.biz DNSSEC borked

Jared Mauch jared at puck.Nether.net
Mon Jun 24 00:31:02 UTC 2013


On Sun, Jun 23, 2013 at 07:49:14PM -0400, Valdis.Kletnieks at vt.edu wrote:
> On Sat, 22 Jun 2013 20:45:44 +0200, Andre Tomt said:
> > Seems the entire .biz tld is failing DNSSEC validation now.
> > All of my DNSSEC validating resolvers are tossing all domains in .biz.
> > The non-signed domains too of course because trust of the tld itself
> > cannot be established.
> >
> > http://dnssec-debugger.verisignlabs.com/nic.biz
> 
> So which event caused more disruption?  50K .com's in a failed DDoS
> mitigation, or every single .biz lookup by something that actually does
> dnssec?

	I think two different things happened here:

1) biz breakage reinforces the fact that validation can cause disruption.
   If it were .com and not fixed for a few hours, every major ISP would
   likely turn off validation for a year or more.

2) com issue shows some major "brands" that they need to be more demanding of
   their providers.

   Some really interesting data here: I ran a few domains through some
   DNS server lists I have lying around, and saw stuff like this:

8.23.128.129/53/www.usps.com^IN^CNAME^www.usps.com.edgekey.net|www.usps.com.edgekey.net^IN^CNAME^usps.georedirector.usps.com.akadns.net|usps.georedirector.usps.com.akadns.net^IN^CNAME^e7154.dscb.akamaiedge.net|e7154.dscb.akamaiedge.net^IN^A^23.35.198.219//usps.com^IN^NS^ns1621.ztomy.com|usps.com^IN^NS^ns2621.ztomy.com

so, you see www.usps.com points at edgekey, but the authority for 
usps.com was still held as ztomy for some time.

(I don't have it printing the TTLs, but could add that...)

This excludes DNS servers that are *very* broken, such as ones that will replace
existing authority/delegation w/ stuff returned in an unrelated query
(as seen above) or other unsolicited data. (I get many servers that tell
me stuff I *really* didn't ask for.)

(I queried for openresolverproject and got back something about betterbricks.com.)

190.51.146.2/21528/betterbricks.com^IN^MX^30 betterbricks.com.s10b1.psmtp.com|betterbricks.com^IN^MX^40 betterbricks.com.s10b2.psmtp.com|betterbricks.com^IN^MX^10 betterbricks.com.s10a1.psmtp.com|betterbricks.com^IN^MX^20 betterbricks.com.s10a2.psmtp.com//

or this that seems to delegate root to some nipr.mil host.

214.4.226.2/53//con2.nipr.mil^IN^A^199.252.162.234|con1.nipr.mil^IN^A^207.132.116.25/.^IN^NS^con2.nipr.mil|.^IN^NS^con1.nipr.mil

	- Jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
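As an added example, not code from Jared's post: a small Python parser for the record layout used in the excerpts above (`ip/port/answer/additional/authority`, with records split on `|` and fields on `^`; this layout is inferred from the three lines and is an assumption), plus a check that flags the two kinds of junk he describes: answer records for names that were never asked about, and authority data outside the queried name's bailiwick, including a root delegation to anything other than the root-servers.net hosts. The query names for the second and third sample lines are not stated in the post and are assumed.

```python
from dataclasses import dataclass

ROOT_SERVERS = "root-servers.net"  # the real root NS hosts are [a-m].root-servers.net


@dataclass(frozen=True)
class RR:
    owner: str
    rclass: str
    rtype: str
    rdata: str


def parse_line(line):
    """Split one 'ip/port/answer/additional/authority' line into sections of RRs.
    Field order is an assumption inferred from the sample lines in the post."""
    ip, port, *sections = line.strip().split("/")
    if len(sections) != 3:
        raise ValueError("expected answer/additional/authority, got %d sections" % len(sections))
    def section(s):
        return [RR(*r.split("^", 3)) for r in s.split("|") if r]
    return (ip, int(port), *[section(s) for s in sections])


def in_bailiwick(owner, qname):
    """True if owner is qname itself or one of its parent zones."""
    owner, qname = owner.rstrip(".").lower(), qname.rstrip(".").lower()
    return owner == qname or qname.endswith("." + owner)


def audit(line, qname):
    """Return human-readable findings for data a client should not accept at face value."""
    ip, port, answer, additional, authority = parse_line(line)
    expected = {qname.lower()}  # names we asked about: qname plus the CNAME chain from it
    for rr in answer:
        if rr.rtype == "CNAME" and rr.owner.lower() in expected:
            expected.add(rr.rdata.lower())
    findings = [f"unsolicited answer {rr.owner} {rr.rtype} {rr.rdata}"
                for rr in answer if rr.owner.lower() not in expected]
    for rr in authority:
        if rr.rtype != "NS":
            continue
        if rr.owner == ".":  # a root delegation must point at the real root servers
            if not rr.rdata.lower().endswith("." + ROOT_SERVERS):
                findings.append(f"root delegated to {rr.rdata}")
        elif not in_bailiwick(rr.owner, qname):
            findings.append(f"out-of-bailiwick authority {rr.owner} NS {rr.rdata}")
    return findings


# Sample lines copied from the post; the second and third query names are assumed.
SAMPLES = [
    ("www.usps.com", "8.23.128.129/53/www.usps.com^IN^CNAME^www.usps.com.edgekey.net|www.usps.com.edgekey.net^IN^CNAME^usps.georedirector.usps.com.akadns.net|usps.georedirector.usps.com.akadns.net^IN^CNAME^e7154.dscb.akamaiedge.net|e7154.dscb.akamaiedge.net^IN^A^23.35.198.219//usps.com^IN^NS^ns1621.ztomy.com|usps.com^IN^NS^ns2621.ztomy.com"),
    ("openresolverproject.org", "190.51.146.2/21528/betterbricks.com^IN^MX^30 betterbricks.com.s10b1.psmtp.com|betterbricks.com^IN^MX^40 betterbricks.com.s10b2.psmtp.com|betterbricks.com^IN^MX^10 betterbricks.com.s10a1.psmtp.com|betterbricks.com^IN^MX^20 betterbricks.com.s10a2.psmtp.com//"),
    ("www.usps.com", "214.4.226.2/53//con2.nipr.mil^IN^A^199.252.162.234|con1.nipr.mil^IN^A^207.132.116.25/.^IN^NS^con2.nipr.mil|.^IN^NS^con1.nipr.mil"),
]

if __name__ == "__main__":
    for qname, line in SAMPLES:
        print(line.split("/")[0], qname, audit(line, qname) or ["ok"])
```

The first line passes because the ztomy delegation, stale or not, is in bailiwick for www.usps.com; staleness needs TTL or cross-resolver comparison, which this check does not do.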