No, there was an issue.
Yesterday, they went from:
a@xxxxxx:~ # delv www.numberportabilty.ch
;; resolution failed: ncache nxdomain
; negative response, fully validated
; www.numberportabilty.ch. 900 IN \-ANY ;-$NXDOMAIN
; ch. SOA a.nic.ch. dns-operation.switch.ch. 2022122811 900 600 1123200 900
; ch. RRSIG SOA ...
; ND3E0CGF5OGC08781SOJKFRIOOGBGC7E.ch. RRSIG NSEC3 ...
; ND3E0CGF5OGC08781SOJKFRIOOGBGC7E.ch. NSEC3 1 1 0 -
ND3FVIJ6P2HTHSRMNP8BLKRQO4274IF6 NS SOA RRSIG DNSKEY NSEC3PARAM
; QOC41J1IOE62CS3DTUQ3LGS7FCTNAUAM.ch. RRSIG NSEC3 ...
; QOC41J1IOE62CS3DTUQ3LGS7FCTNAUAM.ch. NSEC3 1 1 0 -
QOC4OII86T8EDR8QICL731093UTED5MJ NS DS RRSIG
; UB1CIAHS4SJVQLK237TVSNLM741LGBVB.ch. RRSIG NSEC3 ...
; UB1CIAHS4SJVQLK237TVSNLM741LGBVB.ch. NSEC3 1 1 0 -
UB1ES2OET0HEP9OTMK4O4BP9RVBE01P6 NS DS RRSIG
to
a@xxxxxx:~ # delv www.numberportability.ch a
; fully validated
www.numberportability.ch. 900 IN A 164.128.159.204
www.numberportability.ch. 900 IN RRSIG A 13 3 900
20230105000000 20221215000000 10556 numberportability.ch.
FuWo8czeDf/KyCcyYXJF+pYkFJ8HsIX4RrW5a9+fIGqtDUVud7+lxPo9
1oW4H1v69+Mf7rze8SdxAsODJwFUQw==
Now they are in the game of deleting customer domains randomly.
Markus
On 28.12.22 11:09, Rémy DUCHET via swinog wrote:
Hi,
No issue from here:
dig www.numberportability.ch +trace
; <<>> DiG 9.16.33-Debian <<>> www.numberportability.ch +trace
;; global options: +cmd
. 83292 IN NS f.root-servers.net.
. 83292 IN NS a.root-servers.net.
. 83292 IN NS h.root-servers.net.
. 83292 IN NS j.root-servers.net.
. 83292 IN NS i.root-servers.net.
. 83292 IN NS g.root-servers.net.
. 83292 IN NS d.root-servers.net.
. 83292 IN NS l.root-servers.net.
. 83292 IN NS k.root-servers.net.
. 83292 IN NS b.root-servers.net.
. 83292 IN NS e.root-servers.net.
. 83292 IN NS c.root-servers.net.
. 83292 IN NS m.root-servers.net.
. 83292 IN RRSIG NS 8 0 518400 20230110050000
20221228040000 18733 . BDbOstO6sdTqBP2/ER7rX0vjTSJUR/dtnPUOg2zFbt23YhLlSYAegU78
bF5/KLREwricXZMNI6VcGzu+Hn4tYRf/soE/Iy07AagG5WBawRFPdeAS
6XVLsbyDDpSkV/RxJoy8fnAyzGiAV4B4lEpYrDiHdSMAIEn0aU/6CSle
sKTsrdSucbaYTosg3bM28lcpPmpXwDWD05wFkLavfmzqut+wzGCI4ge2
AAi3apWMgDs/Ccr9UlpgblvOqMHnvJuX+YCgSyQbzFqMZRaJpHVB3UVC
MJJzNgarSHWtj2E4DZMRiXJUHSHZv0FRCrJg7zmDXIahvlUJEF9LfUC9 CkM5Hw==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 4 ms
ch. 172800 IN NS f.nic.ch.
ch. 172800 IN NS a.nic.ch.
ch. 172800 IN NS d.nic.ch.
ch. 172800 IN NS b.nic.ch.
ch. 172800 IN NS e.nic.ch.
ch. 86400 IN DS 10 13 2
0E175543A74D9083EA977BAB2BEE98A771995F80982FB796B2B0B9CC 6413D1A6
ch. 86400 IN RRSIG DS 8 1 86400 20230110050000
20221228040000 18733 . BjNNpFn7hCI2Q6QS6f8m26ZFaAjhaYxcFC6W30h5xguJMN9dneex4L+9
E6bTiawb0q6tCfUkfWDj1QX8NprdxxzpNzDFo+Sksysj6vU28gFSTOl/
H84D8BQTlAWvjrQAuNMzUwNlPz1E0OsDzNpMudfhmLp3m89BNzf+ZTBg
0mSQeW4YEOoxjs86A6yVoLlZrV8msJWfotj2jaLAWaFedLLzk43NrUA1
Y1sf8CzTVma7EqHbpWX3CJrgn7ELv9G5NtFVsmNO5yrHh40fl9KJ+hx7
dlxIjuyj+UjiNgwcMC3CsEzukAopbtuZAyYYE0NLVB3qB/YsN9jEl/AC jCFjzg==
;; Received 724 bytes from 192.112.36.4#53(g.root-servers.net) in 76 ms
numberportability.ch. 3600 IN NS dns1.swizzonic.ch.
numberportability.ch. 3600 IN NS dns2.swizzonic.ch.
numberportability.ch. 3600 IN DS 10556 13 2
2A50FB3DFA2EFE6F2A80F962EA9DE6CDCA3B5B6F09D3C9D7D972902D 173528F8
numberportability.ch. 3600 IN RRSIG DS 13 2 3600 20230123175307
20221226043002 19537 ch.
/JgcDzbIftFZ3vNTx5HdzF2V759lA4Cv2uh84ZWP0p1A4y+xs4aLU2ri
rN1NrjW4DsMpKlpghPtIWV/m4j0xdA==
;; Received 277 bytes from 2001:678:3::1#53(e.nic.ch) in 0 ms
www.numberportability.ch. 900 IN A 164.128.159.204
www.numberportability.ch. 900 IN RRSIG A 13 3 900 20230105000000
20221215000000 10556 numberportability.ch.
FuWo8czeDf/KyCcyYXJF+pYkFJ8HsIX4RrW5a9+fIGqtDUVud7+lxPo9
1oW4H1v69+Mf7rze8SdxAsODJwFUQw==
;; Received 185 bytes from 81.88.58.219#53(dns2.swizzonic.ch) in 8 ms
Also nothing here https://dnsviz.net/d/www.numberportability.ch/dnssec/
Rémy
-----Original Message-----
From: Benoit Panizzon via swinog <swinog@lists.swinog.ch>
Sent: Tuesday, 27 December 2022 09:45
To: swi...@swinog.ch
Subject: [swinog] DNSSEC issue with swizzonic DNS servers?
Hi List
Fancy another DNS issue hunt?
We have DNSSEC validation enabled on our BIND DNS Servers.
We started seeing:
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 2a01:8100:2901::1:183:202#53
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 2a01:8100:2901::1:183:201#53
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 81.88.58.219#53
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 195.110.124.196#53
broken trust chain resolving 'www.numberportability.ch/HTTPS/IN': 2a01:8100:2901::1:183:202#53
broken trust chain resolving 'www.numberportability.ch/AAAA/IN': 2a01:8100:2901::1:183:202#53
client @0x803541d60 X.X.X.X#27325 (www.numberportability.ch): query failed (broken trust chain) for www.numberportability.ch/IN/AAAA at query.c:7724
And of course the query fails, disrupting access to some quite important API.
numberportability.ch. 900 IN SOA dns1.swizzonic.ch. hostmaster.swizzonic.ch. 2022121601 10800 3600 604800 86400
$ dig +dnssec RRSIG www.numberportability.ch @dns1.swizzonic.ch
; <<>> DiG 9.16.33-Debian <<>> +dnssec RRSIG www.numberportability.ch @dns1.swizzonic.ch
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 39132
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
So, from my point of view, the authoritative DNS server thinks this is a
recursive query and refuses to answer with the RRSIG, breaking validation of
that record.
Do you get to the same conclusion? Can you resolve this host via any other
DNSSEC validating nameserver?
I had no success contacting any technically inclined staff willing to look at the
issue since the issue started on 16. December via hostmas...@swizzonic.ch by
phone or via supp...@register.it. So if anyone from Swizzonic is reading here,
it would be nice to get a direct contact to further investigate that issue.
Kind regards
-Benoît Panizzon-
_______________________________________________
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch
--
Markus Binz, mb...@solnet.ch, MB44-RIPE, PGPKEY-ABC5F050
SolNet, Internet Solution Provider
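
Added example, not part of the original thread: a Python triage of the BIND log lines quoted in Benoît's message, separating the record type and servers logged with "no valid RRSIG" from the "broken trust chain" failures and the client-visible errors. The function names are hypothetical; the sample lines are the ones from the thread.

```python
import re
from collections import defaultdict

# Log lines copied from the excerpt in the thread. Production BIND logs carry
# timestamp/category prefixes; the patterns use search(), so those match too.
SAMPLE_LOG = """\
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 2a01:8100:2901::1:183:202#53
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 2a01:8100:2901::1:183:201#53
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 81.88.58.219#53
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 195.110.124.196#53
broken trust chain resolving 'www.numberportability.ch/HTTPS/IN': 2a01:8100:2901::1:183:202#53
broken trust chain resolving 'www.numberportability.ch/AAAA/IN': 2a01:8100:2901::1:183:202#53
client @0x803541d60 X.X.X.X#27325 (www.numberportability.ch): query failed (broken trust chain) for www.numberportability.ch/IN/AAAA at query.c:7724
"""

RESOLVE_RE = re.compile(r"(no valid RRSIG|broken trust chain) resolving "
                        r"'([^/']+)/([A-Z0-9]+)/IN': (\S+)#\d+")
CLIENT_RE = re.compile(r"query failed \(broken trust chain\) "
                       r"for (\S+)/IN/[A-Z0-9]+")


def new_entry():
    # unsigned: rrtype -> servers; broken_chain: rrtypes; client_failures: count
    return {"unsigned": defaultdict(set), "broken_chain": set(),
            "client_failures": 0}


def triage(log_text):
    """Group DNSSEC validation failures by queried name (hypothetical helper)."""
    report = defaultdict(new_entry)
    for line in log_text.splitlines():
        m = RESOLVE_RE.search(line)
        if m:
            reason, name, rrtype, server = m.groups()
            entry = report[name.lower().rstrip(".")]
            if reason == "no valid RRSIG":
                entry["unsigned"][rrtype].add(server)
            else:
                entry["broken_chain"].add(rrtype)
            continue
        m = CLIENT_RE.search(line)
        if m:
            report[m.group(1).lower().rstrip(".")]["client_failures"] += 1
    return report


def servers_to_check(report, name):
    """Sorted servers logged with 'no valid RRSIG' for `name`."""
    return sorted(set().union(*report[name]["unsigned"].values()))
```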