[Pdns-users] DNSSEC-Problems on g.root-servers.net?

Remi Gacogne remi.gacogne at powerdns.com
Mon Sep 17 09:02:55 UTC 2018


On 9/17/18 10:46 AM, Stephane Bortzmeyer wrote:
>> 	• NSEC3 proving non-existence of admin.ch/DS: No NSEC3 RR matches the SNAME (admin.ch).
>> 	• NSEC3 proving non-existence of admin.ch/DS: No NSEC3 RR matches the SNAME (admin.ch).
>
> The real problem seems to be in .ch.

It indeed does look like h.nic.ch is currently serving invalid denial of
existence proofs.

Sep 17 10:54:12 [1]   admin.ch: Resolved 'ch' NS h.nic.ch to:
2a03:bd80:36::1:203:230, 85.119.5.230
Sep 17 10:54:12 [1]   admin.ch: Trying IP [2a03:bd80:36::1:203:230]:53,
asking 'admin.ch|DS'
Sep 17 10:54:12 [1]   admin.ch: Got 7 answers from h.nic.ch
(2a03:bd80:36::1:203:230), rcode=0 (No Error), aa=1, in 19ms
Sep 17 10:54:12 [1]   admin.ch: accept answer 'ch|SOA|a.nic.ch.
dns-operation.switch.ch. 2018091710 900 600 1123200 900' from 'ch'
nameservers? ttl=900, place=2 YES!
Sep 17 10:54:12 [1]   admin.ch: accept answer 'ch|RRSIG|SOA 8 1 900
20181017072134 20180917070659 43368 ch.
lqiFlvlLzpfZiJtXq2lA7xMEBcDZ8JkBVDyW9eGOiDf50tlSAFf7lfPbNvk4Kr5oGvYEfykiFyNRPbVhB7Q7td2MFc24rDuHmWodO5dHu8CP8npjQFRDVhK16xwe52gi+HhaIBEs3UgoJAhHbw6fUT39eISVq7nKQ+Zbi9H79VmSvsrXIDJpwxXYRxEnG16yUPDEjALs72wjQUVPK1AFqA=='
from 'ch' nameservers? ttl=900, place=2 RRSIG - separate
Sep 17 10:54:12 [1]   admin.ch: accept answer
'b3r86ai7q4714nt11g03efktr8e8uoqn.ch|NSEC3|1 1 2 563f2a03
B3RMRJ5UH7SCR184M2COCF3M5MATJUOU NS SOA RRSIG DNSKEY NSEC3PARAM' from
'ch' nameservers? ttl=900, place=2 YES!
Sep 17 10:54:12 [1]   admin.ch: accept answer
'b3r86ai7q4714nt11g03efktr8e8uoqn.ch|RRSIG|NSEC3 8 2 900 20181004034939
20180916113001 43368 ch.
v+kKyz9cwB8I2FTuEsQ29QqEGCqRsLQPNUKsyqYaX6ehEN2QH0/x8+O/iwAEBuRRV1w1oFJyCUKgDyUEbbZWHJHOICcyJtcZvsbuv2Pk9ZM1IhzpVoDaP/ty5458dinB5cL7+aFWcNflUKJGxFnEXtjwtft3SlB2yY6mXtolDVwDFZVlVDPGhcYcSmPtPkf4SENr0Ys0Ols+dBVE5eIL2g=='
from 'ch' nameservers? ttl=900, place=2 RRSIG - separate
Sep 17 10:54:12 [1]   admin.ch: accept answer
'n18tgf150r26u73788obf8kl1lddpdbm.ch|NSEC3|1 1 2 563f2a03
N19I6GLRO0S7IEK6ESINL5OJS1295DH4 NS DS RRSIG' from 'ch' nameservers?
ttl=900, place=2 YES!
Sep 17 10:54:12 [1]   admin.ch: accept answer
'n18tgf150r26u73788obf8kl1lddpdbm.ch|RRSIG|NSEC3 8 2 900 20181008010305
20180916113001 43368 ch.
n2mL4npemCPuXAgsz3fymS9x/hjVvD1HJc9ZLhF4KajHjjSxmRfL3Ba0WpnAh3is56n7qPtQrIpF2BrOxTj8A6hxWF7m8+TNBJqb/hc9XuLHu1F8mrwF59g/rdM0hKSHvW+9xB0wNIFEZwPtR8cG9WbdSJ/fJTe9T3dQE0eaRDsvcywS/Stu7OTAnEI+wsO7TSvFacuNgwXwUYQxDSv/Hw=='
from 'ch' nameservers? ttl=900, place=2 RRSIG - separate
Sep 17 10:54:12 [1]   admin.ch: OPT answer '.' from 'ch' nameservers

[...]

Sep 17 10:54:12 [1]   admin.ch: got negative caching indication for
'admin.ch|DS'
Sep 17 10:54:12 Do have: n18tgf150r26u73788obf8kl1lddpdbm.ch/NSEC3
Sep 17 10:54:12         1 1 2 563f2a03 N19I6GLRO0S7IEK6ESINL5OJS1295DH4
NS DS RRSIG
Sep 17 10:54:12         query hash: pqnb24ervdukiuq6j0ajbs6eeocm7v67
Sep 17 10:54:12 Do have: b3r86ai7q4714nt11g03efktr8e8uoqn.ch/NSEC3
Sep 17 10:54:12         1 1 2 563f2a03 B3RMRJ5UH7SCR184M2COCF3M5MATJUOU
NS SOA RRSIG DNSKEY NSEC3PARAM
Sep 17 10:54:12         query hash: pqnb24ervdukiuq6j0ajbs6eeocm7v67
Sep 17 10:54:12 Now looking for the closest encloser for admin.ch
Sep 17 10:54:12         1 1 2 563f2a03 N19I6GLRO0S7IEK6ESINL5OJS1295DH4
NS DS RRSIG
Sep 17 10:54:12 Comparing b3r86ai7q4714nt11g03efktr8e8uoqn (ch) against
n18tgf150r26u73788obf8kl1lddpdbm
Sep 17 10:54:12         1 1 2 563f2a03 B3RMRJ5UH7SCR184M2COCF3M5MATJUOU
NS SOA RRSIG DNSKEY NSEC3PARAM
Sep 17 10:54:12 Comparing b3r86ai7q4714nt11g03efktr8e8uoqn (ch) against
b3r86ai7q4714nt11g03efktr8e8uoqn
Sep 17 10:54:12 Closest encloser for admin.ch is ch
Sep 17 10:54:12 Looking for a NSEC3 covering the next closer name admin.ch
Sep 17 10:54:12         1 1 2 563f2a03 N19I6GLRO0S7IEK6ESINL5OJS1295DH4
NS DS RRSIG
Sep 17 10:54:12 Comparing pqnb24ervdukiuq6j0ajbs6eeocm7v67 against
n18tgf150r26u73788obf8kl1lddpdbm -> n19i6glro0s7iek6esinl5ojs1295dh4
Sep 17 10:54:12 Did not cover us (admin.ch),
start=n18tgf150r26u73788obf8kl1lddpdbm.ch,
us=pqnb24ervdukiuq6j0ajbs6eeocm7v67, end=n19i6glro0s7iek6esinl5ojs1295dh4
Sep 17 10:54:12         1 1 2 563f2a03 B3RMRJ5UH7SCR184M2COCF3M5MATJUOU
NS SOA RRSIG DNSKEY NSEC3PARAM
Sep 17 10:54:12 Comparing pqnb24ervdukiuq6j0ajbs6eeocm7v67 against
b3r86ai7q4714nt11g03efktr8e8uoqn -> b3rmrj5uh7scr184m2cocf3m5matjuou
Sep 17 10:54:12 Did not cover us (admin.ch),
start=b3r86ai7q4714nt11g03efktr8e8uoqn.ch,
us=pqnb24ervdukiuq6j0ajbs6eeocm7v67, end=b3rmrj5uh7scr184m2cocf3m5matjuou

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
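
The check the log above walks through, as an added example (not PowerDNS's code and not part of the original message): it computes the RFC 5155 hash of admin.ch with the salt and iteration count from the logged NSEC3 records, then looks for the closest encloser and for an NSEC3 covering the next closer name. Function names are illustrative, the NSEC3 owner and next hashes are copied from the log, and RRSIG validation and wildcard handling are left out.

```python
import base64
import hashlib

# Map the standard base32 alphabet to base32hex, the encoding NSEC3 owner names use.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

# Owner hash, next hash and type bitmap of the two NSEC3 records in the log above.
LOGGED_NSEC3S = [
    ("n18tgf150r26u73788obf8kl1lddpdbm", "n19i6glro0s7iek6esinl5ojs1295dh4",
     {"NS", "DS", "RRSIG"}),
    ("b3r86ai7q4714nt11g03efktr8e8uoqn", "b3rmrj5uh7scr184m2cocf3m5matjuou",
     {"NS", "SOA", "RRSIG", "DNSKEY", "NSEC3PARAM"}),
]

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash (algorithm 1, SHA-1) of a name, as lowercase base32hex."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):  # the field counts *additional* rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii").lower()

def covers(owner, nxt, h):
    """True if h falls strictly inside the hash interval (owner, nxt)."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt  # last record in the chain wraps around

def check_denial(qname, salt_hex, iterations, nsec3s):
    """Classify a DS denial as 'nodata', 'covered' or 'bogus'; also return the hash tested."""
    owners = {owner: types for owner, _, types in nsec3s}
    labels = qname.lower().rstrip(".").split(".")
    qhash = nsec3_hash(qname, salt_hex, iterations)
    if qhash in owners:  # matching NSEC3: valid only if its bitmap has no DS
        return ("bogus" if "DS" in owners[qhash] else "nodata"), qhash
    for i in range(1, len(labels)):  # walk up to the closest provable encloser
        if nsec3_hash(".".join(labels[i:]), salt_hex, iterations) in owners:
            nhash = nsec3_hash(".".join(labels[i - 1:]), salt_hex, iterations)
            hit = any(covers(o, n, nhash) for o, n, _ in nsec3s)
            return ("covered" if hit else "bogus"), nhash
    return "bogus", qhash

if __name__ == "__main__":
    print(check_denial("admin.ch", "563f2a03", 2, LOGGED_NSEC3S))
```

Because base32hex preserves byte ordering, comparing the lowercase hash strings directly gives the same result as comparing the raw SHA-1 digests.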
