DNSSEC error resolving gpo.gov ?
Mark Andrews
marka at isc.org
Wed Mar 15 22:00:18 UTC 2023
> On 15 Mar 2023, at 16:49, Mark Andrews <marka at isc.org> wrote:
>
>
>
>> On 15 Mar 2023, at 15:42, Tim Maestas <tmaestas95 at gmail.com> wrote:
>>
>> Named should be sending queries with DO=1 and it should be getting back signed responses. I suspect that you will need to run packet captures of the traffic to and from 162.140.15.100 and 162.140.254.200 port 53 from the nameserver. Either signed responses will cease or DNSSEC requests will cease. In either case having the traffic around the transition should help to determine what is happening.
>>
>> I've found that, after a fresh restart of named, if I query for "federalregister.gov A" I get a good AD response, and then subsequent queries for "www.federalregister.gov" are successful as well. If however after a restart of named I begin with a query for www.federalregister.gov A then I get servfail, and subsequent queries for federealregister.gov servfail as well. Here is the tcpdump from the 2nd (failed) case of an initial query for www.federalregister.gov:
>>
>>
>> reading from file dns.cap, link-type EN10MB (Ethernet), snapshot length 262144
>> 04:30:01.114458 IP (tos 0x0, ttl 64, id 35832, offset 0, flags [none], proto UDP (17), length 92)
>> 10.0.0.159.43263 > 162.140.254.200.53: [udp sum ok] 15013 [1au] A? www.federalregister.gov. ar: . OPT UDPsize=512 DO [COOKIE 352538a87bde87a5] (64)
>> 04:30:01.204863 IP (tos 0x0, ttl 229, id 4936, offset 0, flags [DF], proto UDP (17), length 80)
>> 162.140.254.200.53 > 10.0.0.159.43263: [udp sum ok] 15013*-| q: A? www.federalregister.gov. 3/0/1 . OPT UDPsize=4096 DO [|domain]
>
> This is a malformed DNS response. It looks like the server tried to send a truncated response with an OPT record but failed to correctly update the answer count field to zero.
>
> % dig www.federalregister.gov @162.140.15.100 +dnssec +bufsize=512 +ignore +qr +norec
>
> ; <<>> DiG 9.19.11-dev <<>> www. @162.140.15.100 +dnssec +bufsize=512 +ignore +qr +norec
> ;; global options: +cmd
> ;; Sending:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57919
> ;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ; COOKIE: 4a67cc813cfe03eb
> ;; QUESTION SECTION:
> ;www.federalregister.gov. IN A
>
> ;; QUERY SIZE: 64
>
> ;; Warning: Message parser reports malformed message packet.
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57919
> ;; flags: qr aa tc; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;www.federalregister.gov. IN A
>
> ;; ANSWER SECTION:
> . 32768 CLASS4096 OPT
> ;; Query time: 271 msec
> ;; SERVER: 162.140.15.100#53(162.140.15.100) (UDP)
> ;; WHEN: Wed Mar 15 16:30:22 AEDT 2023
> ;; MSG SIZE rcvd: 52
What I should have said about this is that this tells named that the server DOES NOT SUPPORT EDNS and hence DNSSEC as there is no OPT record in the ADDITIONAL section in a response where the port, query id and question match the request.
Now I have reported this via the web site but whether they take it seriously or not only time will tell. It’s very hit and miss trying to report broken DNS servers. The automated response is below.
Mark
Your request (42885) has been received and is being reviewed by our support staff.
Thank you for contacting the Office of the Federal Register (OFR).
The OFR publishes on behalf of more than 300 Federal entities and can only accept documents from Federal agencies. We have no involvement with, or control over, their policies or programs. The OFR is responsible for the accuracy of the content of the Federal Register and CFR, which must reflect what the agency submitted for publication in the Federal Register. Federal regulations do not permit OFR staff to provide assistance for requests asking the OFR to:
- evaluate or interpret material published in the Federal Register;
- provide legal analysis of material published in the Federal Register;
- explain or provide compliance guidance of material published in the Federal Register.
In addition, we are not permitted to perform research or make detailed suggestions to locate material published on specific topics. We will not respond to those emails.
If you have a question about our office or one of our publications, we will respond within 10 business days. Otherwise, use the information below to find an appropriate contact.
1. For problems with ecfr.gov:
- use this help system
- to correct a content error that was incorrect in the Federal Register rule, contact the agency that maintains the regulations
2. To find regulations or requirements or material on specific topics:
- use the terms you have included in this message in the search feature at https://www.ecfr.gov/search, to search across all CFR titles,
- use the terms you have included in this message in the search features at https://www.federalregister.gov, or
- search the U.S. Government’s official web portal, https://www.usa.gov <https://www.usa.gov/>
3. To ask questions about an agency document:
- contact the issuing agency. To find contact information:
- search the agency's regulations (using the search feature at https://www.ecfr.gov/search)
- look in either ADDRESSES or FOR FURTHER INFORMATION CONTACT sections of the relevant Federal Register document
- visit the agency’s website to find contact information
- search the U.S. Government’s official web portal, https://www.usa.gov <https://www.usa.gov/>
4. For help with research, visit a local Federal Depository Library (https://www.fdlp.gov/about-the-fdlp/federal-depository-libraries).
ecfr.gov does not link to outside interests and we do not accept or respond to solicitations.
———
Mark Andrews
Mar 15, 2023, 1:47 AM EDT
Your DNS servers are sending malformed DNS responses. The server attempted to send a truncated DNS response but the answer count was NOT set to zero in the DNS header causing the OPT record to appear in the answer section rather that the additional section. You will need to contact your DNS vendor for a fix. This is causing DNS resolution failures in some circumstances.
% dig www.federalregister.gov @162.140.15.100 +dnssec +bufsize=512 +ignore +qr +norec
; <<>> DiG 9.19.11-dev <<>> www.federalregister.gov @162.140.15.100 +dnssec +bufsize=512 +ignore +qr +norec
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57844
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
; COOKIE: ba894ad3a75d0394
;; QUESTION SECTION:
;www.federalregister.gov. IN A
;; QUERY SIZE: 64
;; Warning: Message parser reports malformed message packet.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57844
;; flags: qr aa tc; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;www.federalregister.gov. IN A
;; ANSWER SECTION:
. 32768 CLASS4096 OPT
;; Query time: 329 msec
;; SERVER: 162.140.15.100#53(162.140.15.100) (UDP)
;; WHEN: Wed Mar 15 16:41:53 AEDT 2023
;; MSG SIZE rcvd: 52
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list