ns.coccaregistry.org <http://ns.coccaregistry.org/> is serving 3 DNSSEC signed ccTLDs (AF, SB, TL) yet it is incapable of returning DNSKEY records for those TLDs. This will break DNSSEC validation for every lookup in those ccTLDs if this server is the only one reachable by the DNS clients. This has been going on since at least April 2019.
Mark

> Begin forwarded message:
>
> From: Mark Andrews <ma...@isc.org>
> Subject: Why is ns.coccaregistry.org returning REFUSED to DNSKEY queries?
> Date: 8 April 2019 at 2:16:28 pm AEST
> To: hostmas...@coccaregistry.org
>
> Why is ns.coccaregistry.org returning REFUSED to DNSKEY queries?
> Also why is it echoing back EDNS options when returning REFUSED?
> Also why is AD=1 in the REFUSED response?
> Also why is AA=1 in the REFUSED response?
>
> % dig dnskey af. @185.17.236.111
>
> ; <<>> DiG 9.15.0-dev <<>> dnskey af. @185.17.236.111
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 16189
> ;; flags: qr aa rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: b1626ff99509b9bf (echoed)
> ;; QUESTION SECTION:
> ;af. IN DNSKEY
>
> ;; Query time: 316 msec
> ;; SERVER: 185.17.236.111#53(185.17.236.111)
> ;; WHEN: Mon Apr 08 14:12:00 AEST 2019
> ;; MSG SIZE rcvd: 43
>
> %
>
> af. @185.17.236.111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok
> edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok
> signed=ok,yes ednstcp=refused
> af. @2a03:dd40:3::111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok
> edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok
> signed=ok,yes ednstcp=refused
> kn. @185.17.236.111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok
> edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok
> signed=ok ednstcp=refused
> kn. @2a03:dd40:3::111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok
> edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok
> signed=ok ednstcp=refused
> ms. @185.17.236.111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok
> edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok
> signed=ok ednstcp=refused
> ms. @2a03:dd40:3::111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok
> edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok
> signed=ok ednstcp=refused
> sb. @185.17.236.111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok
> edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok
> signed=ok,yes ednstcp=refused
> sb. @2a03:dd40:3::111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok
> edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok
> signed=ok,yes ednstcp=refused
> tl. @185.17.236.111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok
> edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok
> signed=ok,yes ednstcp=refused
> tl. @2a03:dd40:3::111 (ns.coccaregistry.org.): dns=ok edns=ok edns1=ok
> edns@512=refused ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok
> signed=ok,yes ednstcp=refused
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
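An added check, not part of Mark's message or any ISC tool: a small Python script that builds the same DNSKEY/IN query with an EDNS(0) OPT record and a COOKIE option, parses a reply by hand, and reports the four behaviours the forwarded message asks about (REFUSED to DNSKEY, AA=1 and AD=1 on REFUSED, client cookie echoed back unchanged). The 43-byte SAMPLE_REPLY is constructed here to match the dig output above; the function names are my own.

```python
import struct

TYPE_DNSKEY, TYPE_OPT, OPT_COOKIE, RCODE_REFUSED = 48, 41, 10, 5

def encode_name(name):
    """Wire-format a dotted name: 'af.' -> b'\\x02af\\x00'."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l) + b"\x00"

def build_dnskey_query(zone, msg_id, cookie=b"", udp_size=4096):
    """DNSKEY/IN query with RD=1 and an EDNS(0) OPT record (DO set, optional COOKIE option)."""
    rdata = struct.pack("!HH", OPT_COOKIE, len(cookie)) + cookie if cookie else b""
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0x8000, len(rdata)) + rdata
    return (struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)
            + encode_name(zone) + struct.pack("!HH", TYPE_DNSKEY, 1) + opt)

def _skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:  # walk labels until root or a pointer
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_response(msg):
    """Header id, rcode, AA/AD flags and the (code, data) EDNS options in the OPT record."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, opts = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        p = 0
        while rtype == TYPE_OPT and p + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            opts.append((code, rdata[p + 4:p + 4 + olen]))
            p += 4 + olen
    return {"id": msg_id, "rcode": flags & 0xF, "aa": bool(flags & 0x0400),
            "ad": bool(flags & 0x0020), "opts": opts}

def diagnose(resp):
    """Behaviours the message above objects to; an empty list means the reply looks sane."""
    if resp["rcode"] != RCODE_REFUSED:
        return []
    echoed = any(c == OPT_COOKIE and len(d) == 8 for c, d in resp["opts"])
    flags = [("AA=1", resp["aa"]), ("AD=1", resp["ad"]), ("client COOKIE echoed unchanged", echoed)]
    return ["REFUSED to DNSKEY query"] + [f"{m} on a REFUSED response" for m, hit in flags if hit]

# Constructed 43-byte reply as in the dig output above: id 16189, flags qr aa rd ad, REFUSED, cookie echoed.
SAMPLE_REPLY = (struct.pack("!HHHHHH", 16189, 0x8525, 1, 0, 0, 1) + encode_name("af.")
                + struct.pack("!HHBHHIH", TYPE_DNSKEY, 1, 0, TYPE_OPT, 4096, 0, 12)
                + struct.pack("!HH", OPT_COOKIE, 8) + bytes.fromhex("b1626ff99509b9bf"))
```

To run it against a live server, send build_dnskey_query(zone, id, cookie=os.urandom(8)) to UDP port 53 with socket.sendto and pass the reply bytes to parse_response; diagnose returns an empty list for a server that answers DNSKEY normally.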
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop