Dnssec-validation auto
Ismael Suarez
Ismael_Suarez at coqui.com
Fri Nov 13 15:14:49 UTC 2020
resolv.conf has only itself as dns server
When using dnssec-validation AUTO, and turning on debug, the following is shown when I nslookup from my PC towards the server.
13-Nov-2020 11:09:18.998 client @0x7f7fb41d6b20 xxx.xxx.xxx.252#30201: request is not signed
13-Nov-2020 11:09:18.998 client @0x7f7fb41d6b20 xxx.xxx.xxx.252#30201: recursion available
13-Nov-2020 11:09:18.998 client @0x7f7fb41d6b20 xxx.xxx.xxx.252#30201 (www.popularsba.com): query: www.popularsba.com IN A + (xxx.xxx.xxx.152)
13-Nov-2020 11:09:18.998 client @0x7f7fb41d6b20 xxx.xxx.xxx.252#30201 (www.popularsba.com): query (cache) 'www.popularsba.com/A/IN' approved
13-Nov-2020 11:09:18.998 fetch: www.popularsba.com/A
13-Nov-2020 11:09:18.999 fetch: ha1.markmonitor.zone/A
13-Nov-2020 11:09:18.999 fetch: ha2.markmonitor.zone/A
13-Nov-2020 11:09:18.999 fetch: ha3.markmonitor.zone/A
13-Nov-2020 11:09:18.999 fetch: ha4.markmonitor.zone/A
13-Nov-2020 11:09:24.000 client @0x7f7fb41f3a40 xxx.xxx.xxx.252#30201: request is not signed
13-Nov-2020 11:09:24.000 client @0x7f7fb41f3a40 xxx.xxx.xxx.252#30201: recursion available
13-Nov-2020 11:09:24.000 client @0x7f7fb41f3a40 xxx.xxx.xxx.252#30201 (www.popularsba.com): query: www.popularsba.com IN A + (xxx.xxx.xxx.152)
13-Nov-2020 11:09:24.000 client @0x7f7fb41f3a40 xxx.xxx.xxx.252#30201 (www.popularsba.com): query (cache) 'www.popularsba.com/A/IN' approved
13-Nov-2020 11:09:24.000 fetch: www.popularsba.com/A
13-Nov-2020 11:09:24.000 client @0x7f7fb41f3a40 xxx.xxx.xxx.252#30201 (www.popularsba.com): request failed: duplicate query
13-Nov-2020 11:09:27.051 fetch: popularsba.com/DS
On my client I get:
** server can't find www.popularsba.com: SERVFAIL
masked the IP just in case
-----Original Message-----
From: Petr Menšík <pemensik at redhat.com>
To: Ismael Suarez <Ismael_Suarez at coqui.com>, bind-users at lists.isc.org
Subject: Re: Dnssec-validation auto
Date: Fri, 13 Nov 2020 14:19:47 +0100
I would check what nameservers are in /etc/resolv.conf, and try to
direct delv or dig to its address.
for H in $(awk '$1 == "nameserver" { print $2 }' /etc/resolv.conf); do
    dig +dnssec @$H www.popularsba.com
done
Check that every server returns reliable and the same results. I had one
NOERROR and one SERVFAIL from our infrastructure. The second server
provides more servers in ADDITIONAL section. Second retry was successful.
It might take a bit more time to fetch and verify addresses of all
authoritative servers of gslb.siteforce.com. domain. Six seems a lot.
; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8 <<>> +dnssec @10.5.30.45 www.popularsba.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43145
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 6, ADDITIONAL: 13
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.popularsba.com. IN A
;; ANSWER SECTION:
www.popularsba.com. 262 IN CNAME www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com.
www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com. 262 IN CNAME 4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com.
4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com. 82 IN A 13.109.220.200
;; AUTHORITY SECTION:
gslb.siteforce.com. 55886 IN NS dns05.salesforce.com.
gslb.siteforce.com. 55886 IN NS dns01.salesforce.com.
gslb.siteforce.com. 55886 IN NS dns02.salesforce.com.
gslb.siteforce.com. 55886 IN NS dns04.salesforce.com.
gslb.siteforce.com. 55886 IN NS dns06.salesforce.com.
gslb.siteforce.com. 55886 IN NS dns03.salesforce.com.
;; ADDITIONAL SECTION:
dns01.salesforce.com. 53547 IN A 204.74.108.235
dns02.salesforce.com. 53547 IN A 204.74.109.235
dns04.salesforce.com. 53547 IN A 199.7.69.235
dns03.salesforce.com. 53547 IN A 199.7.68.235
dns06.salesforce.com. 53547 IN A 204.74.115.235
dns05.salesforce.com. 53547 IN A 204.74.114.235
dns01.salesforce.com. 53547 IN RRSIG A 13 3 86400 20201130021251
20201001013506 2317 salesforce.com.
fUb+1uVGcdeVSsjTj1O++bcNLZwapzTvLcHLP+tykm3y3ziCSIHtxfCp
3kZqdBQtB3nGd7ySGPEblvBJA4ZHUA==
dns02.salesforce.com. 53547 IN RRSIG A 13 3 86400 20201130021251
20201001013506 2317 salesforce.com.
QOVhwrJ0dwkHRHLr/ytEzmZ04bYaAzN2ooDfJOVJXDCinYGFuNTRmPhs
uFawDGlRlFja8OyiIyJXIFvwXKGSxg==
dns04.salesforce.com. 53547 IN RRSIG A 13 3 86400 20201130021251
20201001013506 2317 salesforce.com.
DXOOYz5odrnY7SkWNvU0NiGOZEWalNT+0VYCYgd7wl6Rj0cOR4slFrvR
ADj5eAgFLybADvTviia/xbqz4u7ueQ==
dns03.salesforce.com. 53547 IN RRSIG A 13 3 86400 20201130021251
20201001013506 2317 salesforce.com.
Rkzv/z9vhnURB8hueZgkQrKFffLB9Zj423ZPHoPXtoECxNVk/ZV/ODv4
BQZLT8+t8W7cLILNyXVVpEjG2ejE9Q==
dns06.salesforce.com. 53547 IN RRSIG A 13 3 86400 20201218220609
20201019213201 2317 salesforce.com.
YcTDijezumyiv+WZcvZqFk/yOJ2r7WdxZ5XFwIjt5R6iDOSQNChxhQ3G
dhR28sLna+rM9yVehyyEyCh4iJUeHg==
dns05.salesforce.com. 53547 IN RRSIG A 13 3 86400 20201130021251
20201001013506 2317 salesforce.com.
gmzIaK0lTolbkUaIGfHTLl2+TzUYQUtxHJ5yevEzdLmaE8z0AW7JBVXf
07osroe/7LxRQO38ZCxNZHVXfQnMHA==
;; Query time: 45 msec
;; SERVER: 10.5.30.45#53(10.5.30.45)
;; WHEN: Fri Nov 13 08:12:49 EST 2020
;; MSG SIZE rcvd: 1076
It seems to me, only dns0?.salesforce.com. hosts are in DNSSEC signed
domain. Try debugging salesforce.com. domain verification instead.
On 11/13/20 1:59 PM, Ismael Suarez wrote:
With "dnssec-validation AUTO;" I get:
# delv +cd www.popularsba.com
;; resolution failed: timed out
With "dnssec-validation NO;" I get:
# delv +cd www.popularsba.com
;; resolution failed: timed out
; unsigned answer
www.popularsba.com. 279 IN CNAME www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com.
CAPS just to show the difference in .conf
--
Ismael Suárez Maldonado | UNIX ADM | Coqui.Net Corp / ClaroTV
ismael_suarez at coqui.com | T: 787-793-0001 x 4007
-----Original Message-----
From: Petr Menšík <pemensik at redhat.com>
To: bind-users at lists.isc.org
Subject: Re: Dnssec-validation auto
Date: Fri, 13 Nov 2020 11:26:17 +0100
Hi Ismael,
easiest way to check validation is using delv tool from BIND 9.11+. It
uses the same algorithm as BIND server does. If you get SERVFAIL from
your recursive server, try adding +cd parameter to delv or dig. When it
works with +cd, validation is responsible somewhere in recursive servers
chain.
It shows just unsigned to me, today.
$ delv +cd www.popularsba.com
; unsigned answer
www.popularsba.com. 282 IN CNAME www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com.
www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com. 282 IN CNAME 4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com.
4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com. 102 IN A 161.71.31.253
Cheers,
Petr
On 11/13/20 5:26 AM, Ismael Suarez wrote:
Hi all
The following domain (www.popularsba.com) does not resolve with dnssec validation set to auto, but when I change the validation off it works.
Why is this? How can I check this validation?
Using bind 9.12
Thanks to all
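The diagnostic Petr recommends in this thread (query each nameserver from /etc/resolv.conf, and compare a plain query with a +cd query so that a DNSSEC validation failure can be told apart from a resolver that is simply broken) can be scripted. The following POSIX shell script is an added example and is not code posted by anyone in the thread; it assumes BIND's dig is in PATH, and all function names (nameservers_from_resolv, dig_status, dig_has_ad, classify, check_name, demo_offline) are my own. The header lines used by demo_offline are constructed, so that part runs without network access.

```shell
#!/bin/sh
# Added example, not code from this thread. It automates the check Petr
# describes: query every nameserver listed in resolv.conf with dig, once
# normally and once with +cd (checking disabled), and classify the result.
# Assumes dig (BIND 9) is in PATH; all function names here are my own.

# Print the nameserver addresses found in resolv.conf text read from stdin.
nameservers_from_resolv() {
    awk '$1 == "nameserver" { print $2 }'
}

# Extract the rcode (NOERROR, SERVFAIL, ...) from dig's ->>HEADER<<- line on stdin.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# Succeed if dig's flags line on stdin carries the AD (authenticated data) bit.
dig_has_ad() {
    grep -q '^;; flags:.* ad[ ;]'
}

# classify <rcode without +cd> <rcode with +cd> <ad: yes|no>
# SERVFAIL that turns into NOERROR with +cd means the resolver could reach the
# data but refused to validate it: a DNSSEC problem, not a connectivity one.
classify() {
    case "$1/$2" in
        SERVFAIL/NOERROR)  echo "validation-failure" ;;
        SERVFAIL/SERVFAIL) echo "server-failure" ;;
        NOERROR/*)
            if [ "$3" = yes ]; then echo "validated"; else echo "insecure"; fi ;;
        *) echo "other:$1/$2" ;;
    esac
}

# Live check: check_name <name> < /etc/resolv.conf
# Prints one line per nameserver: address, classification, rcodes seen.
check_name() {
    name=$1
    for h in $(nameservers_from_resolv); do
        plain=$(dig +dnssec +time=5 +tries=1 "@$h" "$name" A) || true
        withcd=$(dig +dnssec +cd +time=5 +tries=1 "@$h" "$name" A) || true
        s1=$(printf '%s\n' "$plain" | dig_status)
        s2=$(printf '%s\n' "$withcd" | dig_status)
        if printf '%s\n' "$plain" | dig_has_ad; then ad=yes; else ad=no; fi
        printf '%s\t%s\t%s\n' "$h" "$(classify "$s1" "$s2" "$ad")" "$s1/$s2"
    done
}

# Offline demonstration on constructed dig header lines (no network needed):
# the pattern from the thread, SERVFAIL normally but an answer with +cd.
demo_offline() {
    hdr_plain=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345'  # constructed
    hdr_cd=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346'     # constructed
    s1=$(printf '%s\n' "$hdr_plain" | dig_status)
    s2=$(printf '%s\n' "$hdr_cd" | dig_status)
    classify "$s1" "$s2" no
}

# Run the live check only when a name is given on the command line.
if [ -n "${1:-}" ] && [ -r /etc/resolv.conf ]; then
    check_name "$1" < /etc/resolv.conf
fi
```

Usage: `sh check.sh www.popularsba.com`. A server reported as "validation-failure" is the one to debug with delv (without +cd) so it prints which zone in the chain fails to validate; "server-failure" on every resolver points at connectivity or the authoritative side rather than DNSSEC, and "insecure" matches the "; unsigned answer" delv prints for an unsigned name.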
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users