Tracking down validation failures
Mark Andrews
marka at isc.org
Sun Jun 14 23:30:53 UTC 2009
In message <Prayer.1.3.1.0906132001200.29839 at hermes-2.csi.cam.ac.uk>, Chris Thompson writes:
> On Jun 12 2009, I wrote:
>
> [...]
> >The debug level 2 messages, which correspond to SERVFAILs, are all
> >associated with "8.84.in-addr.arpa", and it does seem that something
> >is wrong with the (signed) delegation of that from "84.in-addr.arpa".
> >I can reproduce the SERVFAIL effect on other validating nameservers.
>
> Just to expand on that a bit: the DS record in the parent zone correctly
> describes the KSK in the child zone, and the RRSIGs in 8.84.in-addr.arpa
> appear to be correct ... except that they all expired over 15 months ago!
>
> --
> Chris Thompson
> Email: cet1 at cam.ac.uk
Which you can see if you add "+cd" to the query.
; <<>> DiG 9.3.6-P1 <<>> +dnssec 8.84.in-addr.arpa soa +cd
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22303
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;8.84.in-addr.arpa. IN SOA
;; ANSWER SECTION:
8.84.in-addr.arpa. 10750 IN SOA aons2.alwaysonvpn.net. techsupport.alwaysongroup.com. 2008020803 86400 7200 3600000 172800
8.84.in-addr.arpa. 10750 IN RRSIG SOA 5 4 10800 20080309140727 20080208140727 5526 8.84.in-addr.arpa. Lto5pkqGRLMB02ROqhR1gtxJa2MT6DD94S0umcFg7NqI/o1XuX9bSvtj 9XrG2Xoaz1bn3cLhWElj3QzfqUgZ2Fr/sD9r6STr5nf0BA6z7i3PKyZ/ I5oQX7pagEs6FF0fnx+vOD3TTjki2zwEPCylvH4Ije3u3w/+HT69WxvH HDE=
;; AUTHORITY SECTION:
8.84.in-addr.arpa. 172735 IN NS aons1.alwaysonvpn.net.
8.84.in-addr.arpa. 172735 IN NS aons2.alwaysonvpn.net.
8.84.in-addr.arpa. 172735 IN NS ns.ripe.net.
8.84.in-addr.arpa. 10750 IN RRSIG NS 5 4 10800 20080309140727 20080208140727 5526 8.84.in-addr.arpa. KWR7lDQ6RhdzapN92rRBTxTS+sgV79s6d4eedDs3qzT7bzIitNVW/9hq cfaGPtOj4u6+nl5RWFCV+pbsGivljikyt4mkCWsDI1m6V9sdLZY8Zwrb hfa9c2/bm2kjl5HnMMS9dqYlv0xYgoAuV50MJCc8J88TSEgegszF/V7B qM8=
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jun 15 09:25:44 2009
;; MSG SIZE rcvd: 542
Or run "dig +trace +dnssec 130.40.8.84.in-addr.arpa ptr" as it talks to the
authoritative servers directly.
; <<>> DiG 9.3.6-P1 <<>> +trace +dnssec 130.40.8.84.in-addr.arpa ptr
;; global options: printcmd
. 174475 IN NS b.root-servers.net.
. 174475 IN NS i.root-servers.net.
. 174475 IN NS e.root-servers.net.
. 174475 IN NS l.root-servers.net.
. 174475 IN NS h.root-servers.net.
. 174475 IN NS f.root-servers.net.
. 174475 IN NS k.root-servers.net.
. 174475 IN NS d.root-servers.net.
. 174475 IN NS g.root-servers.net.
. 174475 IN NS a.root-servers.net.
. 174475 IN NS j.root-servers.net.
. 174475 IN NS c.root-servers.net.
. 174475 IN NS m.root-servers.net.
;; Received 599 bytes from 127.0.0.1#53(127.0.0.1) in 3 ms
84.in-addr.arpa. 86400 IN NS SEC1.APNIC.NET.
84.in-addr.arpa. 86400 IN NS SEC3.APNIC.NET.
84.in-addr.arpa. 86400 IN NS SUNIC.SUNET.SE.
84.in-addr.arpa. 86400 IN NS NS-PRI.RIPE.NET.
84.in-addr.arpa. 86400 IN NS TINNIE.ARIN.NET.
84.in-addr.arpa. 86400 IN NS NS3.NIC.FR.
;; Received 204 bytes from 192.228.79.201#53(b.root-servers.net) in 166 ms
8.84.in-addr.arpa. 172800 IN NS ns.ripe.net.
8.84.in-addr.arpa. 172800 IN NS aons1.alwaysonvpn.net.
8.84.in-addr.arpa. 172800 IN NS aons2.alwaysonvpn.net.
8.84.in-addr.arpa. 172800 IN DS 38131 5 1 CD1F73DC774814A06F96F8483524BFF696EC3573
8.84.in-addr.arpa. 172800 IN RRSIG DS 5 4 172800 20090714213622 20090614213622 14538 84.in-addr.arpa. g0Qt2S26GxtLbGW8XmtpxrGcZZg4uIyE/re0vVg6A5oa1fDb7xH8uI5t nL/u9YMtzDmk9bC8lQOKSlzAF5j9TsSDw9fzLXiKzXRKZRHVW977SLXm udHmFjsEu3qujc3I2BLxM/+o/EZtZkzRCkUq2mpxKA0nfPIt9SFMPi5w OW3cz6doNvFR7nxrkVcnN/54sREaKRNG
;; Received 363 bytes from 2001:dc0:2001:a:4608::59#53(SEC1.APNIC.NET) in 363 ms
40.8.84.in-addr.arpa. 10800 IN NS aons2.alwaysonvpn.net.
40.8.84.in-addr.arpa. 10800 IN NS aons1.alwaysonvpn.net.
40.8.84.in-addr.arpa. 172800 IN NSEC 8.8.84.in-addr.arpa. NS RRSIG NSEC
40.8.84.in-addr.arpa. 172800 IN RRSIG NSEC 5 5 172800 20080309140727 20080208140727 5526 8.84.in-addr.arpa. HiktSvg8yLJfEhRSGIKSuFwU2GdjDbcOBobwXGv+3UPMsYj1YgLxg89t aUDtdGgH3TrV1yXun6HQSApirTQ4Fa7XY+yBQI14jQokW34+IjqDj2Tf fCJt0q3K/AjIeDMJfLoXh0r9pjJJWbx+eTwPOmb1bVnprNM3K/fIotdE Ivk=
;; Received 326 bytes from 2001:610:240:0:53::193#53(ns.ripe.net) in 325 ms
130.40.8.84.in-addr.arpa. 10800 IN PTR realinsurance.net.
40.8.84.in-addr.arpa. 10800 IN NS aons1.alwaysonvpn.net.
40.8.84.in-addr.arpa. 10800 IN NS aons2.alwaysonvpn.net.
;; Received 168 bytes from 84.8.2.11#53(aons2.alwaysonvpn.net) in 309 ms
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
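
The check discussed in this thread (RRSIG validity windows read out of "dig +dnssec +cd" or "dig +trace +dnssec" output) can be automated. The following is an added example, not part of the original message or of BIND; the function names are hypothetical, and the sample lines are constructed from the RRSIG fields shown above with the base64 signature replaced by a placeholder.

```python
import re
from datetime import datetime, timezone

# Constructed sample: owner, type covered, expiration, inception, key tag and
# signer are copied from the dig output in the message; the signature field is
# a placeholder, since only the timestamps are inspected here.
SAMPLE = """\
;; ANSWER SECTION:
8.84.in-addr.arpa. 10750 IN RRSIG SOA 5 4 10800 20080309140727 20080208140727 5526 8.84.in-addr.arpa. c2lnbmF0dXJl
8.84.in-addr.arpa. 172800 IN RRSIG DS 5 4 172800 20090714213622 20090614213622 14538 84.in-addr.arpa. c2lnbmF0dXJl
"""

# RRSIG presentation format (RFC 4034): type covered, algorithm, labels,
# original TTL, expiration, inception, key tag, signer name, signature.
RRSIG = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+(?P<tag>\d+)\s+(?P<signer>\S+)",
    re.MULTILINE,
)

def parse_ts(text):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_rrsigs(dig_output, now):
    """Return (owner, covered, signer, status, days) for each RRSIG line.

    days is the time since expiry, until inception, or left before expiry,
    depending on status.
    """
    results = []
    for m in RRSIG.finditer(dig_output):
        expire, incept = parse_ts(m["expire"]), parse_ts(m["incept"])
        if now > expire:
            status, days = "expired", (now - expire).days
        elif now < incept:
            status, days = "not-yet-valid", (incept - now).days
        else:
            status, days = "valid", (expire - now).days
        results.append((m["owner"], m["covered"], m["signer"], status, days))
    return results

if __name__ == "__main__":
    # Evaluate against the date of the message rather than the wall clock.
    when = datetime(2009, 6, 14, 23, 30, 53, tzinfo=timezone.utc)
    for row in check_rrsigs(SAMPLE, when):
        print("%s RRSIG(%s) signed by %s: %s (%d days)" % row)
```

Against the message date, the child zone's SOA signature is reported as expired while the parent's signature over the DS record is still inside its window, which is the mismatch described in the thread.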