-gslb.verisignlabs.com.
dnssec-analyzer-gslb.verisignlabs.com has address 209.131.158.42

Right, the IPv4 address lookup works.  Now try looking up the IPv6 address.


if there was one it would be presented there

see here for full answer

# host one.one.one.one
one.one.one.one has address 1.1.1.1
one.one.one.one has address 1.0.0.1
one.one.one.one has IPv6 address 2606:4700:4700::1001
one.one.one.one has IPv6 address 2606:4700:4700::1111



I get a status: SERVFAIL instead of a status: NOERROR

$ dig dnssec-analyzer.verisignlabs.com AAAA

; <<>> DiG 9.16.48-Debian <<>> dnssec-analyzer.verisignlabs.com AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60491
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

Lee


this can't be a matter of DNSSEC, as only whole zones are signed, not just single DNS records ...

if it were a problem with just this DNS zone, why would there only be problems getting the IPv6?

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-28 Thread Walter H. via bind-users

On 27.04.2024 16:54, Lee wrote:

On Sat, Apr 27, 2024 at 9:50 AM Walter H. via bind-users wrote:

# host dnssec-analyzer.verisignlabs.com
dnssec-analyzer.verisignlabs.com is an alias for
dnssec-analyzer-gslb.verisignlabs.com.
dnssec-analyzer-gslb.verisignlabs.com has address 209.131.158.42


Right, the IPv4 address lookup works.  Now try looking up the IPv6 address.


if there was one it would be presented there

see here for full answer

# host one.one.one.one
one.one.one.one has address 1.1.1.1
one.one.one.one has address 1.0.0.1
one.one.one.one has IPv6 address 2606:4700:4700::1001
one.one.one.one has IPv6 address 2606:4700:4700::1111



I get a status: SERVFAIL instead of a status: NOERROR

$ dig dnssec-analyzer.verisignlabs.com AAAA

; <<>> DiG 9.16.48-Debian <<>> dnssec-analyzer.verisignlabs.com AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60491
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

Lee


this can't be a matter of DNSSEC, as only whole zones are signed, not just single DNS records ...

if it were a problem with just this DNS zone, why would there only be problems getting the IPv6?



Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-27 Thread Lee
On Sat, Apr 27, 2024 at 9:50 AM Walter H. via bind-users wrote:
>
> # host dnssec-analyzer.verisignlabs.com
> dnssec-analyzer.verisignlabs.com is an alias for
> dnssec-analyzer-gslb.verisignlabs.com.
> dnssec-analyzer-gslb.verisignlabs.com has address 209.131.158.42
>

Right, the IPv4 address lookup works.  Now try looking up the IPv6 address.

I get a status: SERVFAIL instead of a status: NOERROR

$ dig dnssec-analyzer.verisignlabs.com AAAA

; <<>> DiG 9.16.48-Debian <<>> dnssec-analyzer.verisignlabs.com AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60491
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

Lee


Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-27 Thread Walter H. via bind-users

# host dnssec-analyzer.verisignlabs.com
dnssec-analyzer.verisignlabs.com is an alias for dnssec-analyzer-gslb.verisignlabs.com.
dnssec-analyzer-gslb.verisignlabs.com has address 209.131.158.42


On 27.04.2024 01:35, Lee wrote:

dig dnssec-analyzer.verisignlabs.com AAAA

gives me a SERVFAIL & this in the bind errors_log file:

$ grep dnssec-analyzer.verisignlabs.com named-errors.log | tail -1
26-Apr-2024 19:28:37.600 query-errors: info: client @0x7f384488e3c0 127.0.0.1#47121 (dnssec-analyzer.verisignlabs.com): query failed (failure) for dnssec-analyzer.verisignlabs.com/IN/AAAA at query.c:7471


Is that because of the insecure delegation shown at
   https://dnsviz.net/d/dnssec-analyzer.verisignlabs.com/dnssec/
and me having "dnssec-validation auto;" in named.conf?

Thanks
Lee

(still struggling to understand this stuff)








dnssec-analyzer.verisignlabs.com aaaa lookup fail

2024-04-26 Thread Lee
dig dnssec-analyzer.verisignlabs.com AAAA

gives me a SERVFAIL & this in the bind errors_log file:

$ grep dnssec-analyzer.verisignlabs.com named-errors.log | tail -1
26-Apr-2024 19:28:37.600 query-errors: info: client @0x7f384488e3c0 127.0.0.1#47121 (dnssec-analyzer.verisignlabs.com): query failed (failure) for dnssec-analyzer.verisignlabs.com/IN/AAAA at query.c:7471


Is that because of the insecure delegation shown at
  https://dnsviz.net/d/dnssec-analyzer.verisignlabs.com/dnssec/
and me having "dnssec-validation auto;" in named.conf?

Thanks
Lee

(still struggling to understand this stuff)
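Added example, not code from this thread, from ISC or from BIND: a small POSIX shell helper that turns the diagnostic Walter suggests further up (query once normally, once with +cd, and compare the status) into a repeatable check, and that pulls the owner name and RR type to re-query out of a named query-errors log line like the one in Lee's original question. The function names, the classification labels and the two sample dig headers are constructed for the example; the log line is the one Lee posted.

```shell
#!/bin/sh
# Added example, not code from the bind-users thread or from BIND itself.
# Turns the "query normally, then with +cd, compare" diagnostic into a
# repeatable check. Function names and the sample dig outputs are constructed.

# A query-errors line as logged by named (taken from Lee's message).
LOG_LINE='26-Apr-2024 19:28:37.600 query-errors: info: client @0x7f384488e3c0 127.0.0.1#47121 (dnssec-analyzer.verisignlabs.com): query failed (failure) for dnssec-analyzer.verisignlabs.com/IN/AAAA at query.c:7471'

# Constructed dig header lines standing in for a live run: the plain query
# SERVFAILs, the same query with +cd (checking disabled) gets an answer.
SAMPLE_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60491
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'

# parse_query_error LOGLINE -> "owner-name rrtype"
# Extracts what to re-query from the ".../IN/TYPE at query.c:NNNN" part.
parse_query_error() {
    printf '%s\n' "$1" |
        sed -n 's|.* for \([^/]*\)/IN/\([A-Z0-9]*\) at .*|\1 \2|p'
}

# dig_status DIGOUTPUT -> the rcode from the ";; ->>HEADER<<-" line
dig_status() {
    printf '%s\n' "$1" | sed -n 's|.*status: \([A-Z]*\),.*|\1|p' | head -n 1
}

# classify PLAINOUTPUT CDOUTPUT -> one of three labels
#   validation-failure : SERVFAIL normally, answer with +cd (DNSSEC problem)
#   resolution-failure : SERVFAIL both ways (upstream/reachability problem)
#   ok                 : the plain query already succeeds
classify() {
    plain=$(dig_status "$1")
    with_cd=$(dig_status "$2")
    if [ "$plain" = "SERVFAIL" ] && [ "$with_cd" = "NOERROR" ]; then
        echo validation-failure
    elif [ "$plain" = "SERVFAIL" ]; then
        echo resolution-failure
    else
        echo ok
    fi
}

# probe NAME [TYPE] -> classification from two live dig runs against the
# system resolver; falls back to the constructed samples when dig is absent
# so the script still runs offline.
probe() {
    name=$1
    type=${2:-AAAA}
    if command -v dig >/dev/null 2>&1; then
        classify "$(dig +time=3 +tries=1 "$name" "$type")" \
                 "$(dig +cd +time=3 +tries=1 "$name" "$type")"
    else
        classify "$SAMPLE_PLAIN" "$SAMPLE_CD"
    fi
}

# Demo on the embedded data (no network needed).
query=$(parse_query_error "$LOG_LINE")
echo "query that failed: $query"
echo "classification of sample outputs: $(classify "$SAMPLE_PLAIN" "$SAMPLE_CD")"
```

Sourcing the file and calling probe with the name and type taken from the log line runs both dig queries against the system resolver. If the plain query SERVFAILs but the +cd query answers, the resolver did reach the authoritative servers and validation is what failed; if both fail, the problem lies upstream of validation. +cd only switches checking off for that one query, so it is a diagnostic and not a fix; to see which link of the chain of trust broke, BIND's delv can be pointed at the same resolver with the same name and type.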