Re: [dns-operations] Quad9 denial of existence for _25._tcp.mx1.p01.antagonist.nl IN TLSA

2019-11-26 Thread Viktor Dukhovni
On Tue, Nov 26, 2019 at 10:09:38AM -0500, Viktor Dukhovni wrote:

> Yes, I still see the DoE response from 9.9.9.10, and also (not always) from
> its peer 149.112.112.10:

Though I've never succeeded in eliciting an NXDOMAIN for this qname from the
authoritative servers, I just observed a DoE also from Cloudflare, from both
1.0.0.1 and 1.1.1.1:

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11156
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; AUTHORITY SECTION:
antagonist.nl.  180 IN  SOA ns1.antagonist.nl. hostmaster.antagonist.nl. 2018052300 180 3600 1209600 86400
antagonist.nl.  180 IN  RRSIG   SOA 13 2 180 2019120500 2019111400 47684 antagonist.nl. TjahhD+sFLbHkIAUcUFFo+vC4icQKK2Zh+74BN+eFQ9JhkZaQ6AMYNbT wGfDZuNntzd2C3FS4SiIptAr6fOkvA==
cueh7hkbnbrqk65590909p4r0pq6cd45.antagonist.nl. 86400 IN NSEC3 1 0 1 AB D04COHDERT50P43FHSP1N5F7LDVTORH7 A  RRSIG
cueh7hkbnbrqk65590909p4r0pq6cd45.antagonist.nl. 86400 IN RRSIG NSEC3 13 3 86400 2019120500 2019111400 47684 antagonist.nl. 5KPt3wExlfKg4tZJ1fdR1xhnj8x8DsmgYR2+pCHkcc041thw3E6jQCfY CESVytcQcp6Zb/uJ3zxNXExJkEzZoQ==
i33uq5toep0fslekf0mqpnv6pb6s002e.antagonist.nl. 86400 IN NSEC3 1 0 1 AB IDTV8EDH9FRO5UU2OC4N3PUM51SRLDGH A RRSIG
i33uq5toep0fslekf0mqpnv6pb6s002e.antagonist.nl. 86400 IN RRSIG NSEC3 13 3 86400 2019120500 2019111400 47684 antagonist.nl. Wrzps6dY9zhq14kBiFp0KwDqdkMtceOMV2cMKPkznhxFcsmpsTazZX1Z MAw/565cRwpWRoU5LuGNzGHg3ZstUQ==
g7u4gpdfmf579evnnqmc3v816rafktip.antagonist.nl. 86400 IN NSEC3 1 0 1 AB GFL0IAO83UJDAA6IHCTHFGL6T4KNILQO A RRSIG
g7u4gpdfmf579evnnqmc3v816rafktip.antagonist.nl. 86400 IN RRSIG NSEC3 13 3 86400 2019120500 2019111400 47684 antagonist.nl. DBJvz7HbYSFS/PHtTXD2qMwsKuWXoqNj8MPNMIk84Jv4kY1w52EevWIS nIgDknp9DbzYcczQzOOu1cyEYulYPg==

Once again, oddly, the TTLs don't change when I ask again, but I may not be
hitting the same cache.

Never yet from Google or Verisign, but perhaps the issue is upstream, and Quad9
has just been less lucky than the others recently.

-- 
Viktor.
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations


Re: [dns-operations] Quad9 denial of existence for _25._tcp.mx1.p01.antagonist.nl IN TLSA

2019-11-26 Thread Bill Woodcock
Also I’ve forwarded this thread to the Quad9 operations team to look at.

-Bill





Re: [dns-operations] Quad9 denial of existence for _25._tcp.mx1.p01.antagonist.nl IN TLSA

2019-11-26 Thread Viktor Dukhovni
On Tue, Nov 26, 2019 at 02:41:26PM +0100, Martijn Reening wrote:

> We haven't changed anything on our side in the past days, but I see the
> expected response from Quad9 now:
> 
> $ dig +dnssec +noall +comment +ans +auth -t tlsa _25._tcp.mx1.p01.antagonist.nl @9.9.9.10
> _25._tcp.mx1.p01.antagonist.nl.    300 IN    TLSA    2 1 1 E12D92CF8D801D0FDB21BEDEE1CEC09C15AC2A61E27FA27D6B151312 D2206520
> 
> I checked our nameservers for the proper ENT responses and there do not seem
> to be any abnormalities.  Do you still see this error, or perhaps know
> something else to check?

Yes, I still see the DoE response from 9.9.9.10, and also (not always) from
its peer 149.112.112.10:

$ dig +dnssec +noall +comment +ans +auth -t tlsa _25._tcp.mx1.p01.antagonist.nl @149.112.112.10
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1327
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; AUTHORITY SECTION:
antagonist.nl.  180 IN  SOA ns1.antagonist.nl. hostmaster.antagonist.nl. 2018052300 180 3600 1209600 86400
cueh7hkbnbrqk65590909p4r0pq6cd45.antagonist.nl. 43200 IN NSEC3 1 0 1 AB D04COHDERT50P43FHSP1N5F7LDVTORH7 A  RRSIG
i33uq5toep0fslekf0mqpnv6pb6s002e.antagonist.nl. 43200 IN NSEC3 1 0 1 AB IDTV8EDH9FRO5UU2OC4N3PUM51SRLDGH A RRSIG
g7u4gpdfmf579evnnqmc3v816rafktip.antagonist.nl. 43200 IN NSEC3 1 0 1 AB GFL0IAO83UJDAA6IHCTHFGL6T4KNILQO A RRSIG
antagonist.nl.  180 IN  RRSIG   SOA 13 2 180 2019120500 2019111400 47684 antagonist.nl. TjahhD+sFLbHkIAUcUFFo+vC4icQKK2Zh+74BN+eFQ9JhkZaQ6AMYNbT wGfDZuNntzd2C3FS4SiIptAr6fOkvA==
cueh7hkbnbrqk65590909p4r0pq6cd45.antagonist.nl. 86400 IN RRSIG NSEC3 13 3 86400 2019120500 2019111400 47684 antagonist.nl. 5KPt3wExlfKg4tZJ1fdR1xhnj8x8DsmgYR2+pCHkcc041thw3E6jQCfY CESVytcQcp6Zb/uJ3zxNXExJkEzZoQ==
i33uq5toep0fslekf0mqpnv6pb6s002e.antagonist.nl. 86400 IN RRSIG NSEC3 13 3 86400 2019120500 2019111400 47684 antagonist.nl. Wrzps6dY9zhq14kBiFp0KwDqdkMtceOMV2cMKPkznhxFcsmpsTazZX1Z MAw/565cRwpWRoU5LuGNzGHg3ZstUQ==
g7u4gpdfmf579evnnqmc3v816rafktip.antagonist.nl. 86400 IN RRSIG NSEC3 13 3 86400 2019120500 2019111400 47684 antagonist.nl. DBJvz7HbYSFS/PHtTXD2qMwsKuWXoqNj8MPNMIk84Jv4kY1w52EevWIS nIgDknp9DbzYcczQzOOu1cyEYulYPg==

The TTLs are remarkably unchanging at:

* 180s SOA and RRSIG TTL == origin TTL
* 12H NSEC3 TTL == 0.5 origin TTL
* 24H RRSIG NSEC3 TTL == origin TTL

So either I'm getting uncached data, or something more interesting is
happening.  It feels like some nodes at Quad9 are caching NSEC3 responses for
the full RRSIG validity, and then generating responses with TTLs based on or
capped by the origin TTL and/or a local limit.

Using the signature inception/expiration interval as a cache interval, rather
than the provided TTL (if that's what this is), is not expected or, I believe, valid.

-- 
Viktor.
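The TTL observation in the message above (NSEC3 at 12H while the RRSIG covering it sits at 24H, the origin TTL) is something a validating resolver can check mechanically. The following Python is an added example, not code from the thread, from Viktor, or from Quad9. It transcribes the authority section of the Quad9 (149.112.112.10) reply quoted above, with the base64 signatures replaced by a placeholder since they are not inspected, and derives the Cloudflare variant by setting the NSEC3 TTLs to 86400 as that reply showed. It applies two rules: RFC 4034 section 3 (an RRSIG's TTL MUST match the TTL of the RRset it covers) and RFC 4035 section 5.3.3 (the cacheable TTL is capped at the minimum of the RRset TTL, the RRSIG TTL, the RRSIG Original TTL field, and the time left until signature expiration). The "now" timestamp is constructed for the example.

```python
"""Validator-side TTL checks over the authority sections quoted in the thread.

Added example, not part of the original messages.  Implements RFC 4034 s3
(RRSIG TTL must equal the covered RRset's TTL) and RFC 4035 s5.3.3 (TTL cap).
"""
from datetime import datetime, timezone

# Transcribed from the Quad9 reply above; "<sig>" stands in for the signature.
QUAD9_AUTHORITY = """\
antagonist.nl. 180 IN SOA ns1.antagonist.nl. hostmaster.antagonist.nl. 2018052300 180 3600 1209600 86400
cueh7hkbnbrqk65590909p4r0pq6cd45.antagonist.nl. 43200 IN NSEC3 1 0 1 AB D04COHDERT50P43FHSP1N5F7LDVTORH7 A RRSIG
i33uq5toep0fslekf0mqpnv6pb6s002e.antagonist.nl. 43200 IN NSEC3 1 0 1 AB IDTV8EDH9FRO5UU2OC4N3PUM51SRLDGH A RRSIG
g7u4gpdfmf579evnnqmc3v816rafktip.antagonist.nl. 43200 IN NSEC3 1 0 1 AB GFL0IAO83UJDAA6IHCTHFGL6T4KNILQO A RRSIG
antagonist.nl. 180 IN RRSIG SOA 13 2 180 2019120500 2019111400 47684 antagonist.nl. <sig>
cueh7hkbnbrqk65590909p4r0pq6cd45.antagonist.nl. 86400 IN RRSIG NSEC3 13 3 86400 2019120500 2019111400 47684 antagonist.nl. <sig>
i33uq5toep0fslekf0mqpnv6pb6s002e.antagonist.nl. 86400 IN RRSIG NSEC3 13 3 86400 2019120500 2019111400 47684 antagonist.nl. <sig>
g7u4gpdfmf579evnnqmc3v816rafktip.antagonist.nl. 86400 IN RRSIG NSEC3 13 3 86400 2019120500 2019111400 47684 antagonist.nl. <sig>
"""
# The Cloudflare reply carried the same records with NSEC3 TTLs of 86400.
CLOUDFLARE_AUTHORITY = QUAD9_AUTHORITY.replace(" 43200 IN NSEC3 ", " 86400 IN NSEC3 ")

# Constructed "now" for the example: the afternoon of the thread, UTC, inside
# the signatures' validity window.
NOW = datetime(2019, 11, 26, 15, 0, tzinfo=timezone.utc)


def parse_rrs(text):
    """Minimal presentation-format parser: owner, TTL, class, type, rdata tokens."""
    rrs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        rrs.append({"owner": fields[0].lower(), "ttl": int(fields[1]),
                    "type": fields[3], "rdata": fields[4:]})
    return rrs


def parse_sigtime(s):
    """RRSIG times are YYYYMMDDHHmmSS; the replies above show YYYYMMDDHH, so accept both."""
    fmt = {14: "%Y%m%d%H%M%S", 10: "%Y%m%d%H"}[len(s)]
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


def check_rrsig_ttls(rrs, now=NOW):
    """One finding per RRSIG: TTL agreement with the covered RRset (RFC 4034 s3)
    and the TTL a validator may cache that RRset for (RFC 4035 s5.3.3)."""
    findings = []
    for sig in (r for r in rrs if r["type"] == "RRSIG"):
        covered, original_ttl = sig["rdata"][0], int(sig["rdata"][3])
        expiration = parse_sigtime(sig["rdata"][4])
        rrset = [r for r in rrs if r["owner"] == sig["owner"] and r["type"] == covered]
        if not rrset:
            findings.append({"owner": sig["owner"], "type": covered,
                             "error": "RRSIG without its RRset"})
            continue
        rrset_ttl = rrset[0]["ttl"]
        remaining = int((expiration - now).total_seconds())
        findings.append({
            "owner": sig["owner"], "type": covered,
            "rrset_ttl": rrset_ttl, "rrsig_ttl": sig["ttl"], "original_ttl": original_ttl,
            "ttl_mismatch": rrset_ttl != sig["ttl"],           # RFC 4034 s3
            "cache_ttl": min(rrset_ttl, sig["ttl"], original_ttl, remaining),  # RFC 4035 s5.3.3
        })
    return findings


def mismatches(text, now=NOW):
    """Owner names whose RRSIG TTL differs from the TTL of the RRset it covers."""
    return [f["owner"] for f in check_rrsig_ttls(parse_rrs(text), now) if f.get("ttl_mismatch")]


if __name__ == "__main__":
    for label, text in (("Quad9", QUAD9_AUTHORITY), ("Cloudflare", CLOUDFLARE_AUTHORITY)):
        for finding in check_rrsig_ttls(parse_rrs(text)):
            print(label, finding)
```

Run as-is, the Quad9 transcript yields three RFC 4034 section 3 mismatches (the three NSEC3 RRsets) and the Cloudflare variant none; in both cases the cap of section 5.3.3 still limits the NSEC3 records to the smaller of the two TTLs, so a conforming validator caches them for at most 43200s from Quad9 regardless of the 86400s RRSIG TTL, never for the signature's remaining validity.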


Re: [dns-operations] Quad9 denial of existence for _25._tcp.mx1.p01.antagonist.nl IN TLSA

2019-11-26 Thread Martijn Reening via dns-operations
Hello Viktor,

We haven't changed anything on our side in the past days, but I see the 
expected response from Quad9 now:

$ dig +dnssec +noall +comment +ans +auth -t tlsa _25._tcp.mx1.p01.antagonist.nl @9.9.9.10
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17089
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; ANSWER SECTION:
_25._tcp.mx1.p01.antagonist.nl.    300 IN    TLSA    2 1 1 E12D92CF8D801D0FDB21BEDEE1CEC09C15AC2A61E27FA27D6B151312 D2206520
_25._tcp.mx1.p01.antagonist.nl.    300 IN    RRSIG    TLSA 13 6 300 2019120500 2019111400 47684 antagonist.nl. XDMVKwb3MHIwGpRd/sCctO2Jy+VyqdVbmsHnmyhtOwB0WiZ7a73WAFat 6QOmM53ty4Q6YjpBb+lIHInFR8BAjQ==

I checked our nameservers for the proper ENT responses and there do not seem to be any abnormalities.
Do you still see this error, or perhaps know something else to check?

On 26/11/2019 05:27, Viktor Dukhovni wrote:
>
> According to DNSViz, and the Cloudflare, Google and Verisign public resolvers, the
> qname below has a TLSA record, but Quad9 returns an apparently valid denial of
> existence.  It is possible that Quad9 is "the guilty party" here only by
> accident, and had I asked at another time, some other server would return the
> unexpected denial of existence.
>
> No idea where the associated RRSIGs and NSEC3 records are coming from.  Perhaps
> there are some nameservers (reached via Quad9) for antagonist.nl that have a
> zone file in which the empty-non-terminal "_tcp" is missing...
>
>     $ dig +dnssec +noall +comment +ans +auth -t tlsa _25._tcp.mx1.p01.antagonist.nl @9.9.9.10
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10642
>     ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
>
>     ;; OPT PSEUDOSECTION:
>     ; EDNS: version: 0, flags: do; udp: 512
>     ;; AUTHORITY SECTION:
>     antagonist.nl.  180 IN  SOA ns1.antagonist.nl. hostmaster.antagonist.nl. 2018052300 180 3600 1209600 86400
>     cueh7hkbnbrqk65590909p4r0pq6cd45.antagonist.nl. 43200 IN NSEC3 1 0 1 AB D04COHDERT50P43FHSP1N5F7LDVTORH7 A  RRSIG
>     i33uq5toep0fslekf0mqpnv6pb6s002e.antagonist.nl. 43200 IN NSEC3 1 0 1 AB IDTV8EDH9FRO5UU2OC4N3PUM51SRLDGH A RRSIG
>     g7u4gpdfmf579evnnqmc3v816rafktip.antagonist.nl. 43200 IN NSEC3 1 0 1 AB GFL0IAO83UJDAA6IHCTHFGL6T4KNILQO A RRSIG
>     antagonist.nl.  180 IN  RRSIG   SOA 13 2 180 2019120500 2019111400 47684 antagonist.nl. TjahhD+sFLbHkIAUcUFFo+vC4icQKK2Zh+74BN+eFQ9JhkZaQ6AMYNbT wGfDZuNntzd2C3FS4SiIptAr6fOkvA==
>     cueh7hkbnbrqk65590909p4r0pq6cd45.antagonist.nl. 86400 IN RRSIG NSEC3 13 3 86400 2019120500 2019111400 47684 antagonist.nl. 5KPt3wExlfKg4tZJ1fdR1xhnj8x8DsmgYR2+pCHkcc041thw3E6jQCfY CESVytcQcp6Zb/uJ3zxNXExJkEzZoQ==
>     i33uq5toep0fslekf0mqpnv6pb6s002e.antagonist.nl. 86400 IN RRSIG NSEC3 13 3 86400 2019120500 2019111400 47684 antagonist.nl. Wrzps6dY9zhq14kBiFp0KwDqdkMtceOMV2cMKPkznhxFcsmpsTazZX1Z MAw/565cRwpWRoU5LuGNzGHg3ZstUQ==
>     g7u4gpdfmf579evnnqmc3v816rafktip.antagonist.nl. 86400 IN RRSIG NSEC3 13 3 86400 2019120500 2019111400 47684 antagonist.nl. DBJvz7HbYSFS/PHtTXD2qMwsKuWXoqNj8MPNMIk84Jv4kY1w52EevWIS nIgDknp9DbzYcczQzOOu1cyEYulYPg==
>
>     6d1aa3h9jtqjdp0vjblqej9e17ub81hs. _25._tcp.mx1.p01.antagonist.nl
>     v3rrfku7an9uo5qeuhbdndnruhp9esar. *._tcp.mx1.p01.antagonist.nl
>     i9sp4p909spoci68n9q0r33hk9fes0n4. _tcp.mx1.p01.antagonist.nl    (Covered)
>     g90cq1j49b7nkrom5lcojqals2gittit. *.mx1.p01.antagonist.nl   (Covered)
>     cueh7hkbnbrqk65590909p4r0pq6cd45. mx1.p01.antagonist.nl (Covered, closest encloser)
>     sac7gh66m6avf55q05gbfhh91a48hstf. *.p01.antagonist.nl
>     iupnvfafqalai3eke44m2vi4vr89lgpk. p01.antagonist.nl
>     83jtudmler6j6tailr1f6hktosq1mvc4. *.antagonist.nl
>     29eiirrkt62jjrrigm5ouurhdt4p682u. antagonist.nl
>

-- 
Kind regards,
Met vriendelijke groet,

Martijn Reening
Systems and Network Engineer



[dns-operations] Quad9 denial of existence for _25._tcp.mx1.p01.antagonist.nl IN TLSA

2019-11-25 Thread Viktor Dukhovni


According to DNSViz, and the Cloudflare, Google and Verisign public resolvers, the
qname below has a TLSA record, but Quad9 returns an apparently valid denial of
existence.  It is possible that Quad9 is "the guilty party" here only by
accident, and had I asked at another time, some other server would return the
unexpected denial of existence.

No idea where the associated RRSIGs and NSEC3 records are coming from.  Perhaps
there are some nameservers (reached via Quad9) for antagonist.nl that have a
zone file in which the empty-non-terminal "_tcp" is missing...

$ dig +dnssec +noall +comment +ans +auth -t tlsa _25._tcp.mx1.p01.antagonist.nl @9.9.9.10
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10642
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; AUTHORITY SECTION:
antagonist.nl.  180 IN  SOA ns1.antagonist.nl. hostmaster.antagonist.nl. 2018052300 180 3600 1209600 86400
cueh7hkbnbrqk65590909p4r0pq6cd45.antagonist.nl. 43200 IN NSEC3 1 0 1 AB D04COHDERT50P43FHSP1N5F7LDVTORH7 A  RRSIG
i33uq5toep0fslekf0mqpnv6pb6s002e.antagonist.nl. 43200 IN NSEC3 1 0 1 AB IDTV8EDH9FRO5UU2OC4N3PUM51SRLDGH A RRSIG
g7u4gpdfmf579evnnqmc3v816rafktip.antagonist.nl. 43200 IN NSEC3 1 0 1 AB GFL0IAO83UJDAA6IHCTHFGL6T4KNILQO A RRSIG
antagonist.nl.  180 IN  RRSIG   SOA 13 2 180 2019120500 2019111400 47684 antagonist.nl. TjahhD+sFLbHkIAUcUFFo+vC4icQKK2Zh+74BN+eFQ9JhkZaQ6AMYNbT wGfDZuNntzd2C3FS4SiIptAr6fOkvA==
cueh7hkbnbrqk65590909p4r0pq6cd45.antagonist.nl. 86400 IN RRSIG NSEC3 13 3 86400 2019120500 2019111400 47684 antagonist.nl. 5KPt3wExlfKg4tZJ1fdR1xhnj8x8DsmgYR2+pCHkcc041thw3E6jQCfY CESVytcQcp6Zb/uJ3zxNXExJkEzZoQ==
i33uq5toep0fslekf0mqpnv6pb6s002e.antagonist.nl. 86400 IN RRSIG NSEC3 13 3 86400 2019120500 2019111400 47684 antagonist.nl. Wrzps6dY9zhq14kBiFp0KwDqdkMtceOMV2cMKPkznhxFcsmpsTazZX1Z MAw/565cRwpWRoU5LuGNzGHg3ZstUQ==
g7u4gpdfmf579evnnqmc3v816rafktip.antagonist.nl. 86400 IN RRSIG NSEC3 13 3 86400 2019120500 2019111400 47684 antagonist.nl. DBJvz7HbYSFS/PHtTXD2qMwsKuWXoqNj8MPNMIk84Jv4kY1w52EevWIS nIgDknp9DbzYcczQzOOu1cyEYulYPg==

6d1aa3h9jtqjdp0vjblqej9e17ub81hs. _25._tcp.mx1.p01.antagonist.nl
v3rrfku7an9uo5qeuhbdndnruhp9esar. *._tcp.mx1.p01.antagonist.nl
i9sp4p909spoci68n9q0r33hk9fes0n4. _tcp.mx1.p01.antagonist.nl   (Covered)
g90cq1j49b7nkrom5lcojqals2gittit. *.mx1.p01.antagonist.nl   (Covered)
cueh7hkbnbrqk65590909p4r0pq6cd45. mx1.p01.antagonist.nl (Covered, closest encloser)
sac7gh66m6avf55q05gbfhh91a48hstf. *.p01.antagonist.nl
iupnvfafqalai3eke44m2vi4vr89lgpk. p01.antagonist.nl
83jtudmler6j6tailr1f6hktosq1mvc4. *.antagonist.nl
29eiirrkt62jjrrigm5ouurhdt4p682u. antagonist.nl

-- 
Viktor.
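The hashed-name list at the end of the message above is what a validator computes when it checks an NSEC3 NXDOMAIN proof: hash every ancestor of the qname, find the one that matches an NSEC3 owner (the closest encloser), then confirm the next closer name and the wildcard child of the closest encloser both fall inside an NSEC3 interval. The following Python is an added example, not Viktor's tooling or anything from the thread; it implements the hash of RFC 5155 section 5 and the proof walk of section 8.4 (the DNAME/delegation checks of section 8.3 are omitted). The NSEC3 parameters (SHA-1, flags 0, one extra iteration, salt AB), the three NSEC3 owner/next pairs, and the qname are transcribed from the Quad9 reply; everything else is the example's own.

```python
"""NSEC3 closest-encloser NXDOMAIN proof, reconstructed from the Quad9 reply above.

Added example, not from the thread.  RFC 5155 s5 hashing, s8.4 proof logic.
"""
import base64
import hashlib

# NSEC3 records from the Quad9 reply: (owner hash, next hashed owner).
NSEC3_CHAIN = [
    ("cueh7hkbnbrqk65590909p4r0pq6cd45", "D04COHDERT50P43FHSP1N5F7LDVTORH7"),
    ("i33uq5toep0fslekf0mqpnv6pb6s002e", "IDTV8EDH9FRO5UU2OC4N3PUM51SRLDGH"),
    ("g7u4gpdfmf579evnnqmc3v816rafktip", "GFL0IAO83UJDAA6IHCTHFGL6T4KNILQO"),
]
SALT = bytes.fromhex("AB")   # from "NSEC3 1 0 1 AB": alg 1 (SHA-1), flags 0, iterations 1, salt AB
ITERATIONS = 1
ZONE = "antagonist.nl"

# base32 (RFC 4648) and base32hex share value order, so a character map converts them.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) uncompressed wire form of a domain name."""
    trimmed = name.rstrip(".").lower()
    labels = trimmed.split(".") if trimmed else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> str:
    """RFC 5155 s5: IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt); base32hex."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


def covering_nsec3(hashed: str, chain=NSEC3_CHAIN):
    """(owner, next) whose interval covers `hashed`, or None.  base32hex preserves
    byte order, so lowercase string comparison is the canonical hash order; an
    interval whose next is below its owner wraps around the end of the chain."""
    h = hashed.lower()
    for owner, nxt in chain:
        owner, nxt = owner.lower(), nxt.lower()
        if owner < h < nxt:
            return (owner, nxt)
        if owner >= nxt and (h > owner or h < nxt):
            return (owner, nxt)
    return None


def nxdomain_proof(qname: str, chain=NSEC3_CHAIN, zone=ZONE):
    """Walk from the parent of qname up to the zone apex looking for the closest
    encloser (first ancestor whose hash is an NSEC3 owner).  Returns a dict with the
    proof, or None when the chain does not prove NXDOMAIN (RFC 5155 s8.4)."""
    owners = {o.lower() for o, _ in chain}
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels) - len(zone.split(".")) + 1):
        candidate = ".".join(labels[i:])          # possible closest encloser
        next_closer = ".".join(labels[i - 1:])    # one label below it
        if nsec3_hash(candidate) in owners:
            nc_cover = covering_nsec3(nsec3_hash(next_closer), chain)
            wc_cover = covering_nsec3(nsec3_hash("*." + candidate), chain)
            if nc_cover and wc_cover:
                return {"closest_encloser": candidate, "next_closer": next_closer,
                        "next_closer_covered_by": nc_cover, "wildcard_covered_by": wc_cover}
            return None   # encloser matched but a required cover is missing: not a proof
    return None


if __name__ == "__main__":
    print(nxdomain_proof("_25._tcp.mx1.p01.antagonist.nl"))
```

The point the code makes is the one the thread circles: the three NSEC3 records are a complete, correctly signed proof that `_tcp.mx1.p01.antagonist.nl` does not exist (the hash of `mx1.p01.antagonist.nl` matches an NSEC3 owner, and the hashes of `_tcp.mx1.p01.antagonist.nl` and `*.mx1.p01.antagonist.nl` each land inside an interval), so a validator has no cryptographic reason to reject the NXDOMAIN. Whether the records should have been served at all is a question about the zone data behind the resolver, not about the proof.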