DNSSEC server failure with trstech.net

Mark Andrews Mark_Andrews at isc.org
Thu Nov 6 13:46:26 UTC 2008


In message <20081106130140.GA12114 at nic.fr>, Stephane Bortzmeyer writes:
> dig MX trstech.net 
> 
> makes a SERVFAIL. (The BIND resolver is set to dnssec-validation yes
> and uses the ISC DLV registry).
> 
> The domain is not signed and has no trust anchor at my resolver (BIND
> 9.5.0-P2). I cannot reproduce the problem with other similar (no
> signature, no trust anchor) domains.
> 
> The logfile says:
> 
> Nov  6 12:37:25 lilith named[22431]: not insecure resolving 'trstech.net/ANY/IN': 196.200.57.137#53
> Nov  6 12:37:25 lilith named[22431]: not insecure resolving 'trstech.net/ANY/IN': 147.28.0.39#53
> Nov  6 12:37:26 lilith named[22431]: not insecure resolving 'trstech.net/ANY/IN': 2001:4f8:feec::1#53
> 
> Despite the:
> 
>  logging {
>           channel dnssec_log {             // a DNSSEC log channel
>                   file "/var/tmp/bindlog/dnssec.log" size 20m;
>                   print-time yes;        // timestamp the entries
>                   print-category yes;    // add category name to entries
>                   print-severity yes;    // add severity level to entries
>                   severity debug 3;      
>           };
> 
>     category dnssec  { dnssec_log; };
>  };
> 
> There is nothing in /var/tmp/bindlog/dnssec.log.
> 
> This seems BIND specific. Using OARC DNSSEC resolvers, I see the same
> behavior on their BIND resolver (149.20.64.20) but not on the Unbound
> one (149.20.64.21).

	This is what happens when you publish a DLV record but don't
	configure the servers to return DNSSEC information.  Or you
	replace a signed zone with an unsigned zone and fail to
	remove the DS/DLV records prior to the change.  Given the
	procedures to add a DLV record I suspect the latter is the
	actual cause.

	The log messages are saying that the validation failed
	because there was no secure to insecure transition and all
	named is getting are insecure responses.

	Mark

; <<>> DiG 9.3.5-P2 <<>> trstech.net.dlv.isc.org dlv
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34801
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 4

;; QUESTION SECTION:
;trstech.net.dlv.isc.org.	IN	DLV

;; ANSWER SECTION:
trstech.net.dlv.isc.org. 3085	IN	DLV	36472 5 2 FB0DA57E6C06EA0CF636C47016DCE1DAC81142A3FCA389D2CBA829FC 2E0EABE0
trstech.net.dlv.isc.org. 3085	IN	DLV	36472 5 1 0B4B9F5A6CA4B0C800D2B432F1D206F176E8E00F

;; AUTHORITY SECTION:
dlv.isc.org.		3480	IN	NS	ns-ext.sth1.isc.org.
dlv.isc.org.		3480	IN	NS	ns-ext.lga1.isc.org.
dlv.isc.org.		3480	IN	NS	ns-ext.nrt1.isc.org.
dlv.isc.org.		3480	IN	NS	sfba.sns-pb.isc.org.
dlv.isc.org.		3480	IN	NS	ns-ext.isc.org.

;; ADDITIONAL SECTION:
sfba.sns-pb.isc.org.	3600	IN	A	149.20.64.3
ns-ext.isc.org.		3600	IN	A	204.152.184.64
sfba.sns-pb.isc.org.	3600	IN	AAAA	2001:4f8:0:2::19
ns-ext.isc.org.		3600	IN	AAAA	2001:4f8:0:2::13

;; Query time: 10 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov  7 00:34:04 2008
;; MSG SIZE  rcvd: 338


; <<>> DiG 9.3.5-P2 <<>> +dnssec +norec @rip.psg.com trstech.net mx
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4086
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;trstech.net.			IN	MX

;; ANSWER SECTION:
trstech.net.		600	IN	MX	5 afribone.trstech.net.

;; AUTHORITY SECTION:
trstech.net.		600	IN	NS	afribone.trstech.net.
trstech.net.		600	IN	NS	rip.psg.com.

;; ADDITIONAL SECTION:
afribone.trstech.net.	600	IN	A	196.200.57.137
afribone.trstech.net.	600	IN	AAAA	2001:4f8:feec::1

;; Query time: 196 msec
;; SERVER: 2001:418:1::39#53(2001:418:1::39)
;; WHEN: Fri Nov  7 00:35:41 2008
;; MSG SIZE  rcvd: 148


; <<>> DiG 9.3.5-P2 <<>> +dnssec +norec @196.200.57.137 mx trstech.net
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17263
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;trstech.net.			IN	MX

;; ANSWER SECTION:
trstech.net.		600	IN	MX	5 afribone.trstech.net.

;; AUTHORITY SECTION:
trstech.net.		600	IN	NS	rip.psg.com.
trstech.net.		600	IN	NS	afribone.trstech.net.

;; ADDITIONAL SECTION:
afribone.trstech.net.	600	IN	A	196.200.57.137
afribone.trstech.net.	600	IN	AAAA	2001:4f8:feec::1

;; Query time: 429 msec
;; SERVER: 196.200.57.137#53(196.200.57.137)
;; WHEN: Fri Nov  7 00:36:14 2008
;; MSG SIZE  rcvd: 148


; <<>> DiG 9.3.5-P2 <<>> dnskey trstech.net @rip.psg.com +dnssec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13533
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;trstech.net.			IN	DNSKEY

;; AUTHORITY SECTION:
trstech.net.		600	IN	SOA	afribone.trstech.net. aalain.trstech.net. 2007112400 14400 3600 1209600 3600

;; Query time: 189 msec
;; SERVER: 2001:418:1::39#53(2001:418:1::39)
;; WHEN: Fri Nov  7 00:38:54 2008
;; MSG SIZE  rcvd: 92

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
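The decision Mark describes ("not insecure": a DLV/DS anchor says the zone is signed, the authoritative servers hand back unsigned data, so the validator has no proof of a secure-to-insecure transition and must reject the answer) can be reproduced offline. The following is an added example, not BIND's validator and not code from the thread; it implements the RFC 4034 key tag and DS digest computations and a chain-of-trust classification over constructed answers. The key tags and digests for trstech.net are copied from the DLV lookup above; the "signed" case uses made-up key bytes. Cryptographic RRSIG verification is deliberately omitted, so the positive outcome is labelled "secure-chain" (anchor matches a published DNSKEY and the queried RRset carries an RRSIG), not a full "secure".

```python
"""Classify a validator outcome from a DS/DLV anchor plus the authoritative
answer.  Added illustration, not BIND code; record data is constructed."""
import hashlib
import struct
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DS:
    """A DS or DLV record: both carry key_tag/algorithm/digest_type/digest."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # upper-case hex, whitespace removed


@dataclass
class AuthAnswer:
    """What the authoritative server returned for the zone with DO=1."""
    qtype: str
    dnskey_rdata: list = field(default_factory=list)  # wire-format DNSKEY RDATA
    rrsig_types: set = field(default_factory=set)     # RR types covered by RRSIGs


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    wire = b"".join(bytes([len(l)]) + l.lower().encode("ascii")
                    for l in name.rstrip(".").split(".") if l)
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (16-bit checksum over the RDATA)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """RFC 4034 section 5.1.4: digest(owner name wire form || DNSKEY RDATA)."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest().upper()


def classify(zone: str, anchors: list, answer: AuthAnswer) -> str:
    """Return 'insecure', 'secure-chain' or 'bogus'.

    'bogus' is the state in which named returns SERVFAIL and logs
    "not insecure resolving ...": an anchor promised signatures, none came.
    """
    if not anchors:
        # No DS/DLV for the zone: nothing is expected, unsigned data is
        # accepted (a proper secure -> insecure transition).
        return "insecure"
    for ds in anchors:
        for rdata in answer.dnskey_rdata:
            if (key_tag(rdata) == ds.key_tag
                    and rdata[3] == ds.algorithm
                    and ds_digest(zone, rdata, ds.digest_type) == ds.digest):
                if "DNSKEY" in answer.rrsig_types and answer.qtype in answer.rrsig_types:
                    return "secure-chain"
                return "bogus"  # anchored key published, but RRset unsigned
    # Anchor says "signed" but no DNSKEY matches (here: none at all) and
    # there is no proof of insecurity, so the answer is rejected.
    return "bogus"


def trstech_case() -> str:
    """The thread's situation: DLV published, zone answers without DNSSEC
    records (key tag/digests copied from the DLV lookup, whitespace removed)."""
    anchors = [
        DS(36472, 5, 2, "FB0DA57E6C06EA0CF636C47016DCE1DAC81142A3FCA389D2CBA829FC2E0EABE0"),
        DS(36472, 5, 1, "0B4B9F5A6CA4B0C800D2B432F1D206F176E8E00F"),
    ]
    return classify("trstech.net", anchors, AuthAnswer(qtype="MX"))


def signed_case(zone: str = "example.test") -> str:
    """Constructed healthy case: a DNSKEY (fake key bytes) whose DS is the
    anchor, with RRSIGs over DNSKEY and the queried type."""
    rdata = dnskey_rdata(257, 3, 8, bytes(range(1, 65)))
    anchor = DS(key_tag(rdata), 8, 2, ds_digest(zone, rdata, 2))
    return classify(zone, [anchor], AuthAnswer("MX", [rdata], {"DNSKEY", "MX"}))


if __name__ == "__main__":
    print("trstech.net with DLV, unsigned answers:", trstech_case())
    print("trstech.net after DLV removed:        ",
          classify("trstech.net", [], AuthAnswer("MX")))
    print("properly anchored signed zone:        ", signed_case())
```

The two remedies in the reply map onto the branches: deleting the DLV/DS records moves the zone to the `insecure` branch, while re-publishing a DNSKEY that matches the anchor and signing the zone moves it to the chained branch. Note that the Unbound difference Stephane observed is not contradicted by this logic; a resolver that does not use the ISC DLV registry simply has no anchor and lands in `insecure`.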
