Re: [dns-operations] ENT NXDOMAIN problem at .BS nameserver ns36.cdns.net

2022-09-27 Thread Mark Andrews



> On 28 Sep 2022, at 06:04, Viktor Dukhovni  wrote:
> 
> On Tue, Sep 27, 2022 at 09:45:26PM +0200, Stephane Bortzmeyer wrote:
> 
>> This specific problem disappeared but there are other funny things in
>> the zone. For instance, the three authoritative name servers for .bs
>> claim that com.bs has three name servers, but they are the same.
>> 
>> % dig @anyns.dns.bs. SOA com.bs  
>> 
>> ; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> @anyns.dns.bs. SOA com.bs
>> ; (2 servers found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32202
>> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
>> ;; WARNING: recursion requested but not available
>> 
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ; COOKIE: b6dd75980a42dca4e88a412663335275aec889b7585d3e59 (good)
>> ;; QUESTION SECTION:
>> ;com.bs. IN SOA
>> 
>> ;; AUTHORITY SECTION:
>> COM.bs.  21600 IN NS anyns.dns.bs.
>> COM.bs.  21600 IN NS ns36.cdns.net.
>> COM.bs.  21600 IN NS anyns.pch.net.
> 
> More precisely, this is a lame-delegation.  The authoritative
> nameservers of "com.bs" are replying to an SOA query for com.bs with a
> referral to themselves.  Fortunately, this seems to only affect the
> zone apex

Which breaks resolvers using QNAME minimisation using NS queries which
is really the only way to do QNAME minimisation properly.

> queries for delegated subdomains are answered correctly:
> 
>$ dig +norecur +nocmd +nocl +nottl @ns36.cdns.net -t ns mckinney.com.bs
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56722
>;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> 
>;; OPT PSEUDOSECTION:
>; EDNS: version: 0, flags:; udp: 4096
>;; QUESTION SECTION:
>;mckinney.com.bs.   IN NS
> 
>;; AUTHORITY SECTION:
>mckinney.com.bs.  NS  ns.sworth.net.
>mckinney.com.bs.  NS  ns1.sworth.net.
>mckinney.com.bs.  NS  ns2.sworth.net.
>mckinney.com.bs.  NS  ns3.sworth.net.
> 
>;; Query time: 146 msec
>;; SERVER: 2001:678:4::24#53(2001:678:4::24)
>;; WHEN: Tue Sep 27 20:00:24 UTC 2022
>;; MSG SIZE  rcvd: 155
> 
> But this is still an odd configuration.  There are NS records for
> ".com.bs" in the parent pointing to its own nameservers, but no
> zone cut, ...  This is wrong.
> 
> To ensure that ".com.bs" is not an empty-non-terminal, instead of "NS",
> the parent should have added "TXT", or "RP" records...
> 
> -- 
>Viktor.
> ___
> dns-operations mailing list
> dns-operations@lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: [dns-operations] ENT NXDOMAIN problem at .BS nameserver ns36.cdns.net

2022-09-27 Thread Viktor Dukhovni
On Tue, Sep 27, 2022 at 09:45:26PM +0200, Stephane Bortzmeyer wrote:

> This specific problem disappeared but there are other funny things in
> the zone. For instance, the three authoritative name servers for .bs
> claim that com.bs has three name servers, but they are the same.
> 
> % dig @anyns.dns.bs. SOA com.bs  
> 
> ; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> @anyns.dns.bs. SOA com.bs
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32202
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ; COOKIE: b6dd75980a42dca4e88a412663335275aec889b7585d3e59 (good)
> ;; QUESTION SECTION:
> ;com.bs.  IN SOA
> 
> ;; AUTHORITY SECTION:
> COM.bs.   21600 IN NS anyns.dns.bs.
> COM.bs.   21600 IN NS ns36.cdns.net.
> COM.bs.   21600 IN NS anyns.pch.net.

More precisely, this is a lame-delegation.  The authoritative
nameservers of "com.bs" are replying to an SOA query for com.bs with a
referral to themselves.  Fortunately, this seems to only affect the
zone apex; queries for delegated subdomains are answered correctly:

$ dig +norecur +nocmd +nocl +nottl @ns36.cdns.net -t ns mckinney.com.bs
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56722
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mckinney.com.bs.   IN NS

;; AUTHORITY SECTION:
mckinney.com.bs.  NS  ns.sworth.net.
mckinney.com.bs.  NS  ns1.sworth.net.
mckinney.com.bs.  NS  ns2.sworth.net.
mckinney.com.bs.  NS  ns3.sworth.net.

;; Query time: 146 msec
;; SERVER: 2001:678:4::24#53(2001:678:4::24)
;; WHEN: Tue Sep 27 20:00:24 UTC 2022
;; MSG SIZE  rcvd: 155

But this is still an odd configuration.  There are NS records for
".com.bs" in the parent pointing to its own nameservers, but no
zone cut, ...  This is wrong.

To ensure that ".com.bs" is not an empty-non-terminal, instead of "NS",
the parent should have added "TXT", or "RP" records...

-- 
Viktor.
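
Added example, not part of any poster's message: a Python classifier for the three response shapes discussed in this thread (NXDOMAIN for an empty non-terminal, a referral a server hands out to itself, and an ordinary referral). The function names, result labels and the `known_names` parameter are assumptions of this example; the two samples are abridged from the dig output quoted in the thread.

```python
import re

def norm(name):
    return name.lower().rstrip(".") + "."

def parse_dig(text):
    """Return (status, flags, qname, AUTHORITY records); TTL and class are dropped."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = re.search(r"flags:([^;]*);", text).group(1).split()
    qname, authority, section = None, [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith(";;"):
            section = line.split()[1] if line.endswith("SECTION:") else None
        elif section == "QUESTION" and line.startswith(";"):
            qname = norm(line[1:].split()[0])
        elif section == "AUTHORITY" and line:
            f = [x for x in line.split() if not x.isdigit() and x != "IN"]
            authority.append((norm(f[0]), f[1], norm(f[2])))
    return status, flags, qname, authority

def classify(text, server, known_names=()):
    status, flags, qname, authority = parse_dig(text)
    cut = {owner for owner, rtype, _ in authority if rtype == "NS"}
    ns = {rdata for _, rtype, rdata in authority if rtype == "NS"}
    if status == "NXDOMAIN":
        # RFC 8020: NXDOMAIN denies everything below qname, which is wrong for an ENT.
        below = any(norm(n).endswith("." + qname) for n in known_names)
        return "ENT-NXDOMAIN" if below else "NXDOMAIN"
    if "aa" not in flags and ns:
        # Referral; "self" when the answering server is in the NS set it hands out.
        return "SELF-REFERRAL" if qname in cut and norm(server) in ns else "REFERRAL"
    if "aa" in flags and any(rtype == "SOA" for _, rtype, _ in authority):
        return "NODATA"
    return "OTHER"

# Abridged from the dig output quoted in this thread.
NS36_COM_BS = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3297
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;com.bs. IN SOA
;; AUTHORITY SECTION:
bs. SOA dns.nic.bs. bsadmin.cob.edu.bs. 2022092000 3600 900 1814400 9000"""
ANYNS_COM_BS = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32202
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; QUESTION SECTION:
;com.bs. IN SOA
;; AUTHORITY SECTION:
COM.bs. 21600 IN NS anyns.dns.bs.
COM.bs. 21600 IN NS ns36.cdns.net.
COM.bs. 21600 IN NS anyns.pch.net."""
```

`classify(NS36_COM_BS, "ns36.cdns.net", ["mckinney.com.bs"])` flags the NXDOMAIN as wrong because a name is known to exist below `com.bs`; `classify(ANYNS_COM_BS, "anyns.dns.bs.")` reports the self-referral.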


Re: [dns-operations] ENT NXDOMAIN problem at .BS nameserver ns36.cdns.net

2022-09-27 Thread Stephane Bortzmeyer
On Tue, Sep 27, 2022 at 02:20:11PM +,
 BS Domain Administrator  wrote 
 a message of 229 lines which said:

> Please test again and let us know if the problem still occurs.

This specific problem disappeared but there are other funny things in
the zone. For instance, the three authoritative name servers for .bs
claim that com.bs has three name servers, but they are the same.

% dig @anyns.dns.bs. SOA com.bs  

; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> @anyns.dns.bs. SOA com.bs
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32202
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: b6dd75980a42dca4e88a412663335275aec889b7585d3e59 (good)
;; QUESTION SECTION:
;com.bs.  IN SOA

;; AUTHORITY SECTION:
COM.bs. 21600 IN NS anyns.dns.bs.
COM.bs. 21600 IN NS ns36.cdns.net.
COM.bs. 21600 IN NS anyns.pch.net.

;; Query time: 16 msec
;; SERVER: 2001:500:14:6068:ad::1#53(anyns.dns.bs.) (UDP)
;; WHEN: Tue Sep 27 21:43:49 CEST 2022
;; MSG SIZE  rcvd: 147


Re: [dns-operations] [Ext] Re: ENT NXDOMAIN problem at .BS nameserver ns36.cdns.net

2022-09-27 Thread Edward Lewis
I think there is still something broken.

Using edu.bs, which seems to be working, the name ub.edu.bs can be resolved.  
If one queries for the SOA at edu.bs, the negative answer is the right answer – 
showing the SOA record owned by bs.

Asking for the SOA for com.bs., the responses I see, from all three servers for 
bs., have an authority section pointing towards the NS set for com.bs.  This 
makes little sense as, if there is no SOA record for com.bs, it can’t have an 
NS set.

It’s hard to tell remotely, but, you probably want to set up com.bs just like 
edu.bs.  But that’s not very reliable advice, based on not knowing the full 
intentions nor the contents of the zone file.

From: dns-operations  on behalf of BS 
Domain Administrator 
Date: Tuesday, September 27, 2022 at 2:32 PM
To: "dns-operati...@dns-oarc.net" 
Subject: [Ext] Re: [dns-operations] ENT NXDOMAIN problem at .BS nameserver 
ns36.cdns.net

Thank you for your email.
Please test again and let us know if the problem still occurs.

Best regards,

BSNIC
Office of Information Technology
University of The Bahamas
University Drive
PO Box N4912
Nassau, NP
The Bahamas
www.register.bs

From: Viktor Dukhovni 
Sent: Tuesday, September 20, 2022 8:33 PM
To: dns-operati...@dns-oarc.net 
Cc: BS Domain Technical Contact ; BS Domain Administrator 

Subject: ENT NXDOMAIN problem at .BS nameserver ns36.cdns.net

The .COM.BS is an empty non-terminal with various child domains
registered beneath.  The "ns36.cdns.net" nameserver for .BS responds
with NXDOMAIN to "com.bs" qname-minimised queries.

This in turn can and does sometimes lead to NXDOMAIN inference for the
child domains.

This nameserver needs to be withdrawn and fixed before it is returned to
service.

2001:678:4::24  ns36.cdns.net
194.0.1.36      ns36.cdns.net

Example responses:

@194.0.1.36

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3297
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;com.bs.  IN SOA

;; AUTHORITY SECTION:
bs.  SOA  dns.nic.bs. bsadmin.cob.edu.bs. 2022092000 3600 900 1814400 9000

@2001:678:4::24

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39616
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;com.bs.  IN SOA

;; AUTHORITY SECTION:
bs.  SOA  dns.nic.bs. bsadmin.cob.edu.bs. 2022092000 3600 900 1814400 9000

--
Viktor.


Re: [dns-operations] ENT NXDOMAIN problem at .BS nameserver ns36.cdns.net

2022-09-27 Thread BS Domain Administrator
Thank you for your email.
Please test again and let us know if the problem still occurs.

Best regards,

BSNIC
Office of Information Technology
University of The Bahamas
University Drive
PO Box N4912
Nassau, NP
The Bahamas
www.register.bs

From: Viktor Dukhovni 
Sent: Tuesday, September 20, 2022 8:33 PM
To: dns-operati...@dns-oarc.net 
Cc: BS Domain Technical Contact ; BS Domain Administrator 

Subject: ENT NXDOMAIN problem at .BS nameserver ns36.cdns.net

The .COM.BS is an empty non-terminal with various child domains
registered beneath.  The "ns36.cdns.net" nameserver for .BS responds
with NXDOMAIN to "com.bs" qname-minimised queries.

This in turn can and does sometimes lead to NXDOMAIN inference for the
child domains.

This nameserver needs to be withdrawn and fixed before it is returned to
service.

2001:678:4::24  ns36.cdns.net
194.0.1.36      ns36.cdns.net

Example responses:

@194.0.1.36

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3297
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;com.bs.  IN SOA

;; AUTHORITY SECTION:
bs.  SOA  dns.nic.bs. bsadmin.cob.edu.bs. 2022092000 3600 900 1814400 9000

@2001:678:4::24

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39616
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;com.bs.  IN SOA

;; AUTHORITY SECTION:
bs.  SOA  dns.nic.bs. bsadmin.cob.edu.bs. 2022092000 3600 900 1814400 9000

--
Viktor.


[dns-operations] REMINDER: Soliciting presentation proposals for ICANN DNS Symposium 2022

2022-09-27 Thread Matt Larson
Dear colleagues,

We are still soliciting presentation proposals for the ICANN DNS Symposium (IDS 
2022), which will be held on 15-16 November 2022 in Brussels, Belgium. IDS 2022 
will be co-located with the first ever IANA Community Day on 17 November 2022. 
The call for presentations is open until 14 October 2022. Thank you to everyone 
who has already submitted a presentation proposal.

The theme for IDS 2022 is “Examining the effects of both centralization and 
diversification in the DNS”.

There has been a move toward centralization in the Domain Name System (DNS): 
the devices of more than 20% of Internet users are configured to use public 
resolvers, according to some studies; a small set of registry service providers 
are responsible for a large set of top-level domains; an attack against a 
single service provider’s infrastructure can affect a large percentage of 
Internet users. At the same time, there are more public resolver services and 
more top-level domains than ever. This prompts the question, “Is the DNS overly 
centralized or adequately diversified?” ICANN invites speakers to present 
topics on centralization and diversification in the DNS. Presentations could 
include measurements and fact-based predictions, discussions about risk 
mitigation and scalability in relation to either greater or lesser 
centralization, greater or lesser diversity, or both.

If you are interested to present, please send a one-paragraph description of 
your proposed topic to ids-propos...@icann.org 
by 14 October 2022. We will publish a preliminary agenda by 1 November 2022.

IANA Community Day is a half-day workshop focused on key technical evolution 
projects within IANA relating to the DNS. Topics will include a discussion of 
how to perform a DNSSEC algorithm rollover for the DNS root zone, and reviewing 
and updating the TLD technical requirements for root zone changes. TLD 
managers, DNS experts, and other interested parties are encouraged to attend.

For more information on both IDS and IANA Community Day, including schedule, 
venue and registration information, please visit https://www.icann.org/ids.

Thank you and we hope to see you there!

Matt Larson
VP of Research
ICANN Office of the CTO

