For those interested in the cause:

The domain dnssec.works, which hosts ns1 and ns2 (both public NS for
mailop.org at that time), had undergone a change in how DNSSEC should be
maintained automatically by the name server (read: BIND9). The change was
moving from a simple "auto-dnssec maintain" option within a zone to a more
elaborate form of "dnssec-policy", which allows tuning many aspects of such a
policy.

The defaults for a dnssec-policy foresee a TTL of max. 86400 for certain values
and the zone for dnssec.works had a TTL two times this value. Analysis has
shown BIND noticed this and logged it wouldn't apply the policy, but this went
unnoticed by the operator. And then the key for dnssec.works wasn't renewed, and
dnssec.works became a domain whose replies would be suppressed by
DNSSEC-validating resolvers, because the key had expired. The fact that
mailop.org's zone including its DNSSEC status was fully intact all the time
didn't count. It was the nameserver's DNSSEC-enabled zone causing the
problems.

Learning? Read the logs more closely and create new tests for monitoring.

And…

We think BIND should do "the right thing" instead of breaking the service.
This, we think, would be to limit TTLs to what the dnssec-policy says even if
the zone would specify a higher limit. We'll suggest that to ISC.

p@rick
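A monitoring check in the spirit of the "create new tests for monitoring" lesson above, added here as an example and not code from this thread or from sys4: it parses RRSIG lines in the `dig +dnssec +short` shape quoted in the thread and flags signatures that are expired or inside a warning window, and it reduces a Cloudflare DoH JSON answer to its status and EDE codes so a probe can alert on exactly the "Signature Expired" failure seen here. The sample inputs are constructed from the thread's quoted output and the function names are my own; the point is to run the RRSIG check against the nameservers' own zone (dnssec.works) as well as the hosted zone.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the thread's `dig +dnssec +short NS mailop.org`
# output (signature base64 shortened); no live query is made.
SAMPLE_DIG_SHORT = """nsx02.sys4.farm.
nsx01.sys4.de.
NS 13 2 600 20240823114232 20240724104232 12161 mailop.org. XEBJvB9zDngoFACb...
"""
# Constructed sample shaped like the Cloudflare DoH JSON answer quoted in the thread.
SAMPLE_DOH = json.dumps({"Status": 2, "AD": False, "Comment": [
    "EDE(7): Signature Expired for DNSKEY dnssec.works., id = 41779: RRSIG "
    "dnssec.works., expiration = 1721570770", "EDE(18): Prohibited"]})

def rrsig_time(s):
    """RRSIG presentation time YYYYMMDDHHmmSS -> aware UTC datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """(type, expiration, inception, key_tag, signer) per RRSIG line (RFC 4034 order)."""
    sigs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 9 and len(f[4]) == 14 and f[4].isdigit() and f[5].isdigit():
            sigs.append((f[0], rrsig_time(f[4]), rrsig_time(f[5]), int(f[6]), f[7]))
    return sigs

def check_rrsigs(text, now, warn=timedelta(days=7)):
    """Per-RRSIG verdict: 'expired', 'expiring' (inside the warn window) or 'ok'."""
    verdicts = {}
    for typ, exp, _inc, tag, signer in parse_rrsigs(text):
        state = "expired" if now >= exp else "expiring" if exp - now <= warn else "ok"
        verdicts[(signer, typ, tag)] = state
    return verdicts

EDE_RE = re.compile(r"EDE\((\d+)\)")
EXP_RE = re.compile(r"expiration = (\d+)")

def doh_failure(doc):
    """Reduce a DoH JSON answer to (rcode, [EDE codes], expired_at) so a probe can
    alert on SERVFAIL (Status 2) with EDE 7 'Signature Expired' specifically."""
    d = json.loads(doc)
    codes, expired_at = [], None
    for c in d.get("Comment", []):
        codes += [int(m) for m in EDE_RE.findall(c)]
        m = EXP_RE.search(c)
        if m:
            expired_at = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
    return d["Status"], codes, expired_at
```

Feed `check_rrsigs` the live `dig +dnssec +short DNSKEY <zone>` output of every zone the nameservers themselves live in, and treat any "expiring" verdict as a page, not a log line.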

* Patrick Ben Koetter via mailop <p...@sys4.de>:
> Greetings,
> 
> we've migrated the DNS zone for mailop.org to other nameservers. These are
> located in two different TLDs and in two different computing centers. This
> should prevent the cause we ran into with the NSes formerly in place.
> It will take a while until the news has spread, but the issue should be
> resolved if you see this in your output:
> 
> # dig +dnssec +short NS mailop.org
> nsx02.sys4.farm.
> nsx01.sys4.de.
> NS 13 2 600 20240823114232 20240724104232 12161 mailop.org. 
> XEBJvB9zDngoFACbDZMdKVIRxa1yRSJbu3v/1JedjfNK+fGtYEIIwux7 
> BrNT2Fpv664RO6IHBEFZFOzdhL3+ug==
> 
> 
> The 'ad' flag in the following output flags section indicates 'authenticated
> data', proving DNSSEC works:
> 
> ; <<>> DiG 9.10.6 <<>> +dnssec MX mailop.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1546
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1232
> ;; QUESTION SECTION:
> ;mailop.org.                  IN      MX
> 
> ;; ANSWER SECTION:
> mailop.org.           290     IN      MX      5 mx.mailop.org.
> mailop.org.           290     IN      RRSIG   MX 13 2 300 20240823010723 
> 20240724005945 12161 mailop.org. 
> DTSdBekHXfLRPG8VhlaWtldQhRhp2Fb6y8v2I73ePuiTv04MIr7kSmS6 
> L/GvYSQvlcrgvuKm0YfqijVrYgXCtQ==
> 
> ;; Query time: 42 msec
> ;; SERVER: 
> 2001:a61:126c:fe80:de58:bcff:fee0:285a#53(2001:a61:126c:fe80:de58:bcff:fee0:285a)
> ;; WHEN: Wed Jul 24 15:43:53 CEST 2024
> ;; MSG SIZE  rcvd: 164
> 
> 
> Regards,
> 
> Patrick
> 
> 
> 
> 
> > On 24.07.2024 at 12:55, Patrick Ben Koetter via mailop
> > <mailop@mailop.org> wrote:
> > 
> > Greetings.
> > 
> > 
> >> On 24.07.2024 at 11:50, Serhii via mailop <mailop@mailop.org> wrote:
> >> 
> >> Hello,
> >> 
> >> I have started a migration to a new MX recently and I have discovered that
> >> the new MX rejects mx.mailop.org early due to DNS
> >> failure. As I can see now, it is related to DNSSEC problems (at the new
> >> machine, I have DNSSEC restricted from downgrading). I have checked if it
> >> is my resolver being faulty but no, I am able to replicate this problem
> >> using Cloudflare DoH:
> > 
> > 
> > it's an operational problem at the public nameservers, ns1.dnssec.works and
> > ns2.dnssec.works, end. They don't pick up the new RRSIG signature from the
> > hidden primary and their own DNS zone seems to be broken. The log on
> > mailop.org's primary end tells it notifies the
> > machines, but then no AXFR takes place. Firewall settings allow
> > communication. Everything from the hidden primaries' side says it SHOULD
> > work, but as reality has it it doesn't.
> > 
> > Unfortunately I can't notify the person running the two nameservers at the
> > moment, as he is offline until Sunday. I'll drop him a message, but that's
> > all I can do for now.
> >  
> > I will check other options in the meantime.
> > 
> > Patrick
> > 
> > 
> > 
> >> 
> >>> $ curl --silent --http2 --header "accept: application/dns-json" \
> >>>   "https://1.1.1.1/dns-query?name=mx.mailop.org" | jq .
> >>> {
> >>>  "Status": 2,
> >>>  "TC": false,
> >>>  "RD": true,
> >>>  "RA": true,
> >>>  "AD": false,
> >>>  "CD": false,
> >>>  "Question": [
> >>>    {
> >>>      "name": "mx.mailop.org",
> >>>      "type": 1
> >>>    }
> >>>  ],
> >>>  "Comment": [
> >>>    "EDE(7): Signature Expired for DNSKEY dnssec.works., id = 41779: RRSIG 
> >>> dnssec.works., expiration = 1721570770",
> >>>    "EDE(18): Prohibited"
> >>>  ]
> >>> }
> >> 
> >> 
> >> 
> >> -- 
> >> Send unsolicited bulk mail to carl...@at.encryp.ch
> >> _______________________________________________
> >> mailop mailing list
> >> mailop@mailop.org
> >> https://list.mailop.org/listinfo/mailop
> > 
> > [*] sys4 AG
> > 
> > http://sys4.de, +49 (89) 30 90 46 64
> > Schleißheimer Straße 26/MG, 80333 München
> > 
> > Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
> > Vorstand: Patrick Ben Koetter, Marc Schiffbauer
> > Aufsichtsratsvorsitzender: Florian Kirstein
> > 
> 
> 
