Resolving .gov w/dnssec
Timothe Litt
litt at acm.org
Thu Apr 22 12:06:03 UTC 2010
I'm having trouble resolving uspto.gov with bind 9.6.1-P3 and 9.6-ESV
configured as validating resolvers.
Using dig, I get a connection timeout error after a long (~10 sec) delay.
+cdflag provides an immediate response.
state.gov does not get this error. Note that it uses different nameservers
than uspto.
Resolving uspto.gov using comcast's resolver (75.75.75.75) does not get this
error.
Is anyone else seeing this? Ideas on how to troubleshoot?
Here are details (using the -ESV server).
Subset named.conf:
options {
    listen-on { 192.168.148.4; 192.168.148.5; };
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside . trust-anchor dlv.isc.org.;
    sig-validity-interval 8 2;
};
trusted-keys {
    dlv.isc.org. 257 3 5
    "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
    brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
    1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
    ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
    Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
    QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
};
Examples:
; <<>> DiG 9.6-ESV <<>> @192.168.148.4 state.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35438
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 0
;; QUESTION SECTION:
;state.gov. IN A
;; ANSWER SECTION:
state.gov. 60 IN A 72.166.186.160
;; AUTHORITY SECTION:
state.gov. 299 IN NS Ns1.terrenap.net.
state.gov. 299 IN NS Ns3.yipes.com.
state.gov. 299 IN NS Ns1.yipes.com.
state.gov. 299 IN NS Ns2.terrenap.net.
state.gov. 299 IN NS Ns2.yipes.com.
;; Query time: 441 msec
;; SERVER: 192.168.148.4#53(192.168.148.4)
;; WHEN: Thu Apr 22 07:37:46 2010
;; MSG SIZE rcvd: 154
dig @192.168.148.4 uspto.gov
; <<>> DiG 9.6-ESV <<>> @192.168.148.4 uspto.gov
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
dig @192.168.148.4 +cdflag uspto.gov
; <<>> DiG 9.6-ESV <<>> @192.168.148.4 +cdflag uspto.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18584
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;uspto.gov. IN A
;; ANSWER SECTION:
uspto.gov. 7200 IN A 151.207.247.130
uspto.gov. 7200 IN A 151.207.243.129
;; AUTHORITY SECTION:
uspto.gov. 78721 IN NS DNS2.uspto.gov.
uspto.gov. 78721 IN NS DNS1.uspto.gov.
;; Query time: 27 msec
;; SERVER: 192.168.148.4#53(192.168.148.4)
;; WHEN: Thu Apr 22 07:40:27 2010
;; MSG SIZE rcvd: 97
dig +dnssec @192.168.148.4 dlv.isc.org
; <<>> DiG 9.6-ESV <<>> +dnssec @192.168.148.4 dlv.isc.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43521
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dlv.isc.org. IN A
;; ANSWER SECTION:
dlv.isc.org. 300 IN A 149.20.16.8
dlv.isc.org. 300 IN RRSIG A 5 3 300 20100522083002
20100422083002 64263 dlv.isc.org.
MG9aDOgjqEMA3QcUQDDUac/YcHki0bPnXre6iyehi2jY3swg/zp3IOb4
Wf5cFQfIxQIf2n9EAw7tkBxhFZ2alDMEkotEVTPF13SYc+PP8EhV7vEF
OZc1snFat7R0YeeATpkZD5xaeYzkLZS1coiSJGiqCYrNoWDKi/DoP9TB RFo=
;; AUTHORITY SECTION:
dlv.isc.org. 2696 IN NS dlv.ord.sns-pb.isc.org.
dlv.isc.org. 2696 IN NS dlv.ams.sns-pb.isc.org.
dlv.isc.org. 2696 IN NS ns2.isc.ultradns.net.
dlv.isc.org. 2696 IN NS dlv.sfba.sns-pb.isc.org.
dlv.isc.org. 2696 IN NS ns1.isc.ultradns.net.
dlv.isc.org. 2696 IN NS ns.isc.afilias-nst.info.
dlv.isc.org. 2696 IN RRSIG NS 5 3 3600 20100522083002
20100422083002 64263 dlv.isc.org.
Ae2XBq3ibOKvx36NfB5ghOnHOH5XG1XFzVC/4ZCyu7lwxxh1RlVrMLcU
UHboYzBqdc/4bQ7SlELBSi34IN8BPm0tDpNmGmafXHj8ZqdojJxyLc07
Q9Hx15IJRkOcqKSmLAZq5VzfJDV9VeaPp6Xt4uVVpV1huzNwdzongjkB F0s=
;; Query time: 16 msec
;; SERVER: 192.168.148.4#53(192.168.148.4)
;; WHEN: Thu Apr 22 07:52:49 2010
;; MSG SIZE rcvd: 561
Dnssec logging for uspto.gov lookup:
22-Apr-2010 08:00:09.497 dnssec: debug 3: validating @0x8550e58: uspto.gov A: starting
22-Apr-2010 08:00:09.497 dnssec: debug 3: validating @0x8550e58: uspto.gov A: looking for DLV
22-Apr-2010 08:00:09.497 dnssec: debug 3: validating @0x8550e58: uspto.gov A: plain DNSSEC returns unsecure (.): looking for DLV
22-Apr-2010 08:00:09.497 dnssec: debug 3: validating @0x8550e58: uspto.gov A: looking for DLV uspto.gov.dlv.isc.org
22-Apr-2010 08:00:09.497 dnssec: debug 3: validating @0x8550e58: uspto.gov A: DNS_R_COVERINGNSEC
22-Apr-2010 08:00:09.498 dnssec: debug 3: validating @0x8550e58: uspto.gov A: covering nsec found: 'uspto.gov.dlv.isc.org' 'gov.dlv.isc.org' 'la.gs.dlv.isc.org'
22-Apr-2010 08:00:09.498 dnssec: debug 3: validating @0x8550e58: uspto.gov A: looking for DLV gov.dlv.isc.org
22-Apr-2010 08:00:09.498 dnssec: debug 3: validating @0x8550e58: uspto.gov A: DLV gov found
22-Apr-2010 08:00:09.498 dnssec: debug 3: validating @0x8550e58: uspto.gov A: dlv_validator_start
22-Apr-2010 08:00:09.498 dnssec: debug 3: validating @0x8550e58: uspto.gov A: restarting using DLV
22-Apr-2010 08:00:09.498 dnssec: debug 3: validating @0x8550e58: uspto.gov A: attempting positive response validation
22-Apr-2010 08:00:09.498 dnssec: debug 9: validating @0x8550e58: uspto.gov A: get_key: creating fetch for uspto.gov DNSKEY
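An added example, not part of the original post: a small Python parser for BIND's dnssec-category debug lines of the kind shown above. It groups the lines by validator address and records whether the validation fell back to DLV, which DLV anchor it found, and whether the trace ends on an outstanding fetch (here the uspto.gov DNSKEY fetch, after which nothing is logged before dig times out). The sample log is constructed from the post's lines, and the message patterns matched are only the ones that appear in the post.

```python
import re
# Constructed sample: the post's dnssec-category debug lines, each record unwrapped onto one line.
SAMPLE_LOG = """\
22-Apr-2010 08:00:09.497 dnssec: debug 3: validating @0x8550e58: uspto.gov A: starting
22-Apr-2010 08:00:09.497 dnssec: debug 3: validating @0x8550e58: uspto.gov A: looking for DLV
22-Apr-2010 08:00:09.497 dnssec: debug 3: validating @0x8550e58: uspto.gov A: plain DNSSEC returns unsecure (.): looking for DLV
22-Apr-2010 08:00:09.497 dnssec: debug 3: validating @0x8550e58: uspto.gov A: looking for DLV uspto.gov.dlv.isc.org
22-Apr-2010 08:00:09.497 dnssec: debug 3: validating @0x8550e58: uspto.gov A: DNS_R_COVERINGNSEC
22-Apr-2010 08:00:09.498 dnssec: debug 3: validating @0x8550e58: uspto.gov A: covering nsec found: 'uspto.gov.dlv.isc.org' 'gov.dlv.isc.org' 'la.gs.dlv.isc.org'
22-Apr-2010 08:00:09.498 dnssec: debug 3: validating @0x8550e58: uspto.gov A: looking for DLV gov.dlv.isc.org
22-Apr-2010 08:00:09.498 dnssec: debug 3: validating @0x8550e58: uspto.gov A: DLV gov found
22-Apr-2010 08:00:09.498 dnssec: debug 3: validating @0x8550e58: uspto.gov A: dlv_validator_start
22-Apr-2010 08:00:09.498 dnssec: debug 3: validating @0x8550e58: uspto.gov A: restarting using DLV
22-Apr-2010 08:00:09.498 dnssec: debug 3: validating @0x8550e58: uspto.gov A: attempting positive response validation
22-Apr-2010 08:00:09.498 dnssec: debug 9: validating @0x8550e58: uspto.gov A: get_key: creating fetch for uspto.gov DNSKEY
"""
# One validator line: timestamp, level, validator address, qname, qtype, free-text message.
LINE_RE = re.compile(r"^\S+ \S+ dnssec: debug \d+: validating @(?P<vid>0x[0-9a-f]+): "
                     r"(?P<qname>\S+) (?P<qtype>\S+): (?P<msg>.*)$")
FETCH_RE = re.compile(r"creating fetch for (?P<target>.+)$")  # validator went to the network
DLV_RE = re.compile(r"^DLV (?P<label>\S+) found$")             # lookaside anchor located

def summarize(log_text):
    """Group validator lines by validator address and record how far each one got."""
    vals = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a validator line (other categories, wrapped continuations)
        v = vals.setdefault(m["vid"], {"qname": m["qname"], "qtype": m["qtype"], "steps": 0,
                                       "fell_back_to_dlv": False, "dlv_anchor": None,
                                       "pending_fetch": None, "last_msg": None})
        msg = m["msg"]
        v["steps"] += 1
        v["last_msg"] = msg
        v["pending_fetch"] = None  # a further line from this validator means it moved past any fetch
        if msg.startswith("plain DNSSEC returns unsecure"):
            v["fell_back_to_dlv"] = True  # no chain of trust from the configured anchors; trying DLV
        d = DLV_RE.match(msg)
        if d:
            v["dlv_anchor"] = d["label"]
        f = FETCH_RE.search(msg)
        if f:
            v["pending_fetch"] = f["target"]
    return vals

def stalled_validators(vals):
    """Validators whose last recorded action is an outstanding fetch: the trace stops mid-validation."""
    return {vid: v for vid, v in vals.items() if v["pending_fetch"]}
```

Run it over a full named log (category dnssec at debug level 3 or higher) and any validator left in the stalled set shows which key or DS fetch the resolver was waiting on when the client gave up.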
---------------------------------------------------------
This communication may not represent my employer's views,
if any, on the matters discussed.