DANE broken @ addons.mozilla.org?
Viktor Dukhovni
ietf-dane at dukhovni.org
Tue Oct 13 22:02:35 CEST 2015
On Tue, Oct 13, 2015 at 09:42:37PM +0200, Andreas Pothe wrote:
> Can you confirm that addons.mozilla.org has a broken DANE entry?
No, not DANE (in fact no TLSA records published). Rather, they
have DNS nameserver issues:
http://dnsviz.net/d/_443._tcp.addons.mozilla.net/dnssec/
The akamai nameservers are returning non-authoritative NXDOMAIN
responses with no SOA record! The responses should be authoritative
and have an SOA.
$ dig +nocl +nottl +noall +ans -t ns mozilla.net. | sort
mozilla.net. NS ns1-240.akam.net.
mozilla.net. NS ns4-64.akam.net.
mozilla.net. NS ns5-65.akam.net.
mozilla.net. NS ns7-66.akam.net.
== ns1-240.akam.net. ==
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16722
;; flags: qr ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;_443._tcp.addons.mozilla.net. IN TLSA
7ua25hcif8m3f9dn4r67o9jrq23m3es2.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 7VVRF81RVM4D4L0GND2F4P6GSI7J5U3O
k9eqs0i0lqadl5cpqgag41injcinasl5.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 KBFQEIE3OI3RIEOP6DPO0ITJBJPV7Q4B CNAME RRSIG
kcer05tvt52vv1u1nen7sb239uiocqth.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 KITA65J7E621QLTTVMM8PJ0L92MQ82AP A RRSIG
== ns4-64.akam.net. ==
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22618
;; flags: qr ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;_443._tcp.addons.mozilla.net. IN TLSA
7ua25hcif8m3f9dn4r67o9jrq23m3es2.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 7VVRF81RVM4D4L0GND2F4P6GSI7J5U3O
k9eqs0i0lqadl5cpqgag41injcinasl5.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 KBFQEIE3OI3RIEOP6DPO0ITJBJPV7Q4B CNAME RRSIG
kcer05tvt52vv1u1nen7sb239uiocqth.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 KITA65J7E621QLTTVMM8PJ0L92MQ82AP A RRSIG
== ns5-65.akam.net. ==
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44991
;; flags: qr ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;_443._tcp.addons.mozilla.net. IN TLSA
7ua25hcif8m3f9dn4r67o9jrq23m3es2.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 7VVRF81RVM4D4L0GND2F4P6GSI7J5U3O
k9eqs0i0lqadl5cpqgag41injcinasl5.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 KBFQEIE3OI3RIEOP6DPO0ITJBJPV7Q4B CNAME RRSIG
kcer05tvt52vv1u1nen7sb239uiocqth.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 KITA65J7E621QLTTVMM8PJ0L92MQ82AP A RRSIG
== ns7-66.akam.net. ==
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11058
;; flags: qr ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;_443._tcp.addons.mozilla.net. IN TLSA
7ua25hcif8m3f9dn4r67o9jrq23m3es2.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 7VVRF81RVM4D4L0GND2F4P6GSI7J5U3O
k9eqs0i0lqadl5cpqgag41injcinasl5.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 KBFQEIE3OI3RIEOP6DPO0ITJBJPV7Q4B CNAME RRSIG
kcer05tvt52vv1u1nen7sb239uiocqth.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 KITA65J7E621QLTTVMM8PJ0L92MQ82AP A RRSIG
--
Viktor.
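
As an added example (not part of the original post), a small Python check for the two faults described above, run over dig-style output in the layout the post shows. The names `rr_type` and `audit` and the `ns.example.` block are made up for illustration; it assumes one `== server ==` header per response and that every record line printed belongs to that response.

```python
import re

# Constructed sample: the first block is abridged from the post's output,
# the second is a made-up healthy response for contrast.
SAMPLE = """\
== ns1-240.akam.net. ==
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16722
;; flags: qr ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;_443._tcp.addons.mozilla.net. IN TLSA
7ua25hcif8m3f9dn4r67o9jrq23m3es2.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 7VVRF81RVM4D4L0GND2F4P6GSI7J5U3O
== ns.example. ==
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;_443._tcp.www.example. IN TLSA
example. SOA ns.example. hostmaster.example. 1 7200 3600 1209600 3600
"""

def rr_type(line):
    """Type of a record line, skipping an optional TTL and class."""
    for tok in line.split()[1:]:
        if not tok.isdigit() and tok.upper() not in ("IN", "CH", "HS"):
            return tok.upper()
    return None

def audit(text):
    """Map each server to the problems found in its NXDOMAIN response."""
    servers, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"==\s*(\S+)\s*==", line):
            cur = servers.setdefault(
                m.group(1), {"status": None, "flags": set(), "types": set()})
        elif cur is None or not line.strip():
            continue
        elif m := re.search(r"status:\s*(\w+)", line):
            cur["status"] = m.group(1)
        elif m := re.match(r";;\s*flags:([^;]*);", line):
            cur["flags"] = set(m.group(1).split())
        elif not line.startswith(";"):   # record line, not a comment/question
            cur["types"].add(rr_type(line))
    report = {}
    for name, r in servers.items():
        neg = r["status"] == "NXDOMAIN"
        report[name] = [msg for bad, msg in (
            (neg and "aa" not in r["flags"], "NXDOMAIN without AA flag"),
            (neg and "SOA" not in r["types"], "NXDOMAIN without SOA")) if bad]
    return report

if __name__ == "__main__":
    for server, problems in audit(SAMPLE).items():
        print(server, "->", problems or "ok")
```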