Unusual DNSSEC errors involving g.gtld-servers.net
Wolfgang Nagele
wolfgang.nagele at ausregistry.com.au
Wed Feb 29 02:49:38 UTC 2012
Hi Rob,
VeriSign contact as the operator of g.gtld-servers.net in CC.
I think your resolver is noticing the right thing here. When running multiple queries against this server I occasionally receive a response that indeed has no signatures:
$ dig @192.42.93.30 google.com +dnssec +norec
; <<>> DiG 9.7.3-P3 <<>> @192.42.93.30 google.com +dnssec +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61625
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;google.com. IN A
;; AUTHORITY SECTION:
google.com. 172800 IN NS ns2.google.com.
google.com. 172800 IN NS ns1.google.com.
google.com. 172800 IN NS ns3.google.com.
google.com. 172800 IN NS ns4.google.com.
;; ADDITIONAL SECTION:
ns2.google.com. 172800 IN A 216.239.34.10
ns1.google.com. 172800 IN A 216.239.32.10
ns3.google.com. 172800 IN A 216.239.36.10
ns4.google.com. 172800 IN A 216.239.38.10
;; Query time: 192 msec
;; SERVER: 192.42.93.30#53(192.42.93.30)
;; WHEN: Wed Feb 29 13:46:17 2012
;; MSG SIZE rcvd: 175
Probably one system in a load balancer setup that is broken. For the record, I seem to end up at their San Francisco site:
$ mtr -r -c 1 -w 192.42.93.30
4.|-- 3842.gi0.br1.cit190.uecomm.net.au 0.0% 1 4.2 4.2 4.2 4.2 0.0
5.|-- vlan323.o3mlc76f05.optus.net.au 0.0% 1 7.3 7.3 7.3 7.3 0.0
6.|-- 61.88.221.71 0.0% 1 19.4 19.4 19.4 19.4 0.0
7.|-- 203.208.148.17 0.0% 1 230.4 230.4 230.4 230.4 0.0
8.|-- xe-4-1-0-0.laxow-dr2.ix.singtel.com 0.0% 1 177.3 177.3 177.3 177.3 0.0
9.|-- ??? 100.0 1 0.0 0.0 0.0 0.0 0.0
10.|-- xe-0-2-0.r2.bb-fo.lax2.vrsn.net 0.0% 1 174.4 174.4 174.4 174.4 0.0
11.|-- xe-1-1-0.r2.bb-fo.sfo1.vrsn.net 0.0% 1 184.8 184.8 184.8 184.8 0.0
12.|-- xe-0-2-0.r1.bb-fo.sfo1.vrsn.net 0.0% 1 175.9 175.9 175.9 175.9 0.0
13.|-- xe-1-1-0.r1.edge-fo.sfo1.vrsn.net 0.0% 1 176.6 176.6 176.6 176.6 0.0
14.|-- host-158.edge-fo.sfo1.verisign.com 0.0% 1 185.2 185.2 185.2 185.2 0.0
15.|-- g.gtld-servers.net 0.0% 1 178.8 178.8 178.8 178.8 0.0
Regards,
--
Wolfgang Nagele
Senior Systems and Network Administrator
AusRegistry Pty Ltd
Level 8, 10 Queens Road
Melbourne, Victoria, Australia, 3004
Phone +61 3 9090 1756
Email: wolfgang.nagele at ausregistry.com.au
Web: www.ausregistry.com.au
On Feb 29, 2012, at 10:54 AM, Rob Leslie wrote:
> Hello all,
>
> Recently I’ve started getting numerous errors in my logs of the form:
>
> Feb 24 15:12:50 server named[3511]: validating @0xb8976b78: com SOA: got insecure response; parent indicates it should be secure
> Feb 24 15:12:50 server named[3511]: error (no valid RRSIG) resolving 'google.com/DS/IN': 192.42.93.30#53
>
> These errors have occurred while attempting to resolve many different domains (always under com or net), have occurred on several independent nameservers, always involve SOA/DS RR types, and always mention 192.42.93.30 (g.gtld-servers.net).
>
> The above date and time appears to be one of the earliest occurrences, but it has been occurring consistently, about a few times per hour, ever since.
>
> I’ve not noticed any problems with DNS resolution, and validation otherwise seems to be working normally.
>
> Can anyone point me in the right direction to help me understand what is causing this?
>
> Thanks,
>
> --
> Rob Leslie
> rob at mars.org
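
Added example, not part of the original thread: a Python check for the symptom discussed above. It parses the text of `dig +dnssec +norec` output and flags a referral from a signed parent whose authority section carries NS records but no RRSIG-covered DS or NSEC/NSEC3. The function names and the second sample response are constructed for illustration; the first sample is abridged from the dig output in the message.

```python
import re
from collections import Counter

# One resource-record line of dig output: owner, TTL, class IN, type, rdata.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

def authority_records(dig_text):
    """Return (type, rdata) pairs from the AUTHORITY section of dig output."""
    records, in_authority = [], False
    for line in dig_text.splitlines():
        line = line.strip()
        if line.startswith(";;"):  # section header or trailer line
            in_authority = line.startswith(";; AUTHORITY SECTION")
            continue
        m = RR_LINE.match(line)
        if in_authority and m:
            records.append((m.group(3), m.group(4)))
    return records

def classify_referral(dig_text):
    """Classify a +dnssec referral returned by a signed parent zone."""
    recs = authority_records(dig_text)
    types = {t for t, _ in recs}
    # The first rdata field of an RRSIG is the record type it covers.
    covered = {rdata.split()[0] for t, rdata in recs if t == "RRSIG"}
    if "NS" not in types:
        return "not-a-referral"
    if "DS" in types and "DS" in covered:
        return "secure-delegation"
    if {"NSEC", "NSEC3"} & types & covered:
        return "insecure-delegation-proven"
    return "unsigned-referral"  # nothing for a validator to check

def tally(responses):
    """Count classifications over repeated queries to one server address."""
    return Counter(classify_referral(r) for r in responses)

# Authority section abridged from the dig output in the message above.
PAGE_RESPONSE = """;; AUTHORITY SECTION:
google.com. 172800 IN NS ns2.google.com.
google.com. 172800 IN NS ns1.google.com.
"""
# Constructed sample (placeholder hashes and signature) of a healthy referral.
SIGNED_RESPONSE = """;; AUTHORITY SECTION:
example.com. 172800 IN NS ns1.example.com.
HASH1.com. 86400 IN NSEC3 1 1 0 - HASH2 NS SOA RRSIG DNSKEY NSEC3PARAM
HASH1.com. 86400 IN RRSIG NSEC3 8 2 86400 SIGNATURE-ELIDED
"""
print(tally([PAGE_RESPONSE, SIGNED_RESPONSE, PAGE_RESPONSE]))
```

Feeding it the saved text of repeated dig runs against one address shows how often the unsigned variant comes back, which helps separate a single broken backend from a zone-wide problem.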