Re: Bogus DNS data from several debian.org authoritative servers
I'm forwarding this over to debian-admin, as they're the people who can
fix this :)
Neil
On Mon, May 29, 2006 at 10:57:06AM +0200, Bjørn Mork wrote:
> First, not so serious, but still an error: All debian.org servers have
> a mismatch between the delegation and the served data, adding
> samosa.debian.org as authoritative (I know samosa is listed as primary
> in the SOA record, but it need not, and should not, be listed as
> authoritative as long as it's not listed by the delegating servers):
>
>
> Delegation:
>
> bjorn@obelix:~$ dig ns debian.org @tld1.ultradns.net
>
> ; <<>> DiG 9.3.1 <<>> ns debian.org @tld1.ultradns.net
> ; (2 servers found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12930
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3
>
> ;; QUESTION SECTION:
> ;debian.org. IN NS
>
> ;; AUTHORITY SECTION:
> debian.org. 86400 IN NS spohr.debian.org.
> debian.org. 86400 IN NS saens.debian.org.
> debian.org. 86400 IN NS klecker.debian.org.
>
> ;; ADDITIONAL SECTION:
> spohr.debian.org. 86400 IN A 140.211.166.43
> saens.debian.org. 86400 IN A 128.101.240.212
> klecker.debian.org. 86400 IN A 194.109.137.218
>
> ;; Query time: 51 msec
> ;; SERVER: 204.74.112.1#53(204.74.112.1)
> ;; WHEN: Mon May 29 10:40:36 2006
> ;; MSG SIZE rcvd: 138
>
>
>
> NS-records from klecker:
>
>
> bjorn@obelix:~$ dig ns debian.org @klecker.debian.org
>
> ; <<>> DiG 9.3.1 <<>> ns debian.org @klecker.debian.org
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53513
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
>
> ;; QUESTION SECTION:
> ;debian.org. IN NS
>
> ;; ANSWER SECTION:
> debian.org. 3600 IN NS saens.debian.org.
> debian.org. 3600 IN NS spohr.debian.org.
> debian.org. 3600 IN NS samosa.debian.org.
> debian.org. 3600 IN NS klecker.debian.org.
>
> ;; ADDITIONAL SECTION:
> saens.debian.org. 3600 IN A 128.101.240.212
> spohr.debian.org. 300 IN A 140.211.166.43
> samosa.debian.org. 3600 IN A 192.25.206.57
> klecker.debian.org. 3600 IN A 194.109.137.218
>
> ;; Query time: 50 msec
> ;; SERVER: 194.109.137.218#53(194.109.137.218)
> ;; WHEN: Mon May 29 10:41:25 2006
> ;; MSG SIZE rcvd: 175
>
>
>
>
> Second error is much more serious: Some of the servers will sometimes
> provide 0.0.0.0 as their own address in the additional data:
>
> bjorn@obelix:~$ dig soa debian.org @saens.debian.org
>
> ; <<>> DiG 9.3.1 <<>> soa debian.org @saens.debian.org
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20147
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
>
> ;; QUESTION SECTION:
> ;debian.org. IN SOA
>
> ;; ANSWER SECTION:
> debian.org. 3600 IN SOA samosa.debian.org. hostmaster.debian.org. 2006051701 10800 3600 604800 3600
>
> ;; AUTHORITY SECTION:
> debian.org. 3600 IN NS klecker.debian.org.
> debian.org. 3600 IN NS saens.debian.org.
> debian.org. 3600 IN NS spohr.debian.org.
> debian.org. 3600 IN NS samosa.debian.org.
>
> ;; ADDITIONAL SECTION:
> saens.debian.org. 3600 IN A 0.0.0.0
> spohr.debian.org. 300 IN A 140.211.166.43
> samosa.debian.org. 3600 IN A 192.25.206.57
> klecker.debian.org. 3600 IN A 194.109.137.218
>
> ;; Query time: 128 msec
> ;; SERVER: 128.101.240.212#53(128.101.240.212)
> ;; WHEN: Mon May 29 10:47:53 2006
> ;; MSG SIZE rcvd: 222
>
>
> This in spite of it claiming to have the same zone version as
> e.g. klecker:
>
> bjorn@obelix:~$ dig soa debian.org @klecker.debian.org
>
> ; <<>> DiG 9.3.1 <<>> soa debian.org @klecker.debian.org
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27220
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
>
> ;; QUESTION SECTION:
> ;debian.org. IN SOA
>
> ;; ANSWER SECTION:
> debian.org. 3600 IN SOA samosa.debian.org. hostmaster.debian.org. 2006051701 10800 3600 604800 3600
>
> ;; AUTHORITY SECTION:
> debian.org. 3600 IN NS saens.debian.org.
> debian.org. 3600 IN NS spohr.debian.org.
> debian.org. 3600 IN NS samosa.debian.org.
> debian.org. 3600 IN NS klecker.debian.org.
>
> ;; ADDITIONAL SECTION:
> saens.debian.org. 3600 IN A 128.101.240.212
> spohr.debian.org. 300 IN A 140.211.166.43
> samosa.debian.org. 3600 IN A 192.25.206.57
> klecker.debian.org. 3600 IN A 194.109.137.218
>
> ;; Query time: 52 msec
> ;; SERVER: 194.109.137.218#53(194.109.137.218)
> ;; WHEN: Mon May 29 10:48:59 2006
> ;; MSG SIZE rcvd: 222
>
>
> I've seen this bug from both saens and spohr, but can only reproduce
> it from saens right now.
>
> Note that this seems to affect *all* names referring to the
> authoritative DNS server's own address. For example:
>
>
> bjorn@obelix:~$ dig security.debian.org @saens.debian.org
>
> ; <<>> DiG 9.3.1 <<>> security.debian.org @saens.debian.org
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40968
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 4
>
> ;; QUESTION SECTION:
> ;security.debian.org. IN A
>
> ;; ANSWER SECTION:
> security.debian.org. 3600 IN A 194.109.137.218
> security.debian.org. 3600 IN A 0.0.0.0
>
> ;; AUTHORITY SECTION:
> debian.org. 3600 IN NS samosa.debian.org.
> debian.org. 3600 IN NS klecker.debian.org.
> debian.org. 3600 IN NS saens.debian.org.
> debian.org. 3600 IN NS spohr.debian.org.
>
> ;; ADDITIONAL SECTION:
> saens.debian.org. 3600 IN A 0.0.0.0
> spohr.debian.org. 300 IN A 140.211.166.43
> samosa.debian.org. 3600 IN A 192.25.206.57
> klecker.debian.org. 3600 IN A 194.109.137.218
>
> ;; Query time: 127 msec
> ;; SERVER: 128.101.240.212#53(128.101.240.212)
> ;; WHEN: Mon May 29 10:50:14 2006
> ;; MSG SIZE rcvd: 216
>
>
> Which is why I chose to post this to security. This error may not be
> possible to abuse, but it will certainly affect people's ability to
> apply security updates in a timely manner...
>
>
>
> Bjørn
> --
> You're probably Moonie yourself.
>
>
--
A. Because it breaks the logical sequence of discussion
Q. Why is top posting bad?
gpg key - http://www.halon.org.uk/pubkey.txt ; the.earth.li B345BDD3
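
The two checks run by hand in the quoted report (the delegated NS set against the NS set the zone's own servers return, and A records of 0.0.0.0 in any section of a reply), as an added example that is not part of the original messages. The function names are hypothetical, and the sample records are copied, trimmed, from the dig output quoted above.

```python
import re
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S.*)$")

def parse_dig(text):
    """Map each dig section name to its (owner, type, rdata) records."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        head = re.match(r";; (\w+) SECTION:$", line)
        rr = RR.match(line)  # owner, TTL, class IN, type, rdata
        if head:
            current = sections.setdefault(head.group(1), [])
        elif current is not None and rr:
            current.append((rr[1].lower(), rr[2], rr[3].lower()))
    return sections

def ns_set(sections, zone):
    """NS targets for zone, from a referral (AUTHORITY) or an answer."""
    return {rd for sec in ("ANSWER", "AUTHORITY")
            for owner, typ, rd in sections.get(sec, [])
            if typ == "NS" and owner == zone}

def audit(zone, delegation_text, served_text):
    """Report NS-set mismatches and 0.0.0.0 A records in the served reply."""
    served = parse_dig(served_text)
    d, s = ns_set(parse_dig(delegation_text), zone), ns_set(served, zone)
    findings = [("ns-not-delegated", n) for n in sorted(s - d)]
    findings += [("ns-not-served", n) for n in sorted(d - s)]
    for sec, rrs in served.items():
        findings += [("unspecified-address", f"{owner} ({sec})")
                     for owner, typ, rd in rrs if typ == "A" and rd == "0.0.0.0"]
    return findings

# Records copied (trimmed) from the dig output quoted in the message.
DELEGATION = """
;; AUTHORITY SECTION:
debian.org. 86400 IN NS spohr.debian.org.
debian.org. 86400 IN NS saens.debian.org.
debian.org. 86400 IN NS klecker.debian.org."""
SAENS_REPLY = """
;; ANSWER SECTION:
security.debian.org. 3600 IN A 194.109.137.218
security.debian.org. 3600 IN A 0.0.0.0
;; AUTHORITY SECTION:
debian.org. 3600 IN NS samosa.debian.org.
debian.org. 3600 IN NS klecker.debian.org.
debian.org. 3600 IN NS saens.debian.org.
debian.org. 3600 IN NS spohr.debian.org.
;; ADDITIONAL SECTION:
saens.debian.org. 3600 IN A 0.0.0.0"""
```

Calling audit("debian.org.", DELEGATION, SAENS_REPLY) returns one finding for the undelegated samosa NS record and one for each 0.0.0.0 address; feeding it saved output from each authoritative server in turn covers the intermittent case.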