The anycast server is misconfigured. Some instances return DNS COOKIE
responses and some don’t.
[beetle:~/git/bind9] marka% dig dnskey @2001:500:b::1 org +nsi
; <<>> DiG 9.15.4 <<>> dnskey @2001:500:b::1 org +nsi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33145
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; NSID: 6e 73 30 30 30 62 2e 61 70 70 37 2e 6e 72 74 31 2e 61 66 69 6c 69 61 73
2d 6e 73 74 2e 69 6e 66 6f ("ns000b.app7.nrt1.afilias-nst.info")
;; QUESTION SECTION:
;org. IN DNSKEY
;; ANSWER SECTION:
org. 900 IN DNSKEY 257 3 8
AwEAAexZJ/1wfyNCxNPrTZizaG7UlibGhP+AyogR6bqjptKweEgE4gD8
GxRQJkt+Fn5pCoNqzmm1ZnEoKqvm93uOYtbKkYQDGH+W69J66MSKpgIy
S+mT/4iaXn+lpb5o99l/sf7lHMa975O/fqN6aPUll4hUbN2T1LHv6HzQ
uQCtNRJA8jHGwX5q0NMmh2Z+yaG6B9cISerje9l5L+ID2ydJ6zXquYte
oIUvX2xzqnXCdHPSvD+oL6R/weW+tztdFS1hok/1z3tn5NzmcaOLll9n
XniCozEpLFEGPswyvtphWgCYhI8bBTqhUsIwfIwLSBQTEg2oCX7sS5Cb Xg44OqwhIW8=
org. 900 IN DNSKEY 256 3 8
AwEAAeyU2rU2Fpatuu5eJ0htiV+vSA/dLoM4ID73SBkI5AOuc/gdpxFq
gDzDyU7oQRbWSvz2oAXThIC7jw81fsCovYnS3a+VOQnqWK19TOPputZe
1JsNCJYpcvDCf8vevCc7R8ciA+cuGvW/fM6mmiHVG4Haka9SHQXXbk6K ktkPtDUt
org. 900 IN DNSKEY 256 3 8
AwEAAeLN9V09yYMX1uJe79mgf5GvynVUNsbzm32kD1quIZlVfx1k3I3Y
TT0bJPAVv8BggG2U6hSNlTvfb3AbnzRxyiJCJmzQ+JIzVAWI3EeiVHWF
7eLJHxsYsyz2Vx+kxmIQDQ1Efn14JmcoWHrd0I+c+drAYyW+vNn2xP1j G32efk7l
;; Query time: 335 msec
;; SERVER: 2001:500:b::1#53(2001:500:b::1)
;; WHEN: Tue Nov 03 12:03:23 AEDT 2020
;; MSG SIZE rcvd: 641
[beetle:~/git/bind9] marka% dig dnskey @2001:500:b::1 org +nsi
; <<>> DiG 9.15.4 <<>> dnskey @2001:500:b::1 org +nsi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54031
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; NSID: 6e 73 30 30 30 62 2e 61 70 70 32 32 2e 6e 72 74 31 2e 61 66 69 6c 69 61
73 2d 6e 73 74 2e 69 6e 66 6f ("ns000b.app22.nrt1.afilias-nst.info")
;; QUESTION SECTION:
;org. IN DNSKEY
;; ANSWER SECTION:
org. 900 IN DNSKEY 256 3 8
AwEAAeyU2rU2Fpatuu5eJ0htiV+vSA/dLoM4ID73SBkI5AOuc/gdpxFq
gDzDyU7oQRbWSvz2oAXThIC7jw81fsCovYnS3a+VOQnqWK19TOPputZe
1JsNCJYpcvDCf8vevCc7R8ciA+cuGvW/fM6mmiHVG4Haka9SHQXXbk6K ktkPtDUt
org. 900 IN DNSKEY 256 3 8
AwEAAeLN9V09yYMX1uJe79mgf5GvynVUNsbzm32kD1quIZlVfx1k3I3Y
TT0bJPAVv8BggG2U6hSNlTvfb3AbnzRxyiJCJmzQ+JIzVAWI3EeiVHWF
7eLJHxsYsyz2Vx+kxmIQDQ1Efn14JmcoWHrd0I+c+drAYyW+vNn2xP1j G32efk7l
org. 900 IN DNSKEY 257 3 8
AwEAAexZJ/1wfyNCxNPrTZizaG7UlibGhP+AyogR6bqjptKweEgE4gD8
GxRQJkt+Fn5pCoNqzmm1ZnEoKqvm93uOYtbKkYQDGH+W69J66MSKpgIy
S+mT/4iaXn+lpb5o99l/sf7lHMa975O/fqN6aPUll4hUbN2T1LHv6HzQ
uQCtNRJA8jHGwX5q0NMmh2Z+yaG6B9cISerje9l5L+ID2ydJ6zXquYte
oIUvX2xzqnXCdHPSvD+oL6R/weW+tztdFS1hok/1z3tn5NzmcaOLll9n
XniCozEpLFEGPswyvtphWgCYhI8bBTqhUsIwfIwLSBQTEg2oCX7sS5Cb Xg44OqwhIW8=
;; Query time: 769 msec
;; SERVER: 2001:500:b::1#53(2001:500:b::1)
;; WHEN: Tue Nov 03 12:03:28 AEDT 2020
;; MSG SIZE rcvd: 642
[beetle:~/git/bind9] marka% dig dnskey @2001:500:b::1 org +nsi
; <<>> DiG 9.15.4 <<>> dnskey @2001:500:b::1 org +nsi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51346
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; NSID: 6e 73 30 30 30 62 2e 61 70 70 31 36 2e 6e 72 74 31 2e 61 66 69 6c 69 61
73 2d 6e 73 74 2e 69 6e 66 6f ("ns000b.app16.nrt1.afilias-nst.info")
; COOKIE: 338c8cd8104e76067db04fd75fa0ac624af12950ec015e70 (good)
;; QUESTION SECTION:
;org. IN DNSKEY
;; ANSWER SECTION:
org. 900 IN DNSKEY 256 3 8
AwEAAeyU2rU2Fpatuu5eJ0htiV+vSA/dLoM4ID73SBkI5AOuc/gdpxFq
gDzDyU7oQRbWSvz2oAXThIC7jw81fsCovYnS3a+VOQnqWK19TOPputZe
1JsNCJYpcvDCf8vevCc7R8ciA+cuGvW/fM6mmiHVG4Haka9SHQXXbk6K ktkPtDUt
org. 900 IN DNSKEY 257 3 8
AwEAAexZJ/1wfyNCxNPrTZizaG7UlibGhP+AyogR6bqjptKweEgE4gD8
GxRQJkt+Fn5pCoNqzmm1ZnEoKqvm93uOYtbKkYQDGH+W69J66MSKpgIy
S+mT/4iaXn+lpb5o99l/sf7lHMa975O/fqN6aPUll4hUbN2T1LHv6HzQ
uQCtNRJA8jHGwX5q0NMmh2Z+yaG6B9cISerje9l5L+ID2ydJ6zXquYte
oIUvX2xzqnXCdHPSvD+oL6R/weW+tztdFS1hok/1z3tn5NzmcaOLll9n
XniCozEpLFEGPswyvtphWgCYhI8bBTqhUsIwfIwLSBQTEg2oCX7sS5Cb Xg44OqwhIW8=
org. 900 IN DNSKEY 256 3 8
AwEAAeLN9V09yYMX1uJe79mgf5GvynVUNsbzm32kD1quIZlVfx1k3I3Y
TT0bJPAVv8BggG2U6hSNlTvfb3AbnzRxyiJCJmzQ+JIzVAWI3EeiVHWF
7eLJHxsYsyz2Vx+kxmIQDQ1Efn14JmcoWHrd0I+c+drAYyW+vNn2xP1j G32efk7l
;; Query time: 580 msec
;; SERVER: 2001:500:b::1#53(2001:500:b::1)
;; WHEN: Tue Nov 03 12:03:30 AEDT 2020
;; MSG SIZE rcvd: 670
[beetle:~/git/bind9] marka%
> On 3 Nov 2020, at 11:43, Jim Popovitch via dns-operations
> <[email protected]> wrote:
>
>
> From: Jim Popovitch <[email protected]>
> Subject: which breakage is this? *.org
> Date: 3 November 2020 at 11:43:30 AEDT
> To: [email protected]
>
>
>
> From: https://dnsviz.net/d/freebsd.org/dnssec/
>
> freebsd.org/DS (alg 8, id 32359): The server appears to support DNS cookies
> but did not return a COOKIE option. (2001:500:b::1, UDP_-_EDNS0_4096_D_K)
> freebsd.org/DS (alg 8, id 32359): The server appears to support DNS cookies
> but did not return a COOKIE option. (2001:500:b::1, UDP_-_EDNS0_4096_D_K)
> org/DNSKEY (alg 8, id 26974): The server appears to support DNS cookies but
> did not return a COOKIE option. (2001:500:b::1, UDP_-_EDNS0_4096_D_K)
> org/DNSKEY (alg 8, id 34266): The server appears to support DNS cookies but
> did not return a COOKIE option. (2001:500:b::1, UDP_-_EDNS0_4096_D_K)
> org/DNSKEY (alg 8, id 63858): The server appears to support DNS cookies but
> did not return a COOKIE option. (2001:500:b::1, UDP_-_EDNS0_4096_D_K)
> org/DNSKEY: The server appears to support DNS cookies but did not return a
> COOKIE option. (2001:500:b::1, UDP_-_EDNS0_512_D_K)
>
> and from: https://dnsviz.net/d/netcool.org/dnssec/
>
> netcool.org/DS (alg 13, id 50687): The server appears to support DNS cookies
> but did not return a COOKIE option. (2001:500:b::1, UDP_-_EDNS0_4096_D_K)
> netcool.org/DS (alg 13, id 50687): The server appears to support DNS cookies
> but did not return a COOKIE option. (2001:500:b::1, UDP_-_EDNS0_4096_D_K)
> org/DNSKEY (alg 8, id 26974): The server appears to support DNS cookies but
> did not return a COOKIE option. (2001:500:b::1, UDP_-_EDNS0_4096_D_K)
> org/DNSKEY (alg 8, id 34266): The server appears to support DNS cookies but
> did not return a COOKIE option. (2001:500:b::1, UDP_-_EDNS0_4096_D_K)
> org/DNSKEY (alg 8, id 63858): The server appears to support DNS cookies but
> did not return a COOKIE option. (2001:500:b::1, UDP_-_EDNS0_4096_D_K)
> org/DNSKEY: The server appears to support DNS cookies but did not return a
> COOKIE option. (2001:500:b::1, UDP_-_EDNS0_512_D_K)
>
> Is .org having issues?
>
>
> -Jim P.
>
>
>
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
