[arin-tech-discuss] FW: [ARIN-20131116.48] SERVFAIL replies in 174.in-addr.arpa. - Ref Ticket 7871618

Matt Rowley matt at arin.net
Sun Nov 17 01:52:48 EST 2013 

Hi Dani,

Sorry for this problem.  The fix has been published.  You can see the
fixed chain of trust via:
http://dnssec-debugger.verisignlabs.com/174.in-addr.arpa

Again our apologies for this, and thanks for reaching out to us to let
us know.  Please let us know if you have any questions.  Incidentally,
you can also reach us at dns-ops at arin.net.

cheers,
Matt Rowley


> From: Dani Roisman <droisman at softlayer.com>
> Date: Sat, Nov 16, 2013 at 11:10 PM
> Subject: [arin-tech-discuss] FW: [ARIN-20131116.48] SERVFAIL replies in
> 174.in-addr.arpa. - Ref Ticket 7871618
> To: "arin-tech-discuss at arin.net" <arin-tech-discuss at arin.net>
> Cc: NOC - SoftLayer <noc at softlayer.com>
> 
> 
>  Greetings,
> 
> 
> 
> We have not seen a reply from ARIN yet on this ticket, I’m sending to the
> tech-discuss list to see if anyone else has experienced this today and can
> offer some guidance?  Please note that our NOC isn’t on this distro, so as
> you reply, please copy noc at softlayer.com
> 
> 
> 
> 
> 
> *----*
> 
> Dani Roisman
> 
> VP, Network Operations
> 
> 
> 
> *SoftLayer, an IBM Company*
> 
> 315 Capitol Street Suite 205, Houston, TX 77002
> 
> 
> 
> 
> 
> *From:* ARIN Ticketing System [mailto:do-not-reply at arin.net]
> *Sent:* Saturday, November 16, 2013 10:33
> *To:* Ticket Logger
> *Cc:* NOC - SoftLayer
> *Subject:* Re:[ARIN-20131116.48] SERVFAIL replies in 174.in-addr.arpa. -
> Ref Ticket 7871618
> 
> 
> 
> There appears to have been some sort of key roll over issue with
> 174.in-addr.arpa.  This is causing SERVFAIL replies from validating DNS
> resolvers for anything in 174.in-addr.arpa.
> 
> 
> 
> The in-addr.arpa zone contains a single DS key with the ID 7353.  This is
> true for the zone that is currently being served.  Truncated dig(1) output:
> 
> 
> 
> 174.in-addr.arpa.  86400 IN
> 
> DS 7353 5 1 2096BD9C5612836870ADCCBDD68A957CB6487F34
> 
> ;; Received 70 bytes from 2001:500:87::87#53(2001:500:87::87) in 60 ms
> 
> 
> 
> This same record appears on line 946 (byte offset: 85175) in the
> in-addr.arpa zone file that's available ftp.internic.net (time stamp: Nov
> 16 04:34):
> 
> 
> 
> 174.in-addr.arpa.  86400 IN
> 
> DS 7353 5 1 2096BD9C5612836870ADCCBDD68A957CB6487F34
> 
> 
> 
> 
> 
> Unfortunately, the two keys that are available in the 174.in-addr.arpa
> zone, as served by z.arin.net, have id's of 19034 and 39420:
> 
> 
> 
> 174.in-addr.arpa.  14400 IN DNSKEY 256 3 5 (
> 
> BQEAAAABtReA/SI3OKJpKhRDt5FfaXAsrQSO9a2zpxVY
> 
> ZqP0z+ONdbw7aBaibwSC5Itly1foVXeZbTx3TkF8AAT3
> 
> 0Aa/8au4KV26TDQ6o3awY087f7rspZld8OR/fh44HV3o
> 
> puzIkeyh8PEb91rkCkAjkxqNavuEbL1OzT8wf8x+2L3p
> 
> x5c=
> 
> ) ; key id = 19034
> 
> 174.in-addr.arpa.  14400 IN DNSKEY 257 3 5 (
> 
> BQEAAAABqELZSV55GgyN/BvBbtLlz7xzP341SyAcBqkI
> 
> 87QVGiFt3PzKdNlw7NU5BeZ9Oo7aMih/5afr2RfZB50M
> 
> cREP1TUhCOf2WSoCA2l7VFpC/eG0NO1EFSiqmxJVOJ61
> 
> XNZG0c0yPvmvz6jVbwLUGeIzEOHQy2bZNYc9lzP7fbKQ
> 
> 4WLIwqQnS7iwkVaZtmub0WI+2ybCe27Xr+W/b1CwhTww
> 
> mgCJegmb/xQMGwF3zR059i+adsPy8meveGKczf7R26mV
> 
> pyynDJHFDTdBzVQH2ubGCZ3Qfnby1xq6xoNkcMUGMopQ
> 
> mHDcPQFW2IZf667ijh2oSrns18vugXlFPtT33IFMNw==
> 
> ) ; key id = 39420
> 
> I have verified my findings with two DNSSEC validation tools:
> 
> 
> 
> Sandia National Labs:
> 
> http://dnsviz.net/d/174.in-addr.arpa/dnssec/
> 
> 
> 
> Verisign:
> 
> http://dnssec-debugger.verisignlabs.com/174.in-addr.arpa
> 
> 
> 
> 
> 
> Finally, ICANN's in-addr.arpa DNSSEC Report for 15 and 16 Nov indicate an
> issue with the zone (Signed NO, DS Key YES):
> 
> 
> 
> 15th:
> 
> http://stats.research.icann.org/dns/inaddr_report/archive/20131115.003001.html
> 
> 
> 
> 16th:
> 
> http://stats.research.icann.org/dns/inaddr_report/archive/20131116.003001.html
> 
> 
> 
> While the report from the 14th says everything was working fine (Signed
> YES, DS Key YES):
> 
> http://stats.research.icann.org/dns/inaddr_report/archive/20131114.003002.html
> 
> 
> 
> I don't have historical copies of the zones to know for sure what has
> happened, but my educated guess is that the DNSKEY records changed in
> 174.in-addr.arpa during key roll-over, but the DS key in the parent zone
> hasn't been updated.
> 
> 
> 
> If that is what has happened, then either publishing a new DS key in the
> parent (in-addr.arpa.) zone, or publishing 7353 dns key and re-signing
> 174.in-addr.arpa zone correct the issue.
> 
> 
> 
> 
> 
> Thank you for your time and attention to this matter.
> 
> 
> 
> ---
> 
> *Christopher Price*
> 
> Network Operations Center
> 
> 
> 
> *SoftLayer, an IBM Company*
> 
> +1(281)714-3555 direct | +1(214)442-0600 main | noc at softlayer.com
> 
> 
> 
> _______________________________________________
> arin-tech-discuss mailing list
> arin-tech-discuss at arin.net
> http://lists.arin.net/mailman/listinfo/arin-tech-discuss
>

More information about the arin-tech-discuss mailing list