Lame ipv6 reverse delegations


#1

Just noticed that a number of zones delegated to a.ns.uk0.bigv.io and b.ns.uk0.bigv.io is missing from these servers, making them return REFUSED. This in turn results in SERVFAIL from caches following the lame delegations.

Examples:

louie:~# dig soa 0.0.0.0.1.5.0.0.8.c.1.4.1.0.0.2.ip6.arpa @a.ns.bytemark.co.uk

; <<>> DiG 9.9.5-9+deb8u10-Debian <<>> soa 0.0.0.0.1.5.0.0.8.c.1.4.1.0.0.2.ip6.arpa @a.ns.bytemark.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50112
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;0.0.0.0.1.5.0.0.8.c.1.4.1.0.0.2.ip6.arpa. IN SOA

;; AUTHORITY SECTION:
0.0.1.5.0.0.8.c.1.4.1.0.0.2.ip6.arpa. 259200 IN NS a.ns.uk0.bigv.io.
0.0.1.5.0.0.8.c.1.4.1.0.0.2.ip6.arpa. 259200 IN NS b.ns.uk0.bigv.io.

;; ADDITIONAL SECTION:
a.ns.uk0.bigv.io.       259200  IN      A       213.138.96.11
b.ns.uk0.bigv.io.       259200  IN      A       213.138.96.12

;; Query time: 2 msec
;; SERVER: 2001:41c8:2::3#53(2001:41c8:2::3)
;; WHEN: Thu Mar 02 13:31:37 GMT 2017
;; MSG SIZE  rcvd: 136

louie:~# dig soa 0.0.0.0.1.5.0.0.8.c.1.4.1.0.0.2.ip6.arpa @a.ns.uk0.bigv.io.  

; <<>> DiG 9.9.5-9+deb8u10-Debian <<>> soa 0.0.0.0.1.5.0.0.8.c.1.4.1.0.0.2.ip6.arpa @a.ns.uk0.bigv.io.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 11177
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;0.0.0.0.1.5.0.0.8.c.1.4.1.0.0.2.ip6.arpa. IN SOA

;; Query time: 28 msec
;; SERVER: 2001:41c8:50:0:4::1#53(2001:41c8:50:0:4::1)
;; WHEN: Thu Mar 02 13:31:59 GMT 2017
;; MSG SIZE  rcvd: 69

louie:~# dig soa 0.0.0.0.0.5.0.0.8.c.1.4.1.0.0.2.ip6.arpa @a.ns.uk0.bigv.io.  

; <<>> DiG 9.9.5-9+deb8u10-Debian <<>> soa 0.0.0.0.0.5.0.0.8.c.1.4.1.0.0.2.ip6.arpa @a.ns.uk0.bigv.io.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 32093
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;0.0.0.0.0.5.0.0.8.c.1.4.1.0.0.2.ip6.arpa. IN SOA

;; Query time: 1 msec
;; SERVER: 2001:41c8:50:0:4::1#53(2001:41c8:50:0:4::1)
;; WHEN: Thu Mar 02 13:32:54 GMT 2017
;; MSG SIZE  rcvd: 69

One noticable bad effect of this is that any attempt to look up the IPv6 addresses of the a.ns.uk0.bigv.io and b.ns.uk0.bigv.io servers themselves end up with SERVFAIL:

louie:~# host a.ns.uk0.bigv.io.
a.ns.uk0.bigv.io has address 213.138.96.11
a.ns.uk0.bigv.io has IPv6 address 2001:41c8:50:0:4::1
louie:~# dig -x 2001:41c8:50:0:4::1

; <<>> DiG 9.9.5-9+deb8u10-Debian <<>> -x 2001:41c8:50:0:4::1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12762
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;1.0.0.0.0.0.0.0.0.0.0.0.4.0.0.0.0.0.0.0.0.5.0.0.8.c.1.4.1.0.0.2.ip6.arpa. IN PTR

;; Query time: 98 msec
;; SERVER: 2001:41c8:2::1#53(2001:41c8:2::1)
;; WHEN: Thu Mar 02 13:34:41 GMT 2017
;; MSG SIZE  rcvd: 90

#2

Thanks for that. I’ll look into it.


#3

This issue is still present. A number of reverse zones are delegated from {a,b,c}.ns.bytemark.co.uk to {a,b}.ns.uk0.bigv.io but not configured on the latter. For example:

bjorn@miraculix:~$ dig ns 0.0.1.5.0.0.8.c.1.4.1.0.0.2.ip6.arpa @a.ns.bytemark.co.uk

; <<>> DiG 9.11.5-P4-1-Debian <<>> ns 0.0.1.5.0.0.8.c.1.4.1.0.0.2.ip6.arpa @a.ns.bytemark.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32314
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;0.0.1.5.0.0.8.c.1.4.1.0.0.2.ip6.arpa. IN NS

;; AUTHORITY SECTION:
0.0.1.5.0.0.8.c.1.4.1.0.0.2.ip6.arpa. 259200 IN NS a.ns.uk0.bigv.io.
0.0.1.5.0.0.8.c.1.4.1.0.0.2.ip6.arpa. 259200 IN NS b.ns.uk0.bigv.io.

;; ADDITIONAL SECTION:
a.ns.uk0.bigv.io.       259200  IN      A       213.138.96.11
b.ns.uk0.bigv.io.       259200  IN      A       213.138.96.12

;; Query time: 61 msec
;; SERVER: 2001:41c8:2::3#53(2001:41c8:2::3)
;; WHEN: Tue Feb 26 12:57:42 CET 2019
;; MSG SIZE  rcvd: 132

bjorn@miraculix:~$ dig ns 0.0.1.5.0.0.8.c.1.4.1.0.0.2.ip6.arpa @a.ns.uk0.bigv.io

; <<>> DiG 9.11.5-P4-1-Debian <<>> ns 0.0.1.5.0.0.8.c.1.4.1.0.0.2.ip6.arpa @a.ns.uk0.bigv.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 15184
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;0.0.1.5.0.0.8.c.1.4.1.0.0.2.ip6.arpa. IN NS

;; Query time: 259 msec
;; SERVER: 2001:41c8:50:0:4::1#53(2001:41c8:50:0:4::1)
;; WHEN: Tue Feb 26 12:57:51 CET 2019
;; MSG SIZE  rcvd: 65

Looks like some (all?) the actual contents of these zones is published by {a,b,c}.ns.bytemark.co.uk, so I guess this might just be some leftover stale NS records in the 8.c.1.4.1.0.0.2.ip6.arpa zone?

Please fix. Thanks