I'm forwarding this over to debian-admin, as they're the people who can fix this :)
Neil

On Mon, May 29, 2006 at 10:57:06AM +0200, Bjørn Mork wrote:
> First, not so serious, but still an error: All debian.org servers have
> a mismatch between the delegation and the served data, adding
> samosa.debian.org as authoritative (I know samosa is listed as primary
> in the SOA record, but it need not, and should not, be listed as
> authoritative as long as it's not listed by the delegating servers):
>
>
> Delegation:
>
> [EMAIL PROTECTED]:~$ dig ns debian.org @tld1.ultradns.net
>
> ; <<>> DiG 9.3.1 <<>> ns debian.org @tld1.ultradns.net
> ; (2 servers found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12930
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3
>
> ;; QUESTION SECTION:
> ;debian.org. IN NS
>
> ;; AUTHORITY SECTION:
> debian.org. 86400 IN NS spohr.debian.org.
> debian.org. 86400 IN NS saens.debian.org.
> debian.org. 86400 IN NS klecker.debian.org.
>
> ;; ADDITIONAL SECTION:
> spohr.debian.org. 86400 IN A 140.211.166.43
> saens.debian.org. 86400 IN A 128.101.240.212
> klecker.debian.org. 86400 IN A 194.109.137.218
>
> ;; Query time: 51 msec
> ;; SERVER: 204.74.112.1#53(204.74.112.1)
> ;; WHEN: Mon May 29 10:40:36 2006
> ;; MSG SIZE rcvd: 138
>
>
>
> NS-records from klecker:
>
>
> [EMAIL PROTECTED]:~$ dig ns debian.org @klecker.debian.org
>
> ; <<>> DiG 9.3.1 <<>> ns debian.org @klecker.debian.org
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53513
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
>
> ;; QUESTION SECTION:
> ;debian.org. IN NS
>
> ;; ANSWER SECTION:
> debian.org. 3600 IN NS saens.debian.org.
> debian.org. 3600 IN NS spohr.debian.org.
> debian.org. 3600 IN NS samosa.debian.org.
> debian.org. 3600 IN NS klecker.debian.org.
>
> ;; ADDITIONAL SECTION:
> saens.debian.org. 3600 IN A 128.101.240.212
> spohr.debian.org. 300 IN A 140.211.166.43
> samosa.debian.org. 3600 IN A 192.25.206.57
> klecker.debian.org. 3600 IN A 194.109.137.218
>
> ;; Query time: 50 msec
> ;; SERVER: 194.109.137.218#53(194.109.137.218)
> ;; WHEN: Mon May 29 10:41:25 2006
> ;; MSG SIZE rcvd: 175
>
>
>
>
> Second error is much more serious: Some of the servers will sometimes
> provide 0.0.0.0 as its own address in the additional data:
>
> [EMAIL PROTECTED]:~$ dig soa debian.org @saens.debian.org
>
> ; <<>> DiG 9.3.1 <<>> soa debian.org @saens.debian.org
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20147
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
>
> ;; QUESTION SECTION:
> ;debian.org. IN SOA
>
> ;; ANSWER SECTION:
> debian.org. 3600 IN SOA samosa.debian.org.
> hostmaster.debian.org. 2006051701 10800 3600 604800 3600
>
> ;; AUTHORITY SECTION:
> debian.org. 3600 IN NS klecker.debian.org.
> debian.org. 3600 IN NS saens.debian.org.
> debian.org. 3600 IN NS spohr.debian.org.
> debian.org. 3600 IN NS samosa.debian.org.
>
> ;; ADDITIONAL SECTION:
> saens.debian.org. 3600 IN A 0.0.0.0
> spohr.debian.org. 300 IN A 140.211.166.43
> samosa.debian.org. 3600 IN A 192.25.206.57
> klecker.debian.org. 3600 IN A 194.109.137.218
>
> ;; Query time: 128 msec
> ;; SERVER: 128.101.240.212#53(128.101.240.212)
> ;; WHEN: Mon May 29 10:47:53 2006
> ;; MSG SIZE rcvd: 222
>
>
> This in spite of it claiming to have the same zone version as
> e.g. klecker:
>
> [EMAIL PROTECTED]:~$ dig soa debian.org @klecker.debian.org
>
> ; <<>> DiG 9.3.1 <<>> soa debian.org @klecker.debian.org
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27220
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
>
> ;; QUESTION SECTION:
> ;debian.org. IN SOA
>
> ;; ANSWER SECTION:
> debian.org. 3600 IN SOA samosa.debian.org.
> hostmaster.debian.org. 2006051701 10800 3600 604800 3600
>
> ;; AUTHORITY SECTION:
> debian.org. 3600 IN NS saens.debian.org.
> debian.org. 3600 IN NS spohr.debian.org.
> debian.org. 3600 IN NS samosa.debian.org.
> debian.org. 3600 IN NS klecker.debian.org.
>
> ;; ADDITIONAL SECTION:
> saens.debian.org. 3600 IN A 128.101.240.212
> spohr.debian.org. 300 IN A 140.211.166.43
> samosa.debian.org. 3600 IN A 192.25.206.57
> klecker.debian.org. 3600 IN A 194.109.137.218
>
> ;; Query time: 52 msec
> ;; SERVER: 194.109.137.218#53(194.109.137.218)
> ;; WHEN: Mon May 29 10:48:59 2006
> ;; MSG SIZE rcvd: 222
>
>
> I've seen this bug from both saens and spohr, but can only reproduce
> it from saens right now.
>
> Note that this seems to affect *all* names referring to the
> authoritative DNS server's own address. For example:
>
>
> [EMAIL PROTECTED]:~$ dig security.debian.org @saens.debian.org
>
> ; <<>> DiG 9.3.1 <<>> security.debian.org @saens.debian.org
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40968
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 4
>
> ;; QUESTION SECTION:
> ;security.debian.org. IN A
>
> ;; ANSWER SECTION:
> security.debian.org. 3600 IN A 194.109.137.218
> security.debian.org. 3600 IN A 0.0.0.0
>
> ;; AUTHORITY SECTION:
> debian.org. 3600 IN NS samosa.debian.org.
> debian.org. 3600 IN NS klecker.debian.org.
> debian.org. 3600 IN NS saens.debian.org.
> debian.org. 3600 IN NS spohr.debian.org.
>
> ;; ADDITIONAL SECTION:
> saens.debian.org. 3600 IN A 0.0.0.0
> spohr.debian.org. 300 IN A 140.211.166.43
> samosa.debian.org. 3600 IN A 192.25.206.57
> klecker.debian.org. 3600 IN A 194.109.137.218
>
> ;; Query time: 127 msec
> ;; SERVER: 128.101.240.212#53(128.101.240.212)
> ;; WHEN: Mon May 29 10:50:14 2006
> ;; MSG SIZE rcvd: 216
>
>
> Which is why I chose to post this to security. This error may not be
> possible to abuse, but it will certainly affect people's ability to
> apply security updates in a timely manner...
>
>
>
> Bjørn
> --
> You're probably Moonie yourself.
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>

--
A. Because it breaks the logical sequence of discussion
Q. Why is top posting bad?
gpg key - http://www.halon.org.uk/pubkey.txt ; the.earth.li B345BDD3
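
The two manual checks in the quoted report (the NS set served by the zone versus the NS set in the delegation, and 0.0.0.0 handed out as an address) can be automated over dig's default text output. The following is an added example, not part of either message; the function names are this example's own, and the sample records are trimmed from the dig output quoted above.

```python
import ipaddress

def parse_dig(text):
    """Return {section: [(owner, rtype, rdata), ...]} from dig's text output."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith(";;") and line.endswith("SECTION:"):
            current = line[2:-len("SECTION:")].strip().lower()
            sections[current] = []
        elif line.startswith(";;"):
            current = None  # trailer such as ";; Query time" ends the sections
        elif current and line and not line.startswith(";"):
            f = line.split()
            if len(f) >= 5 and f[2] == "IN":
                sections[current].append((f[0].lower(), f[3], " ".join(f[4:]).lower()))
    return sections

def ns_names(sections):
    return {rd for recs in sections.values() for _, t, rd in recs if t == "NS"}

def check(parent_text, child_text):
    parent, child = parse_dig(parent_text), parse_dig(child_text)
    delegated, served = ns_names(parent), ns_names(child)
    findings = [f"served but not delegated: {n}" for n in sorted(served - delegated)]
    findings += [f"delegated but not served: {n}" for n in sorted(delegated - served)]
    for sec, recs in child.items():
        for owner, rtype, rdata in recs:
            if rtype == "A" and ipaddress.ip_address(rdata).is_unspecified:
                findings.append(f"unspecified address in {sec}: {owner} A {rdata}")
    return findings

# Records trimmed from the dig output quoted in the message above.
PARENT = """;; AUTHORITY SECTION:
debian.org. 86400 IN NS spohr.debian.org.
debian.org. 86400 IN NS saens.debian.org.
debian.org. 86400 IN NS klecker.debian.org."""
CHILD = """;; ANSWER SECTION:
security.debian.org. 3600 IN A 194.109.137.218
security.debian.org. 3600 IN A 0.0.0.0
;; AUTHORITY SECTION:
debian.org. 3600 IN NS samosa.debian.org.
debian.org. 3600 IN NS klecker.debian.org.
debian.org. 3600 IN NS saens.debian.org.
debian.org. 3600 IN NS spohr.debian.org.
;; ADDITIONAL SECTION:
saens.debian.org. 3600 IN A 0.0.0.0
;; Query time: 127 msec"""
if __name__ == "__main__":
    print("\n".join(check(PARENT, CHILD)))
```

Because the report notes the bad address appears only intermittently, a monitor built on this would query each authoritative server repeatedly rather than once.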