Re: [dns-operations] .ag outage
> That is fine if you do not want DNSSEC. > > > Do you also see problems with .ag? > Yesterday morning I noticed it was bogus but that is fixed by now. jaap ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] .ag outage
Hi Thomas, FWIW: I can resolve peak.ag from 8.8.8.8 just fine now: ❯ ~ dig peak.ag @8.8.8.8 +dnssec ; <<>> DiG 9.10.6 <<>> peak.ag @8.8.8.8 +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16486 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;peak.ag. IN A ;; ANSWER SECTION: peak.ag.3599IN A 153.92.198.115 ;; Query time: 66 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Fri Nov 27 12:16:32 CET 2020 ;; MSG SIZE rcvd: 52 Frank > On 27 Nov 2020, at 12:09, Thomas Mieslinger wrote: > > Hi, > > I received customer complaints that quad8 and some german broadband > resolvers were unable to resolve .ag secondlevel domains. > > peak.ag > hoevelmann.ag > sonnenschein.ag > hostedoffice.ag > > I run the authoritatives serving the first three examples and we've had > no outage. > > I don't understand the DNSEC keys in .ag and the intended change carried > out with the current setup. > > https://dnsviz.net/d/hoevelmann.ag/dnssec/ > > Do you also see problems with .ag? > > Cheers > > Thomas > > ___ > dns-operations mailing list > dns-operations@lists.dns-oarc.net > https://lists.dns-oarc.net/mailman/listinfo/dns-operations ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] .ag outage
--- Begin Message --- > On 20201127, at 13:40, Matthew Richardson wrote: > > DNSvis has recorded two entries for hoevelmann.ag. Whilst the latest one > looks OK, the previous one:- > > https://dnsviz.net/d/hoevelmann.ag/X8DXeQ/dnssec/ > > is showing an amount of bogusness. Apparently Afilias, the registry of .ag, messed up something related to DNSSEC: At least according to: https://twitter.com/aw93053/status/1332298822404497410 Which is why most people missing the +dnssec option to dig will have had fine results, but Google Public DNS will fail (as it should) as it verifies sigs. This is also, when people report something, including data (dig outputs, traceroute, dnsviz, zonemaster checks) as that gives a view from that vantage point. Now in this case... where are the Afilias folks and their write-up what went wrong (nothing at https://twitter.com/Afilias either) Greets, Jeroen --- End Message --- ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] .ag outage
On Fri, Nov 27, 2020 at 12:09:08PM +0100, Thomas Mieslinger wrote a message of 28 lines which said: > I received customer complaints that quad8 and some german broadband > resolvers were unable to resolve .ag secondlevel domains. It works for me: % dig @8.8.8.8 peak.ag ; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> @8.8.8.8 peak.ag ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16172 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;peak.ag. IN A ;; ANSWER SECTION: peak.ag.3599 IN A 153.92.198.115 ;; Query time: 17 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Fri Nov 27 13:46:06 CET 2020 ;; MSG SIZE rcvd: 52 RIPE Atlas probes in Germany see no issue either. % blaeu-resolve -r 100 --country DE --type A peak.ag [153.92.198.115] : 96 occurrences [ (TRUNCATED - May have to use --ednssize) 153.92.198.115] : 2 occurrences Test #28290912 done at 2020-11-27T12:47:10Z ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] .ag outage
DNSvis has recorded two entries for hoevelmann.ag. Whilst the latest one looks OK, the previous one:- https://dnsviz.net/d/hoevelmann.ag/X8DXeQ/dnssec/ is showing an amount of bogusness. This previous one may be a clue... Best wishes, Matthew -- >From: Thomas Mieslinger >To: dns-operations@lists.dns-oarc.net >Cc: >Date: Fri, 27 Nov 2020 12:09:08 +0100 >Subject: [dns-operations] .ag outage >Hi, > >I received customer complaints that quad8 and some german broadband >resolvers were unable to resolve .ag secondlevel domains. > >peak.ag >hoevelmann.ag >sonnenschein.ag >hostedoffice.ag > >I run the authoritatives serving the first three examples and we've had >no outage. > >I don't understand the DNSEC keys in .ag and the intended change carried >out with the current setup. > >https://dnsviz.net/d/hoevelmann.ag/dnssec/ > >Do you also see problems with .ag? > >Cheers > >Thomas > >___ >dns-operations mailing list >dns-operations@lists.dns-oarc.net >https://lists.dns-oarc.net/mailman/listinfo/dns-operations ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] .ag outage
--- Begin Message --- > On 20201127, at 12:09, Thomas Mieslinger wrote: > > Hi, > > I received customer complaints that quad8 and some german broadband > resolvers were unable to resolve .ag secondlevel domains. Any outputs from 'dig' that show the problem? Note that all DNS for hoevalmann.ag are located in the same ASN, more specifically 217.160.8{1234}.1/24. which seems to be announced as a single /22 (217.160.80.0/22) by AS8560. As such, if there is a routing issue towards 1and1-dns, things will be broken. It is funny that they chose to use different TLDs but put all eggs in the same /22 + ASN :) Seems quite a few people are interested in those IPs looking at the atlas measurements: https://stat.ripe.net/217.160.80.0%2F22#tabId=activity That kind of amount of activity indicates people seeing problems... > peak.ag > hoevelmann.ag > sonnenschein.ag > hostedoffice.ag > > I run the authoritatives serving the first three examples and we've had > no outage. > > I don't understand the DNSEC keys in .ag and the intended change carried > out with the current setup. > > https://dnsviz.net/d/hoevelmann.ag/dnssec/ That just shows that upto .ag it is all signed, but there is no DNSSEC towards hoevelmann.ag. That is fine if you do not want DNSSEC. > Do you also see problems with .ag? Nothing from my POV, dig +trace +dnssec works fine. https://zonemaster.iis.se/en/?resultid=4cfd71ecabb03a16 says the same thing what I mention above: all DNS servers are in one single AS... Greets, Jeroen --- End Message --- ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
[dns-operations] .ag outage
Hi, I received customer complaints that quad8 and some german broadband resolvers were unable to resolve .ag secondlevel domains. peak.ag hoevelmann.ag sonnenschein.ag hostedoffice.ag I run the authoritatives serving the first three examples and we've had no outage. I don't understand the DNSEC keys in .ag and the intended change carried out with the current setup. https://dnsviz.net/d/hoevelmann.ag/dnssec/ Do you also see problems with .ag? Cheers Thomas ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations