Hi,
I recently detected an L root server, be-anr-aa, which was lagging behind.
On 9/5 in the evening, the serial was 2023042601 and the signatures expired
on 20230509170000, causing DNSSEC validation to fail.
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> -6 -t SOA . @l.root-servers.net +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64980
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 13
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;. IN SOA
;; ANSWER SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023042601 1800 900 604800 86400
. 86400 IN RRSIG SOA 8 0 86400 20230509170000
20230426160000 60955 . ZAapnzuzu9iBrd5gXC3eskevI6D0VvHuXNeUUS+QaL6OkYqf4mnUthiP
1Zgsc+8ZKtG43KShNlFAQa2ior4XVkPEageKW9cmdZQISGnbYAqGBvb0
ssrfsRoFfiNR3OdG9aLhX8Kfujl2Or9j7s9mKkAaNgboIlEQwv+Ty++r
eUAaWth0pGY4uLlitb3PMln/ILnF39N+WZNh4UkQABwTbOaMKkZwD1zN
4H3ja+NQrn8o0zARbtmEtZw5aaiaX31pAU2azdcR5xDr4+xT54wrnKn8
UvVSe1tzIgGUa1KlkC/snmSoddEmuu/lIBbkZMPD7smIa4OgfCvnDJWr 3bm60A==
After reporting the issue to ICANN, the be-anr-aa server was deactivated.
After that I set up regular checking of the root server serials, and since
yesterday we again have a lagging L root server, now fr-bfc-aa.
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> -t SOA . @l.root-servers.net. +dnssec +nsid
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52383
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 13
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; NSID: 66 72 2d 62 66 63 2d 61 61 ("fr-bfc-aa")
;; QUESTION SECTION:
;. IN SOA
;; ANSWER SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023051802 1800 900 604800 86400
. 86400 IN RRSIG SOA 8 0 86400 20230531200000
20230518190000 60955 . MAKZKzGYX9gBARWGOGNKohj7CHkmW1PTTGzqr8JI7VBI2ICN8tZgHI2j
0/NZ6jJHrVhXIOf6sre/O6K3lJZi44kyU8TC9kGkdJiGVwj2RIDH6H3E
AJ9nxv5ywLhqZclTS78Op+nUrSlNsM1HOiqeNPAcmY1W/4yInlF0/v9b
vWrdweJkBRzYWaIzTs1q7KXTlDOjibRRrZKMi/eRtxSt7kRRlHRqXfY5
rNC4rQEN/FfYPgWnrBMrp17CqbwRUVmXcE2hO61JQCpW9HAVKg64qtLF
4KsadkCV2ps2c5qwmY1Hi8YBdyk7jhET9erSW90MRLwB9fDGAfzM7EXh bYh/JA==
A lagging root server will probably not cause a big issue immediately, making
mitigation not that urgent.
However, with DNSSEC validation, it has become important that all root servers
are not lagging too far (beyond the signatures' expiration).
Maybe some verification and mitigation processes should be updated to take
DNSSEC into account?
--
Thor
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
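The kind of regular check the post describes, as an added example that is not the poster's own script: it parses the answer section of `dig +dnssec +nsid SOA .` output from one root-server instance, pulls out the SOA serial, the RRSIG inception/expiration window and the NSID, and reports whether the serial lags the serial seen elsewhere and whether the signature has expired or is about to. The two embedded samples are the answers quoted in the post, trimmed to the relevant lines; the reference serials and "now" timestamps passed in below are constructed for illustration, and `check_instance`, `parse_root_soa` and `sigtime` are names chosen here.

```python
"""Check a root-server instance for a lagging zone and an expired SOA RRSIG.

Added example, not the poster's monitoring script.  Input is the text of
`dig +dnssec +nsid -t SOA . @<instance>`; the NSID line identifies the
anycast instance when the operator returns one.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed samples: the two answers quoted in the post, trimmed to the lines
# this check needs (signature data shortened).  The first answer carried no NSID.
BE_ANR_AA = """\
;; ANSWER SECTION:
.   86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023042601 1800 900 604800 86400
.   86400 IN RRSIG SOA 8 0 86400 20230509170000 20230426160000 60955 . ZAapnzuzu9iBrd5g...
"""
FR_BFC_AA = """\
; NSID: 66 72 2d 62 66 63 2d 61 61 ("fr-bfc-aa")
;; ANSWER SECTION:
.   86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023051802 1800 900 604800 86400
.   86400 IN RRSIG SOA 8 0 86400 20230531200000 20230518190000 60955 . MAKZKzGYX9gBARWG...
"""

# \s+ also spans newlines, so mail-wrapped output like the post's still parses.
SOA_RE = re.compile(r"^\.\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(\d+)\s", re.M)
RRSIG_RE = re.compile(
    r"^\.\s+\d+\s+IN\s+RRSIG\s+SOA\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+(\d+)\s", re.M)
NSID_RE = re.compile(r'^; NSID: .*\("([^"]*)"\)', re.M)


def sigtime(s):
    """RRSIG times are YYYYMMDDHHMMSS in UTC (RFC 4034 presentation format)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_root_soa(dig_text):
    """Return serial, RRSIG validity window, key tag and NSID from dig output."""
    soa = SOA_RE.search(dig_text)
    sig = RRSIG_RE.search(dig_text)
    if not soa or not sig:
        raise ValueError("no signed SOA answer found")
    nsid = NSID_RE.search(dig_text)
    return {
        "nsid": nsid.group(1) if nsid else None,
        "serial": int(soa.group(1)),
        "expiration": sigtime(sig.group(1)),
        "inception": sigtime(sig.group(2)),
        "keytag": int(sig.group(3)),
    }


def check_instance(dig_text, reference_serial, now, warn_before=timedelta(hours=24)):
    """Findings for one instance.  `reference_serial` is the serial seen at a
    healthy server; `now` is a YYYYMMDDHHMMSS string so captured output can be
    replayed.  Root zone serials are YYYYMMDDnn, so integer order is date order."""
    rec = parse_root_soa(dig_text)
    t = sigtime(now)
    findings = []
    if rec["serial"] < reference_serial:
        findings.append("serial %d lags reference %d" % (rec["serial"], reference_serial))
    if t < rec["inception"]:
        findings.append("RRSIG not yet valid: %s" % rec["inception"].isoformat())
    if t >= rec["expiration"]:
        # A validating resolver that lands on this instance will fail validation.
        findings.append("RRSIG expired: %s" % rec["expiration"].isoformat())
    elif t >= rec["expiration"] - warn_before:
        findings.append("RRSIG expires soon: %s" % rec["expiration"].isoformat())
    return findings


if __name__ == "__main__":
    # Constructed reference serials / observation times for the two samples.
    for text, ref, now in ((BE_ANR_AA, 2023050901, "20230509200000"),
                           (FR_BFC_AA, 2023051900, "20230519120000")):
        name = parse_root_soa(text)["nsid"] or "(no NSID)"
        for finding in check_instance(text, ref, now) or ["ok"]:
            print("%s: %s" % (name, finding))
```

In practice the reference serial would come from querying several other root servers in the same run and taking the highest serial seen; a lag of a few hours is normal zone propagation, while an RRSIG whose expiration is in the past is the condition that actually breaks validating resolvers and is worth paging on.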