DNSSEC server failure with trstech.net
Mark Andrews
Mark_Andrews at isc.org
Thu Nov 6 13:46:26 UTC 2008
In message <20081106130140.GA12114 at nic.fr>, Stephane Bortzmeyer writes:
> dig MX trstech.net
>
> makes a SERVFAIL. (The BIND resolver is set to dnssec-validation yes
> and uses the ISC DLV registry).
>
> The domain is not signed and has no trust anchor at my resolver (BIND
> 9.5.0-P2). I cannot reproduce the problem with other similar (no
> signature, no trust anchor) domains.
>
> The logfile says:
>
> Nov 6 12:37:25 lilith named[22431]: not insecure resolving 'trstech.net/ANY/
> IN': 196.200.57.137#53
> Nov 6 12:37:25 lilith named[22431]: not insecure resolving 'trstech.net/ANY/
> IN': 147.28.0.39#53
> Nov 6 12:37:26 lilith named[22431]: not insecure resolving 'trstech.net/ANY/
> IN': 2001:4f8:feec::1#53
>
> Despite the:
>
> logging {
> channel dnssec_log { // a DNSSEC log channel
> file "/var/tmp/bindlog/dnssec.log" size 20m;
> print-time yes; // timestamp the entries
> print-category yes; // add category name to entries
> print-severity yes; // add severity level to entries
> severity debug 3;
> };
>
> category dnssec { dnssec_log; };
>
> There is nothing in /var/tmp/bindlog/dnssec.log.
>
> This seems BIND specific. Using OARC DNSSEC resolvers, I see the same
> behavior on their BIND resolver (149.20.64.20) but not on the Unbound
> one (149.20.64.21).
This is what happens when you publish a DLV record but don't
configure the servers to return DNSSEC information. Or you
replace a signed zone with a unsigned zone and fail to
remove the DS/DLV records prior to the change. Given the
procedures to add a DLV record I suspect the later is the
actual cause.
The log messages are saying that the validation failed
because there was no secure to insecure transition and all
named is getting are insecure responses.
Mark
; <<>> DiG 9.3.5-P2 <<>> trstech.net.dlv.isc.org dlv
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34801
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 4
;; QUESTION SECTION:
;trstech.net.dlv.isc.org. IN DLV
;; ANSWER SECTION:
trstech.net.dlv.isc.org. 3085 IN DLV 36472 5 2 FB0DA57E6C06EA0CF636C47016DCE1DAC81142A3FCA389D2CBA829FC 2E0EABE0
trstech.net.dlv.isc.org. 3085 IN DLV 36472 5 1 0B4B9F5A6CA4B0C800D2B432F1D206F176E8E00F
;; AUTHORITY SECTION:
dlv.isc.org. 3480 IN NS ns-ext.sth1.isc.org.
dlv.isc.org. 3480 IN NS ns-ext.lga1.isc.org.
dlv.isc.org. 3480 IN NS ns-ext.nrt1.isc.org.
dlv.isc.org. 3480 IN NS sfba.sns-pb.isc.org.
dlv.isc.org. 3480 IN NS ns-ext.isc.org.
;; ADDITIONAL SECTION:
sfba.sns-pb.isc.org. 3600 IN A 149.20.64.3
ns-ext.isc.org. 3600 IN A 204.152.184.64
sfba.sns-pb.isc.org. 3600 IN AAAA 2001:4f8:0:2::19
ns-ext.isc.org. 3600 IN AAAA 2001:4f8:0:2::13
;; Query time: 10 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 7 00:34:04 2008
;; MSG SIZE rcvd: 338
; <<>> DiG 9.3.5-P2 <<>> +dnssec +norec @rip.psg.com trstech.net mx
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4086
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;trstech.net. IN MX
;; ANSWER SECTION:
trstech.net. 600 IN MX 5 afribone.trstech.net.
;; AUTHORITY SECTION:
trstech.net. 600 IN NS afribone.trstech.net.
trstech.net. 600 IN NS rip.psg.com.
;; ADDITIONAL SECTION:
afribone.trstech.net. 600 IN A 196.200.57.137
afribone.trstech.net. 600 IN AAAA 2001:4f8:feec::1
;; Query time: 196 msec
;; SERVER: 2001:418:1::39#53(2001:418:1::39)
;; WHEN: Fri Nov 7 00:35:41 2008
;; MSG SIZE rcvd: 148
; <<>> DiG 9.3.5-P2 <<>> +dnssec +norec @196.200.57.137 mx trstech.net
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17263
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;trstech.net. IN MX
;; ANSWER SECTION:
trstech.net. 600 IN MX 5 afribone.trstech.net.
;; AUTHORITY SECTION:
trstech.net. 600 IN NS rip.psg.com.
trstech.net. 600 IN NS afribone.trstech.net.
;; ADDITIONAL SECTION:
afribone.trstech.net. 600 IN A 196.200.57.137
afribone.trstech.net. 600 IN AAAA 2001:4f8:feec::1
;; Query time: 429 msec
;; SERVER: 196.200.57.137#53(196.200.57.137)
;; WHEN: Fri Nov 7 00:36:14 2008
;; MSG SIZE rcvd: 148
; <<>> DiG 9.3.5-P2 <<>> dnskey trstech.net @rip.psg.com +dnssec
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13533
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;trstech.net. IN DNSKEY
;; AUTHORITY SECTION:
trstech.net. 600 IN SOA afribone.trstech.net. aalain.trstech.net. 2007112400 14400 3600 1209600 3600
;; Query time: 189 msec
;; SERVER: 2001:418:1::39#53(2001:418:1::39)
;; WHEN: Fri Nov 7 00:38:54 2008
;; MSG SIZE rcvd: 92
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the bind-users
mailing list