Re: [dns-operations] validation problem on 1.1.1.1
Something strange...

% dig soa nasa.gov @1.1.1.1 +dnssec
; <<>> DiG 9.9.5 <<>> soa nasa.gov @1.1.1.1 +dnssec +ad
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20334
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

~% dig soa nasa.gov @1.1.1.1 +dnssec +noad
; <<>> DiG 9.9.5 <<>> soa nasa.gov @1.1.1.1 +dnssec +noad
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5374
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

~% drill -D soa nasa.gov @1.1.1.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 27047
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; nasa.gov.	IN	SOA

~% drill -D -o AD soa nasa.gov @1.1.1.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 13840
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; nasa.gov.	IN	SOA

--
T.Suzuki

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] validation problem on 1.1.1.1
On Mon, Feb 03, 2020 at 07:19:16PM +0900, T.Suzuki wrote:

> Something strange...
> ~% dig soa nasa.gov @1.1.1.1 +dnssec +noad
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

Yes, it seems that Cloudflare do not return the AD bit when it is not requested, even when the DO bit is set.

https://tools.ietf.org/html/rfc6840#section-5.8

    Section 3.2.3 of [RFC4035] describes under which conditions a
    validating resolver should set or clear the AD bit in a response.
    In order to interoperate with legacy stub resolvers and middleboxes
    that neither understand nor ignore the AD bit, validating resolvers
    SHOULD only set the AD bit when a response both meets the conditions
    listed in Section 3.2.3 of [RFC4035], and the request contained
    either a set DO bit or a set AD bit.

And the other public resolvers to set the AD bit when only the DO bit appears in the query, but is or "how wrong" is CF to not do this?

Is this causing an observable issue for some stub resolver that uses the AD bit from a remote source like CF? Is the stub resolver doing DoH or DoT (and authenticating the remote cert chain) to secure the channel?

It would be interesting to know whether CF ran into some broken client systems that needed AD off when not directly solicited, all the while sending "DO"?

--
Viktor.
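The query bits discussed in the two messages above, as an added example that is not part of any poster's message: it builds the four queries (AD and DO on or off), reads the bits back as a resolver would, and lists where the RFC 6840 section 5.8 rule and an "AD only when AD was asked for" rule disagree for a validated answer. The second rule is an inference from the four quoted responses, not documented resolver behaviour, and all function names are hypothetical.

```python
import struct
from itertools import product

AD_FLAG = 0x0020   # header flag: Authentic Data (RFC 4035)
DO_FLAG = 0x8000   # EDNS flag carried in the OPT record's TTL field: DNSSEC OK

def build_query(name, qtype=6, ad=False, do=False, qid=0x1234):
    """Wire-format query (qtype 6 = SOA) with RD set; AD and DO are optional."""
    flags = 0x0100 | (AD_FLAG if ad else 0)
    msg = struct.pack("!6H", qid, flags, 1, 0, 0, 1 if do else 0)
    for label in name.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!2H", qtype, 1)
    if do:  # OPT RR: root owner, type 41, class = UDP payload size, TTL = flags
        msg += b"\x00" + struct.pack("!HHIH", 41, 1232, DO_FLAG, 0)
    return msg

def request_bits(msg):
    """Return (ad, do) as a resolver reads them from a query.
    Assumes a query-shaped message: no answer/authority RRs, no compression."""
    _qid, flags, qd, _an, _ns, ar = struct.unpack("!6H", msg[:12])
    pos = 12
    for _ in range(qd):                 # skip QNAME, QTYPE, QCLASS
        while msg[pos]:
            pos += msg[pos] + 1
        pos += 5
    do = False
    for _ in range(ar):                 # look for the OPT pseudo-record
        while msg[pos]:
            pos += msg[pos] + 1
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
        if rtype == 41:
            do = bool(ttl & DO_FLAG)
        pos += 11 + rdlen
    return bool(flags & AD_FLAG), do

def ad_rfc6840(validated, ad, do):
    """RFC 6840 section 5.8: AD only if validated and the query set DO or AD."""
    return validated and (ad or do)

def ad_only_when_asked(validated, ad, do):
    """Rule consistent with the 1.1.1.1 responses quoted in this thread (inferred)."""
    return validated and ad

def policy_differences():
    """Query bit combinations (ad, do) where the two rules answer differently."""
    diffs = []
    for ad, do in product((False, True), repeat=2):
        got = request_bits(build_query("nasa.gov", ad=ad, do=do))
        if ad_rfc6840(True, *got) != ad_only_when_asked(True, *got):
            diffs.append(got)
    return diffs
```

The only combination that separates the two rules is DO set with AD clear, which is what `dig +dnssec +noad` and `drill -D` send in the quoted output.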
[dns-operations] c.root-servers.net over IPv6
Hello,

c.root-servers.net (2001:500:2::c) is not responding to queries over IPv6 [1].

Regards,
-sm

1. The error from DNSViz is "arpa zone: The server(s) were not responsive to queries over UDP. (2001:500:2::c)"
Re: [dns-operations] c.root-servers.net over IPv6
from what source IP?

> On Feb 3, 2020, at 3:02 PM, SM wrote:
>
> Hello,
>
> c.root-servers.net (2001:500:2::c) is not responding to queries over IPv6 [1].
>
> Regards,
> -sm
>
> 1. The error from DNSViz is "arpa zone: The server(s) were not responsive to
> queries over UDP. (2001:500:2::c)"
Re: [dns-operations] c.root-servers.net over IPv6
Didn't we discuss this recently?

I assume this is the Cogent<->Hurricane Electric IPv6 peering issue. See the long thread that starts here (short summary: dnsviz is singly homed to HE so can't reach Cogent IPv6 servers):

https://lists.dns-oarc.net/pipermail/dns-operations/2019-October/019276.html

Shumon.

On Mon, Feb 3, 2020 at 3:14 PM SM wrote:

> Hello,
>
> c.root-servers.net (2001:500:2::c) is not responding to queries over IPv6
> [1].
>
> Regards,
> -sm
>
> 1. The error from DNSViz is "arpa zone: The server(s) were not
> responsive to queries over UDP. (2001:500:2::c)"
Re: [dns-operations] c.root-servers.net over IPv6
--- Begin Message ---

This topic was discussed during October, 2019 in this thread:

https://lists.dns-oarc.net/pipermail/dns-operations/2019-October/019276.html

On 2/3/20, 3:35 PM, "dns-operations on behalf of Jared Mauch" wrote:

    from what source IP?

    > On Feb 3, 2020, at 3:02 PM, SM wrote:
    >
    > Hello,
    >
    > c.root-servers.net (2001:500:2::c) is not responding to queries over IPv6 [1].
    >
    > Regards,
    > -sm
    >
    > 1. The error from DNSViz is "arpa zone: The server(s) were not responsive to queries over UDP. (2001:500:2::c)"

--- End Message ---
Re: [dns-operations] c.root-servers.net over IPv6
Hi Shumon,

At 12:46 PM 03-02-2020, Shumon Huque wrote:
> Didn't we discuss this recently?

Sorry, I missed that thread.

> I assume this is the Cogent<->Hurricane Electric IPv6 peering issue. See the
> long thread that starts here (short summary: dnsviz is singly homed to HE so
> can't reach Cogent IPv6 servers):

Thanks for the feedback.

Regards,
-sm
[dns-operations] Learn from the DNS experts on Feb 8th in SF, CA
Don't miss out! Tickets are still available.

For more info see: https://www.dns-oarc.net/oarc32

We hope to see you there.