Hi,
No issue from here:
dig www.numberportability.ch +trace
; <<>> DiG 9.16.33-Debian <<>> www.numberportability.ch +trace
;; global options: +cmd
. 83292 IN NS f.root-servers.net.
. 83292 IN NS a.root-servers.net.
. 83292 IN NS h.root-servers.net.
. 83292 IN NS j.root-servers.net.
. 83292 IN NS i.root-servers.net.
. 83292 IN NS g.root-servers.net.
. 83292 IN NS d.root-servers.net.
. 83292 IN NS l.root-servers.net.
. 83292 IN NS k.root-servers.net.
. 83292 IN NS b.root-servers.net.
. 83292 IN NS e.root-servers.net.
. 83292 IN NS c.root-servers.net.
. 83292 IN NS m.root-servers.net.
. 83292 IN RRSIG NS 8 0 518400 20230110050000 20221228040000 18733 . BDbOstO6sdTqBP2/ER7rX0vjTSJUR/dtnPUOg2zFbt23YhLlSYAegU78 bF5/KLREwricXZMNI6VcGzu+Hn4tYRf/soE/Iy07AagG5WBawRFPdeAS 6XVLsbyDDpSkV/RxJoy8fnAyzGiAV4B4lEpYrDiHdSMAIEn0aU/6CSle sKTsrdSucbaYTosg3bM28lcpPmpXwDWD05wFkLavfmzqut+wzGCI4ge2 AAi3apWMgDs/Ccr9UlpgblvOqMHnvJuX+YCgSyQbzFqMZRaJpHVB3UVC MJJzNgarSHWtj2E4DZMRiXJUHSHZv0FRCrJg7zmDXIahvlUJEF9LfUC9 CkM5Hw==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 4 ms

ch. 172800 IN NS f.nic.ch.
ch. 172800 IN NS a.nic.ch.
ch. 172800 IN NS d.nic.ch.
ch. 172800 IN NS b.nic.ch.
ch. 172800 IN NS e.nic.ch.
ch. 86400 IN DS 10 13 2 0E175543A74D9083EA977BAB2BEE98A771995F80982FB796B2B0B9CC 6413D1A6
ch. 86400 IN RRSIG DS 8 1 86400 20230110050000 20221228040000 18733 . BjNNpFn7hCI2Q6QS6f8m26ZFaAjhaYxcFC6W30h5xguJMN9dneex4L+9 E6bTiawb0q6tCfUkfWDj1QX8NprdxxzpNzDFo+Sksysj6vU28gFSTOl/ H84D8BQTlAWvjrQAuNMzUwNlPz1E0OsDzNpMudfhmLp3m89BNzf+ZTBg 0mSQeW4YEOoxjs86A6yVoLlZrV8msJWfotj2jaLAWaFedLLzk43NrUA1 Y1sf8CzTVma7EqHbpWX3CJrgn7ELv9G5NtFVsmNO5yrHh40fl9KJ+hx7 dlxIjuyj+UjiNgwcMC3CsEzukAopbtuZAyYYE0NLVB3qB/YsN9jEl/AC jCFjzg==
;; Received 724 bytes from 192.112.36.4#53(g.root-servers.net) in 76 ms

numberportability.ch. 3600 IN NS dns1.swizzonic.ch.
numberportability.ch. 3600 IN NS dns2.swizzonic.ch.
numberportability.ch. 3600 IN DS 10556 13 2 2A50FB3DFA2EFE6F2A80F962EA9DE6CDCA3B5B6F09D3C9D7D972902D 173528F8
numberportability.ch. 3600 IN RRSIG DS 13 2 3600 20230123175307 20221226043002 19537 ch. /JgcDzbIftFZ3vNTx5HdzF2V759lA4Cv2uh84ZWP0p1A4y+xs4aLU2ri rN1NrjW4DsMpKlpghPtIWV/m4j0xdA==
;; Received 277 bytes from 2001:678:3::1#53(e.nic.ch) in 0 ms

www.numberportability.ch. 900 IN A 164.128.159.204
www.numberportability.ch. 900 IN RRSIG A 13 3 900 20230105000000 20221215000000 10556 numberportability.ch. FuWo8czeDf/KyCcyYXJF+pYkFJ8HsIX4RrW5a9+fIGqtDUVud7+lxPo9 1oW4H1v69+Mf7rze8SdxAsODJwFUQw==
;; Received 185 bytes from 81.88.58.219#53(dns2.swizzonic.ch) in 8 ms
Also nothing here https://dnsviz.net/d/www.numberportability.ch/dnssec/
Rémy
-----Original Message-----
From: Benoit Panizzon via swinog swinog@lists.swinog.ch
Sent: Tuesday, 27 December 2022 09:45
To: swinog@swinog.ch
Subject: [swinog] DNSSEC issue with swizzonic DNS servers?
Hi List
Fancy another DNS issue hunt?
We have DNSSEC validation enabled on our BIND DNS Servers.
We started seeing:
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 2a01:8100:2901::1:183:202#53
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 2a01:8100:2901::1:183:201#53
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 81.88.58.219#53
no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 195.110.124.196#53
broken trust chain resolving 'www.numberportability.ch/HTTPS/IN': 2a01:8100:2901::1:183:202#53
broken trust chain resolving 'www.numberportability.ch/AAAA/IN': 2a01:8100:2901::1:183:202#53
client @0x803541d60 X.X.X.X#27325 (www.numberportability.ch): query failed (broken trust chain) for www.numberportability.ch/IN/AAAA at query.c:7724
And of course the query fails, disrupting access to some quite important API.
numberportability.ch. 900 IN SOA dns1.swizzonic.ch. hostmaster.swizzonic.ch. 2022121601 10800 3600 604800 86400
$ dig +dnssec RRSIG www.numberportability.ch @dns1.swizzonic.ch

; <<>> DiG 9.16.33-Debian <<>> +dnssec RRSIG www.numberportability.ch @dns1.swizzonic.ch
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 39132
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
So, from my point of view, the authoritative DNS server thinks this is a recursive query and refuses to answer with the RRSIG, breaking validation of that record.
Do you get to the same conclusion? Can you resolve this host via any other DNSSEC validating nameserver?
I had no success contacting any technically inclined staff willing to look at the issue since the issue started on 16. December via hostmaster@swizzonic.ch by phone or via support@register.it. So if anyone from Swizzonic is reading here, it would be nice to get a direct contact to further investigate that issue.
Kind regards
-Benoît Panizzon-
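
Added example, not part of either message in this thread: a Python check over the DS and RRSIG header fields from the dig +trace output above. For each RRSIG it reports whether the signature is inside its validity window at a chosen time and whether a DS in the same capture names the signing key directly. The function names and the check time (the original message's send time, taken as UTC) are assumptions.

```python
from datetime import datetime, timezone

# DS and RRSIG records copied from the dig +trace output in this thread
# (signature blobs dropped; only the header fields are checked here).
TRACE = """\
ch. 86400 IN DS 10 13 2 0E175543A74D9083EA977BAB2BEE98A771995F80982FB796B2B0B9CC 6413D1A6
numberportability.ch. 3600 IN DS 10556 13 2 2A50FB3DFA2EFE6F2A80F962EA9DE6CDCA3B5B6F09D3C9D7D972902D 173528F8
numberportability.ch. 3600 IN RRSIG DS 13 2 3600 20230123175307 20221226043002 19537 ch.
www.numberportability.ch. 900 IN RRSIG A 13 3 900 20230105000000 20221215000000 10556 numberportability.ch.
"""

def _ts(stamp):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse(text):
    """Split presentation-format lines into DS and RRSIG header fields."""
    ds, sigs = [], []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[2] != "IN":
            continue
        owner, rtype, rd = f[0].lower(), f[3], f[4:]
        if rtype == "DS":
            ds.append({"owner": owner, "tag": int(rd[0]), "alg": int(rd[1])})
        elif rtype == "RRSIG" and len(rd) >= 8:
            # rd: covered type, alg, labels, orig TTL, expiration, inception, key tag, signer
            sigs.append({"rrset": f"{owner}/{rd[0]}", "alg": int(rd[1]),
                         "expire": _ts(rd[4]), "incept": _ts(rd[5]),
                         "tag": int(rd[6]), "signer": rd[7].lower()})
    return ds, sigs

def chain_report(text, now):
    """Per RRSIG: is it inside its validity window, and does a DS in the
    same capture name the signing key directly (same key tag and algorithm)?
    ds_names_key == False is not an error by itself: with a split KSK/ZSK the
    DS names the KSK, and the DNSKEY RRset must be fetched to link the two."""
    ds, sigs = parse(text)
    return {s["rrset"]: {
                "in_window": s["incept"] <= now <= s["expire"],
                "ds_names_key": any(d["owner"] == s["signer"] and d["tag"] == s["tag"]
                                    and d["alg"] == s["alg"] for d in ds)}
            for s in sigs}

if __name__ == "__main__":
    # Assumed check time: the original message's send time, taken as UTC.
    when = datetime(2022, 12, 27, 9, 45, tzinfo=timezone.utc)
    for rrset, result in chain_report(TRACE, when).items():
        print(rrset, result)
```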