Hurricane Electric's IPv6 Tunnel Broker Forums

Topic: DNS queries to ns[1-5].he.net - Type "ANY"

snarked

DNS queries to ns[1-5].he.net - Type "ANY"
« on: July 16, 2010, 01:48:36 PM »

Queries for RR-type "ANY" seem to return SERVFAIL, while queries for the same label for specific RR-types return success (for those which exist).

If RR-type "ANY" queries won't be answered, isn't the appropriate response REFUSED, not SERVFAIL?

If someone is having problems with the DNS service, they are likely to test it by manually querying some records, and it is likely that at least some queries will be for any record for a label.  Returning SERVFAIL instead of REFUSED leads them in the wrong direction for diagnosing the problem.

I recognize that HE may need to refer this issue to its DNS software vendor.

PS:  Your web display of a zone doesn't seem to know that RR-types 50 and 51 are called NSEC3 and NSEC3PARAM, so as long as you have to deal with your vendor, ....

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
Re: DNS queries to ns[1-5].he.net - Type "ANY"
« Reply #1 on: July 16, 2010, 02:20:25 PM »

Was this sent to dnsadmin@he.net?

snarked

Re: DNS queries to ns[1-5].he.net - Type "ANY"
« Reply #2 on: July 16, 2010, 05:26:27 PM »

Not yet.  I wanted to verify the behavior here first - plus sending it to the dnsadmin mailbox does nothing to alert others of a possible problem or issue.

lorenzoz

Re: DNS queries to ns[1-5].he.net - Type "ANY"
« Reply #3 on: July 17, 2010, 12:39:43 PM »

I don't have any problem with ANY queries.
This is a DIG ANY to ns1.he.net: http://pastebin.com/Sws3sQcN

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
Re: DNS queries to ns[1-5].he.net - Type "ANY"
« Reply #4 on: July 17, 2010, 02:08:21 PM »

Quote
I don't have any problem with ANY queries.
This is a DIG ANY to ns1.he.net: http://pastebin.com/Sws3sQcN

Only slightly curious why you X'ed out the IPs, when someone can just rerun the query and get them :)

patrickdk

Re: DNS queries to ns[1-5].he.net - Type "ANY"
« Reply #5 on: July 17, 2010, 02:34:33 PM »

I always wonder why people bother doing that ever. It's not like an ip is private information, or a password.

It's public, and registered, and indexed.

snarked

Re: DNS queries to ns[1-5].he.net - Type "ANY"
« Reply #6 on: July 17, 2010, 03:33:27 PM »

Here's what I get - First, a query for "ANY" (for one of my own domains):
Quote
; <<>> DiG 9.7.1-P2 <<>> snarked.org any @ns1.he.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39379
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;snarked.org.                   IN      ANY

;; Query time: 12 msec
;; SERVER: 216.218.130.2#53(216.218.130.2)
;; WHEN: Sat Jul 17 22:20:03 2010
;; MSG SIZE  rcvd: 29
Next, a query for just the SOA:
Quote
; <<>> DiG 9.7.1-P2 <<>> snarked.org soa @ns1.he.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39818
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;snarked.org.                   IN      SOA

;; ANSWER SECTION:
snarked.org.            21600   IN      SOA     ns.snarked.org. hostmaster.snarked.org. 2010071600 43200 7200 2419200 10800

;; Query time: 12 msec
;; SERVER: 216.218.130.2#53(216.218.130.2)
;; WHEN: Sat Jul 17 22:21:04 2010
;; MSG SIZE  rcvd: 90
As demonstrated, the "ANY" query indicates server failure, while a query for a specific record type succeeds (any specific type - doesn't matter which).

The results are the same whether I query directly on my server (West Coast and as above) or from http://network-tools.com/nslook/Default.asp (near NYC).  As the zone is DNSSEC signed with NSEC3, could that be the problem?

gshaver

  • Administrator
Re: DNS queries to ns[1-5].he.net - Type "ANY"
« Reply #7 on: July 19, 2010, 02:22:56 PM »

NSEC3 is causing the backend to throw an exception and bail on the request. 
They have added support for NSEC3 in their DNSSEC build, but it is not stable enough for production use.

Hopefully it won't be too much longer before we can start playing around with the dnssec stuff.

Gary
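Added example, not code from the thread or from HE: the check snarked ran by hand in Reply #6 (ANY versus a specific type, same name, same server) as a small Python script, plus a look for NSEC3PARAM at the apex, the record an NSEC3-signed zone carries and the trigger Gary names in Reply #7. It builds the query in wire format itself, so the 29-byte SERVFAIL reply in the dig output above can be reconstructed offline, and its type table knows 50 and 51 by name. ns1.he.net and snarked.org are taken from the thread as defaults; the function names, the diagnose() wording and the make_response() helper (which only fakes a reply for offline use) are this example's own.

```python
"""
Added example for this thread (not code from the original posts or from HE):
build a DNS query in wire format, parse the reply header, and tell SERVFAIL
from REFUSED so the ANY-vs-SOA comparison from Reply #6 can be scripted.
Assumed: the server/zone defaults (ns1.he.net, snarked.org) are taken from
the thread; make_response() exists only to reproduce a reply offline.
"""
import os
import socket
import struct

# RR type codes (RFC 1035; 50/51 from RFC 5155, the two the web UI in the
# opening post did not know) and RCODEs (RFC 1035).
QTYPE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28,
         "DNSKEY": 48, "NSEC3": 50, "NSEC3PARAM": 51, "ANY": 255}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
         4: "NOTIMP", 5: "REFUSED"}

FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Owner name -> uncompressed wire labels, e.g. 07 'snarked' 03 'org' 00."""
    wire = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r in %r" % (label, name))
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def build_query(name, qtype, qid, rd=True):
    """12-byte header + one question (QCLASS IN). RD set mirrors what dig sends."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def parse_header(msg):
    """Decode the fixed header; the RCODE is the low 4 bits of the flags word."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message (%d bytes)" % len(msg))
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    code = flags & 0x000F
    return {"id": qid, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "tc": bool(flags & FLAG_TC), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "rcode": RCODE.get(code, "RCODE%d" % code),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def make_response(query, rcode, aa=True):
    """Constructed reply with no answer records that echoes the question.
    Used to rebuild the 29-byte SERVFAIL from the thread without a network."""
    qid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    rflags = FLAG_QR | (FLAG_AA if aa else 0) | (flags & FLAG_RD) | (rcode & 0xF)
    return struct.pack("!HHHHHH", qid, rflags, qd, 0, 0, 0) + query[12:]


def diagnose(any_rcode, specific_rcode):
    """Read an ANY result against a specific-type result for the same name."""
    if any_rcode == specific_rcode:
        return "consistent: both %s" % any_rcode
    if any_rcode == "REFUSED" and specific_rcode == "NOERROR":
        return "policy: ANY refused, zone otherwise served"
    if any_rcode == "SERVFAIL" and specific_rcode == "NOERROR":
        return "fault: ANY fails server-side while the zone is served"
    return "mixed: ANY=%s, specific=%s" % (any_rcode, specific_rcode)


def probe(server, name, qtype, timeout=3.0):
    """One UDP query; network required. Rejects replies whose ID or QR bit do
    not match ours so a stray or spoofed datagram is not read as the answer."""
    qid = int.from_bytes(os.urandom(2), "big")
    query = build_query(name, qtype, qid)
    family, _, _, _, addr = socket.getaddrinfo(server, 53, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, addr)
        data, _ = sock.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != qid or not hdr["qr"]:
        raise ValueError("reply does not match our query (ID/QR mismatch)")
    return hdr


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "ns1.he.net"
    zone = sys.argv[2] if len(sys.argv) > 2 else "snarked.org"
    h_any, h_soa = probe(server, zone, "ANY"), probe(server, zone, "SOA")
    print("%s %s: ANY=%s SOA=%s -> %s" % (server, zone, h_any["rcode"],
          h_soa["rcode"], diagnose(h_any["rcode"], h_soa["rcode"])))
    # An NSEC3PARAM record at the apex means the zone is NSEC3-signed, the
    # condition Reply #7 identifies as what trips the backend on ANY.
    h_n3 = probe(server, zone, "NSEC3PARAM")
    print("NSEC3PARAM at apex: %s" % ("yes" if h_n3["rcode"] == "NOERROR"
          and h_n3["ancount"] > 0 else "no (%s)" % h_n3["rcode"]))
```

Save it under any name and run it with the server and zone as arguments; with none it repeats the ns1.he.net / snarked.org check from the thread. Only the header is decoded, which is all the SERVFAIL-versus-REFUSED question needs, and the ID/QR check in probe() is the minimum you want before trusting a UDP reply: without it any datagram that arrives on the socket would be taken as the server's answer.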

snarked

Re: DNS queries to ns[1-5].he.net - Type "ANY"
« Reply #8 on: July 19, 2010, 07:52:13 PM »

Well, I'm glad to know that I in fact discovered a problem. ;)  Since normal operations generally don't query for "ANY", I can live with this for the meantime (until it's fixed).

This also explains why my IPv6-HE-routed reverse zone works - I haven't signed it yet.