Mailing List Archive

DNSSEC issues .se
Anyone else seeing dnssec issues on unsigned .se domains? Apparently, if an unsigned domain is followed by a signed domain in the .se zone - the domain won't resolve due to NSEC errors.

Example: Sportbladet.se Kgkfastigheter.se Deltacity.se
Best Regards,
Jonathan Sélea
Re: DNSSEC issues .se [ In reply to ]
Just to give a counter example for investigation (not sure where it is
in the zone, replying quickly), my silvermou.se is resolving

On 4 Feb 2022, at 16:25, Jonathan Sélea via Outages wrote:

> Anyone else seeing dnssec issues on unsigned .se domains?
>
> Apparently, if an unsigned domain is followed by a signed domain in the
> .se zone - the domain won't resolve due to NSEC errors.
>
> Example:
>
> Sportbladet.se
>
> Kgkfastigheter.se
>
> Deltacity.se
>
> _______________________________________________
> Outages mailing list
> Outages@outages.org
> https://puck.nether.net/mailman/listinfo/outages
Re: DNSSEC issues .se [ In reply to ]
This just came from IIS:

We currently have an incorrect .se zone file published, where approximately 9,000 .se domains have incorrect DNSSEC signatures, i.e. DNSSEC validated resolvers will not approve naming of these 9,000 domains. Work with troubleshooting and measures is in progress. We will inform again as soon as we have new information about this.

Kind regards,

Registry Services
The Swedish Internet Foundation

I personally have been investigating this since 14:00 – and contacted IIS around 15:00, and it took two more hours for them to actually acknowledge the problem.

https://twitter.com/stiftelsen/status/1489638246648889352

Best Regards,
Jonathan Sélea

From: Outages <outages-bounces@outages.org> On Behalf Of James Lawrie via Outages
Sent: 4 February 2022 17:31
To: Outages <outages@outages.org>
Subject: Re: [outages] DNSSEC issues .se



Just to give a counter example for investigation (not sure where it is in the zone, replying quickly), my silvermou.se is resolving

Re: DNSSEC issues .se [ In reply to ]
On Fri, Feb 04, 2022 at 04:25:57PM +0000,
Jonathan Sélea via Outages <outages@outages.org> wrote
a message of 768 lines which said:

> Anyone else seeing dnssec issues on unsigned .se domains?

Indeed https://dnsviz.net/d/sportbladet.se/Yf1XbQ/dnssec/

> Apparently, if an unsigned domain is followed by a signed domain in the
> .se zone - the domain won't resolve due to NSEC errors.

Indeed, the NSEC signature is strange:

% dig @a.ns.se. +cd +dnssec A Sportbladet.se

; <<>> DiG 9.16.1-Ubuntu <<>> @a.ns.se. +cd +dnssec A Sportbladet.se
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24863
;; flags: qr rd cd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 4e597800e9df28eb0100000061fd57eba6944eceaffbe5ee (good)
;; QUESTION SECTION:
;Sportbladet.se. IN A

;; AUTHORITY SECTION:
sportbladet.se. 86400 IN NS dns04.ports.net.
sportbladet.se. 86400 IN NS dns01.dipcon.com.
sportbladet.se. 86400 IN NS dns02.ports.se.
sportbladet.se. 86400 IN NS dns03.ports.se.
sportbladet.se. 7200 IN NSEC sportbladet-tv.se. NS RRSIG NSEC
sportbladet.se. 7200 IN RRSIG NSEC 8 2 7200 (
20220217023427 20220204111055 30015 se.
AAH/////////////////////////////////////////
////////////////////////////////////////////
////////////////////////////////////////////
////////////////////////////////////////////
////////////////////////////////////////////
////////////////////////////////////////////
////////ADAxMA0GCWCGSAFlAwQCAQUABCDDlM45/p82
gs9EuWI0BODTVEgrkVM5ZrtG98oLVgefGQ== )

;; ADDITIONAL SECTION:
dns03.ports.se. 86400 IN AAAA 2a04:3540:1000:310:287e:f6ff:fe1d:4789
dns02.ports.se. 86400 IN AAAA 2001:19f0:5001:2a:5400:ff:fe38:1e6f
dns03.ports.se. 86400 IN A 94.237.33.102
dns02.ports.se. 86400 IN A 45.63.42.179

;; Query time: 35 msec
;; SERVER: 2a01:3f0:0:301::53#53(2a01:3f0:0:301::53)
;; WHEN: ven. févr. 04 17:44:27 CET 2022
;; MSG SIZE rcvd: 607
Re: DNSSEC issues .se [ In reply to ]
On Fri, Feb 04, 2022 at 04:25:57PM +0000,
Jonathan Sélea via Outages <outages@outages.org> wrote
a message of 768 lines which said:

> Anyone else seeing dnssec issues on unsigned .se domains?

You can see it with RIPE Atlas probes as well:

% blaeu-resolve --requested 100 --displayvalidation --type A deltacity.se
[ERROR: SERVFAIL] : 76 occurrences
[193.234.101.92] : 24 occurrences
Test #38299487 done at 2022-02-04T16:56:37Z

(Only the non-validating resolvers can resolve it.)
Re: DNSSEC issues .se [ In reply to ]
On Fri, Feb 04, 2022 at 04:25:57PM +0000,
Jonathan Sélea via Outages <outages@outages.org> wrote
a message of 768 lines which said:

> Anyone else seeing dnssec issues on unsigned .se domains?
> Apparently, if an unsigned domain is followed by a signed domain in the
> .se zone - the domain won't resolve due to NSEC errors.

Not only. deltacity.se is signed but the DS record also has the
strange signature:

% dig @a.ns.se DS deltacity.se

; <<>> DiG 9.16.1-Ubuntu <<>> @a.ns.se DS deltacity.se
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16734
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 43b7c3680ea3613a0100000061fd5b79523d4d0ce26efd10 (good)
;; QUESTION SECTION:
;deltacity.se. IN DS

;; ANSWER SECTION:
deltacity.se. 3600 IN DS 2371 13 2 (
10D93CDBC66AB7BDAD1B5DAA0C91C3CAC83FC5E5D0D2
9A4D5C5A60C1029C4C90 )
deltacity.se. 3600 IN RRSIG DS 8 2 3600 (
20220218000621 20220204111055 30015 se.
AAH/////////////////////////////////////////
////////////////////////////////////////////
////////////////////////////////////////////
////////////////////////////////////////////
////////////////////////////////////////////
////////////////////////////////////////////
////////ADAxMA0GCWCGSAFlAwQCAQUABCAPBvXtziUA
4hVkukIixa7pw08KxXpzzylxHdz2eM6gfg== )

;; Query time: 39 msec
;; SERVER: 2a01:3f0:0:301::53#53(2a01:3f0:0:301::53)
;; WHEN: ven. févr. 04 17:59:38 CET 2022
;; MSG SIZE rcvd: 407
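
Added example (not part of the thread or of any poster's message): decoding the base64 signature field of the two RRSIGs in the dig outputs above shows what makes them "strange". The bytes have the layout of a bare EMSA-PKCS1-v1_5 encoded message from RFC 8017 (00 01, a run of FF, 00, then a SHA-256 DigestInfo and digest) rather than the random-looking output of an RSA private-key operation. The function name, the constructed control value and the count of 269 '/' characters (derived from dig's 44-column wrapping) are assumptions of this sketch.

```python
import base64

# DER DigestInfo prefixes for EMSA-PKCS1-v1_5 (RFC 8017, section 9.2).
# The last byte of each prefix is the length of the digest that follows.
DIGESTINFO = {
    "SHA-1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "SHA-256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "SHA-512": bytes.fromhex("3051300d060960864801650304020305000440"),
}

def from_dig(tail):
    # Signature field as printed by dig above: "AAH", then 269 '/' characters
    # (assumes dig's 44-column wrapping of the base64 lines), then the tail.
    return "AAH" + "/" * 269 + tail

# RRSIG NSEC for sportbladet.se and RRSIG DS for deltacity.se, from the thread.
NSEC_SIG = from_dig("ADAxMA0GCWCGSAFlAwQCAQUABCDDlM45/p82"
                    "gs9EuWI0BODTVEgrkVM5ZrtG98oLVgefGQ==")
DS_SIG = from_dig("ADAxMA0GCWCGSAFlAwQCAQUABCAPBvXtziUA"
                  "4hVkukIixa7pw08KxXpzzylxHdz2eM6gfg==")
# Constructed control value: 256 bytes that do not start with the 00 01 marker.
CONTROL_SIG = base64.b64encode(
    bytes((i * 7 + 3) % 256 for i in range(256))).decode()

def parse_raw_emsa(sig_b64):
    """Return (hash_name, ff_count, digest_hex) if the signature bytes are a bare
    EMSA-PKCS1-v1_5 block (00 01 FF..FF 00 DigestInfo digest), else None."""
    sig = base64.b64decode(sig_b64, validate=True)
    if sig[:2] != b"\x00\x01":
        return None
    end = sig.find(b"\x00", 2)  # separator byte after the FF padding
    if end < 10 or sig[2:end] != b"\xff" * (end - 2):
        return None  # RFC 8017 requires at least 8 bytes of FF padding
    body = sig[end + 1:]
    for name, prefix in DIGESTINFO.items():
        if body.startswith(prefix) and len(body) - len(prefix) == prefix[-1]:
            return name, end - 2, body[len(prefix):].hex()
    return None

if __name__ == "__main__":
    for label, sig in (("NSEC", NSEC_SIG), ("DS", DS_SIG),
                       ("control", CONTROL_SIG)):
        print(label, parse_raw_emsa(sig))
```

A check like this can run over the RRSIGs of a freshly signed zone before publication; any signature it matches will fail validation on every validating resolver.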
Re: DNSSEC issues .se [ In reply to ]
Internetstiftelsen has finally posted about the issue on the website -
https://internetstiftelsen.se/pagaende-problem-se-domaner/


We are currently investigating which domains are affected and have taken
measures to prevent more domains from being affected. We are working hard to
solve the problem.

15:30
Information that NSEC signatures do not work

15:45
.se and .nu updates are turned off

15:50
Confirmed that about 8,000 domains are affected

16:00-
Troubleshooting and attempts at new signatures are in progress