Dnssec-validation auto

Ismael Suarez Ismael_Suarez at coqui.com
Fri Nov 13 15:14:49 UTC 2020


resolv.conf has only itself as dns server

When using dnssec-validation AUTO, and turning on debug, the following is shown when I nslookup from my PC towards the server.



13-Nov-2020 11:09:18.998 client @0x7f7fb41d6b20 xxx.xxx.xxx.252#30201: request is not signed

13-Nov-2020 11:09:18.998 client @0x7f7fb41d6b20 xxx.xxx.xxx.252#30201: recursion available

13-Nov-2020 11:09:18.998 client @0x7f7fb41d6b20 xxx.xxx.xxx.252#30201 (www.popularsba.com): query: www.popularsba.com IN A + (xxx.xxx.xxx.152)

13-Nov-2020 11:09:18.998 client @0x7f7fb41d6b20 xxx.xxx.xxx.252#30201 (www.popularsba.com): query (cache) 'www.popularsba.com/A/IN' approved

13-Nov-2020 11:09:18.998 fetch: www.popularsba.com/A

13-Nov-2020 11:09:18.999 fetch: ha1.markmonitor.zone/A

13-Nov-2020 11:09:18.999 fetch: ha2.markmonitor.zone/A

13-Nov-2020 11:09:18.999 fetch: ha3.markmonitor.zone/A

13-Nov-2020 11:09:18.999 fetch: ha4.markmonitor.zone/A

13-Nov-2020 11:09:24.000 client @0x7f7fb41f3a40 xxx.xxx.xxx.252#30201: request is not signed

13-Nov-2020 11:09:24.000 client @0x7f7fb41f3a40 xxx.xxx.xxx.252#30201: recursion available

13-Nov-2020 11:09:24.000 client @0x7f7fb41f3a40 xxx.xxx.xxx.252#30201 (www.popularsba.com): query: www.popularsba.com IN A + (xxx.xxx.xxx.152)

13-Nov-2020 11:09:24.000 client @0x7f7fb41f3a40 xxx.xxx.xxx.252#30201 (www.popularsba.com): query (cache) 'www.popularsba.com/A/IN' approved

13-Nov-2020 11:09:24.000 fetch: www.popularsba.com/A

13-Nov-2020 11:09:24.000 client @0x7f7fb41f3a40 xxx.xxx.xxx.252#30201 (www.popularsba.com): request failed: duplicate query

13-Nov-2020 11:09:27.051 fetch: popularsba.com/DS



On my client I get:

** server can't find www.popularsba.com: SERVFAIL



masked the IP just in case



-----Original Message-----
From: Petr Menšík <pemensik at redhat.com>
To: Ismael Suarez <Ismael_Suarez at coqui.com>, bind-users at lists.isc.org
Subject: Re: Dnssec-validation auto
Date: Fri, 13 Nov 2020 14:19:47 +0100


I would check what nameservers are in /etc/resolv.conf, and try to
direct delv or dig to its address.

for H in $(awk '$1 == "nameserver" { print $2 }' /etc/resolv.conf); do
    dig +dnssec @$H www.popularsba.com
done


Check that every server returns reliable and the same results. I had one
NOERROR and one SERVFAIL from our infrastructure. The second server
provides more servers in the ADDITIONAL section. The second retry was successful.

It might take a bit more time to fetch and verify addresses of all
authoritative servers of the gslb.siteforce.com. domain. Six seems a lot.



; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8 <<>> +dnssec @10.5.30.45 www.popularsba.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43145
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 6, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.popularsba.com.            IN      A

;; ANSWER SECTION:
www.popularsba.com.     262     IN      CNAME   www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com.
www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com. 262 IN CNAME 4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com.
4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com. 82 IN A 13.109.220.200


;; AUTHORITY SECTION:

gslb.siteforce.com.     55886   IN      NS      dns05.salesforce.com.

gslb.siteforce.com.     55886   IN      NS      dns01.salesforce.com.

gslb.siteforce.com.     55886   IN      NS      dns02.salesforce.com.

gslb.siteforce.com.     55886   IN      NS      dns04.salesforce.com.

gslb.siteforce.com.     55886   IN      NS      dns06.salesforce.com.

gslb.siteforce.com.     55886   IN      NS      dns03.salesforce.com.


;; ADDITIONAL SECTION:

dns01.salesforce.com.   53547   IN      A       204.74.108.235

dns02.salesforce.com.   53547   IN      A       204.74.109.235

dns04.salesforce.com.   53547   IN      A       199.7.69.235

dns03.salesforce.com.   53547   IN      A       199.7.68.235

dns06.salesforce.com.   53547   IN      A       204.74.115.235

dns05.salesforce.com.   53547   IN      A       204.74.114.235

dns01.salesforce.com.   53547   IN      RRSIG   A 13 3 86400 20201130021251 20201001013506 2317 salesforce.com. fUb+1uVGcdeVSsjTj1O++bcNLZwapzTvLcHLP+tykm3y3ziCSIHtxfCp 3kZqdBQtB3nGd7ySGPEblvBJA4ZHUA==
dns02.salesforce.com.   53547   IN      RRSIG   A 13 3 86400 20201130021251 20201001013506 2317 salesforce.com. QOVhwrJ0dwkHRHLr/ytEzmZ04bYaAzN2ooDfJOVJXDCinYGFuNTRmPhs uFawDGlRlFja8OyiIyJXIFvwXKGSxg==
dns04.salesforce.com.   53547   IN      RRSIG   A 13 3 86400 20201130021251 20201001013506 2317 salesforce.com. DXOOYz5odrnY7SkWNvU0NiGOZEWalNT+0VYCYgd7wl6Rj0cOR4slFrvR ADj5eAgFLybADvTviia/xbqz4u7ueQ==
dns03.salesforce.com.   53547   IN      RRSIG   A 13 3 86400 20201130021251 20201001013506 2317 salesforce.com. Rkzv/z9vhnURB8hueZgkQrKFffLB9Zj423ZPHoPXtoECxNVk/ZV/ODv4 BQZLT8+t8W7cLILNyXVVpEjG2ejE9Q==
dns06.salesforce.com.   53547   IN      RRSIG   A 13 3 86400 20201218220609 20201019213201 2317 salesforce.com. YcTDijezumyiv+WZcvZqFk/yOJ2r7WdxZ5XFwIjt5R6iDOSQNChxhQ3G dhR28sLna+rM9yVehyyEyCh4iJUeHg==
dns05.salesforce.com.   53547   IN      RRSIG   A 13 3 86400 20201130021251 20201001013506 2317 salesforce.com. gmzIaK0lTolbkUaIGfHTLl2+TzUYQUtxHJ5yevEzdLmaE8z0AW7JBVXf 07osroe/7LxRQO38ZCxNZHVXfQnMHA==


;; Query time: 45 msec

;; SERVER: 10.5.30.45#53(10.5.30.45)

;; WHEN: Fri Nov 13 08:12:49 EST 2020

;; MSG SIZE  rcvd: 1076



It seems to me, only dns0?.salesforce.com. hosts are in a DNSSEC signed
domain. Try debugging salesforce.com. domain verification instead.


On 11/13/20 1:59 PM, Ismael Suarez wrote:

With "dnssec-validation AUTO;" I get:


# delv +cd www.popularsba.com

;; resolution failed: timed out



With "dnssec-validation NO;" I get:


# delv +cd www.popularsba.com

;; resolution failed: timed out
; unsigned answer
www.popularsba.com.     279     IN      CNAME   www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com.



CAPS just to show the difference in .conf



--

Ismael Suárez Maldonado | UNIX ADM | Coqui.Net Corp / ClaroTV
ismael_suarez at coqui.com | T: 787-793-0001 x 4007


-----Original Message-----
From: Petr Menšík <pemensik at redhat.com>
To: bind-users at lists.isc.org
Subject: Re: Dnssec-validation auto
Date: Fri, 13 Nov 2020 11:26:17 +0100



Hi Ismael,



The easiest way to check validation is using the delv tool from BIND 9.11+. It
uses the same algorithm as the BIND server does. If you get SERVFAIL from
your recursive server, try adding the +cd parameter to delv or dig. When it
works with +cd, validation is responsible somewhere in the recursive servers'
chain.



It shows just unsigned to me, today.



$ delv +cd www.popularsba.com

; unsigned answer
www.popularsba.com.     282     IN      CNAME   www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com.
www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com. 282 IN CNAME 4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com.
4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com. 102 IN A 161.71.31.253



Cheers,


Petr



On 11/13/20 5:26 AM, Ismael Suarez wrote:


Hi all



The following domain (www.popularsba.com) does not resolve with dnssec validation set to auto, but when I change the validation off it works.



Why is this? How can I check this validation?



Using bind 9.12



Thanks to all


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users





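An added example (my own script, not code from the thread, from Petr, or from ISC) that turns the +cd test Petr describes into a reusable shell check. It parses the header and flags lines of dig output and reports whether a name is validated (AD flag set), insecure (NOERROR without AD, no chain of trust), failing validation (SERVFAIL that clears with +cd, which is the case Petr says points at validation) or failing resolution even with +cd (which is not a DNSSEC problem at all). The helper names (header_status, has_ad_flag, classify_dnssec, check_resolvers_live) and the captured dig outputs are assumptions constructed for this example; check_resolvers_live runs dig against every resolv.conf nameserver, as in Petr's loop, and needs network access, while the rest runs offline.

```shell
#!/bin/sh
# Added example, not from the bind-users thread. Helper names and the
# sample captures below are constructed for illustration.

# Pull the rcode out of captured "dig +noall +comments" output:
# ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1001" -> SERVFAIL
header_status() {
    printf '%s\n' "$1" | sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Exit 0 when the AD (authenticated data) bit is on the flags line, i.e. the
# resolver itself validated the answer. "ad" is matched as a whole token so
# that flags such as "aa" or "cd" cannot trigger a false positive.
has_ad_flag() {
    printf '%s\n' "$1" | grep -E '^;; flags:( [a-z]+)* ad[ ;]' >/dev/null
}

# classify_dnssec PLAIN_OUTPUT CD_OUTPUT
#   PLAIN_OUTPUT: output of  dig +dnssec +noall +comments @R NAME     (validated)
#   CD_OUTPUT:    output of  dig +dnssec +cd +noall +comments @R NAME (CD bit set,
#                 resolver skips validation)
# Prints one verdict:
#   validated           NOERROR with AD: signed and verified by the resolver
#   insecure            NOERROR without AD: no chain of trust covers the name
#   validation-failure  SERVFAIL that clears with +cd: data reachable, DNSSEC rejects it
#   resolution-failure  SERVFAIL even with +cd: timeouts/unreachable servers, not DNSSEC
#   unknown             anything else (NXDOMAIN, REFUSED, no header captured, ...)
classify_dnssec() {
    plain_rc=$(header_status "$1")
    cd_rc=$(header_status "$2")
    if [ "$plain_rc" = "NOERROR" ]; then
        if has_ad_flag "$1"; then echo validated; else echo insecure; fi
    elif [ "$plain_rc" = "SERVFAIL" ] && [ "$cd_rc" = "NOERROR" ]; then
        echo validation-failure
    elif [ "$plain_rc" = "SERVFAIL" ] && [ "$cd_rc" = "SERVFAIL" ]; then
        echo resolution-failure
    else
        echo unknown
    fi
}

# Live variant of the resolv.conf loop from the thread: query each listed
# nameserver with and without +cd and print one verdict per server.
# Requires dig on PATH and network access; not exercised by the offline demo.
check_resolvers_live() {
    name="$1"
    for H in $(awk '$1 == "nameserver" { print $2 }' /etc/resolv.conf); do
        plain=$(dig +dnssec +noall +comments @"$H" "$name" A)
        cd_out=$(dig +dnssec +cd +noall +comments @"$H" "$name" A)
        printf '%s\t%s\n' "$H" "$(classify_dnssec "$plain" "$cd_out")"
    done
}

# Constructed sample captures, shortened to the two lines the classifier reads.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1001
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NOERROR_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 6, ADDITIONAL: 13'
SAMPLE_NOERROR_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1003
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Offline demo over the constructed captures.
echo "NOERROR, no AD (unsigned name):   $(classify_dnssec "$SAMPLE_NOERROR_NOAD" "$SAMPLE_NOERROR_NOAD")"
echo "NOERROR with AD (signed name):    $(classify_dnssec "$SAMPLE_NOERROR_AD" "$SAMPLE_NOERROR_NOAD")"
echo "SERVFAIL that clears with +cd:    $(classify_dnssec "$SAMPLE_SERVFAIL" "$SAMPLE_NOERROR_NOAD")"
echo "SERVFAIL even with +cd:           $(classify_dnssec "$SAMPLE_SERVFAIL" "$SAMPLE_SERVFAIL")"
```

Usage against a real resolver is `check_resolvers_live www.example.com` after sourcing the script; the script reads only the header and flags lines, so it works for any name and rcode. The AD flag is the check that matters: a validating BIND sets it only on answers it verified, and a NOERROR without AD (as in the "unsigned answer" delv output above) means the name is simply not covered by a chain of trust, which validation cannot fail on.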




