
Bogus DNS data from several debian.org authoritative servers



First, not so serious, but still an error: All debian.org servers have
a mismatch between the delegation and the served data, adding
samosa.debian.org as authoritative (I know samosa is listed as primary
in the SOA record, but it need not, and should not, be listed as
authoritative as long as it's not listed by the delegating servers):


Delegation:

bjorn@obelix:~$ dig ns debian.org @tld1.ultradns.net

; <<>> DiG 9.3.1 <<>> ns debian.org @tld1.ultradns.net
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12930
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;debian.org.                    IN      NS

;; AUTHORITY SECTION:
debian.org.             86400   IN      NS      spohr.debian.org.
debian.org.             86400   IN      NS      saens.debian.org.
debian.org.             86400   IN      NS      klecker.debian.org.

;; ADDITIONAL SECTION:
spohr.debian.org.       86400   IN      A       140.211.166.43
saens.debian.org.       86400   IN      A       128.101.240.212
klecker.debian.org.     86400   IN      A       194.109.137.218

;; Query time: 51 msec
;; SERVER: 204.74.112.1#53(204.74.112.1)
;; WHEN: Mon May 29 10:40:36 2006
;; MSG SIZE  rcvd: 138



NS-records from klecker:


bjorn@obelix:~$ dig ns debian.org @klecker.debian.org

; <<>> DiG 9.3.1 <<>> ns debian.org @klecker.debian.org
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53513
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4

;; QUESTION SECTION:
;debian.org.                    IN      NS

;; ANSWER SECTION:
debian.org.             3600    IN      NS      saens.debian.org.
debian.org.             3600    IN      NS      spohr.debian.org.
debian.org.             3600    IN      NS      samosa.debian.org.
debian.org.             3600    IN      NS      klecker.debian.org.

;; ADDITIONAL SECTION:
saens.debian.org.       3600    IN      A       128.101.240.212
spohr.debian.org.       300     IN      A       140.211.166.43
samosa.debian.org.      3600    IN      A       192.25.206.57
klecker.debian.org.     3600    IN      A       194.109.137.218

;; Query time: 50 msec
;; SERVER: 194.109.137.218#53(194.109.137.218)
;; WHEN: Mon May 29 10:41:25 2006
;; MSG SIZE  rcvd: 175




Second error is much more serious: Some of the servers will sometimes
provide 0.0.0.0 as their own address in the additional data:

bjorn@obelix:~$ dig soa debian.org @saens.debian.org

; <<>> DiG 9.3.1 <<>> soa debian.org @saens.debian.org
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20147
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;debian.org.                    IN      SOA

;; ANSWER SECTION:
debian.org.             3600    IN      SOA     samosa.debian.org. hostmaster.debian.org. 2006051701 10800 3600 604800 3600

;; AUTHORITY SECTION:
debian.org.             3600    IN      NS      klecker.debian.org.
debian.org.             3600    IN      NS      saens.debian.org.
debian.org.             3600    IN      NS      spohr.debian.org.
debian.org.             3600    IN      NS      samosa.debian.org.

;; ADDITIONAL SECTION:
saens.debian.org.       3600    IN      A       0.0.0.0
spohr.debian.org.       300     IN      A       140.211.166.43
samosa.debian.org.      3600    IN      A       192.25.206.57
klecker.debian.org.     3600    IN      A       194.109.137.218

;; Query time: 128 msec
;; SERVER: 128.101.240.212#53(128.101.240.212)
;; WHEN: Mon May 29 10:47:53 2006
;; MSG SIZE  rcvd: 222


This in spite of it claiming to have the same zone version as
e.g. klecker: 

bjorn@obelix:~$ dig soa debian.org @klecker.debian.org

; <<>> DiG 9.3.1 <<>> soa debian.org @klecker.debian.org
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27220
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;debian.org.                    IN      SOA

;; ANSWER SECTION:
debian.org.             3600    IN      SOA     samosa.debian.org. hostmaster.debian.org. 2006051701 10800 3600 604800 3600

;; AUTHORITY SECTION:
debian.org.             3600    IN      NS      saens.debian.org.
debian.org.             3600    IN      NS      spohr.debian.org.
debian.org.             3600    IN      NS      samosa.debian.org.
debian.org.             3600    IN      NS      klecker.debian.org.

;; ADDITIONAL SECTION:
saens.debian.org.       3600    IN      A       128.101.240.212
spohr.debian.org.       300     IN      A       140.211.166.43
samosa.debian.org.      3600    IN      A       192.25.206.57
klecker.debian.org.     3600    IN      A       194.109.137.218

;; Query time: 52 msec
;; SERVER: 194.109.137.218#53(194.109.137.218)
;; WHEN: Mon May 29 10:48:59 2006
;; MSG SIZE  rcvd: 222


I've seen this bug from both saens and spohr, but can only reproduce
it from saens right now.  

Note that this seems to affect *all* names referring to the
authoritative DNS server's own address.  For example:


bjorn@obelix:~$ dig security.debian.org @saens.debian.org

; <<>> DiG 9.3.1 <<>> security.debian.org @saens.debian.org
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40968
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;security.debian.org.           IN      A

;; ANSWER SECTION:
security.debian.org.    3600    IN      A       194.109.137.218
security.debian.org.    3600    IN      A       0.0.0.0

;; AUTHORITY SECTION:
debian.org.             3600    IN      NS      samosa.debian.org.
debian.org.             3600    IN      NS      klecker.debian.org.
debian.org.             3600    IN      NS      saens.debian.org.
debian.org.             3600    IN      NS      spohr.debian.org.

;; ADDITIONAL SECTION:
saens.debian.org.       3600    IN      A       0.0.0.0
spohr.debian.org.       300     IN      A       140.211.166.43
samosa.debian.org.      3600    IN      A       192.25.206.57
klecker.debian.org.     3600    IN      A       194.109.137.218

;; Query time: 127 msec
;; SERVER: 128.101.240.212#53(128.101.240.212)
;; WHEN: Mon May 29 10:50:14 2006
;; MSG SIZE  rcvd: 216


Which is why I chose to post this to security.  This error may not be
possible to abuse, but it will certainly affect people's ability to
apply security updates in a timely manner...



Bjørn
-- 
You're probably Moonie yourself.
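
The two checks made by hand in the message above (delegation NS set versus the NS set the zone's own servers return, and 0.0.0.0 appearing as an A record) can be automated over saved dig output. This is an added example, not part of the original message; the function names are hypothetical and the sample text is abridged from the dig output quoted above.

```python
import ipaddress
import re

# Sample input abridged from the dig output quoted in the message above.
DELEGATION = """\
;; AUTHORITY SECTION:
debian.org.             86400   IN      NS      spohr.debian.org.
debian.org.             86400   IN      NS      saens.debian.org.
debian.org.             86400   IN      NS      klecker.debian.org.
"""
SAENS_ANSWER = """\
;; ANSWER SECTION:
security.debian.org.    3600    IN      A       194.109.137.218
security.debian.org.    3600    IN      A       0.0.0.0
;; AUTHORITY SECTION:
debian.org.             3600    IN      NS      samosa.debian.org.
debian.org.             3600    IN      NS      klecker.debian.org.
debian.org.             3600    IN      NS      saens.debian.org.
debian.org.             3600    IN      NS      spohr.debian.org.
;; ADDITIONAL SECTION:
saens.debian.org.       3600    IN      A       0.0.0.0
"""
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+?)\s*$")

def parse_dig(text):
    """Return (section, owner, rtype, rdata) for every record line."""
    section, records = None, []
    for line in text.splitlines():
        header = re.match(r"^;; (\w+) SECTION:", line)
        if header:
            section = header.group(1)
        elif section and not line.startswith(";"):
            m = RR.match(line)
            if m:
                records.append((section, m.group(1).lower(), m.group(3), m.group(4).lower()))
    return records

def ns_set(records, zone):
    return {rdata for _, owner, rtype, rdata in records if rtype == "NS" and owner == zone}

def ns_mismatch(parent, child, zone):
    """NS names only the parent lists, and NS names only the zone's own server lists."""
    p, c = ns_set(parse_dig(parent), zone), ns_set(parse_dig(child), zone)
    return sorted(p - c), sorted(c - p)

def bogus_addresses(text):
    """A records whose address is unspecified, loopback or otherwise not global."""
    return [(sec, owner, rdata) for sec, owner, rtype, rdata in parse_dig(text)
            if rtype == "A" and not ipaddress.ip_address(rdata).is_global]
```

Run against the saved output of each authoritative server in turn, since the message notes the bad address only shows up from some servers and only some of the time.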


