Hello
On 27.12.2022 09:45, Benoit Panizzon via swinog wrote:
> Hi List
> Fancy another DNS issue hunt?
> We have DNSSEC validation enabled on our BIND DNS Servers.
> Same for my private servers.
> We started seeing:
> no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 2a01:8100:2901::1:183:202#53
> no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 2a01:8100:2901::1:183:201#53
> no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 81.88.58.219#53
> no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 195.110.124.196#53
> broken trust chain resolving 'www.numberportability.ch/HTTPS/IN': 2a01:8100:2901::1:183:202#53
> broken trust chain resolving 'www.numberportability.ch/AAAA/IN': 2a01:8100:2901::1:183:202#53
> client @0x803541d60 X.X.X.X#27325 (www.numberportability.ch): query failed (broken trust chain) for www.numberportability.ch/IN/AAAA at query.c:7724
It all looks fine so far from my end, or did I miss something important?
fabian@flashback:~ % dig -t ns numberportability.ch +dnssec
; <<>> DiG 9.10.6 <<>> -t ns numberportability.ch +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28854
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;numberportability.ch. IN NS
;; ANSWER SECTION:
numberportability.ch. 900 IN NS dns2.swizzonic.ch.
numberportability.ch. 900 IN NS dns1.swizzonic.ch.
numberportability.ch. 900 IN RRSIG NS 13 2 900 20230105000000 20221215000000 10556 numberportability.ch. YDc8MgSRBZDVlRBaP5RfxeGZdkYvNkci8N2rpxQ5NsvjWz9M/HDasP6P AAk4H2tJsJyVK0HqghSCuwuTub1opA==
;; Query time: 42 msec
;; SERVER: 2001:8a8:1005:1::2#53(2001:8a8:1005:1::2)
;; WHEN: Wed Dec 28 11:24:10 CET 2022
;; MSG SIZE rcvd: 215
fabian@flashback:~ % dig www.numberportability.ch +dnssec @dns1.swizzonic.ch.
; <<>> DiG 9.10.6 <<>> www.numberportability.ch +dnssec @dns1.swizzonic.ch.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 669
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1680
;; QUESTION SECTION:
;www.numberportability.ch. IN A
;; ANSWER SECTION:
www.numberportability.ch. 900 IN A 164.128.159.204
www.numberportability.ch. 900 IN RRSIG A 13 3 900 20230105000000 20221215000000 10556 numberportability.ch. 5PpTJZ19GmcEyD8i3iUBWoZdGYECB3Hvdx2JclKfDVKl3KVbuBekf6RL kP1HRSYPhJZak25YeyhKe1oPemHXrw==
;; Query time: 21 msec
;; SERVER: 2a01:8100:2901::1:183:201#53(2a01:8100:2901::1:183:201)
;; WHEN: Wed Dec 28 11:24:22 CET 2022
;; MSG SIZE rcvd: 185
fabian@flashback:~ % dig www.numberportability.ch +dnssec @dns2.swizzonic.ch.
; <<>> DiG 9.10.6 <<>> www.numberportability.ch +dnssec @dns2.swizzonic.ch.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14397
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1680
;; QUESTION SECTION:
;www.numberportability.ch. IN A
;; ANSWER SECTION:
www.numberportability.ch. 900 IN A 164.128.159.204
www.numberportability.ch. 900 IN RRSIG A 13 3 900 20230105000000 20221215000000 10556 numberportability.ch. FuWo8czeDf/KyCcyYXJF+pYkFJ8HsIX4RrW5a9+fIGqtDUVud7+lxPo9 1oW4H1v69+Mf7rze8SdxAsODJwFUQw==
;; Query time: 36 msec
;; SERVER: 2a01:8100:2901::1:183:202#53(2a01:8100:2901::1:183:202)
;; WHEN: Wed Dec 28 11:24:31 CET 2022
;; MSG SIZE rcvd: 185
fabian@flashback:~ %
Also checking at DNSViz it looks fine:
https://dnsviz.net/d/numberportability.ch/dnssec/
So either they fixed it in the meantime or then your server may have
some issue or something bad in cache.
Best regards,
Fabian
_______________________________________________
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch
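
Added example, not part of the thread or of anyone's post: a small Python check of the non-cryptographic RRSIG conditions a validating resolver applies before verifying the signature (validity window, Labels field, signer name), run over the RRSIG fields shown in the dig output above. The function name and the `SIG` placeholder standing in for the base64 signature are assumptions of this example; the signature itself is not verified here.

```python
import re
from datetime import datetime, timezone

# RRSIG fields as shown in the dig output above; the base64 signature is
# replaced by the placeholder "SIG" because this check does not verify it.
RRSIG_LINES = [
    "numberportability.ch. 900 IN RRSIG NS 13 2 900 20230105000000 "
    "20221215000000 10556 numberportability.ch. SIG",
    "www.numberportability.ch. 900 IN RRSIG A 13 3 900 20230105000000 "
    "20221215000000 10556 numberportability.ch. SIG",
]
# ";; WHEN: Wed Dec 28 11:24:10 CET 2022" expressed in UTC.
QUERY_TIME = datetime(2022, 12, 28, 10, 24, 10, tzinfo=timezone.utc)

# Presentation format: owner TTL IN RRSIG covered alg labels orig-ttl
# expiration inception key-tag signer signature
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+(?P<alg>\d+)\s+"
    r"(?P<labels>\d+)\s+\d+\s+(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+"
    r"(?P<tag>\d+)\s+(?P<signer>\S+)\s")


def _ts(value):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_rrsig(line, now):
    """Return the list of problems found; an empty list means the pre-checks pass."""
    m = RRSIG_RE.match(line)
    if not m:
        raise ValueError("not an RRSIG line: %r" % line)
    owner = m["owner"].lower().rstrip(".")
    signer = m["signer"].lower().rstrip(".")
    problems = []
    # The resolver's own clock decides this, so clock skew shows up here.
    if now < _ts(m["inc"]):
        problems.append("not yet valid")
    if now > _ts(m["exp"]):
        problems.append("expired")
    # The Labels field may not exceed the number of labels in the owner name.
    if int(m["labels"]) > len(owner.split(".")):
        problems.append("labels field exceeds owner name")
    # The signer must be the owner name itself or an ancestor of it.
    if owner != signer and not owner.endswith("." + signer):
        problems.append("signer is not the owner's zone")
    return problems


if __name__ == "__main__":
    for rr in RRSIG_LINES:
        print(rr.split()[0], check_rrsig(rr, QUERY_TIME) or "ok")
```

Passing the resolver's own notion of the current time as `now` shows whether a skewed clock alone would make these signatures fail.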