Re: [dns-operations] ag.gov not providing NXDOMAIN responses

2024-04-11 Thread Stephane Bortzmeyer
On Tue, Apr 09, 2024 at 01:09:20PM -0500, David Zych wrote a message of 121 lines which said: > The problem: when queried for a record underneath ag.gov. which does > not exist, these nameservers do not return a proper NXDOMAIN > response; instead, they don't answer at all. Funny enough, it

[dns-operations] Testing of SVCB/HTTPS records

2024-04-08 Thread Stephane Bortzmeyer
Does anyone know a tool (online or local) to test that published SVCB/HTTPS records are correct? At least checking requirements like all parameter keys in order, and ideally try to connect to check the parameters. ___ dns-operations mailing list

[dns-operations] Strange deviation from DNS Operations normal work, just for sunday

2024-03-03 Thread Stephane Bortzmeyer
On Sun, Mar 03, 2024 at 04:54:24PM +, Turritopsis Dohrnii Teo En Ming wrote a message of 33 lines which said: > > * anyway, nobody knows how many DNS servers are there (except may be > > the NSA?) > > Will the National Security Agency know how many DNS servers there are in the > whole

Re: [dns-operations] DNS Operations

2024-03-03 Thread Stephane Bortzmeyer
On Sun, Mar 03, 2024 at 04:05:43PM +, Turritopsis Dohrnii Teo En Ming via dns-operations wrote a message of 98 lines which said: > I define most popular as the largest number of DNS server installed > throughout the whole world. OK but this is very questionable: * some DNS servers have

Re: [dns-operations] .ke - something wrong with DNSKEYs?

2024-03-01 Thread Stephane Bortzmeyer
On Fri, Mar 01, 2024 at 04:27:03PM +0100, Ondřej Surý wrote a message of 33 lines which said: > does anyone else see this? > > https://dnsviz.net/d/han.ke/ZeHwpA/dnssec/ Zonemaster sees similar.

Re: [dns-operations] .ke - something wrong with DNSKEYs?

2024-03-01 Thread Stephane Bortzmeyer
On Fri, Mar 01, 2024 at 05:05:30PM +0100, Stephane Bortzmeyer wrote a message of 11 lines which said: > On Fri, Mar 01, 2024 at 04:27:03PM +0100, > Ondřej Surý wrote > a message of 33 lines which said: > > > does anyone else see this? > > > > https://dns

Re: [dns-operations] .RU zone failed ZSK rotation

2024-02-08 Thread Stephane Bortzmeyer
On Wed, Jan 31, 2024 at 04:37:02PM +0200, Phil Kulin wrote a message of 56 lines which said: > Done. New serial number 4058860. New active ZSK > https://dnsviz.net/d/ru/ZbpWZg/dnssec/ There is now a detailed technical post-mortem. These official explanations fit the facts that we observed.

Re: [dns-operations] .RU zone failed ZSK rotation

2024-01-31 Thread Stephane Bortzmeyer
On Wed, Jan 31, 2024 at 04:34:40AM +0200, Phil Kulin wrote a message of 45 lines which said: > Timeline: Thanks. I'm not convinced that the subject of this thread is useful. The chain of keys was always correct (unlike many DNSSEC problems, the DS, and DNSKEY were always in sync), the

[dns-operations] [ra...@psg.com: swedish dns zone enumerator]

2023-11-02 Thread Stephane Bortzmeyer
A domain crawler (nothing catastrophic, just for information). --- Begin Message --- i have blocked a zone enumerator, though i guess they will be a whack-a-mole others have reported them as well /home/randy> sudo tcpdump -pni vtnet0 -c 10 port 53 and net 193.235.141 tcpdump: verbose output

Re: [dns-operations] anchors.atlas.ripe.net/ripe.net - DNSSEC bogus due expiration

2023-11-02 Thread Stephane Bortzmeyer
On Wed, Nov 01, 2023 at 12:18:42PM -0400, Viktor Dukhovni wrote a message of 67 lines which said: > Specifically, in the case of signed zones, monitoring MUST also include > regular checks of the remaining expiration time of at least the core > zone apex records (DNSKEY, SOA and NS), and

Re: [dns-operations] anchors.atlas.ripe.net/ripe.net - DNSSEC bogus due expiration

2023-11-01 Thread Stephane Bortzmeyer
On Wed, Nov 01, 2023 at 01:37:14PM +0100, Stephane Bortzmeyer wrote a message of 17 lines which said: > > It looks as if DNSSEC has expired:- > > It seems it has been repaired around 1215 UTC. https://twitter.com/ripencc/status/1719712189496311986 "Our services have been

Re: [dns-operations] anchors.atlas.ripe.net/ripe.net - DNSSEC bogus due expiration

2023-11-01 Thread Stephane Bortzmeyer
On Wed, Nov 01, 2023 at 11:13:15AM +, Matthew Richardson via dns-operations wrote a message of 64 lines which said: > It looks as if DNSSEC has expired:- It seems it has been repaired around 1215 UTC.

Re: [dns-operations] TLD .ci DNSSEC-down

2023-10-23 Thread Stephane Bortzmeyer
On Mon, Oct 23, 2023 at 10:26:46AM +0200, Stephane Bortzmeyer wrote a message of 4 lines which said: > .ci has a DS in the root but apparently no longer signs. > > https://zonemaster.net/en/result/9d87233d252a8b60 > https://dnsviz.net/d/ci/ZTYEMQ/dnssec/ Now working a

Re: [dns-operations] xn--mgbai9azgqp6j broken

2023-10-23 Thread Stephane Bortzmeyer
On Thu, Oct 19, 2023 at 02:02:22PM +, Carr, Brett via dns-operations wrote a message of 265 lines which said: > This may have been mentioned before as I think it has been broken for quite > some time but: > > None of the delegated NS’s for xn--mgbai9azgqp6j (IDN for .pk) seem to be >

[dns-operations] TLD .ci DNSSEC-down

2023-10-23 Thread Stephane Bortzmeyer
.ci has a DS in the root but apparently no longer signs. https://zonemaster.net/en/result/9d87233d252a8b60 https://dnsviz.net/d/ci/ZTYEMQ/dnssec/

Re: [dns-operations] Signature expired for the DS of .ch at Cloudflare ?

2023-10-04 Thread Stephane Bortzmeyer
On Wed, Oct 04, 2023 at 10:35:14AM +0200, Stephane Bortzmeyer wrote a message of 57 lines which said: > Other instances of Cloudflare have the correct info: > > % dig +cd +nsid @1.1.1.1 DS ch. https://www.cloudflarestatus.com/ Investigating - Cloudflare is aware of, and investiga

[dns-operations] Signature expired for the DS of .ch at Cloudflare ?

2023-10-04 Thread Stephane Bortzmeyer
Other instances of Cloudflare have the correct info: % dig +cd +nsid @1.1.1.1 DS ch. ; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> +cd +nsid @1.1.1.1 DS ch. ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20816 ;; flags: qr aa rd ra

Re: [dns-operations] MaginotDNS: Attacking the boundary of DNS caching protection

2023-09-27 Thread Stephane Bortzmeyer
On Wed, Sep 27, 2023 at 05:17:05PM +0200, Petr Špaček wrote a message of 48 lines which said: > If you are interested in the gory details, BIND's description of the issue > can be found here: > https://gitlab.isc.org/isc-projects/bind9/-/issues/2950#note_241893 >

[dns-operations] MaginotDNS: Attacking the boundary of DNS caching protection

2023-09-26 Thread Stephane Bortzmeyer
I'm reading the paper behind "MaginotDNS: Attacking the boundary of DNS caching protection". Am I correct to think that forwarding

[dns-operations] Why is DNS still hard to learn?

2023-07-29 Thread Stephane Bortzmeyer
As usual, a good practical article by Julia Evans: https://jvns.ca/blog/2023/07/28/why-is-dns-still-hard-to-learn/

Re: [dns-operations] FYI: Google Public DNS now reports EDEs

2023-07-27 Thread Stephane Bortzmeyer
On Fri, Jul 21, 2023 at 05:29:10PM -0400, Viktor Dukhovni wrote a message of 17 lines which said: > > https://developers.google.com/speed/public-dns/docs/troubleshooting/domains#edes Note that, depending on your language setup, this page may redirect you to a translation and not all the

Re: [dns-operations] FYI: Google Public DNS now reports EDEs

2023-07-27 Thread Stephane Bortzmeyer
On Fri, Jul 21, 2023 at 05:29:10PM -0400, Viktor Dukhovni wrote a message of 17 lines which said: > Google Public DNS (also "dns.google", or, colloquially, "Quad8") now > includes EDEs in most error responses. For details see: > > >

Re: [dns-operations] [DNSSEC] Venezuela ccTLD broken

2023-07-20 Thread Stephane Bortzmeyer
On Thu, Jul 20, 2023 at 07:25:17AM -0400, Hugo Salgado wrote a message of 148 lines which said: > They are aware and working on this. Thanks! It works now. $ dig NS ve ; <<>> DiG 9.18.14 <<>> NS ve ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:

Re: [dns-operations] [DNSSEC] Venezuela ccTLD broken

2023-07-20 Thread Stephane Bortzmeyer
On Thu, Jul 20, 2023 at 09:37:10AM +0200, Stephane Bortzmeyer wrote a message of 6 lines which said: > https://dnsviz.net/d/ve/ZLjinw/dnssec/ > > The DS goes to a key which does not sign (and there is no DS for the > key which is actually signing.) Any contact not in .ve to t

[dns-operations] [DNSSEC] Venezuela ccTLD broken

2023-07-20 Thread Stephane Bortzmeyer
https://dnsviz.net/d/ve/ZLjinw/dnssec/ The DS goes to a key which does not sign (and there is no DS for the key which is actually signing.)

Re: [dns-operations] service.gov.scot erroneous NXDOMAIN from "scot" auth servers

2023-06-20 Thread Stephane Bortzmeyer
On Tue, Jun 20, 2023 at 01:36:10PM +0200, CORE DNS Support Team wrote a message of 43 lines which said: > since anycast9 is only responsible for scot and not for gov.scot, I > believe the desired answer is a delegation to the name servers of > gov.scot, and not, as you wrote, a "NODATA"

Re: [dns-operations] .GL (Greenland) 2LD DS denial of existence problems

2023-06-20 Thread Stephane Bortzmeyer
On Mon, Jun 19, 2023 at 10:23:13PM -0400, Viktor Dukhovni wrote a message of 66 lines which said: > The .GL TLD returns bogus NXDOMAIN responses to DS queries for: But it replies properly for NSEC3PARAM :-) % dig +dnssec @d.nic.gl NSEC3PARAM com.gl ; <<>> DiG 9.18.12-1-Debian <<>> +dnssec

[dns-operations] Percentage of DoT/DoH requests for public resolvers?

2023-06-12 Thread Stephane Bortzmeyer
Hello, I'm looking for the current percentage of encrypted DNS requests vs. in-the-clear ones on public resolvers having DoT/DoH/DoQ. I do not find public information about it. Maybe I searched too fast? If you work for a public DNS resolver, is there data you can share? If you can/want/prefer

Re: [dns-operations] Query regarding my paid domain communityclinic.ga form freenom

2023-06-05 Thread Stephane Bortzmeyer
On Mon, Jun 05, 2023 at 02:46:35PM +0100, Mark Rousell wrote a message of 223 lines which said: > It is not clear to me what will become of all of the registered .ga domains > after the registry switch over. It is perfectly clear: "ANINF estimates that there are currently over 7 million

Re: [dns-operations] Query regarding my paid domain communityclinic.ga form freenom

2023-06-05 Thread Stephane Bortzmeyer
On Mon, Jun 05, 2023 at 06:40:01PM +0530, Amit Singh wrote a message of 157 lines which said: > I raised a ticket with freenom today but they did not provide a > single reply in that matter. I also opened an issue with > google. They pointed me at this list for updates by stating that now >

Re: [dns-operations] Important change for the .ga TLD 6th june 2023

2023-06-04 Thread Stephane Bortzmeyer
On Fri, Jun 02, 2023 at 09:28:24AM +0200, Stephane Bortzmeyer wrote a message of 56 lines which said: > The .ga TLD will change its mode of operation on 6th june 2023. The majority > of domain names, registered under disputable conditions, will be removed. Do > not be surprise

Re: [dns-operations] Important change for the .ga TLD 6th june 2023

2023-06-02 Thread Stephane Bortzmeyer
On Fri, Jun 02, 2023 at 11:03:19AM +0300, Frank Habicht wrote a message of 33 lines which said: > I'm not involved at all, but wondering: > no webpage for registrants to check whether their domain will 'survive'? The way I see it (disclaimer: I don't work for ANINF), if you registered

[dns-operations] Important change for the .ga TLD 6th june 2023

2023-06-02 Thread Stephane Bortzmeyer
The .ga TLD will change its mode of operation on 6th june 2023. The majority of domain names, registered under disputable conditions, will be removed. Do not be surprised if many domains yield NXDOMAIN. https://mon.ga/english.html See the details in the press release:

Re: [dns-operations] Looking for zones using white lies (RFC 4470)

2023-01-27 Thread Stephane Bortzmeyer
On Fri, Jan 27, 2023 at 12:19:18AM -0500, Viktor Dukhovni wrote a message of 30 lines which said: > Three sample zones: They all seem to use black lies, not white lies.

[dns-operations] Looking for zones using white lies (RFC 4470)

2023-01-26 Thread Stephane Bortzmeyer
I'm looking for zones in the wild that are signed using the technique of white lies (RFC 4470). [Not the black lies used by Cloudflare.] Do you know some?

Re: [dns-operations] What's going on at Microsoft?

2022-10-21 Thread Stephane Bortzmeyer
On Fri, Oct 21, 2022 at 08:49:16AM +0200, Borja Marcos wrote a message of 41 lines which said: > Right now I have quite a lot of pollution on my recursive error logs due to > two Microsoft operated domains: > > microsoftdnstest.net > msedge.net For microsoftdnstest.net, the two name

Re: [dns-operations] ENT NXDOMAIN problem at .BS nameserver ns36.cdns.net

2022-09-27 Thread Stephane Bortzmeyer
On Tue, Sep 27, 2022 at 02:20:11PM +, BS Domain Administrator wrote a message of 229 lines which said: > Please test again and let us know if the problem still occurs. This specific problem disappeared but there are other funny things in the zone. For instance, the three authoritative

Re: [dns-operations] ENT NXDOMAIN problem at .BS nameserver ns36.cdns.net

2022-09-23 Thread Stephane Bortzmeyer
On Thu, Sep 22, 2022 at 02:12:43PM +, BS Domain Technical Contact wrote a message of 64 lines which said: > Please provide an update regarding the same. Thanks. Which update? Nothing changed. % dig @ns36.cdns.net com.bs ; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> @ns36.cdns.net com.bs ;

[dns-operations] ICANN Launches the KINDNS Initiative to Promote DNS Security Best Practices

2022-09-15 Thread Stephane Bortzmeyer
[I don't have a strong opinion about this project, but it seems relevant and I don't think it has been forwarded here.] The Internet Corporation for Assigned Names and Numbers (ICANN) invites you to participate in the "Knowledge-sharing and Instantiation Norms for DNS and Naming Security"

Re: [dns-operations] Browser Public suffixes list

2022-08-29 Thread Stephane Bortzmeyer
On Fri, Aug 26, 2022 at 10:25:49PM +, Paul Hoffman wrote a message of 100 lines which said: > There's also, you know, the DNS itself Speaking of DNS, it is time to remind readers that there was a project to express information such as "is it a public suffix?" in the DNS and it

[dns-operations] mail.protection.outlook.com has EDNS issues

2022-07-06 Thread Stephane Bortzmeyer
The authoritative name servers for mail.protection.outlook.com apparently don't reply if you use EDNS. And it seems many resolvers don't fall back on old-DNS (and rightly so). Seen from the RIPE Atlas probes, many resolvers cannot resolve names under mail.protection.outlook.com (here, the MX of

[dns-operations] Program/library/framework for testing robustness of servers

2022-06-20 Thread Stephane Bortzmeyer
I maintain an experimental authoritative DNS server and I would like to test its robustness. dnsperf and flamethrower are great to test its performance, zonemaster and dnsviz are perfect to test its correctness in face of legal input but I would like to see how it reacts to *illegal*, malformed

[dns-operations] DNS request for ./NS with two extra bytes at the end

2022-05-25 Thread Stephane Bortzmeyer
[This has no operational consequences, it is just idle curiosity.] A server receives a few packets/second coming from several IP addresses and querying ./NS (like in priming, or maybe in some reflection attacks). The server was never a root server, of course. What is interesting is that all

Re: [dns-operations] .au DNSSEC issues

2022-03-28 Thread Stephane Bortzmeyer
On Mon, Mar 28, 2022 at 08:56:39AM +, Brett Carr wrote a message of 131 lines which said: > This seems to have gone undiscussed on here which is unusual. It was discussed on Australian mailing lists: https://lists.ausnog.net/pipermail/ausnog/2022-March/thread.html

[dns-operations] Running the ua.-top level domain in times of war

2022-03-24 Thread Stephane Bortzmeyer
Interesting interview: https://www.heise.de/hintergrund/Running-the-ua-top-level-domain-in-times-of-war-6611777.html

[dns-operations] TLD .fj broken (DNSSEC issue)

2022-03-08 Thread Stephane Bortzmeyer
Entire TLD down since the DS goes to a non-existent key. % dig @a.root-servers.net fj ds ; <<>> DiG 9.16.22-Debian <<>> @a.root-servers.net fj ds ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR,

[dns-operations] [outa...@outages.org: [outages] DNSSEC issues .se]

2022-02-04 Thread Stephane Bortzmeyer
Indeed, DNSviz seems to confirm the problem: https://dnsviz.net/d/sportbladet.se/Yf1XbQ/dnssec/ The signature of the NSEC record looks strange to me: % dig @a.ns.se. +dnssec A sportbladet.se ; <<>> DiG 9.16.1-Ubuntu <<>> @a.ns.se. +dnssec A sportbladet.se ; (2 servers found) ;; global options:

[dns-operations] Freenom TLDs not working through Google Public DNS

2022-01-19 Thread Stephane Bortzmeyer
I did not investigate yet but it may be fun: https://issuetracker.google.com/issues?q=.ml=1

Re: [dns-operations] What is the reason of J-Root doesn't serve the arpa zone?

2021-12-05 Thread Stephane Bortzmeyer
On Mon, Dec 06, 2021 at 01:42:42AM +0900, Yasuhiro Orange Morishita / 森下泰宏 wrote a message of 89 lines which said: > And I heard from another person that J-Root holds the arpa zone, but > not delegated. It is also interesting. Indeed. It is funny. % dig @j.root-servers.net NS arpa ; <<>>

Re: [dns-operations] DNSviz and G-root: EDNS issue?

2021-10-13 Thread Stephane Bortzmeyer
On Tue, Oct 12, 2021 at 01:01:08PM -0400, Matthew Pounsett wrote a message of 11 lines which said: > > This might be a known intermittent IPv6 routing issue with DNSviz, do > > you see this problem for v4 and/or v6 ? > > That would show up as a non-answer over IPv6, rather than an apparent >

Re: [dns-operations] DNSviz and G-root: EDNS issue?

2021-10-12 Thread Stephane Bortzmeyer
On Tue, Oct 12, 2021 at 11:21:44AM -0400, Keith Mitchell wrote a message of 22 lines which said: > > (192.112.36.4, UDP_-_EDNS0_4096_D_KN)". > > > > Testing G-root/192.112.36.4 > This might be a known intermittent IPv6 routing issue with DNSviz, do you > see this problem for v4 and/or v6 ?

[dns-operations] DNSviz and G-root: EDNS issue?

2021-10-12 Thread Stephane Bortzmeyer
DNSviz currently always flags the root with a warning "./DNSKEY (alg 8, id 14748): No response was received until the UDP payload size was decreased, indicating that the server might be attempting to send a payload that exceeds the path maximum transmission unit (PMTU) size. (192.112.36.4,

Re: [dns-operations] [Fwd: .club TLD appears to be completely down]

2021-10-07 Thread Stephane Bortzmeyer
On Thu, Oct 07, 2021 at 03:57:33PM +0200, Stephane Bortzmeyer wrote a message of 17 lines which said: > Most RIPE Atlas probes use a resolver which now sees .club (there was 99% > SERVFAIL before): It seems it works everywhere now.

Re: [dns-operations] [Fwd: .club TLD appears to be completely down]

2021-10-07 Thread Stephane Bortzmeyer
On Thu, Oct 07, 2021 at 03:32:45PM +0200, Peter van Dijk wrote a message of 27 lines which said: > None of those 'some' appear to be in Amsterdam :-) Still nothing for > me. Most RIPE Atlas probes use a resolver which now sees .club (there was 99% SERVFAIL before): % blaeu-resolve --type

Re: [dns-operations] [Fwd: .club TLD appears to be completely down]

2021-10-07 Thread Stephane Bortzmeyer
On Thu, Oct 07, 2021 at 01:54:18PM +0200, Peter van Dijk wrote a message of 16 lines which said: > https://www.namecheap.com/status-updates/archives/63707 > > Update @ 7:45 AM EDT | 11:45 UTC > We have received an update from the registry. They are working to > resolve the issue within the

Re: [dns-operations] Akamai outages possibly related to Edge DNS?

2021-07-24 Thread Stephane Bortzmeyer
On Thu, Jul 22, 2021 at 09:53:25AM -0700, Mauricio Vergara Ereche wrote a message of 90 lines which said: > Seeing several reports of sites going down > > Some people blaming AWS, others Akamai Edge DNS Clearly Akamai Edge. They acknowledged it on their status site "a software configuration

[dns-operations] Name:Wreck vulnerability

2021-04-14 Thread Stephane Bortzmeyer
Time for a new vulnerability-with-a-catchy-name. Name:Wreck is a bug in some implementations of DNS clients when dereferencing compression pointers, in some cases leading to remote code execution when parsing a malicious packet.

[dns-operations] Spurious (?) DNSSEC SERVFAIL with some (?) versions of BIND for one domain?

2021-03-10 Thread Stephane Bortzmeyer
Some resolvers cannot resolve the DMARC record _dmarc.prv.se/TXT. They reply SERVFAIL (the correct answer is NXDOMAIN). Running with checking disabled solves the problem. I see nothing that explains this problem. Zonemaster and DNSviz do not see it either. RIPE Atlas probes show that some

Re: [dns-operations] dnspooq

2021-01-21 Thread Stephane Bortzmeyer
On Tue, Jan 19, 2021 at 03:53:04PM +, Roy Arends wrote a message of 7 lines which said: > fyi > > https://www.jsof-tech.com/disclosures/dnspooq/ Real vulnerabilities and good technical work but why do they feel the need to add references to the "Internet DNS Architecture" (it is not a

Re: [dns-operations] Google DNS hiccups (Toronto, Canada?)

2021-01-08 Thread Stephane Bortzmeyer
On Fri, Jan 08, 2021 at 10:43:30AM -0500, David Magda wrote a message of 19 lines which said: > Is anyone experiencing timeouts and hangs with Google DNS? It is discussed on the outages mailing list. I quote a Google employee: Google is aware this has recurred over the last 3 days and we

Re: [dns-operations] .ag outage

2020-11-27 Thread Stephane Bortzmeyer
On Fri, Nov 27, 2020 at 12:09:08PM +0100, Thomas Mieslinger wrote a message of 28 lines which said: > I received customer complaints that quad8 and some German broadband > resolvers were unable to resolve .ag secondlevel domains. It works for me: % dig @8.8.8.8 peak.ag ; <<>> DiG

Re: [dns-operations] How DNS work

2020-11-09 Thread Stephane Bortzmeyer
On Mon, Nov 09, 2020 at 03:34:32PM +, Jim Reid wrote a message of 60 lines which said: > A well behaved resolving server will only send a handful of queries > (if that) to the root every day - ie whenever it needs to lookup a > TLD that hasn’t been cached. And maybe not even so, if they

Re: [dns-operations] How DNS work

2020-11-09 Thread Stephane Bortzmeyer
On Mon, Nov 09, 2020 at 11:15:12AM +0700, Hoan Vu wrote a message of 122 lines which said: > And we have already done a lab, and then the DNS Cache works out of > order, the DNS Root is chosen randomly. As explained in the APNIC article, it depends on the resolver. BIND, Knot, Unbound and the

Re: [dns-operations] QTYPEs 65 and 65479

2020-10-01 Thread Stephane Bortzmeyer
On Wed, Sep 16, 2020 at 10:44:00AM +0100, Roy Arends wrote a message of 128 lines which said: > More info: > > https://mailarchive.ietf.org/arch/msg/add/MbOOWPVHRHM_wvbKhfHuzUTwimI/ > And a good Cloudflare paper

Re: [dns-operations] CLI Tool for DoH

2020-09-29 Thread Stephane Bortzmeyer
On Tue, Sep 29, 2020 at 11:37:29AM +0200, Jeroen Massar via dns-operations wrote a message of 88 lines which said: > one can also test quickly with Stéphane Bortzmeyer's script: > https://www.bortzmeyer.org/files/test-doh.py Now superseded by Homer

Re: [dns-operations] CLI Tool for DoH

2020-09-29 Thread Stephane Bortzmeyer
On Mon, Sep 28, 2020 at 06:30:33PM -0700, cjc+dns-o...@pumpky.net wrote a message of 9 lines which said: > Looking for a command line tool to do testing of DoH. Something like > dig or drill with DoH support. I suspect there's a Python tool https://framagit.org/bortzmeyer/homer % homer

Re: [dns-operations] DNS attacks against FR/BE/NL resolvers of Internet access providers

2020-09-17 Thread Stephane Bortzmeyer
On Mon, Sep 14, 2020 at 03:14:59PM +0200, Stephane Bortzmeyer wrote a message of 11 lines which said: > On 1 and 2 September 2020, several French IAPs (Internet Access > Providers), including SFR and Bouygues, were "down". Their DNS > resolvers were offline, and

Re: [dns-operations] Tutanota DNS issues

2020-09-17 Thread Stephane Bortzmeyer
On Thu, Sep 17, 2020 at 12:11:09PM +0800, Amari CH wrote a message of 17 lines which said: > I have migrated the hosting service with them to other providers. > > And their DNS query always returns SERVFAIL: I don't know for the old servers at IronDNS but the new ones at AWS work and I get

Re: [dns-operations] DNS attacks against FR/BE/NL resolvers of Internet access providers

2020-09-15 Thread Stephane Bortzmeyer
On Mon, Sep 14, 2020 at 02:54:42PM -0300, Fernando Gont wrote a message of 19 lines which said: > Any more details about the attack? e.g., what vectors they used, etc.? No, they didn't publish any technical details. Like many people, I saw the effects (DNS resolution down) but not the

Re: [dns-operations] DNS attacks against FR/BE/NL resolvers of Internet access providers

2020-09-15 Thread Stephane Bortzmeyer
On Mon, Sep 14, 2020 at 01:23:16PM -0700, Damian Menscher wrote a message of 87 lines which said: > > There are a great many public resolvers, the best known ones among > > which are operated by the major US corporations that have cornered > > a large proportion of Internet services and are

[dns-operations] DNS attacks against FR/BE/NL resolvers of Internet access providers

2020-09-14 Thread Stephane Bortzmeyer
On 1 and 2 September 2020, several French IAPs (Internet Access Providers), including SFR and Bouygues, were "down". Their DNS resolvers were offline, and it does indeed seem that this was the result of an attack carried out against these resolvers.

Re: [dns-operations] Seeking Advice: RIPEstat no longer recognizes my sub-zone under .university

2020-09-07 Thread Stephane Bortzmeyer
On Mon, Sep 07, 2020 at 10:43:57AM +0200, Stephane Bortzmeyer wrote a message of 22 lines which said: > Since the main weakness of this domain is the lack of diversity in > authoritative name servers' IP addresses, I guess that your problem > comes from a routing issue between

Re: [dns-operations] Seeking Advice: RIPEstat no longer recognizes my sub-zone under .university

2020-09-07 Thread Stephane Bortzmeyer
On Mon, Sep 07, 2020 at 02:52:45PM +0700, Pirawat WATANAPONGSE wrote a message of 123 lines which said: > I notice that one of our zones, “kasetsart.university”, is no longer > recognized by the RIPEstat Tool Suite [Reference: >

Re: [dns-operations] Cloudflare public DNS sometimes forwards incomplete subset of NSEC RRs

2020-09-01 Thread Stephane Bortzmeyer
On Tue, Sep 01, 2020 at 01:48:17AM -0400, Viktor Dukhovni wrote a message of 71 lines which said: > * The apex wildcard record and signature identically ONLY from > Google, Verisign and Quad9. From CloudFlare, I get the munin01 > NSEC record and signature twice, but this

Re: [dns-operations] Nameserver responses from different IP than destination of request

2020-09-01 Thread Stephane Bortzmeyer
On Tue, Sep 01, 2020 at 02:45:23AM +, P Vixie wrote a message of 22 lines which said: > you know that the plural of anecdote isn't data: I recently discovered this English word and I love it: https://en.wiktionary.org/wiki/anecdata

Re: [dns-operations] Strange behavior of covid.cdc.gov

2020-08-31 Thread Stephane Bortzmeyer
On Mon, Aug 31, 2020 at 10:12:04PM +0900, Yasuhiro Orange Morishita / 森下泰宏 wrote a message of 18 lines which said: > But it seems to be a little bit strange. The auth servers of cdc.gov > zone serve an unneeded (and unsigned) akam.cdc.gov zone. But they still > have DS RR for real akam.cdc.gov

Re: [dns-operations] Dealing with the bizarre - grantee.fema.gov

2020-07-08 Thread Stephane Bortzmeyer
On Wed, Jul 08, 2020 at 09:15:02PM +0200, Stephane Bortzmeyer wrote a message of 57 lines which said: > No. My BIND and Unbound personal resolvers (which do not have a NTA) > get a reply and set AD. There are probably several different instances for each authoritative

Re: [dns-operations] Dealing with the bizarre - grantee.fema.gov

2020-07-08 Thread Stephane Bortzmeyer
On Wed, Jul 08, 2020 at 11:20:27AM -0700, Brian Somers wrote a message of 38 lines which said: > I can only suspect that all 3 of these resolvers have an NTA for > this domain! No. My BIND and Unbound personal resolvers (which do not have a NTA) get a reply and set AD. The truth is

[dns-operations] Fake “DNS Update” emails targeting site owners and admins

2020-07-07 Thread Stephane Bortzmeyer
Funny, DNSSEC is so successful that you can use it for phishing :-) https://www.helpnetsecurity.com/2020/06/30/fake-dns-update/

Re: [dns-operations] DNSViz Access to C-root

2020-07-02 Thread Stephane Bortzmeyer
On Thu, Jul 02, 2020 at 11:51:53AM -0400, Matthew Pounsett wrote a message of 76 lines which said: > We’ve been in discussion with Cogent for a while about finding a > solution to the problem, and last month finally put something in > place. And what is the solution? A static tunnel to a

Re: [dns-operations] dnsviz.net complaining "UDP_-_NOEDNS_" for gtld-servers.net

2020-06-05 Thread Stephane Bortzmeyer
On Fri, Jun 05, 2020 at 11:26:55AM +0200, Thomas Mieslinger wrote a message of 29 lines which said: > I have a customer complaining being unable to send/receive email. sportsproducts.net appear to DNS-work fine, so the problem is probably elsewhere. >

[dns-operations] About the coincheck.com hijacking

2020-06-05 Thread Stephane Bortzmeyer
There is something new in the hijacking of the domain name coincheck.com , the hijacker created domain names quite similar to the normal domain names of the nameservers. I believe it is the first

Re: [dns-operations] A strange DNS problem (intermittent SERVFAILs)

2020-05-30 Thread Stephane Bortzmeyer
On Sat, May 30, 2020 at 06:50:53PM +, dagon wrote a message of 41 lines which said: > How can you even load > such a zone in a modern authority server? All modern auth > servers would fail, I believe. It may be that the authority server is correct but there is a firewall

[dns-operations] A strange DNS problem (intermittent SERVFAILs)

2020-05-30 Thread Stephane Bortzmeyer
Several users on Twitter reported problems accessing Banque Populaire (a French bank) https://www.banquepopulaire.fr https://www.ibps.loirelyonnais.banquepopulaire.fr https://www.ibps.bpaca.banquepopulaire.fr https://www.ibps.mediterranee.banquepopulaire.fr/ From the limited reports, all errors

Re: [dns-operations] Cloudflare Rose and Rick in .com authoritative Nameserver

2020-04-22 Thread Stephane Bortzmeyer
On Mon, Apr 20, 2020 at 03:40:56PM +0200, Raffaele Sommese wrote a message of 35 lines which said: > registries do not enforce the consistency between glue records and > the same records served by the authoritative nameservers, right? Some do, some don't. That's the beauty of the Internet :-)

Re: [dns-operations] solutions for DDoS mitigation of DNS

2020-04-02 Thread Stephane Bortzmeyer
On Thu, Apr 02, 2020 at 09:31:18PM +0800, Tessa Plum wrote a message of 7 lines which said: > I think we can put the devices in our own network to protect such attacks. Commercial boxes are typically optimised for HTTP, DNS is very different. I remember a box which was creating an entry in

Re: [dns-operations] solutions for DDoS mitigation of DNS

2020-04-02 Thread Stephane Bortzmeyer
On Thu, Apr 02, 2020 at 05:39:48PM +0800, Davey Song wrote a message of 111 lines which said: > You said you are managing DNS for your university and your concern > for secondary DNS is privacy. I'm not sure what exactly the privacy > concerns are. RFC 7626. Also, it may raise issues about

Re: [dns-operations] solutions for DDoS mitigation of DNS

2020-04-02 Thread Stephane Bortzmeyer
On Thu, Apr 02, 2020 at 11:05:48AM +0100, Tony Finch wrote a message of 30 lines which said: > > ACLs in the server are not enough, you also need ingress filtering > > on the borders of your network, to prevent packets claiming to be > > from your network to get inside. > > That kind of

Re: [dns-operations] solutions for DDoS mitigation of DNS

2020-04-02 Thread Stephane Bortzmeyer
On Thu, Apr 02, 2020 at 03:06:17PM +0800, Tessa Plum wrote a message of 18 lines which said: > I never knew BCP38 before. I will try to study it. BCP38 is Good, *but* it protects others against you. So, to be protected, you need the *others* to implement it.

Re: [dns-operations] solutions for DDoS mitigation of DNS

2020-04-02 Thread Stephane Bortzmeyer
On Thu, Apr 02, 2020 at 05:12:29PM +0800, Tessa Plum wrote a message of 11 lines which said: > All the packages were DNS requests, some queries like 'dig domain.com any'. > but their IP address seems spoofed. In that case, yes, RRL would help.

Re: [dns-operations] solutions for DDoS mitigation of DNS

2020-04-02 Thread Stephane Bortzmeyer
On Thu, Apr 02, 2020 at 11:51:05AM +0800, Tessa Plum wrote a message of 37 lines which said: > We were under some attack like UDP flood to the authority servers, DNS or another type? > The traffic size was about 20Gbps Note that for DNS traffic, the useful metric is often

Re: [dns-operations] solutions for DDoS mitigation of DNS

2020-04-02 Thread Stephane Bortzmeyer
On Thu, Apr 02, 2020 at 03:06:49AM +, Paul Vixie wrote a message of 29 lines which said: > to keep your own recursive servers from amplifying spoofed-source > attacks, you need ACL's that make it unreachable outside your > specific client base. ACLs in the server are not enough, you also

Re: [dns-operations] solutions for DDoS mitigation of DNS

2020-04-02 Thread Stephane Bortzmeyer
On Wed, Apr 01, 2020 at 07:35:35PM -0700, Fred Morris wrote a message of 10 lines which said: > Depends on what you mean. You might look at "response rate limiting" in for > instance BIND. -- FWM RRL protects people against you (when your name server is used as a reflector) but not really

Re: [dns-operations] solutions for DDoS mitigation of DNS

2020-04-02 Thread Stephane Bortzmeyer
On Thu, Apr 02, 2020 at 10:14:14AM +0800, Tessa Plum wrote a message of 14 lines which said: > May I ask if there are any solutions for DDoS mitigation of DNS? All solutions that were mentioned here are correct but incomplete: there is no general solution against dDoS, because "it depends".

Re: [dns-operations] question on query to DNS server's IPv6 interface

2020-03-31 Thread Stephane Bortzmeyer
On Tue, Mar 31, 2020 at 08:37:30PM +0800, Tessa Plum wrote a message of 13 lines which said: > Another question, in DNS server, how to count how many queries were > from IPv6 interface, and how many queries were from IPv4 interface? It depends on the name server. Here is an example with

[dns-operations] Algorithm but no signature in .in?

2020-03-26 Thread Stephane Bortzmeyer
Some resolvers protest on .in. It seems they have a RSASHA256 key but no RSASHA256 signatures, thus violating RFC 4035, section 2.2 "There MUST be an RRSIG for each RRset using at least one DNSKEY of EACH ALGORITHM". (Cannot show a nice DNSviz picture, DNSviz seems broken at this time.)

[dns-operations] DNS of Turk Telekom

2020-01-21 Thread Stephane Bortzmeyer
Does anyone have more detailed, concrete information about this "DNS attack"? https://www.itnews.com.au/news/turk-telekom-says-internet-access-restored-after-cyber-attack-536767

Re: [dns-operations] help with a resolution

2020-01-08 Thread Stephane Bortzmeyer
On Wed, Jan 08, 2020 at 07:05:04PM +0800, William C wrote a message of 15 lines which said: > 1. how to check if a zone has a valid DNSSEC key? If you are not a DNSSEC expert, DNSviz is a handy tool > 2. how to validate if the zone has been signed with correct key?

Re: [dns-operations] help with a resolution

2020-01-08 Thread Stephane Bortzmeyer
On Wed, Jan 08, 2020 at 08:56:41AM +0800, William C wrote a message of 59 lines which said: > Can you help check why public nameservers (all 8.8.8.8, 1.1.1.1, 9.9.9.9 > etc) can't resolve this domain? As explained by several experts, this domain is DNSSEC-broken. This has nothing to do with

Re: [dns-operations] IPv6 only for nameservers

2019-12-30 Thread Stephane Bortzmeyer
On Mon, Dec 30, 2019 at 05:18:01PM +0300, Anand Buddhdev wrote a message of 17 lines which said: > If your domain's authoritative name servers have only IPv6 > addresses, then your domain will not be resolvable by many resolvers > on the Internet, because many of them only have IPv4
