Tracking down validation failures

Mark Andrews marka at isc.org
Sun Jun 14 23:30:53 UTC 2009


In message <Prayer.1.3.1.0906132001200.29839 at hermes-2.csi.cam.ac.uk>, Chris Thompson writes:
> On Jun 12 20009, I wrote:
> 
> [...]
> >The debug level 2 messages, which correspond to SERVFAILs, are all
> >associated with "8.84.in-addr.arpa", and it does seem that something
> >is wrong with the (signed) delegation of that from "84.in-addr.arpa".
> >I can reproduce the SERVFAIL effect on other validating nameservers.
> 
> Just to expand on that a bit: the DS record in the parent zone correctly
> describes the KSK in the child zone, and the RRSIGs in 8.84.in-addr.arpa
> appear to be correct ... except that they all expired over 15 months ago!
> 
> -- 
> Chris Thompson
> Email: cet1 at cam.ac.uk

Which you can see if you add "+cd" to the query.

; <<>> DiG 9.3.6-P1 <<>> +dnssec 8.84.in-addr.arpa soa +cd
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22303
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;8.84.in-addr.arpa.		IN	SOA

;; ANSWER SECTION:
8.84.in-addr.arpa.	10750	IN	SOA	aons2.alwaysonvpn.net. techsupport.alwaysongroup.com. 2008020803 86400 7200 3600000 172800
8.84.in-addr.arpa.	10750	IN	RRSIG	SOA 5 4 10800 20080309140727 20080208140727 5526 8.84.in-addr.arpa. Lto5pkqGRLMB02ROqhR1gtxJa2MT6DD94S0umcFg7NqI/o1XuX9bSvtj 9XrG2Xoaz1bn3cLhWElj3QzfqUgZ2Fr/sD9r6STr5nf0BA6z7i3PKyZ/ I5oQX7pagEs6FF0fnx+vOD3TTjki2zwEPCylvH4Ije3u3w/+HT69WxvH HDE=

;; AUTHORITY SECTION:
8.84.in-addr.arpa.	172735	IN	NS	aons1.alwaysonvpn.net.
8.84.in-addr.arpa.	172735	IN	NS	aons2.alwaysonvpn.net.
8.84.in-addr.arpa.	172735	IN	NS	ns.ripe.net.
8.84.in-addr.arpa.	10750	IN	RRSIG	NS 5 4 10800 20080309140727 20080208140727 5526 8.84.in-addr.arpa. KWR7lDQ6RhdzapN92rRBTxTS+sgV79s6d4eedDs3qzT7bzIitNVW/9hq cfaGPtOj4u6+nl5RWFCV+pbsGivljikyt4mkCWsDI1m6V9sdLZY8Zwrb hfa9c2/bm2kjl5HnMMS9dqYlv0xYgoAuV50MJCc8J88TSEgegszF/V7B qM8=

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jun 15 09:25:44 2009
;; MSG SIZE  rcvd: 542

Or run "dig +trace +dnssec 130.40.8.84.in-addr.arpa ptr" as it talks to the
authoritative servers directly.

; <<>> DiG 9.3.6-P1 <<>> +trace +dnssec 130.40.8.84.in-addr.arpa ptr
;; global options:  printcmd
.			174475	IN	NS	b.root-servers.net.
.			174475	IN	NS	i.root-servers.net.
.			174475	IN	NS	e.root-servers.net.
.			174475	IN	NS	l.root-servers.net.
.			174475	IN	NS	h.root-servers.net.
.			174475	IN	NS	f.root-servers.net.
.			174475	IN	NS	k.root-servers.net.
.			174475	IN	NS	d.root-servers.net.
.			174475	IN	NS	g.root-servers.net.
.			174475	IN	NS	a.root-servers.net.
.			174475	IN	NS	j.root-servers.net.
.			174475	IN	NS	c.root-servers.net.
.			174475	IN	NS	m.root-servers.net.
;; Received 599 bytes from 127.0.0.1#53(127.0.0.1) in 3 ms

84.in-addr.arpa.	86400	IN	NS	SEC1.APNIC.NET.
84.in-addr.arpa.	86400	IN	NS	SEC3.APNIC.NET.
84.in-addr.arpa.	86400	IN	NS	SUNIC.SUNET.SE.
84.in-addr.arpa.	86400	IN	NS	NS-PRI.RIPE.NET.
84.in-addr.arpa.	86400	IN	NS	TINNIE.ARIN.NET.
84.in-addr.arpa.	86400	IN	NS	NS3.NIC.FR.
;; Received 204 bytes from 192.228.79.201#53(b.root-servers.net) in 166 ms

8.84.in-addr.arpa.	172800	IN	NS	ns.ripe.net.
8.84.in-addr.arpa.	172800	IN	NS	aons1.alwaysonvpn.net.
8.84.in-addr.arpa.	172800	IN	NS	aons2.alwaysonvpn.net.
8.84.in-addr.arpa.	172800	IN	DS	38131 5 1 CD1F73DC774814A06F96F8483524BFF696EC3573
8.84.in-addr.arpa.	172800	IN	RRSIG	DS 5 4 172800 20090714213622 20090614213622 14538 84.in-addr.arpa. g0Qt2S26GxtLbGW8XmtpxrGcZZg4uIyE/re0vVg6A5oa1fDb7xH8uI5t nL/u9YMtzDmk9bC8lQOKSlzAF5j9TsSDw9fzLXiKzXRKZRHVW977SLXm udHmFjsEu3qujc3I2BLxM/+o/EZtZkzRCkUq2mpxKA0nfPIt9SFMPi5w OW3cz6doNvFR7nxrkVcnN/54sREaKRNG
;; Received 363 bytes from 2001:dc0:2001:a:4608::59#53(SEC1.APNIC.NET) in 363 ms

40.8.84.in-addr.arpa.	10800	IN	NS	aons2.alwaysonvpn.net.
40.8.84.in-addr.arpa.	10800	IN	NS	aons1.alwaysonvpn.net.
40.8.84.in-addr.arpa.	172800	IN	NSEC	8.8.84.in-addr.arpa. NS RRSIG NSEC
40.8.84.in-addr.arpa.	172800	IN	RRSIG	NSEC 5 5 172800 20080309140727 20080208140727 5526 8.84.in-addr.arpa. HiktSvg8yLJfEhRSGIKSuFwU2GdjDbcOBobwXGv+3UPMsYj1YgLxg89t aUDtdGgH3TrV1yXun6HQSApirTQ4Fa7XY+yBQI14jQokW34+IjqDj2Tf fCJt0q3K/AjIeDMJfLoXh0r9pjJJWbx+eTwPOmb1bVnprNM3K/fIotdE Ivk=
;; Received 326 bytes from 2001:610:240:0:53::193#53(ns.ripe.net) in 325 ms

130.40.8.84.in-addr.arpa. 10800	IN	PTR	realinsurance.net.
40.8.84.in-addr.arpa.	10800	IN	NS	aons1.alwaysonvpn.net.
40.8.84.in-addr.arpa.	10800	IN	NS	aons2.alwaysonvpn.net.
;; Received 168 bytes from 84.8.2.11#53(aons2.alwaysonvpn.net) in 309 ms

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
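
Added example, not part of the original message: a small checker that reads dig-style output and reports which RRSIGs fall outside their validity window, which is the condition the "+cd" query above exposes. The sample records reuse the RRSIG fields shown in this post with the signature data replaced by a placeholder; the function names are hypothetical, and the timestamps are assumed to be in the YYYYMMDDHHmmSS form that dig prints.

```python
from datetime import datetime, timezone

# Constructed sample: RRSIG fields copied from the dig output in this post;
# the base64 signature data is replaced by a placeholder.
SAMPLE = """\
;; ANSWER SECTION:
8.84.in-addr.arpa. 10750 IN SOA aons2.alwaysonvpn.net. techsupport.alwaysongroup.com. 2008020803 86400 7200 3600000 172800
8.84.in-addr.arpa. 10750 IN RRSIG SOA 5 4 10800 20080309140727 20080208140727 5526 8.84.in-addr.arpa. PLACEHOLDER=
8.84.in-addr.arpa. 172800 IN RRSIG DS 5 4 172800 20090714213622 20090614213622 14538 84.in-addr.arpa. PLACEHOLDER=
"""

def _ts(field):
    # RRSIG times in presentation format are YYYYMMDDHHmmSS, UTC (RFC 4034).
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """Return one dict per RRSIG record in dig-style presentation output."""
    records = []
    for line in text.splitlines():
        f = line.split()
        # owner TTL class RRSIG covered alg labels origttl expire incept tag signer sig...
        if line.startswith(";") or len(f) < 12 or f[2] != "IN" or f[3] != "RRSIG":
            continue
        records.append({"owner": f[0], "covered": f[4], "expires": _ts(f[8]),
                        "inception": _ts(f[9]), "key_tag": int(f[10]), "signer": f[11]})
    return records

def check_validity(text, now):
    """Classify each RRSIG against `now`; report whole days past expiry."""
    report = []
    for r in parse_rrsigs(text):
        if now > r["expires"]:
            status, days = "expired", (now - r["expires"]).days
        elif now < r["inception"]:
            status, days = "not-yet-valid", 0
        else:
            status, days = "valid", 0
        report.append((r["owner"], r["covered"], r["signer"], status, days))
    return report

if __name__ == "__main__":
    when = datetime(2009, 6, 14, 23, 30, 53, tzinfo=timezone.utc)  # date of this post
    for row in check_validity(SAMPLE, when):
        print(row)
```

Feeding it the output of a "+cd +dnssec" query separates an expired child-zone signature from a parent-side DS signature that is still current, as in the trace above.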


