[DNSSEC] SERVFAIL when resolving ".gov" through DLV
Stephane Bortzmeyer
bortzmeyer at nic.fr
Tue May 5 18:34:29 UTC 2009
I get a SERVFAIL when trying to resolve ".gov":
% dig +dnssec @127.0.0.1 SOA gov.
; <<>> DiG 9.5.1-P1 <<>> +dnssec @127.0.0.1 SOA gov.
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54920
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;gov. IN SOA
;; Query time: 784 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 5 20:31:54 2009
;; MSG SIZE rcvd: 32
This is a BIND 9.5.1-P1, Debian package. It is configured to use ISC's
DLV:
dnssec-enable yes;
dnssec-lookaside . trust-anchor dlv.isc.org.;
Other signed TLDs such as ".cz" or ".pr" create no problems.
With Unbound, which also uses the same DLV, things seem to work so I
suspect a BIND bug. Restarting the name server does not seem to help.
Here is the log:
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: starting
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: looking for DLV
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: plain DNSSEC returns unsecure (.): looking for DLV
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: looking for DLV gov.dlv.isc.org
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: DLV gov found
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: dlv_validator_start
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: restarting using DLV
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: attempting positive response validation
05-May-2009 20:29:50.425 dnssec: info: validating @0x7ff090d763d0: gov SOA: no valid signature found
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: falling back to insecurity proof
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: insecurity proof failed
05-May-2009 20:29:50.425 dnssec: debug 3: validator @0x7ff090d763d0: dns_validator_destroy
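
Added example, not part of the original post and not BIND code: a small triage script that groups "dnssec" category log lines by validator context and flags the pattern seen above, where a DLV restart is followed by "no valid signature found" and "insecurity proof failed". The function names and verdict labels are assumptions made for this illustration; the sample lines are copied from the log in the post.

```python
import re

# Sample input: lines copied verbatim from the log in the post above.
SAMPLE = """\
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: plain DNSSEC returns unsecure (.): looking for DLV
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: looking for DLV gov.dlv.isc.org
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: restarting using DLV
05-May-2009 20:29:50.425 dnssec: info: validating @0x7ff090d763d0: gov SOA: no valid signature found
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: falling back to insecurity proof
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: insecurity proof failed
05-May-2009 20:29:50.425 dnssec: debug 3: validator @0x7ff090d763d0: dns_validator_destroy
""".splitlines()

# timestamp, category, severity, validator pointer, owner name, type, message
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) dnssec: (?P<sev>debug \d+|info|notice|warning|error): "
    r"validating @(?P<ctx>0x[0-9a-f]+): (?P<name>\S+) (?P<rtype>\S+): (?P<msg>.*)$"
)
DLV_RE = re.compile(r"^looking for DLV (\S+)$")

def parse(lines):
    """Group validator messages by (context pointer, owner name, record type)."""
    runs = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # lines without a name/type (e.g. dns_validator_destroy) are skipped
            runs.setdefault((m["ctx"], m["name"], m["rtype"]), []).append(m["msg"])
    return runs

def classify(msgs):
    """Summarise one validation run: DLV use, DLV name queried, coarse verdict."""
    dlv_names = [d.group(1) for d in map(DLV_RE.match, msgs) if d]
    no_sig = "no valid signature found" in msgs
    proof_failed = "insecurity proof failed" in msgs
    # No valid RRSIG and no proof of insecurity: the validator cannot accept
    # the answer either as secure or as insecure, so the client gets SERVFAIL.
    verdict = "validation-failed" if no_sig and proof_failed else "undetermined"
    return {
        "used_dlv": "restarting using DLV" in msgs,
        "dlv_name": dlv_names[-1] if dlv_names else None,
        "verdict": verdict,
    }

if __name__ == "__main__":
    for (ctx, name, rtype), msgs in parse(SAMPLE).items():
        print(ctx, name, rtype, classify(msgs))
```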