Re: [dns-operations] ENT NXDOMAIN problem at .BS nameserver ns36.cdns.net

2022-09-22 Thread Matt Nordhoff via dns-operations
On Thu, Sep 22, 2022 at 9:17 AM Warren Kumari wrote:
> [ - bs ]
>
> There is a very similar issue with 'production.cloudflare.docker.com'
> (https://dnsviz.net/d/production.cloudflare.docker.com/dnssec/):
>
> A query for production.cloudflare.docker.com results in a NOERROR response, 
> while a query for its ancestor, cloudflare.docker.com, returns a name error 
> (NXDOMAIN), which indicates that subdomains of cloudflare.docker.com, 
> including production.cloudflare.docker.com, don't exist.
>
> This broke my ability to use docker for a while — I'd enabled strict qname 
> minimization as a test, and then needed to update some containers in an 
> emergency. It took a while to debug the issues…
>
> W

That's Amazon Route 53 for you. There were at least 2 threads about
ENTs on the old AWS forum (one started by yours truly) before they got
rid of it.

IIRC, they were reluctant to fix it because they were concerned that
changing (correcting) ENT wildcard behavior would break things for
some of their users.

At least one AWS team has deployed the other "fix", a pointless TXT record:

$ dig elb.amazonaws.com txt

(In signed responses, Route 53 uses NSEC black lies. ENTs are handled
appropriately.)
-- 
Matt Nordhoff

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
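
The failure mode discussed in this thread, as an added example that is not part of any poster's message: a simplified offline model of a resolver walk showing why an empty non-terminal answered with NXDOMAIN only hurts resolvers that use strict qname minimisation, plus a check that flags the inconsistency. The function names and the response table are hypothetical and constructed; the model ignores delegation and caching, and the rcodes for `com` and `docker.com` are assumed.

```python
"""Added example: offline model of the ENT NXDOMAIN failure (constructed data)."""
NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"

# Constructed table mirroring the rcodes reported in the thread; the entries
# for "com" and "docker.com" are assumed.
OBSERVED = {
    "com": NOERROR,
    "docker.com": NOERROR,
    "cloudflare.docker.com": NXDOMAIN,  # empty non-terminal answered as name error
    "production.cloudflare.docker.com": NOERROR,
}

def ancestors(qname):
    """Return qname's suffixes from the TLD down to the full name."""
    labels = qname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]

def resolve(qname, rcodes, minimise):
    """Return (rcode, names_asked) for a simplified resolver walk.

    minimise=True adds one label per query and stops at the first NXDOMAIN
    with no fallback to the full name (strict qname minimisation).
    minimise=False sends only the full name. Names missing from the table
    are treated as NXDOMAIN.
    """
    steps = ancestors(qname) if minimise else ancestors(qname)[-1:]
    asked = []
    for name in steps:
        asked.append(name)
        if rcodes.get(name, NXDOMAIN) == NXDOMAIN:
            return NXDOMAIN, asked
    return NOERROR, asked

def ent_nxdomain_conflicts(rcodes):
    """List (ancestor, descendant) pairs where the ancestor answers NXDOMAIN
    although a name beneath it answers NOERROR."""
    conflicts = []
    for name, rcode in rcodes.items():
        if rcode == NOERROR:
            for anc in ancestors(name)[:-1]:
                if rcodes.get(anc) == NXDOMAIN:
                    conflicts.append((anc, name))
    return sorted(conflicts)

if __name__ == "__main__":
    target = "production.cloudflare.docker.com"
    print(resolve(target, OBSERVED, minimise=False))
    print(resolve(target, OBSERVED, minimise=True))
    print(ent_nxdomain_conflicts(OBSERVED))
```

To run the conflict check against a live zone, fill the table from the `status:` field of `dig` responses for each ancestor of the name under test.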


Re: [dns-operations] ENT NXDOMAIN problem at .BS nameserver ns36.cdns.net

2022-09-22 Thread Warren Kumari
[ - bs ]

There is a very similar issue with 'production.cloudflare.docker.com'
(https://dnsviz.net/d/production.cloudflare.docker.com/dnssec/):

A query for production.cloudflare.docker.com results in a NOERROR response,
while a query for its ancestor, cloudflare.docker.com, returns a name error
(NXDOMAIN), which indicates that subdomains of cloudflare.docker.com,
including production.cloudflare.docker.com, don't exist.

This broke my ability to use docker for a while — I'd enabled strict qname
minimization as a test, and then needed to update some containers in an
emergency. It took a while to debug the issues…

W


On Wed, Sep 21, 2022 at 8:33 AM, Viktor Dukhovni wrote:

> The .COM.BS is an empty non-terminal with various child
> domains registered beneath. The "ns36.cdns.net" nameserver for .BS
> responds with NXDOMAIN to "com.bs" qname-minimised queries.
>
> This in turn can and does sometimes lead to NXDOMAIN inference for the
> child domains.
>
> This nameserver needs to be withdrawn and fixed before it is returned to
> service.
>
> 2001:678:4::24 ns36.cdns.net
> 194.0.1.36 ns36.cdns.net
>
> Example responses:
>
> @194.0.1.36
>
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3297
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;com.bs. IN SOA
>
> ;; AUTHORITY SECTION:
> bs. SOA dns.nic.bs. bsadmin.cob.edu.bs. 2022092000 3600 900 1814400 9000
>
> @2001:678:4::24
>
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39616
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;com.bs. IN SOA
>
> ;; AUTHORITY SECTION:
> bs. SOA dns.nic.bs. bsadmin.cob.edu.bs. 2022092000 3600 900 1814400 9000
>
> --
> Viktor.