Re: [dns-operations] DNSSEC problem at one.com
> From: Stephane Bortzmeyer bortzme...@nic.fr
>
> Does anyone have more technical and factual information about this problem? Error in .SE, in one.com or in Telia?
> http://www.one.com/en/info/profile
> [snip]

Does anyone know what they mean by this sentence in their update posted April 29, 2013 1:36 PM CET?

> However, we have become aware of an error in a particular version of the DNS-software BIND, which we know is being used by several ISPs in Sweden like TeliaSonera, Telenor, Tele2, Bredbandsbolaget and Bredband2.

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
Re: [dns-operations] DNSSEC problem at one.com
On Apr 29, 2013, at 3:16 PM, wbr...@e1b.org wrote:

>> From: Stephane Bortzmeyer bortzme...@nic.fr
>>
>> Does anyone have more technical and factual information about this problem? Error in .SE, in one.com or in Telia?
>> http://www.one.com/en/info/profile
>> [snip]
>
> Does anyone know what they mean by this sentence in their update posted April 29, 2013 1:36 PM CET?
>
>> However, we have become aware of an error in a particular version of the DNS-software BIND, which we know is being used by several ISPs in Sweden like TeliaSonera, Telenor, Tele2, Bredbandsbolaget and Bredband2.

Short update from .se: One.com has begun to sign all of their .se domains. However, they discovered that some resolver operators in Sweden (most of them do DNSSEC validation) had problems with some of their customer domains. Since then, they have asked some of them to flush their caches, and in the meantime they have also halted their signing process for a while, keeping the already signed domains for the time being.

Most problems still come from PowerDNS. They do PowerDNS with signing on all of their name servers. We have previously seen problems with PowerDNS in combination with BIND resolvers, since PowerDNS with DNSSEC sometimes takes a long time to answer due to signing. This causes EDNS0 blacklisting in BIND. I am not sure that this is the issue this time.

One.com are still investigating the issue, and are also applying the latest patches for the software.
Re: [dns-operations] DNSSEC problem at one.com
On Apr 29, 2013, at 3:58 PM, bert hubert wrote:

> On Mon, Apr 29, 2013 at 03:31:18PM +0200, Patrik Wallström wrote:
>
>> Most problems still come from PowerDNS. They do PowerDNS with signing on all of their name servers. We have previously seen problems with PowerDNS in combination with BIND resolvers, since PowerDNS with DNSSEC sometimes takes a long time to answer due to signing. This causes EDNS0 blacklisting in BIND. I am not sure that this is the issue this time.
>
> Hi Patrik,
>
> Half of your analysis matches our experiences. The real issue is not that the signing is slow, but that we mess up some answers which BIND interprets as a timeout (correctly so), and then does the EDNS blacklisting (which is more difficult). This issue has been investigated since late 2012, but it has only recently become clear which queries are causing the problems.
>
> Note that even with a patched PowerDNS, intermittent timeouts will cause such problems. Brief network interruptions might have prolonged effects this way.

Thanks for the clarification Bert. Since the registry is only an administrative middleman between the name servers of the signed domains and the resolver operators, we do not see the traffic or have any other insight into the authoritative name servers and the resolvers. This makes it hard for us to make any proper evaluation of the cause of these kinds of errors. So thank you for your effort in debugging these problems.
Re: [dns-operations] DNSSEC problem at one.com
On Mon, Apr 29, 2013 at 04:26:12PM +0200, Patrik Wallström wrote:

> and the resolvers. This makes it hard for us to make any proper evaluation of the cause of these kinds of errors. So thank you for your effort in debugging these problems.

For completeness, Jimmy Bergman (Sigint), Daniel Norman (Loopia), Shane Kerr (ISC) and Cathy Almond (ISC) did a lot of the work, so thanks!

Bert
Re: [dns-operations] EDNS0 fallback in the era of DNSSEC
Paul Hoffman writes:

> Retrying queries without EDNS0 seems sensible before deployment of DNSSEC. Is that still the case now that DNSSEC is more widely deployed?

Yes, just not in this case. We definitely still see broken setups where the no-EDNS0 fallback is necessary to get an answer.

I agree with Bert in that if a domain indicates it needs DNSSEC, then the resolver shouldn't send itself down a path where it can't get the answers it needs.
Re: [dns-operations] EDNS0 fallback in the era of DNSSEC
On Mon, Apr 29, 2013 at 07:30:38AM -0700, Paul Hoffman wrote:

> Retrying queries without EDNS0 seems sensible before deployment of DNSSEC. Is that still the case now that DNSSEC is more widely deployed?

Yes. The world still needs *a lot* of EDNS downgrading. But not once you've seen a DS as it makes zero sense.

Bert
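The fallback rule argued in this thread, as an added toy model (not code from BIND, PowerDNS or any of the posters): a constructed authoritative server drops a few EDNS0 queries, and a constructed resolver either downgrades to plain DNS after a timeout (classic behaviour) or refuses to downgrade once the parent has shown a DS for the zone. The `FlakyAuth` and `resolve()` names, the 192.0.2.1 address and the RRSIG placeholders are all assumptions made for the example.

```python
# Added example: models the EDNS0 downgrade decision discussed in this thread.
# Not code from BIND, PowerDNS or any poster; FlakyAuth and resolve() are
# constructed stand-ins for an authoritative server and a validating resolver.
from dataclasses import dataclass, field


@dataclass
class Answer:
    """Constructed DNS answer: the RRset plus any RRSIGs returned with it."""
    rrset: list
    rrsigs: list = field(default_factory=list)


class FlakyAuth:
    """Constructed authoritative server. EDNS0/DO queries get RRSIGs, but the
    first `drop_edns` of them go unanswered (the intermittent timeouts that
    trigger BIND's EDNS blacklisting). Plain queries are always answered,
    but without EDNS0 there is no DO bit, so no RRSIGs come back."""

    def __init__(self, drop_edns):
        self.drop_edns = drop_edns

    def query(self, name, edns):
        if not edns:
            return Answer([f"{name} A 192.0.2.1"])
        if self.drop_edns > 0:
            self.drop_edns -= 1
            return None  # timeout
        return Answer([f"{name} A 192.0.2.1"], [f"{name} RRSIG A (constructed)"])


def resolve(auth, name, has_ds, ds_aware=True, retries=3):
    """Return (validation status, attempts used).

    Classic behaviour (ds_aware=False): after a timeout, retry without EDNS0.
    Bert's rule (ds_aware=True): once the parent has shown a DS for the zone,
    never drop EDNS0, since answers without RRSIGs can only validate as bogus.
    """
    edns = True
    for attempt in range(1, retries + 1):
        ans = auth.query(name, edns)
        if ans is None:
            if not (ds_aware and has_ds):
                edns = False  # the EDNS0 downgrade path
            continue
        if not has_ds:
            return "insecure", attempt  # unsigned zone, RRSIGs not expected
        return ("secure" if ans.rrsigs else "bogus"), attempt
    return "servfail", retries
```

With one dropped EDNS0 query the classic resolver ends up with an unsigned answer for a signed zone (bogus), while the DS-aware one retries with EDNS0 and validates; for an unsigned zone the downgrade still rescues the lookup.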
Re: [dns-operations] DNS Issue
On Apr 26, 2013, at 8:24, Cihan SUBASI (GARANTI TEKNOLOJI) wrote:

> Hi,
>
> Also can someone explain why tcp53 should be allowed on the firewalls if DNS is behind a firewall?

In addition to other already posted reasons, TCP isn't susceptible to reflection attacks. (FWIW.)

> And why do auditors not like tcp53 open to the public?

Can't read their minds, but, well, the auditor has at least been misinformed on how DNS works.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar
You can leave a voice message at +1-571-434-5468

There are no answers - just tradeoffs, decisions, and responses.