On Sat, Dec 28, 2019 at 12:59:34PM -0500, Viktor Dukhovni wrote:

> Another domain served by the same is:
>
>     sparkblocs.com. IN NS dns1.registrar-servers.com.
>     sparkblocs.com. IN NS dns2.registrar-servers.com.
>
> here, there's an issue with the RRSIG on the wildcard CNAME record
> (signature fails to verify):
>
>     https://dnsviz.net/d/_25._tcp.sparkblocs.com/dnssec/
>     https://dnsviz.net/d/%2A.sparkblocs.com/dnssec/

This was before today's refresh of the domains with TLSA DoE issues.
Now I see DoE failure for 330 TLSA RRsets in 322 zones served by:

    253 dns1.registrar-servers.com, dns2.registrar-servers.com
     68 pdns1.registrar-servers.com, pdns2.registrar-servers.com
      1 dns101.registrar-servers.com, dns102.registrar-servers.com

which affect email delivery to (at least) 351 domains. DNSViz reports
the below errors:

    http://imrryr.org/~viktor/dnsviz/registrar-servers.com.html

    222 MISSING_NSEC_FOR_NODATA
        http://imrryr.org/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.fucking.beer.html
        ...
    105 WILDCARD_NOT_COVERED
        http://imrryr.org/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.mail.baloch.best.html
        ...
      8 MISSING_RRSIG_FOR_ALG_DS
        http://imrryr.org/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.denveracrepair.com.html
        ...
      4 SNAME_NOT_COVERED
        http://imrryr.org/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.mail.tapthislink.com.html
        ...
      4 MISSING_SEP_FOR_ALG
        http://imrryr.org/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.denveracrepair.com.html
        ...

Also, warnings about missing nameserver AAAA glue:

    286 MISSING_GLUE_IPV6
        http://imrryr.org/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.31verri.com.html
        ...

because the .com zone has no AAAA glue records for

    dns1.registrar-servers.com, dns2.registrar-servers.com
    pdns1.registrar-servers.com, pdns2.registrar-servers.com

even though these have authoritative IPv6 AAAA RRs.

    dns1.registrar-servers.com.  IN AAAA 2610:a1:1024::200
    dns2.registrar-servers.com.  IN AAAA 2610:a1:1025::200
    pdns1.registrar-servers.com. IN AAAA 2610:a1:1022::200
    pdns2.registrar-servers.com. IN AAAA 2610:a1:1023::200

-- 
    Viktor.

P.S. In an unrelated note, some of the domains also returned a
PMTU_EXCEEDED warning (one example per TLD):

    http://imrryr.org/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.deanbassett.info.html
    http://imrryr.org/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.alpaga.hammerle.me.html
    http://imrryr.org/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.twilight.one.html
    http://imrryr.org/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.burntbunch.org.html
    http://imrryr.org/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.eamon.science.html

because the .INFO, .ME, .ONE, .ORG and .SCIENCE signed DNSKEY RRsets are
too big for unfragmented UDP. There are likely other TLDs with the same
issue that did not appear in the registrar-servers.com DoE breakage dataset.

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
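The MISSING_NSEC_FOR_NODATA, WILDCARD_NOT_COVERED and SNAME_NOT_COVERED errors above all come down to the same validator question: does the NSEC set in a `_25._tcp.<domain>` TLSA response actually prove the denial it claims? The following is an added example, not code from Viktor's message or from DNSViz, that implements RFC 4034 canonical name ordering and the two NSEC proofs (NODATA via the owner's type bitmap, and name absence via an owner/next span) over a constructed example.com chain; the zone data and function names are assumptions made for illustration.

```python
"""Classify NSEC denial-of-existence proofs for a TLSA lookup (RFC 4034/4035)."""
from typing import List, Tuple

NSEC = Tuple[str, str, List[str]]  # (owner name, next owner name, type bitmap)

# Constructed NSEC chain for a hypothetical example.com zone (not real data).
SAMPLE_CHAIN: List[NSEC] = [
    ("example.com.", "mail.example.com.", ["NS", "SOA", "MX", "RRSIG", "NSEC", "DNSKEY"]),
    ("mail.example.com.", "www.example.com.", ["A", "AAAA", "RRSIG", "NSEC"]),
    ("www.example.com.", "example.com.", ["A", "RRSIG", "NSEC"]),
]


def _labels(name: str) -> List[bytes]:
    # Canonical form (RFC 4034 s6.1): lowercase, labels ordered root-first.
    name = name.rstrip(".").lower()
    return [lab.encode("ascii") for lab in name.split(".")][::-1] if name else []


def canonical_cmp(a: str, b: str) -> int:
    """-1, 0 or 1 as name a sorts before, equal to, or after name b."""
    la, lb = _labels(a), _labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1  # byte-wise; a prefix label sorts first
    return (len(la) > len(lb)) - (len(la) < len(lb))  # fewer labels sort first


def nsec_covers(owner: str, nxt: str, qname: str) -> bool:
    """True if qname falls strictly between owner and nxt in canonical order.
    The zone's last NSEC points back to the apex (nxt <= owner), so it covers
    everything sorting after owner."""
    after_owner = canonical_cmp(qname, owner) > 0
    before_next = canonical_cmp(qname, nxt) < 0
    if canonical_cmp(nxt, owner) <= 0:
        return after_owner or before_next
    return after_owner and before_next


def classify_denial(nsecs: List[NSEC], qname: str, qtype: str) -> str:
    """Name the proof the NSEC set supplies for <qname, qtype>, or NOT_PROVEN.
    NOT_PROVEN is the gap DNSViz reports above as MISSING_NSEC_FOR_NODATA,
    SNAME_NOT_COVERED or WILDCARD_NOT_COVERED, depending on the response."""
    for owner, _, types in nsecs:
        if canonical_cmp(owner, qname) == 0:  # name exists: NODATA case
            if qtype.upper() in (t.upper() for t in types):
                return "TYPE_EXISTS"  # bitmap lists the type; not a denial at all
            return "NODATA_PROVEN"
    for owner, nxt, _ in nsecs:
        if nsec_covers(owner, nxt, qname):  # name absent (or wildcard-expanded)
            return "NAME_ABSENCE_PROVEN"
    return "NOT_PROVEN"
```

Dropping the middle NSEC from `SAMPLE_CHAIN` and classifying `_25._tcp.mail.example.com.` TLSA reproduces the unprovable case: no record is owned by the name and no span covers it.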