date:20161229

problem domains host in ns1/ns2.planetdomain.com

2016-12-29 Thread Eric Yiu

Hi,

Someday ago netregistry.com bought planetdomain.com.  And there are a
number of domains (not sure if all) host at ns1/ns2.planetdomain.com
ns point to ns1/ns2/ns3.netregistry.net.  However these netregistry.net do
not host these domain.  Then if the records of these domain expired and
refresh from these netregistry name server, they will get error.  For
example: domain "carlajohnson.com.au":

$ dig +trace ns carlajohnson.com.au

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> +trace ns
carlajohnson.com.au
;; global options: +cmd
.   399916  IN  NS  e.root-servers.net.
.   399916  IN  NS  j.root-servers.net.
.   399916  IN  NS  i.root-servers.net.
.   399916  IN  NS  h.root-servers.net.
.   399916  IN  NS  b.root-servers.net.
.   399916  IN  NS  c.root-servers.net.
.   399916  IN  NS  d.root-servers.net.
.   399916  IN  NS  a.root-servers.net.
.   399916  IN  NS  m.root-servers.net.
.   399916  IN  NS  l.root-servers.net.
.   399916  IN  NS  g.root-servers.net.
.   399916  IN  NS  k.root-servers.net.
.   399916  IN  NS  f.root-servers.net.
;; Received 492 bytes from 10.68.201.185#53(10.68.201.185) in 9 ms

au. 172800  IN  NS  v.au.
au. 172800  IN  NS  w.au.
au. 172800  IN  NS  a.au.
au. 172800  IN  NS  b.au.
au. 172800  IN  NS  x.au.
au. 172800  IN  NS  y.au.
au. 172800  IN  NS  u.au.
au. 172800  IN  NS  z.au.
;; Received 489 bytes from 192.36.148.17#53(192.36.148.17) in 71 ms

carlajohnson.com.au.14400   IN  NS  ns1.planetdomain.com.
carlajohnson.com.au.14400   IN  NS  ns2.planetdomain.com.
;; Received 89 bytes from 37.209.194.5#53(37.209.194.5) in 304 ms

carlajohnson.com.au.3600IN  NS  ns2.netregistry.net.
carlajohnson.com.au.3600IN  NS  ns1.netregistry.net.
carlajohnson.com.au.3600IN  NS  ns3.netregistry.net.
;; Received 106 bytes from 203.55.142.5#53(203.55.142.5) in 327 ms



$ dig @ns1.planetdomain.com soa carlajohnson.com.au

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> @ns1.planetdomain.com
soa carlajohnson.com.au
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18145
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;carlajohnson.com.au.   IN  SOA

;; ANSWER SECTION:
carlajohnson.com.au.3600IN  SOA ns1.netregistry.net.
dmain.netregistry.net. 2014051416 86400 7200 360 172800

;; Query time: 312 msec
;; SERVER: 203.55.143.4#53(203.55.143.4)
;; WHEN: Thu Dec 29 18:26:37 2016
;; MSG SIZE  rcvd: 98



$ dig @ns1.netregistry.net soa carlajohnson.com.au

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> @ns1.netregistry.net soa
carlajohnson.com.au
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45598
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;carlajohnson.com.au.   IN  SOA

;; Query time: 316 msec
;; SERVER: 203.55.143.10#53(203.55.143.10)
;; WHEN: Thu Dec 29 18:22:27 2016
;; MSG SIZE  rcvd: 37


I check google dns 8.8.8.8 would really able to fresh the correct records
after expired.  So just wonder bind config is able
to bypass this problem except I make the forward only zones to ask 8.8.8.8.

Eric
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: RPZ breaks DNSSEC signed langing page redirect

2016-12-29 Thread Daniel Stirnimann


> Our DNS resolvers are not only used by stub resolvers but by DNS
> resolvers using DNS forwarding as well. I wonder what happens if DNS
> forwarding resolvers do DNSSEC validation? It looks like they would
> return SERVFAIL to the user as the RPZ response omits any RRSIG for the
> landing page.

I tested this out. BIND returns SERVFAIL to the stub resolver.

I also checked out PowerDNS Recursor 4 with RPZ. PowerDNS Recursor 4
returns just the CNAME to the landing page. No A/ record. Thus, the
forwarding DNS resolver needs to do an additional lookup of the CNAME
hostname which succeeds with RRSIGs returned. So, PowerDNS does not
break a DNSSEC signed landing page hostname.

I also tested out knot resolver 1.1.1. knot resolver does currently not
support CNAME response in RPZ. One has to provide an A/ record if
redirection to a landing page is wanted. So, Knot resolver does not
suffer from this problem as well.

My conclusion is that one should not DNSSEC sign the landing page if you
utilize DNS RPZ with BIND.

Daniel
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: problem domains host in ns1/ns2.planetdomain.com (Eric Yiu)

2016-12-29 Thread Bob McDonald

On first glance it looks like although the domain registration points to
the DNS servers at planetdomain.com., the actual domain has NS records (and
an MNAME entry in the SOA) which point to DNS servers at netregistry.net.

Anyone else have different results?

Regards,

Bob
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: problem domains host in ns1/ns2.planetdomain.com (Eric Yiu)

2016-12-29 Thread MURTARI, JOHN

Eric,
Thanks for the complete example below, but I'm not sure what you are 
trying to solve?

It looks like the netregistry.net servers don't have zone data loaded 
even though they are supposed to be authoritative.  Your best bet would be to 
contact them and point out it appears some zone data was lost when service was 
transferred.  Trying to use Google isn't going to help if the data isn't on the 
designated authoritative servers.

Hope this helps.
John

-
Date: Thu, 29 Dec 2016 18:27:47 +0800
From: Eric Yiu 
To: bind-users@lists.isc.org
Subject: problem domains host in ns1/ns2.planetdomain.com

Someday ago netregistry.com bought planetdomain.com.  And there are a
number of domains (not sure if all) host at ns1/ns2.planetdomain.com
ns point to ns1/ns2/ns3.netregistry.net.  However these netregistry.net do
not host these domain.  Then if the records of these domain expired and
refresh from these netregistry name server, they will get error.  For
example: domain "carlajohnson.com.au":

$ dig +trace ns carlajohnson.com.au

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> +trace ns
carlajohnson.com.au
;; global options: +cmd
.   399916  IN  NS  e.root-servers.net.
.   399916  IN  NS  j.root-servers.net.
.   399916  IN  NS  i.root-servers.net.
.   399916  IN  NS  h.root-servers.net.
.   399916  IN  NS  b.root-servers.net.
.   399916  IN  NS  c.root-servers.net.
.   399916  IN  NS  d.root-servers.net.
.   399916  IN  NS  a.root-servers.net.
.   399916  IN  NS  m.root-servers.net.
.   399916  IN  NS  l.root-servers.net.
.   399916  IN  NS  g.root-servers.net.
.   399916  IN  NS  k.root-servers.net.
.   399916  IN  NS  f.root-servers.net.
;; Received 492 bytes from 10.68.201.185#53(10.68.201.185) in 9 ms

au. 172800  IN  NS  v.au.
au. 172800  IN  NS  w.au.
au. 172800  IN  NS  a.au.
au. 172800  IN  NS  b.au.
au. 172800  IN  NS  x.au.
au. 172800  IN  NS  y.au.
au. 172800  IN  NS  u.au.
au. 172800  IN  NS  z.au.
;; Received 489 bytes from 192.36.148.17#53(192.36.148.17) in 71 ms

carlajohnson.com.au.14400   IN  NS  ns1.planetdomain.com.
carlajohnson.com.au.14400   IN  NS  ns2.planetdomain.com.
;; Received 89 bytes from 37.209.194.5#53(37.209.194.5) in 304 ms

carlajohnson.com.au.3600IN  NS  ns2.netregistry.net.
carlajohnson.com.au.3600IN  NS  ns1.netregistry.net.
carlajohnson.com.au.3600IN  NS  ns3.netregistry.net.
;; Received 106 bytes from 203.55.142.5#53(203.55.142.5) in 327 ms



$ dig @ns1.planetdomain.com soa carlajohnson.com.au

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> @ns1.planetdomain.com
soa carlajohnson.com.au
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18145
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;carlajohnson.com.au.   IN  SOA

;; ANSWER SECTION:
carlajohnson.com.au.3600IN  SOA ns1.netregistry.net.
dmain.netregistry.net. 2014051416 86400 7200 360 172800

;; Query time: 312 msec
;; SERVER: 203.55.143.4#53(203.55.143.4)
;; WHEN: Thu Dec 29 18:26:37 2016
;; MSG SIZE  rcvd: 98



$ dig @ns1.netregistry.net soa carlajohnson.com.au


I check google dns 8.8.8.8 would really able to fresh the correct records
after expired.  So just wonder bind config is able
to bypass this problem except I make the forward only zones to ask 8.8.8.8.


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

problem domains host in ns1/ns2.planetdomain.com

Re: RPZ breaks DNSSEC signed langing page redirect

RE: problem domains host in ns1/ns2.planetdomain.com (Eric Yiu)

RE: problem domains host in ns1/ns2.planetdomain.com (Eric Yiu)

4 matches

Site Navigation

Mail list logo

Footer information