Hi List

Fancy another DNS issue hunt?

We have DNSSEC validation enabled on our BIND DNS Servers.

We started seeing:

no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 2a01:8100:2901::1:183:202#53
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 2a01:8100:2901::1:183:201#53
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 81.88.58.219#53
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 195.110.124.196#53

broken trust chain resolving 'www.numberportability.ch/HTTPS/IN': 2a01:8100:2901::1:183:202#53
broken trust chain resolving 'www.numberportability.ch/AAAA/IN': 2a01:8100:2901::1:183:202#53
client @0x803541d60 X.X.X.X#27325 (www.numberportability.ch): query failed (broken trust chain) for www.numberportability.ch/IN/AAAA at query.c:7724

And of course the query fails, disrupting access to some quite
important API.

numberportability.ch.   900     IN      SOA     dns1.swizzonic.ch. hostmaster.swizzonic.ch. 2022121601 10800 3600 604800 86400

$ dig +dnssec RRSIG www.numberportability.ch @dns1.swizzonic.ch
; <<>> DiG 9.16.33-Debian <<>> +dnssec RRSIG www.numberportability.ch @dns1.swizzonic.ch
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 39132
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

So, from my point of view, the authoritative DNS server thinks this is
a recursive query and refuses to answer with the RRSIG, breaking
validation of that record.

Do you get to the same conclusion? Can you resolve this host via any
other DNSSEC validating nameserver?

I had no success contacting any technically inclined staff willing to
look at the issue since the issue started on 16. December via
hostmas...@swizzonic.ch by phone or via supp...@register.it. So if
anyone from Swizzonic is reading here, it would be nice to get a direct
contact to further investigate that issue.

Kind regards

-Benoît Panizzon-
-- 
I m p r o W a r e   A G    -    Leiter Commerce Kunden
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Schweiz                         Web  http://www.imp.ch
______________________________________________________
_______________________________________________
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch
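
Added example (not part of the original post, and not BIND tooling): a small Python parser that groups the named log messages quoted above by record and upstream server, separating the "no valid RRSIG" DS failures from the "broken trust chain" errors that accompany them. The sample lines are copied from the post with wrapped lines rejoined; treating the DS failures as the point where the chain breaks is a heuristic assumed here.

```python
import re
from collections import defaultdict

# Log lines taken from the post above, with the wrapped lines rejoined.
SAMPLE_LOG = """\
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 2a01:8100:2901::1:183:202#53
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 2a01:8100:2901::1:183:201#53
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 81.88.58.219#53
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 195.110.124.196#53
broken trust chain resolving 'www.numberportability.ch/HTTPS/IN': 2a01:8100:2901::1:183:202#53
broken trust chain resolving 'www.numberportability.ch/AAAA/IN': 2a01:8100:2901::1:183:202#53
client @0x803541d60 X.X.X.X#27325 (www.numberportability.ch): query failed (broken trust chain) for www.numberportability.ch/IN/AAAA at query.c:7724
"""

# Resolver-side message: "<reason> resolving '<name>/<type>/<class>': <server>#<port>"
RESOLVER_RE = re.compile(
    r"(?P<reason>no valid RRSIG|broken trust chain) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[^/']+)/(?P<rclass>[^']+)': "
    r"(?P<server>\S+)#(?P<port>\d+)"
)
# Client-side message: "query failed (<reason>) for <name>/<class>/<type>"
CLIENT_RE = re.compile(
    r"query failed \((?P<reason>[^)]+)\) for (?P<name>[^/\s]+)/(?P<rclass>\w+)/(?P<rtype>\w+)"
)

def summarize(log_text):
    """Group validation failures by (name, type) and collect the upstream servers involved."""
    upstream = defaultdict(lambda: defaultdict(set))  # (name, rtype) -> reason -> servers
    client_failures = defaultdict(int)                # (name, rtype, reason) -> count
    for line in log_text.splitlines():
        if m := RESOLVER_RE.search(line):
            upstream[(m["name"], m["rtype"])][m["reason"]].add(m["server"])
        elif m := CLIENT_RE.search(line):
            client_failures[(m["name"], m["rtype"], m["reason"])] += 1
    return upstream, client_failures

def root_cause_candidates(upstream):
    """Heuristic (assumption): DS lookups with no valid RRSIG mark where the chain breaks."""
    return {key: sorted(r["no valid RRSIG"]) for key, r in upstream.items()
            if key[1] == "DS" and "no valid RRSIG" in r}

if __name__ == "__main__":
    up, clients = summarize(SAMPLE_LOG)
    for (name, rtype), servers in root_cause_candidates(up).items():
        print(f"{name}/{rtype}: no valid RRSIG from {len(servers)} servers: {', '.join(servers)}")
    for (name, rtype, reason), n in clients.items():
        print(f"client query failed: {name}/{rtype} ({reason}) x{n}")
```

On the lines from the post, every one of the four upstream addresses appears under the DS failure, which points at the zone's served data rather than at a single unreachable server.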