Date:      Sun, 20 Jan 2019 18:40:20 -0500
From:      Jon Radel <jon@radel.com>
To:        freebsd-questions@freebsd.org
Cc:        Daniel Feenberg <feenberg@nber.org>
Subject:   Re: DNS Flag Day
Message-ID:  <5522b94d-4529-e10e-db65-20a1c172d46a@radel.com>
In-Reply-To: <alpine.BSF.2.21.9999.1901201548260.40690@mail2.nber.org>
References:  <alpine.BSF.2.21.9999.1901201548260.40690@mail2.nber.org>


On 1/20/19 15:49, Daniel Feenberg wrote:
>
> Is DNS Flag Day something that should concern someone using FreeBSD 11.2
> for name service? I ran the tester at:
>
>    https://dnsflagday.net/
>
> and it indicated a need for concern, but the details were
> unintelligible and there was no suggestion of "what to do".

Not enough details are provided by you in the above to have a clear
answer.  Are you using the FreeBSD 11.2 server as an authoritative
server for one or more DNS zones? (You don't give any hint as to whether
you are using it for a recursive server, an authoritative server, or
both.)  Are there other authoritative servers involved?  Are you running
a firewall or firewalls that mess with EDNS packets?

Bottom line appears to be that if you have one or more authoritative
servers which don't implement certain aspects of EDNS properly the life
of people trying to resolve the contents of your zone will start to
degrade more quickly in a bit over a week.  So who runs your
authoritative DNS servers?

----------

If the zone you are worried about is nber.org [as an aside, this
business of being freaking coy about what domain you're talking about
and what the "need for concern" actually is achieves very little other
than wasting the time of people attempting to answer your
question--you're publishing this stuff to the world in DNS, IT IS NOT A
SECRET!], then the test at https://ednscomp.isc.org/ednscomp/ gives the
result

>
>     Checking: 'nber.org' as at 2019-01-20T23:12:14Z
>
> nber.org. @66.251.72.1 (ns1old.nber.org.): *dns=timeout* *edns=timeout*
> *edns1=timeout* *edns@512=timeout* *ednsopt=timeout* *edns1opt=timeout*
> *do=timeout* *ednsflags=timeout* *docookie=timeout* *edns512tcp=timeout*
> *optlist=timeout*
>
> nber.org. @198.71.6.1 (ns1.nber.org.): dns=ok edns=ok edns1=ok
> edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok
> docookie=ok,cookie edns512tcp=ok optlist=ok,expire,cookie,subnet
>
> nber.org. @198.71.6.3 (ns3.nber.org.): dns=ok edns=ok edns1=ok
> edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok
> edns512tcp=ok optlist=ok
>
> nber.org. @64.112.178.60 (ns1.basespace.net.): dns=ok edns=ok edns1=ok
> edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok
> edns512tcp=ok optlist=ok
>
>
which indicates that there are 4 authoritative DNS servers for nber.org
found by that test, 3 of which appear to be fine (all tests are "ok")
and 1 of which doesn't answer at all (all tests "timeout").  Digging a
bit further shows that you've got a delegation of 3 nameservers at your
parent (that's driven by what you tell your domain registrar):

nber.org.               86400   IN      NS      ns1.basespace.net.
nber.org.               86400   IN      NS      ns3.nber.org.
nber.org.               86400   IN      NS      ns1.nber.org.
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN NSEC3 1 1 1 D399EAAB
H9PARR669T6U8O1GSG9E1LMITK4DEM0T  NS SOA RRSIG DNSKEY NSEC3PARAM
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN RRSIG NSEC3 7 2 86400
20190210232117 20190120222117 45404 org.
USaVbdxbrfaLzm+YzPfAvPE1SBUqU7wWBohEn//1h8ieDHy/ss2n35+K
ZpHlToowfaC63D+EvQDVjNz1we2DXRLGSFChKNtpfVTBg7vjehznwpml
JuxyY3EmRwchgIBs5sfQjJBx3NdqIaSthpEXqTYoFHMlIRX4zJqzMBv8 Gtg=
3uqemnrnh81uabs2702d7fq097q7aanc.org. 86400 IN NSEC3 1 1 1 D399EAAB
3UQSUQNPC70J298TT0MJ82F98PLD7MD8  NS DS RRSIG
3uqemnrnh81uabs2702d7fq097q7aanc.org. 86400 IN RRSIG NSEC3 7 2 86400
20190207152537 20190117142537 45404 org.
QKUZwTKC1Nz1L8P39RYWHDsdwSNSAQlkIAA3rFTPBM2eYLrDozGj7yxx
j4cMjQfjn7IOMsV+vQ/v/UpTU7A5GDATjaOzmcourwqJw0ZvJI7jq294
Tw6vJsyn1DIyH2pOdQDYBx1MijafvgXzeqbc32lfVLdrobj54dZhlCyI fHI=
;; Received 629 bytes from 199.19.56.1#53(a0.org.afilias-nst.info) in 186 ms

But at least one of the servers for the zone itself lists a greater
number of nameservers:

nber.org.               300     IN      NS      ns1.nber.org.
nber.org.               300     IN      NS      ns3.nber.org.
nber.org.               300     IN      NS      ns1.basespace.net.
nber.org.               300     IN      NS      ns1old.nber.org.
;; Received 205 bytes from 64.112.178.60#53(ns1.basespace.net) in 24 ms

one of which is apparently a pretty bad idea, given that it appears to
be dead and gone.  Even the name "ns1old" is pretty suggestive, what?

So the solution would be to clean up the zone data and discard the NS
record that refers to a server that doesn't exist.  Note that I've not
confirmed that the matching A records between the glue records at your
parent and the records in the zone itself are consistent, in other
words, I'd suggest checking that you've told the registrar the same
thing that you've got in your DNS data and that that is the same thing
that all servers involved are actually configured as.

An alternate view at another test site that tests for a different set of
things, but also catches your current issue:
http://dnsviz.net/d/nber.org/dnssec/  That keeps historical records and
shows that you've had this issue for over a year now.


-- 
--Jon Radel
jon@radel.com
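As an added example (not part of Jon's message, and not the ednscomp tool itself), the two checks the reply walks through as a small stdlib-only Python script: comparing the NS set at the parent delegation against the NS set the zone itself serves, and sending a bare EDNS0 query to a server to see whether it answers or times out, which is what the `edns` column in the quoted ednscomp output reports. The NS listings are constructed from the records quoted above; `edns_probe` needs network access and is only there for running against your own servers.

```python
import re
import socket
import struct

# Constructed sample: NS lines from the thread's two dig listings (parent vs. zone).
PARENT_NS_TEXT = """\
nber.org. 86400 IN NS ns1.basespace.net.
nber.org. 86400 IN NS ns3.nber.org.
nber.org. 86400 IN NS ns1.nber.org.
"""
CHILD_NS_TEXT = """\
nber.org. 300 IN NS ns1.nber.org.
nber.org. 300 IN NS ns3.nber.org.
nber.org. 300 IN NS ns1.basespace.net.
nber.org. 300 IN NS ns1old.nber.org.
"""
NS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+)", re.M)

def parse_ns(text):
    """Set of NS targets (lower-cased) found in dig-style output."""
    return {m.group(3).lower() for m in NS_LINE.finditer(text)}

def delegation_mismatch(parent_text, child_text):
    """(names only the parent lists, names only the zone itself lists)."""
    parent, child = parse_ns(parent_text), parse_ns(child_text)
    return sorted(parent - child), sorted(child - parent)

def build_edns_query(qname, qtype=2, udp_size=4096, txid=0x1234):
    """Wire-format NS query carrying an EDNS0 OPT pseudo-RR (RFC 6891)."""
    # Header: id, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(x)]) + x.encode() for x in labels) + b"\0"
    question = name + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = 0, RDLEN = 0
    opt = b"\0" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return header + question + opt

def edns_probe(server_ip, qname, timeout=3.0):
    """Send the EDNS query over UDP; 'timeout' mirrors the ednscomp column."""
    query = build_edns_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return "ok" if reply[:2] == query[:2] else "bad-id"
```

On the quoted data, `delegation_mismatch` reports `ns1old.nber.org.` as present only in the zone's own NS set, which is the stale record the reply says to remove.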




