Re: [dns-operations] [Solved] (not just) Quad9 denial of existence for _25._tcp.mx1.p01.antagonist.nl IN TLSA

2019-11-28 Thread Martijn Reening via dns-operations
--- Begin Message ---
In the first message I forgot to mention that I work for Antagonist.
Thank you for investigating this issue further. We have updated the glue
for this domain accordingly.

Several months ago we moved ns3.antagonist.de to a different server.
Unfortunately, we overlooked the glue records for this domain. They were
only updated for ns1.antagonist.nl.

The old glue record pointed to the old nameserver that was still
running, but only served stale data. This server did not have the _tcp
ENT, because the _25._tcp TLSA record did not exist. The updated
nameserver should serve the same fresh data as ns1 and ns2.

Again, thank you for investigating this issue.

On 28/11/2019 03:55, Viktor Dukhovni wrote:
> Root cause found, the antagonist.nl domain has 3 listed nameservers:
> 
> ns1.antagonist.nl.
> ns2.antagonist.net.
> ns3.antagonist.de.
> 
> but the IP address returned by the actual antagonist.de zone:
> 
> ns3.antagonist.de. IN A 139.162.173.192
> 
> differs from the glue record returned from the .DE zone:
> 
> ns3.antagonist.de. IN A 66.228.42.134
> 
> And it is this 66.228.42.134 (returned in the .DE glue) nameserver that is
> serving freshly signed denial of existence for _tcp.mx1.p01.antagonist.nl.
> 

-- 
Kind regards,
With kind regards,

Martijn Reening
Systems and Network Engineer
--- End Message ---
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
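The root cause in the message above is a classic one: the glue for ns3.antagonist.de held by the .DE zone disagreed with the A record served by the antagonist.de zone itself, so resolvers that trusted the glue kept reaching a stale server. That disagreement is easy to catch with a routine comparison. The following Python is an added example, not code from the thread or from Antagonist. Its two inputs are constructed dig-style answer text: the ns3.antagonist.de addresses are the ones quoted in the thread, while the ns.example lines use documentation addresses and are made up to show the matching case. The dig invocations in the comments show how the real inputs would be collected.

```python
import re

# Constructed sample inputs in `dig +noall +answer` form.
# Real-world collection (hostnames and server choice are up to the operator):
#   parent glue:  dig +norecurse +noall +additional @<a .de TLD server> ns3.antagonist.de A
#   child data:   dig +noall +answer @<an antagonist.de authoritative server> ns3.antagonist.de A
PARENT_GLUE = """\
ns3.antagonist.de.      172800  IN  A     66.228.42.134
ns.example.             172800  IN  A     192.0.2.53
ns.example.             172800  IN  AAAA  2001:db8::53
"""
CHILD_AUTHORITATIVE = """\
ns3.antagonist.de.      3600    IN  A     139.162.173.192
ns.example.             3600    IN  A     192.0.2.53
ns.example.             3600    IN  AAAA  2001:db8::53
"""

# owner [ttl] [IN] A|AAAA address  -- ttl and class are optional so that
# +noall +answer and hand-pasted records both parse.
_RR = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|AAAA)\s+(\S+)\s*$")


def parse_address_records(text):
    """Map each owner name (lowercased) to the set of A/AAAA addresses in dig answer lines."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # skip blanks and dig comments
            continue
        m = _RR.match(line)
        if m:
            found.setdefault(m.group(1).lower(), set()).add(m.group(3).lower())
    return found


def compare_glue(parent_text, child_text):
    """Compare parent-zone glue with the child zone's authoritative addresses, host by host.

    Status values: "ok" (identical address sets), "MISMATCH" (both present but different),
    "no-glue" (child has the name but the parent holds no glue for it) and
    "no-authoritative" (parent glue exists for a name the child zone does not serve)."""
    glue = parse_address_records(parent_text)
    auth = parse_address_records(child_text)
    report = []
    for host in sorted(set(glue) | set(auth)):
        g, a = glue.get(host, set()), auth.get(host, set())
        if not g:
            status = "no-glue"
        elif not a:
            status = "no-authoritative"
        elif g == a:
            status = "ok"
        else:
            status = "MISMATCH"
        report.append({"host": host, "glue": sorted(g),
                       "authoritative": sorted(a), "status": status})
    return report


def mismatches(parent_text, child_text):
    """Only the hosts that need attention, for use in a monitoring check."""
    return [r for r in compare_glue(parent_text, child_text) if r["status"] != "ok"]


if __name__ == "__main__":
    for row in compare_glue(PARENT_GLUE, CHILD_AUTHORITATIVE):
        print(f'{row["status"]:17} {row["host"]:24} glue={row["glue"]} auth={row["authoritative"]}')
```

Running the comparison for every NS of a domain after any nameserver move, and again periodically, would have flagged ns3.antagonist.de as a MISMATCH months before a resolver happened to pick the stale glue address.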


Re: [dns-operations] Quad9 denial of existence for _25._tcp.mx1.p01.antagonist.nl IN TLSA

2019-11-26 Thread Martijn Reening via dns-operations
--- Begin Message ---
Hello Viktor,

We haven't changed anything on our side in the past days, but I see the 
expected response from Quad9 now:

$ dig +dnssec +noall +comment +ans +auth -t tlsa _25._tcp.mx1.p01.antagonist.nl @9.9.9.10
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17089
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; ANSWER SECTION:
_25._tcp.mx1.p01.antagonist.nl.    300 IN    TLSA    2 1 1 
E12D92CF8D801D0FDB21BEDEE1CEC09C15AC2A61E27FA27D6B151312 D2206520
_25._tcp.mx1.p01.antagonist.nl.    300 IN    RRSIG    TLSA 13 6 300 
2019120500 2019111400 47684 antagonist.nl. 
XDMVKwb3MHIwGpRd/sCctO2Jy+VyqdVbmsHnmyhtOwB0WiZ7a73WAFat 
6QOmM53ty4Q6YjpBb+lIHInFR8BAjQ==

I checked our nameservers for the proper ENT responses and there do not seem to 
be any abnormalities.
Do you still see this error, or perhaps know something else to check?

On 26/11/2019 05:27, Viktor Dukhovni wrote:
>
> According to DNSViz, and the Cloudflare, Google and Verisign public resolvers the
> qname below has a TLSA record, but Quad9 returns an apparently valid denial of
> existence.  It is possible that Quad9 is "the guilty party" here only by
> accident, and had I asked at another time, some other server would return the
> unexpected denial of existence.
>
> No idea where the associated RRSIGs and NSEC3 records are coming from.  Perhaps
> there are some nameservers (reached via Quad9) for antagonist.nl that have a
> zone file in which the empty-non-terminal "_tcp" is missing...
>
>     $ dig +dnssec +noall +comment +ans +auth -t tlsa _25._tcp.mx1.p01.antagonist.nl @9.9.9.10
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10642
>     ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
>
>     ;; OPT PSEUDOSECTION:
>     ; EDNS: version: 0, flags: do; udp: 512
>     ;; AUTHORITY SECTION:
>     antagonist.nl.  180 IN  SOA ns1.antagonist.nl. 
> hostmaster.antagonist.nl. 2018052300 180 3600 1209600 86400
>     cueh7hkbnbrqk65590909p4r0pq6cd45.antagonist.nl. 43200 IN NSEC3 1 0 1 AB 
> D04COHDERT50P43FHSP1N5F7LDVTORH7 A  RRSIG
>     i33uq5toep0fslekf0mqpnv6pb6s002e.antagonist.nl. 43200 IN NSEC3 1 0 1 AB 
> IDTV8EDH9FRO5UU2OC4N3PUM51SRLDGH A RRSIG
>     g7u4gpdfmf579evnnqmc3v816rafktip.antagonist.nl. 43200 IN NSEC3 1 0 1 AB 
> GFL0IAO83UJDAA6IHCTHFGL6T4KNILQO A RRSIG
>     antagonist.nl.  180 IN  RRSIG   SOA 13 2 180 
> 2019120500 2019111400 47684 antagonist.nl. 
> TjahhD+sFLbHkIAUcUFFo+vC4icQKK2Zh+74BN+eFQ9JhkZaQ6AMYNbT 
> wGfDZuNntzd2C3FS4SiIptAr6fOkvA==
>     cueh7hkbnbrqk65590909p4r0pq6cd45.antagonist.nl. 86400 IN RRSIG NSEC3 13 3 
> 86400 2019120500 2019111400 47684 antagonist.nl. 
> 5KPt3wExlfKg4tZJ1fdR1xhnj8x8DsmgYR2+pCHkcc041thw3E6jQCfY 
> CESVytcQcp6Zb/uJ3zxNXExJkEzZoQ==
>     i33uq5toep0fslekf0mqpnv6pb6s002e.antagonist.nl. 86400 IN RRSIG NSEC3 13 3 
> 86400 2019120500 2019111400 47684 antagonist.nl. 
> Wrzps6dY9zhq14kBiFp0KwDqdkMtceOMV2cMKPkznhxFcsmpsTazZX1Z 
> MAw/565cRwpWRoU5LuGNzGHg3ZstUQ==
>     g7u4gpdfmf579evnnqmc3v816rafktip.antagonist.nl. 86400 IN RRSIG NSEC3 13 3 
> 86400 2019120500 2019111400 47684 antagonist.nl. 
> DBJvz7HbYSFS/PHtTXD2qMwsKuWXoqNj8MPNMIk84Jv4kY1w52EevWIS 
> nIgDknp9DbzYcczQzOOu1cyEYulYPg==
>
>     6d1aa3h9jtqjdp0vjblqej9e17ub81hs. _25._tcp.mx1.p01.antagonist.nl
>     v3rrfku7an9uo5qeuhbdndnruhp9esar. *._tcp.mx1.p01.antagonist.nl
>     i9sp4p909spoci68n9q0r33hk9fes0n4. _tcp.mx1.p01.antagonist.nl    (Covered)
>     g90cq1j49b7nkrom5lcojqals2gittit. *.mx1.p01.antagonist.nl   (Covered)
>     cueh7hkbnbrqk65590909p4r0pq6cd45. mx1.p01.antagonist.nl (Covered, 
> closest encloser)
>     sac7gh66m6avf55q05gbfhh91a48hstf. *.p01.antagonist.nl
>     iupnvfafqalai3eke44m2vi4vr89lgpk. p01.antagonist.nl
>     83jtudmler6j6tailr1f6hktosq1mvc4. *.antagonist.nl
>     29eiirrkt62jjrrigm5ouurhdt4p682u. antagonist.nl
>

-- 
Kind regards,
With kind regards,

Martijn Reening
Systems and Network Engineer

--- End Message ---
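Viktor's hash listing in the quoted message is the NSEC3 closest-encloser walk from RFC 5155 section 8.4 done by hand: mx1.p01.antagonist.nl has a matching NSEC3 (the closest encloser), and both the next closer name _tcp.mx1.p01.antagonist.nl and the wildcard *.mx1.p01.antagonist.nl fall inside covering intervals, so the NXDOMAIN proof is structurally valid. That is exactly why a validating resolver accepted the denial: the signatures were genuine, only the zone data on the stale server lacked the _tcp empty non-terminal. The Python below, an added example that is not part of the thread, recomputes the NSEC3 hashes (SHA-1, one iteration, salt AB, as in the quoted records) and runs the proof check over the three NSEC3 records from the Quad9 response; the qname, zone and hashes are copied from the quoted message, and the function names are this example's own.

```python
import base64
import hashlib

# NSEC3 parameters from the quoted records: "NSEC3 1 0 1 AB" =
# hash algorithm 1 (SHA-1), flags 0, 1 extra iteration, salt 0xAB.
ITERATIONS = 1
SALT = bytes.fromhex("AB")

# (owner hash, next hashed owner) for the three NSEC3 records in the quoted AUTHORITY section.
RECORDS = [
    ("cueh7hkbnbrqk65590909p4r0pq6cd45", "d04cohdert50p43fhsp1n5f7ldvtorh7"),
    ("i33uq5toep0fslekf0mqpnv6pb6s002e", "idtv8edh9fro5uu2oc4n3pum51srldgh"),
    ("g7u4gpdfmf579evnnqmc3v816rafktip", "gfl0iao83ujdaa6ihcthfgl6t4knilqo"),
]
QNAME = "_25._tcp.mx1.p01.antagonist.nl"
ZONE = "antagonist.nl"

# base64.b32encode emits the RFC 4648 alphabet A-Z2-7; NSEC3 owner names use base32hex 0-9A-V.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name):
    """Canonical form (RFC 4034 section 6.2): lowercase, uncompressed wire format."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name, salt=SALT, iterations=ITERATIONS):
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def covers(owner, nxt, target):
    """True if target lies strictly between owner and nxt in hash order.

    The last record of the chain wraps around to the first, so its next hash is smaller
    than its owner; such a record covers everything above the owner or below the next hash."""
    owner, nxt, target = owner.lower(), nxt.lower(), target.lower()
    if owner < nxt:
        return owner < target < nxt
    return target > owner or target < nxt


def lookup(records, name):
    """'exists' if the hash matches an NSEC3 owner, 'covered' if a record proves the
    name absent, 'unproven' if the response carries no record for it either way."""
    h = nsec3_hash(name)
    if any(owner.lower() == h for owner, _ in records):
        return "exists"
    if any(covers(owner, nxt, h) for owner, nxt in records):
        return "covered"
    return "unproven"


def ancestors(qname, zone):
    """qname and each of its ancestors down to the zone apex, longest name first."""
    labels = qname.lower().rstrip(".").split(".")
    depth = len(zone.lower().rstrip(".").split("."))
    return [".".join(labels[i:]) for i in range(len(labels) - depth + 1)]


def check_nxdomain_proof(qname, zone, records):
    """RFC 5155 section 8.4: an NXDOMAIN proof needs a matching NSEC3 for the closest
    encloser, a covering NSEC3 for the next closer name, and a covering NSEC3 for the
    wildcard directly below the closest encloser."""
    chain = ancestors(qname, zone)
    for i, name in enumerate(chain):
        if lookup(records, name) != "exists":
            continue
        if i == 0:   # the qname itself matched, so it exists and this is no NXDOMAIN proof
            return {"closest_encloser": name, "next_closer": None, "wildcard": None, "valid": False}
        next_closer, wildcard = chain[i - 1], "*." + name
        nc, wc = lookup(records, next_closer), lookup(records, wildcard)
        return {"closest_encloser": name, "next_closer": (next_closer, nc),
                "wildcard": (wildcard, wc), "valid": nc == "covered" and wc == "covered"}
    return {"closest_encloser": None, "next_closer": None, "wildcard": None, "valid": False}


if __name__ == "__main__":
    for name in ancestors(QNAME, ZONE):
        print(f"{nsec3_hash(name)}  {name:32} {lookup(RECORDS, name)}")
    print(check_nxdomain_proof(QNAME, ZONE, RECORDS))
```

The check returning valid=True is the defender's takeaway: DNSSEC validation told the truth about the data it was handed. When a signed denial contradicts what other resolvers see, the next step is the one Viktor took, querying each listed nameserver (and the address the parent's glue points at, not only the child's own A record) for the same name, because a correctly signed zone served from a stale copy passes every cryptographic check.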