No, there was an issue.

Yesterday, they went from:

a@xxxxxx:~ # delv www.numberportabilty.ch
;; resolution failed: ncache nxdomain
; negative response, fully validated
; www.numberportabilty.ch. 900    IN    \-ANY    ;-$NXDOMAIN
; ch. SOA a.nic.ch. dns-operation.switch.ch. 2022122811 900 600 1123200 900
; ch. RRSIG SOA ...
; ND3E0CGF5OGC08781SOJKFRIOOGBGC7E.ch. RRSIG NSEC3 ...
; ND3E0CGF5OGC08781SOJKFRIOOGBGC7E.ch. NSEC3 1 1 0 - ND3FVIJ6P2HTHSRMNP8BLKRQO4274IF6 NS SOA RRSIG DNSKEY NSEC3PARAM
; QOC41J1IOE62CS3DTUQ3LGS7FCTNAUAM.ch. RRSIG NSEC3 ...
; QOC41J1IOE62CS3DTUQ3LGS7FCTNAUAM.ch. NSEC3 1 1 0 - QOC4OII86T8EDR8QICL731093UTED5MJ NS DS RRSIG
; UB1CIAHS4SJVQLK237TVSNLM741LGBVB.ch. RRSIG NSEC3 ...
; UB1CIAHS4SJVQLK237TVSNLM741LGBVB.ch. NSEC3 1 1 0 - UB1ES2OET0HEP9OTMK4O4BP9RVBE01P6 NS DS RRSIG

to

a@xxxxxx:~ # delv www.numberportability.ch a
; fully validated
www.numberportability.ch. 900    IN    A    164.128.159.204
www.numberportability.ch. 900 IN RRSIG A 13 3 900 20230105000000 20221215000000 10556 numberportability.ch. FuWo8czeDf/KyCcyYXJF+pYkFJ8HsIX4RrW5a9+fIGqtDUVud7+lxPo9 1oW4H1v69+Mf7rze8SdxAsODJwFUQw==

Now they are in the game of deleting customer domains randomly.

Markus


On 28.12.22 11:09, Rémy DUCHET via swinog wrote:
Hi,

No issue from here:

dig www.numberportability.ch +trace

; <<>> DiG 9.16.33-Debian <<>> www.numberportability.ch +trace
;; global options: +cmd
.                       83292   IN      NS      f.root-servers.net.
.                       83292   IN      NS      a.root-servers.net.
.                       83292   IN      NS      h.root-servers.net.
.                       83292   IN      NS      j.root-servers.net.
.                       83292   IN      NS      i.root-servers.net.
.                       83292   IN      NS      g.root-servers.net.
.                       83292   IN      NS      d.root-servers.net.
.                       83292   IN      NS      l.root-servers.net.
.                       83292   IN      NS      k.root-servers.net.
.                       83292   IN      NS      b.root-servers.net.
.                       83292   IN      NS      e.root-servers.net.
.                       83292   IN      NS      c.root-servers.net.
.                       83292   IN      NS      m.root-servers.net.
.                       83292   IN      RRSIG   NS 8 0 518400 20230110050000 
20221228040000 18733 . BDbOstO6sdTqBP2/ER7rX0vjTSJUR/dtnPUOg2zFbt23YhLlSYAegU78 
bF5/KLREwricXZMNI6VcGzu+Hn4tYRf/soE/Iy07AagG5WBawRFPdeAS 
6XVLsbyDDpSkV/RxJoy8fnAyzGiAV4B4lEpYrDiHdSMAIEn0aU/6CSle 
sKTsrdSucbaYTosg3bM28lcpPmpXwDWD05wFkLavfmzqut+wzGCI4ge2 
AAi3apWMgDs/Ccr9UlpgblvOqMHnvJuX+YCgSyQbzFqMZRaJpHVB3UVC 
MJJzNgarSHWtj2E4DZMRiXJUHSHZv0FRCrJg7zmDXIahvlUJEF9LfUC9 CkM5Hw==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 4 ms

ch.                     172800  IN      NS      f.nic.ch.
ch.                     172800  IN      NS      a.nic.ch.
ch.                     172800  IN      NS      d.nic.ch.
ch.                     172800  IN      NS      b.nic.ch.
ch.                     172800  IN      NS      e.nic.ch.
ch.                     86400   IN      DS      10 13 2 
0E175543A74D9083EA977BAB2BEE98A771995F80982FB796B2B0B9CC 6413D1A6
ch.                     86400   IN      RRSIG   DS 8 1 86400 20230110050000 
20221228040000 18733 . BjNNpFn7hCI2Q6QS6f8m26ZFaAjhaYxcFC6W30h5xguJMN9dneex4L+9 
E6bTiawb0q6tCfUkfWDj1QX8NprdxxzpNzDFo+Sksysj6vU28gFSTOl/ 
H84D8BQTlAWvjrQAuNMzUwNlPz1E0OsDzNpMudfhmLp3m89BNzf+ZTBg 
0mSQeW4YEOoxjs86A6yVoLlZrV8msJWfotj2jaLAWaFedLLzk43NrUA1 
Y1sf8CzTVma7EqHbpWX3CJrgn7ELv9G5NtFVsmNO5yrHh40fl9KJ+hx7 
dlxIjuyj+UjiNgwcMC3CsEzukAopbtuZAyYYE0NLVB3qB/YsN9jEl/AC jCFjzg==
;; Received 724 bytes from 192.112.36.4#53(g.root-servers.net) in 76 ms

numberportability.ch.   3600    IN      NS      dns1.swizzonic.ch.
numberportability.ch.   3600    IN      NS      dns2.swizzonic.ch.
numberportability.ch.   3600    IN      DS      10556 13 2 
2A50FB3DFA2EFE6F2A80F962EA9DE6CDCA3B5B6F09D3C9D7D972902D 173528F8
numberportability.ch.   3600    IN      RRSIG   DS 13 2 3600 20230123175307 
20221226043002 19537 ch. 
/JgcDzbIftFZ3vNTx5HdzF2V759lA4Cv2uh84ZWP0p1A4y+xs4aLU2ri 
rN1NrjW4DsMpKlpghPtIWV/m4j0xdA==
;; Received 277 bytes from 2001:678:3::1#53(e.nic.ch) in 0 ms

www.numberportability.ch. 900   IN      A       164.128.159.204
www.numberportability.ch. 900   IN      RRSIG   A 13 3 900 20230105000000 
20221215000000 10556 numberportability.ch. 
FuWo8czeDf/KyCcyYXJF+pYkFJ8HsIX4RrW5a9+fIGqtDUVud7+lxPo9 
1oW4H1v69+Mf7rze8SdxAsODJwFUQw==
;; Received 185 bytes from 81.88.58.219#53(dns2.swizzonic.ch) in 8 ms

Also nothing here https://dnsviz.net/d/www.numberportability.ch/dnssec/

Rémy

-----Original Message-----
From: Benoit Panizzon via swinog <swinog@lists.swinog.ch>
Sent: Tuesday, 27 December 2022 09:45
To: swi...@swinog.ch
Subject: [swinog] DNSSEC issue with swizzonic DNS servers?

Hi List

Fancy another DNS issue hunt?

We have DNSSEC validation enabled on our BIND DNS Servers.

We started seeing:

no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 2a01:8100:2901::1:183:202#53
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 2a01:8100:2901::1:183:201#53
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 81.88.58.219#53
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 195.110.124.196#53

broken trust chain resolving 'www.numberportability.ch/HTTPS/IN': 2a01:8100:2901::1:183:202#53
broken trust chain resolving 'www.numberportability.ch/AAAA/IN': 2a01:8100:2901::1:183:202#53
client @0x803541d60 X.X.X.X#27325 (www.numberportability.ch): query failed (broken trust chain) for www.numberportability.ch/IN/AAAA at query.c:7724

And of course the query fails, disrupting access to some quite important API.

numberportability.ch.   900     IN      SOA     dns1.swizzonic.ch. hostmaster.swizzonic.ch. 2022121601 10800 3600 604800 86400

$ dig +dnssec RRSIG www.numberportability.ch @dns1.swizzonic.ch
; <<>> DiG 9.16.33-Debian <<>> +dnssec RRSIG www.numberportability.ch @dns1.swizzonic.ch
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 39132
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

So, from my point of view, the authoritative DNS server thinks this is a 
recursive query and refuses to answer with the RRSIG, breaking validation of 
that record.

Do you get to the same conclusion? Can you resolve this host via any other 
DNSSEC validating nameserver?

I had no success contacting any technically inclined staff willing to look at the 
issue since the issue started on 16. December via hostmas...@swizzonic.ch by 
phone or via supp...@register.it. So if anyone from Swizzonic is reading here, 
it would be nice to get a direct contact to further investigate that issue.

Kind regards

-Benoît Panizzon-


_______________________________________________
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch


--
Markus Binz, mb...@solnet.ch, MB44-RIPE, PGPKEY-ABC5F050
SolNet, Internet Solution Provider
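
Added example, not part of any message in this thread: a small Python triage script that groups the BIND validation errors quoted above by queried name, so an operator can see which authoritative servers returned DS answers without a valid RRSIG. The function names are hypothetical and the sample log is constructed from the lines in the original report.

```python
import re
from collections import defaultdict

# Constructed sample: the named messages quoted in the thread, one per line.
SAMPLE_LOG = """\
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 2a01:8100:2901::1:183:202#53
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 2a01:8100:2901::1:183:201#53
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 81.88.58.219#53
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 195.110.124.196#53
broken trust chain resolving 'www.numberportability.ch/HTTPS/IN': 2a01:8100:2901::1:183:202#53
broken trust chain resolving 'www.numberportability.ch/AAAA/IN': 2a01:8100:2901::1:183:202#53
client @0x803541d60 X.X.X.X#27325 (www.numberportability.ch): query failed (broken trust chain) for www.numberportability.ch/IN/AAAA at query.c:7724
"""

# Upstream failure: <reason> resolving '<name>/<type>/<class>': <server>#<port>
UPSTREAM = re.compile(
    r"(?P<reason>no valid RRSIG|broken trust chain) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[^/']+)/[^']+': (?P<server>\S+)#\d+")
# Client-visible failure: query failed (<reason>) for <name>/<class>/<type>
CLIENT = re.compile(
    r"query failed \((?P<reason>[^)]+)\) for (?P<name>[^/\s]+)/[^/\s]+/\S+")

def summarize(log_text):
    """Group validation failures per queried name (lower-cased, no trailing dot)."""
    report = defaultdict(lambda: {"no_rrsig": set(), "broken_types": set(),
                                  "client_failures": 0})
    for line in log_text.splitlines():
        m = UPSTREAM.search(line)
        if m:
            entry = report[m["name"].lower().rstrip(".")]
            if m["reason"] == "no valid RRSIG":
                entry["no_rrsig"].add((m["rtype"], m["server"]))
            else:
                entry["broken_types"].add(m["rtype"])
            continue
        m = CLIENT.search(line)
        if m:
            report[m["name"].lower().rstrip(".")]["client_failures"] += 1
    return dict(report)

def ds_failure_sources(report):
    """Names with both unsigned DS answers and broken-trust-chain errors,
    mapped to the servers that sent the unsigned DS answers."""
    out = {}
    for name, entry in report.items():
        servers = sorted(s for rtype, s in entry["no_rrsig"] if rtype == "DS")
        if servers and entry["broken_types"]:
            out[name] = servers
    return out

if __name__ == "__main__":
    print(ds_failure_sources(summarize(SAMPLE_LOG)))
```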