DNSSEC Validating Resolver and Views

Mark Andrews marka at isc.org
Tue Mar 16 22:03:23 UTC 2010


In message <slrnhpummo.2ter.john at rwpc12.mby.riverwillow.net.au>, John Marshall 
writes:
> On Tue, 16 Mar 2010 08:14:40 +0000 (UTC), John Marshall wrote:
> >
> > Client: 192.168.25.71 is querying the PTR record for its own address.
> > Server: 172.25.24.16 is querying itself for the DS record for the
> > 	parent of the zone which the client is querying (Why?).
> >         There is no DS record in that zone.  Neither the child nor the
> >         parent zone is signed.
> >
> > 16-Mar-2010 18:15:34.761 query-errors: debug 1: client 172.25.24.16#62578: view internal: query failed (SERVFAIL) for 168.192.in-addr.arpa/IN/DS at query.c:4631
> > 16-Mar-2010 18:15:34.761 query-errors: debug 2: fetch completed at resolver.c:6117 for 168.192.in-addr.arpa/DS in 1.358282: SERVFAIL/success [domain:168.192.in-addr.arpa,referral:0,restart:1,qrysent:1,timeout:0,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]
> > 16-Mar-2010 18:15:34.761 query-errors: debug 1: client 192.168.25.71#43718: view guest: query failed (SERVFAIL) for 71.25.168.192.in-addr.arpa/IN/PTR at query.c:4631
> > 16-Mar-2010 18:15:34.762 query-errors: debug 2: fetch completed at resolver.c:3023 for 71.25.168.192.in-addr.arpa/PTR in 2.342775: failure/no valid DS [domain:25.168.192.in-addr.arpa,referral:0,restart:2,qrysent:1,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:1]
> 
> I should have checked syslog before posting.  It shows this going on at
> the same time...
> 
> Mar 16 18:15:33 rwsrv03 named[679]: error (chase DS servers) resolving '168.192.in-addr.arpa/DS/IN': 172.25.24.17#53
> Mar 16 18:15:33 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-addr.arpa/NS/IN': 204.61.216.50#53
> Mar 16 18:15:33 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-addr.arpa/NS/IN': 192.35.51.32#53
> Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-addr.arpa/NS/IN': 199.212.0.63#53
> Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-addr.arpa/NS/IN': 199.71.0.63#53
> Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-addr.arpa/NS/IN': 192.42.93.32#53
> Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-addr.arpa/NS/IN': 63.243.194.2#53
> Mar 16 18:15:34 rwsrv03 named[679]: error (no valid RRSIG) resolving '192.in-addr.arpa/NS/IN': 72.52.71.2#53
> Mar 16 18:15:34 rwsrv03 named[679]: error (no valid DS) resolving '71.25.168.192.in-addr.arpa/PTR/IN': 172.25.24.16#53
> 
> I don't understand this.  If the client needs an answer from
> 25.168.192.in-addr.arpa. and we are hosting that zone and its parent
> zone (both unsigned, both in our internal view), why are we looking
> higher for DS records?

Because you have a trust anchor configured at or above the query name and
the validator needs to see a DS or a non-existence proof (NSEC/NSEC3) for the
DS, which indicates a secure-to-insecure transition.

Are your trust anchors up to date?

Mark
 
> If I grant the guest clients access to the internal view, all is well.
> Things seem to go wobbly, unless checking is disabled, when we forward
> the guest view queries to the internal view.
> 
> -- 
> John Marshall
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
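The chain walk Mark describes, as an added illustration that is not part of the thread and not BIND's code: a simplified model of a validator descending from the trust anchor to the query name, asking for DS at each cut, and ending up "insecure" only when the parent returns a signed denial. The zone data is constructed; the real in-addr.arpa tree is not represented.

```python
"""Simplified model of a DNSSEC validator's DS chain walk.

From the trust anchor down to the query name, the parent of each zone
cut is asked for the child's DS.  A signed DS keeps the chain secure, a
signed NSEC/NSEC3 denial proves a secure-to-insecure transition, and
anything else (SERVFAIL, unsigned answer, no proof) is "no valid DS".
All zone data below is constructed for illustration.
"""

DS_SIGNED = "signed DS RRset"
DS_DENIED = "signed NSEC/NSEC3 denial of DS"
DS_FAILED = "no usable answer (SERVFAIL / unsigned / no proof)"
DS_NO_CUT = "name is not a zone cut"

# Constructed parent-side DS answers, keyed by child zone name.
GOOD_TREE = {
    "arpa.": DS_SIGNED,
    "in-addr.arpa.": DS_SIGNED,
    "192.in-addr.arpa.": DS_SIGNED,
    "168.192.in-addr.arpa.": DS_DENIED,  # parent proves the child is unsigned
}
# Same tree, but the 168.192.in-addr.arpa/DS query fails, as in the
# query-errors log above: nothing proves the child is legitimately unsigned.
BROKEN_TREE = {**GOOD_TREE, "168.192.in-addr.arpa.": DS_FAILED}


def lookup_in(tree):
    """Return a DS-lookup function that answers from a constructed tree."""
    return lambda name: tree.get(name, DS_NO_CUT)


def names_below(anchor, qname):
    """Every name from just under `anchor` down to `qname`, inclusive."""
    labels = qname.rstrip(".").split(".")
    depth = 0 if anchor == "." else len(anchor.rstrip(".").split("."))
    return [".".join(labels[-k:]) + "." for k in range(depth + 1, len(labels) + 1)]


def validate_chain(qname, anchor, ds_lookup):
    """Return 'secure', 'insecure', 'bogus' or 'indeterminate' for qname."""
    if anchor != "." and qname != anchor and not qname.endswith("." + anchor):
        return "indeterminate"           # no trust anchor at or above qname
    for cut in names_below(anchor, qname):
        answer = ds_lookup(cut)
        if answer in (DS_NO_CUT, DS_SIGNED):
            continue                     # still inside the signed chain
        if answer == DS_DENIED:
            return "insecure"            # authenticated secure-to-insecure transition
        return "bogus"                   # "no valid DS": neither DS nor denial
    return "secure"
```

With the trust anchor at the root, the PTR name validates as insecure against GOOD_TREE but bogus against BROKEN_TREE; with no anchor at or above the name, no validation is attempted at all.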