Interesting new dns failures
Mark_Andrews at isc.org
Mon May 21 09:10:20 UTC 2007
In article <20070521081322.GA741 at nic.fr> you write:
>On Sun, May 20, 2007 at 09:25:37PM -0700,
> Roger Marquis <marquis at roble.com> wrote
> a message of 15 lines which said:
>> >If not, have any root nameservers been hacked?
>> To partly answer my own question, no.
>I cannot find the original message in my mailbox. (Not on NANOG
>mailing list archives.) What was the issue?
>> The data returned by root (gtld) nameservers is not changing
>Now, I understand nothing. Is there a problem with the root
>nameservers or with some gTLD nameservers???
There isn't a problem with the root or tld servers.
There is a problem with the server for these zones.
They don't speak RFC 1034, hence the error messages
about garbage responses.
Note the answer doesn't match the question.
; <<>> DiG 9.5.0a2 <<>> @184.108.40.206 ns6.loptran.com +norec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36800
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ns6.loptran.com. IN A
;; ANSWER SECTION:
loptran.com. 0 IN A 220.127.116.11
;; Query time: 212 msec
;; SERVER: 18.104.22.168#53(22.214.171.124)
;; WHEN: Mon May 21 19:05:58 2007
;; MSG SIZE rcvd: 60
There is a problem with the whole delegation process in
that no one involved in the delegation seems to care that
absolute garbage is being injected into the DNS. A few
simple checks, like above, would have show that the servers
were not RFC 1034 compliant. That the glue was not a copy
of the records in the child zone. The parent *is* required
by RFC 1034 to check this.
RFC 1034, 4.2.2. Administrative considerations, paragraph 3.
As the last installation step, the delegation NS RRs and glue RRs
necessary to make the delegation effective should be added to the parent
zone. The administrators of both zones should insure that the NS and
glue RRs which mark both sides of the cut are consistent and remain so.
These zones should be pulled.
More information about the NANOG