DNSSEC error resolving gpo.gov ?

Mark Andrews marka at isc.org
Wed Mar 15 04:19:45 UTC 2023
> On 15 Mar 2023, at 11:14, Tim Maestas <tmaestas95 at gmail.com> wrote:
> 
> 
> 
> On Tue, Mar 14, 2023 at 4:34 PM Mark Andrews <marka at isc.org> wrote:
> 
> 
> > On 15 Mar 2023, at 02:08, Alexandra Yang <drayales at gmail.com> wrote:
> > 
> > Hi Group,
> > 
> > I wonder if anyone can shed some light on this, our nameserver (BIND 9.16.37) keeps giving errors on resolving gpo.gov and ns3.gpo.gov, here are the errors:
> > 
> > Mar 14 10:23:32 ipam-dns-in-1 named[3713]:   validating gpo.gov/SOA: got insecure response; parent indicates it should be secure
> 
> For some reason you are not getting signed responses.  Are you using a forwarder?
> 
> For what it's worth, I keep getting:
> Mar 14 23:59:56 cl-dns1 named[19640]: view Caching:   validating federalregister.gov/SOA: got insecure response; parent indicates it should be secure
> Mar 14 23:59:56 cl-dns1 named[19640]: no valid RRSIG resolving 'www.federalregister.gov/DS/IN': 162.140.254.200#53
> Mar 14 23:59:56 cl-dns1 named[19640]: view Caching:   validating federalregister.gov/SOA: got insecure response; parent indicates it should be secure
> Mar 14 23:59:56 cl-dns1 named[19640]: no valid RRSIG resolving 'www.federalregister.gov/DS/IN': 162.140.15.100#53
> Mar 14 23:59:56 cl-dns1 named[19640]: broken trust chain resolving 'www.federalregister.gov/A/IN': 162.140.15.100#53
> 
> ..no forwarders in use.  At some point the domain starts to validate as my NTAs drop out unless I use -force, but then it starts to fail again.

Named should be sending queries with DO=1 and it should be getting back signed responses.  I suspect that you will need to run packet captures of the traffic to and from 162.140.15.100 and 162.140.254.200 port 53 from the nameserver.  Either signed responses will cease or DNSSEC requests will cease.  In either case having the traffic around the transition should help to determine what is happening.

e.g. tcpdump -G 100 -w %Y%m%d%H%M%S.pcap port 53 and \( host 162.140.15.100 or host 162.140.254.200 \)

% tcpdump -r 20230315150938.pcap -n -vv
reading from file 20230315150938.pcap, link-type EN10MB (Ethernet), snapshot length 262144
15:10:12.496870 IP (tos 0x0, ttl 64, id 17293, offset 0, flags [none], proto UDP (17), length 88)
    172.30.42.109.55290 > 162.140.254.200.53: [udp sum ok] 1494% [1au] A? federalregister.gov. ar: . OPT UDPsize=1232 DO [COOKIE 1a42be4f8b283640] (60)
15:10:12.845984 IP (tos 0x0, ttl 229, id 53065, offset 0, flags [DF], proto UDP (17), length 506)
    162.140.254.200.53 > 172.30.42.109.55290: [udp sum ok] 1494*- q: A? federalregister.gov. 3/3/1 federalregister.gov. A 75.2.36.59, federalregister.gov. A 99.83.174.136, federalregister.gov. RRSIG ns: federalregister.gov. NS ns4.gpo.gov., federalregister.gov. NS ns3.gpo.gov., federalregister.gov. RRSIG ar: . OPT UDPsize=4096 DO (478)
15:10:12.851518 IP (tos 0x0, ttl 64, id 27024, offset 0, flags [none], proto UDP (17), length 88)
    172.30.42.109.58808 > 162.140.15.100.53: [udp sum ok] 32328% [1au] DNSKEY? federalregister.gov. ar: . OPT UDPsize=1232 DO [COOKIE a8086401dd8eae30] (60)
15:10:13.107025 IP (tos 0x0, ttl 230, id 37446, offset 0, flags [DF], proto UDP (17), length 1134)
    162.140.15.100.53 > 172.30.42.109.58808: [udp sum ok] 32328*- q: DNSKEY? federalregister.gov. 5/0/1 federalregister.gov. DNSKEY, federalregister.gov. DNSKEY, federalregister.gov. DNSKEY, federalregister.gov. RRSIG, federalregister.gov. RRSIG ar: . OPT UDPsize=4096 DO (1106)
%

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
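The check Mark describes above (does each outgoing query carry DO=1, and does each reply still carry RRSIGs?) can be automated over the UDP payloads pulled out of a rotated capture. The following is an added example, not code from the thread or from ISC: a minimal DNS wire-format inspector that reads the EDNS OPT DO bit from a query and counts RRSIG records in the matching response, then labels the exchange as "signed", "unsigned" (DO was requested but no RRSIG came back) or "no-do" (the resolver stopped asking). The sample messages are constructed inline so it runs offline; the RRSIG rdata is placeholder bytes, and the names and IPs mirror the capture in the post.

```python
"""Inspect DNS query/response pairs for DO=1 and RRSIG presence (added example)."""
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
DO_BIT = 0x8000  # bit 15 of the OPT "flags" half of the TTL field (RFC 6891 6.1.4)


def encode_name(name):
    """Wire-encode a dotted name (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Return (name, offset after the name), following compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off, hops = ptr, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def inspect(msg):
    """Summarise one DNS message: id, QR flag, qname, DO bit, RRSIG count."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    info = {"id": ident, "qr": bool(flags & 0x8000), "qname": qname, "do": False, "rrsig": 0}
    for _ in range(an + ns + ar):
        _, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen  # skip rdata; we only need type and the OPT TTL field
        if rtype == TYPE_OPT:
            info["do"] = bool(ttl & DO_BIT)
        elif rtype == TYPE_RRSIG:
            info["rrsig"] += 1
    return info


def classify_exchange(query, response):
    """Label a query/response pair the way a validator would care about it."""
    q, r = inspect(query), inspect(response)
    if q["qr"] or not r["qr"] or q["id"] != r["id"]:
        raise ValueError("expected a query followed by its matching response")
    if not q["do"]:
        return "no-do"        # resolver stopped asking for DNSSEC data
    if r["rrsig"] == 0:
        return "unsigned"     # asked with DO=1, got back no signatures
    return "signed"


def build_message(ident, qname, response=False, answers=(), do=True):
    """Construct a minimal DNS message with one question and one OPT RR (test data)."""
    flags = 0x8400 if response else 0x0000  # QR+AA for a response
    hdr = struct.pack("!HHHHHH", ident, flags, 1, len(answers), 0, 1)
    body = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for rtype, rdata in answers:
        body += encode_name(qname) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, DO_BIT if do else 0, 0)
    return hdr + body + opt


# Constructed samples modelled on the capture in the thread (RRSIG rdata is placeholder bytes).
QNAME = "federalregister.gov."
A_RDATA = bytes([75, 2, 36, 59])
RRSIG_RDATA = struct.pack("!HBBIIIH", TYPE_A, 13, 2, 300, 0, 0, 12345) + b"\x00" * 64
DO_QUERY = build_message(1494, QNAME)
PLAIN_QUERY = build_message(1494, QNAME, do=False)
SIGNED_RESPONSE = build_message(1494, QNAME, True, [(TYPE_A, A_RDATA), (TYPE_RRSIG, RRSIG_RDATA)])
UNSIGNED_RESPONSE = build_message(1494, QNAME, True, [(TYPE_A, A_RDATA)])

if __name__ == "__main__":
    print("healthy:", classify_exchange(DO_QUERY, SIGNED_RESPONSE))
    print("server dropped sigs:", classify_exchange(DO_QUERY, UNSIGNED_RESPONSE))
    print("resolver dropped DO:", classify_exchange(PLAIN_QUERY, UNSIGNED_RESPONSE))
```

To use it on a real capture, feed `classify_exchange` the UDP payloads of each query and its reply (matched on source port and ID) from the pcap files the tcpdump command above rotates out; the first exchange that flips from "signed" to "unsigned" or "no-do" pinpoints the transition Mark is asking for. TCP fallback after truncation is not handled here and would need the two-byte length prefix stripped first.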