Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail
On Sun, Apr 28, 2024 at 2:18 AM Walter H. wrote:
>
> On 27.04.2024 16:54, Lee wrote:
> > On Sat, Apr 27, 2024 at 9:50 AM Walter H. via bind-users
> > wrote:
> >> # host dnssec-analyzer.verisignlabs.com
> >> dnssec-analyzer.verisignlabs.com is an alias for
> >> dnssec-analyzer-gslb.verisignlabs.com.
> >> dnssec-analyzer-gslb.verisignlabs.com has address 209.131.158.42
> >>
> > Right, the IPv4 address lookup works. Now try looking up the IPv6 address.
>
> if there was one it would be presented there

Try this:

$ dig www.github.com

; <<>> DiG 9.16.48-Debian <<>> www.github.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45964
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
; COOKIE: 6e0635047fb42cbf0100662ff80b95c1aaed2c48a54b (good)
;; QUESTION SECTION:
;www.github.com. IN

;; ANSWER SECTION:
www.github.com. 3600 IN CNAME github.com.

;; AUTHORITY SECTION:
github.com. 3600 IN SOA dns1.p08.nsone.net. hostmaster.nsone.net. 1656468023 43200 7200 1209600 3600

The query status is NOERROR. Compare that to

$ dig dnssec-analyzer-gslb.verisignlabs.com

; <<>> DiG 9.16.48-Debian <<>> dnssec-analyzer-gslb.verisignlabs.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18045
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
; COOKIE: 8dca27caaec9a4740100662ff8ad9cc9bff9bf779d54 (good)
;; QUESTION SECTION:
;dnssec-analyzer-gslb.verisignlabs.com. IN

where the query status is SERVFAIL.

OK.. noerr vs. servfail doesn't make all that much difference to me,
but I *would* like to understand why looking up the IPv6 address for
that name gives me an error. I'm still operating under the
(increasingly looking like it's delusional) assumption that I should
be able to understand this stuff.

> this can't be a matter of DNSSEC, as there are only signed whole zones
> and not just single DNS-records ...

I dunno. I've seen some weird stuff with servers on AWS not resolving
IPv6 addresses but having a CNAME pointing outside the zone. Which I
don't understand, but at least it doesn't return an error so I just
chalked it up to them deciding that supporting IPv6 was too much of a
pain.

Regards,
Lee

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail
On Sun, Apr 28, 2024 at 2:18 AM Walter H. via bind-users wrote:

something that I replied to and got this in response:

Error Icon
Message blocked
Your message to Walter.H@[..snip..] has been blocked. See technical
details below for more information.

The response from the remote server was:
554 5.7.1 : Client host rejected: Use IPv4

Which is strangely appropriate when trying to troubleshoot an issue
that applies only to IPv6.
But I've forgotten how to turn off IPv6 :(

Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail
And the SMTP server doesn’t need to listen on IPv6 if it isn’t going to accept messages over that transport. Talk about a way to DoS yourself.

--
Mark Andrews

> On 30 Apr 2024, at 06:19, Lee wrote:
>
> On Sun, Apr 28, 2024 at 2:18 AM Walter H. via bind-users
> wrote:
>
> something that I replied to and got this in response:
>
> Error Icon
> Message blocked
> Your message to Walter.H@[..snip..] has been blocked. See technical
> details below for more information.
>
> The response from the remote server was:
> 554 5.7.1 : Client host rejected: Use IPv4
>
> Which is strangely appropriate when trying to troubleshoot an issue
> that applies only to IPv6.
> But I've forgotten how to turn off IPv6 :(

Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail
On Sun, Apr 28, 2024 at 7:56 PM Mark Andrews wrote:
>
> It isn’t DNSSEC. It’s a badly configured DNS server that is claiming that it
> serves .com rather than dnssec-analyzer-gslb.verisignlabs.com which is
> actually delegated to it.
>
> % dig dnssec-analyzer-gslb.verisignlabs.com +trace +all
> ;; BADCOOKIE, retrying.
>
> ; <<>> DiG 9.19.24-dev <<>> dnssec-analyzer-gslb.verisignlabs.com +trace
> +all
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37498
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27

<.. snip lots ..>

> ;; AUTHORITY SECTION:
> com. 60 IN SOA this.name.is.invalid. hostmaster.this.name.is.invalid.
> 2023030710 10800 3600 604800 60

I did a search for "this.name.is.invalid" and the only results I got
were for F5 support pages - eg.
The fix in BIG-IP DNS 14.1.0 introduces a new setting,
wideip-zone-nameserver, which defaults the WideIP zone nameserver to
this.name.is.invalid.

Wouldn't a badly configured F5 server be a better explanation?

Thanks
Lee

Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail
I prefer to only name and shame when I’m 100% sure of the target.

--
Mark Andrews

> On 30 Apr 2024, at 06:56, Lee wrote:
>
> On Sun, Apr 28, 2024 at 7:56 PM Mark Andrews wrote:
>>
>> It isn’t DNSSEC. It’s a badly configured DNS server that is claiming that it
>> serves .com rather than dnssec-analyzer-gslb.verisignlabs.com which is
>> actually delegated to it.
>>
>> % dig dnssec-analyzer-gslb.verisignlabs.com +trace +all
>> ;; BADCOOKIE, retrying.
>>
>> ; <<>> DiG 9.19.24-dev <<>> dnssec-analyzer-gslb.verisignlabs.com
>> +trace +all
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37498
>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27
> <.. snip lots ..>
>
>> ;; AUTHORITY SECTION:
>> com. 60 IN SOA this.name.is.invalid. hostmaster.this.name.is.invalid.
>> 2023030710 10800 3600 604800 60
>
> I did a search for "this.name.is.invalid" and the only results I got
> were for F5 support pages - eg.
> The fix in BIG-IP DNS 14.1.0 introduces a new setting,
> wideip-zone-nameserver, which defaults the WideIP zone nameserver to
> this.name.is.invalid.
>
> Wouldn't a badly configured F5 server be a better explanation?
>
> Thanks
> Lee

Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail
On Mon, Apr 29, 2024 at 5:13 PM Mark Andrews wrote:
>
> I prefer to only name and shame when I’m 100% sure of the target.

I was only trying to understand why I was getting a SERVFAIL, there
was no intention to name & shame.

Regards,
Lee

"name & shame" was not my intent.

>
> --
> Mark Andrews
>
> > On 30 Apr 2024, at 06:56, Lee wrote:
> >
> > On Sun, Apr 28, 2024 at 7:56 PM Mark Andrews wrote:
> >>
> >> It isn’t DNSSEC. It’s a badly configured DNS server that is claiming that
> >> it serves .com rather than dnssec-analyzer-gslb.verisignlabs.com which is
> >> actually delegated to it.
> >>
> >> % dig dnssec-analyzer-gslb.verisignlabs.com +trace +all
> >> ;; BADCOOKIE, retrying.
> >>
> >> ; <<>> DiG 9.19.24-dev <<>> dnssec-analyzer-gslb.verisignlabs.com
> >> +trace +all
> >> ;; global options: +cmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37498
> >> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27
> > <.. snip lots ..>
> >
> >> ;; AUTHORITY SECTION:
> >> com. 60 IN SOA this.name.is.invalid. hostmaster.this.name.is.invalid.
> >> 2023030710 10800 3600 604800 60
> >
> > I did a search for "this.name.is.invalid" and the only results I got
> > were for F5 support pages - eg.
> > The fix in BIG-IP DNS 14.1.0 introduces a new setting,
> > wideip-zone-nameserver, which defaults the WideIP zone nameserver to
> > this.name.is.invalid.
> >
> > Wouldn't a badly configured F5 server be a better explanation?
> >
> > Thanks
> > Lee

Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail
On 29.04.2024 22:19, Lee wrote:
> On Sun, Apr 28, 2024 at 2:18 AM Walter H. via bind-users
> wrote:
>
> something that I replied to and got this in response:
>
> Error Icon
> Message blocked
> Your message to Walter.H@[..snip..] has been blocked. See technical
> details below for more information.
>
> The response from the remote server was:
> 554 5.7.1 : Client host rejected: Use IPv4

For explanation: this is MY mail server, which blocks IPv6 connections from

Outlook.com
Gmail.com
...

as these are the biggest SPAM senders

Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail
> On 30 Apr 2024, at 13:39, Walter H. via bind-users
> wrote:
>
> On 29.04.2024 22:19, Lee wrote:
>> On Sun, Apr 28, 2024 at 2:18 AM Walter H. via bind-users
>> wrote:
>>
>> something that I replied to and got this in response:
>>
>> Error Icon
>> Message blocked
>> Your message to Walter.H@[..snip..] has been blocked. See technical
>> details below for more information.
>>
>> The response from the remote server was:
>> 554 5.7.1 : Client host rejected: Use IPv4
>>
> For explanation: this is MY mail server, which blocks IPv6 connections from
>
> Outlook.com
> Gmail.com
> ...
>
> as these are the biggest SPAM senders

As far as I know they deliver email over both IPv4 and IPv6 (spam and ham) independently of the transport. The only thing that blocking one transport like this does is cause email to be unreliable. The sender has no control over the transport protocol used.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: dnssec-analyzer.verisignlabs.com aaaa lookup fail
And it has been fixed.

% dig dnssec-analyzer.verisignlabs.com
;; BADCOOKIE, retrying.

; <<>> DiG 9.19.24-dev <<>> dnssec-analyzer.verisignlabs.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9048
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 9fcb48e259ddaedd010066308ef2d1dcce4f0e1ca7fe (good)
;; QUESTION SECTION:
;dnssec-analyzer.verisignlabs.com. IN

;; ANSWER SECTION:
dnssec-analyzer.verisignlabs.com. 3600 IN CNAME dnssec-analyzer-verisignlabs.gslb.verisign.com.

;; AUTHORITY SECTION:
gslb.verisign.com. 60 IN SOA gslb.ilg1.verisign.com. hostmaster.gslb.ilg1.verisign.com. 2024041709 10800 3600 604800 60

;; Query time: 1155 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Tue Apr 30 16:25:54 AEST 2024
;; MSG SIZE rcvd: 203

%

> On 30 Apr 2024, at 06:55, Lee wrote:
>
> On Sun, Apr 28, 2024 at 7:56 PM Mark Andrews wrote:
>>
>> It isn’t DNSSEC. It’s a badly configured DNS server that is claiming that it
>> serves .com rather than dnssec-analyzer-gslb.verisignlabs.com which is
>> actually delegated to it.
>>
>> % dig dnssec-analyzer-gslb.verisignlabs.com +trace +all
>> ;; BADCOOKIE, retrying.
>>
>> ; <<>> DiG 9.19.24-dev <<>> dnssec-analyzer-gslb.verisignlabs.com
>> +trace +all
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37498
>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27
> <.. snip lots ..>
>
>> ;; AUTHORITY SECTION:
>> com. 60 IN SOA this.name.is.invalid. hostmaster.this.name.is.invalid.
>> 2023030710 10800 3600 604800 60
>
> I did a search for "this.name.is.invalid" and the only results I got
> were for F5 support pages - eg.
> The fix in BIG-IP DNS 14.1.0 introduces a new setting,
> wideip-zone-nameserver, which defaults the WideIP zone nameserver to
> this.name.is.invalid.
>
> Wouldn't a badly configured F5 server be a better explanation?
>
> Thanks
> Lee

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
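
Added example, not part of any message in this thread and not the posters' or ISC's code: a resolver-style bailiwick check on the SOA of a negative answer, applied to the two SOA lines quoted above (the one owned by com. and the one from the fixed response). The function names and the zone cut used for the fixed case (gslb.verisign.com.) are assumptions made for illustration.

```python
# Added example: bailiwick check on the SOA of a negative DNS answer.
# SOA lines below are copied from the dig output quoted in the thread;
# the zone cut used for the fixed case is an assumption.

def labels(name):
    """Split a domain name into lowercase labels; the root is []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def is_at_or_below(name, zone):
    """True if name equals zone or is a descendant of it."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def soa_owner(authority_lines):
    """Owner name of the first 'owner ttl IN SOA ...' line, else None."""
    for line in authority_lines:
        fields = line.split()
        if line.startswith(";") or len(fields) < 4:
            continue
        if fields[2].upper() == "IN" and fields[3].upper() == "SOA":
            return fields[0]
    return None

def check_negative_answer(qname, zone_cut, authority_lines):
    """Classify the SOA a server returned for a NODATA/NXDOMAIN answer."""
    owner = soa_owner(authority_lines)
    if owner is None:
        return "no-soa"
    if not is_at_or_below(qname, owner):
        return "soa-not-ancestor-of-qname"
    if not is_at_or_below(owner, zone_cut):
        return "soa-above-delegation"   # server claims a parent zone
    return "ok"

BROKEN = ["com. 60 IN SOA this.name.is.invalid. "
          "hostmaster.this.name.is.invalid. 2023030710 10800 3600 604800 60"]
FIXED = ["gslb.verisign.com. 60 IN SOA gslb.ilg1.verisign.com. "
         "hostmaster.gslb.ilg1.verisign.com. 2024041709 10800 3600 604800 60"]

if __name__ == "__main__":
    gslb = "dnssec-analyzer-gslb.verisignlabs.com."
    print(check_negative_answer(gslb, gslb, BROKEN))
    print(check_negative_answer(
        "dnssec-analyzer-verisignlabs.gslb.verisign.com.",
        "gslb.verisign.com.", FIXED))
```

The first call reports the SOA as sitting above the delegation, the second as acceptable.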