Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

Roy Badami roy at gnomon.org.uk
Mon Mar 29 17:27:40 UTC 2010


> > Yes, I agree freebsd.org is insecure, but I still want to be able to
> > resolve it :-)
> 
> The point was, you should not be getting DNSSEC-related errors from
> a domain that is not secured.

I disagree.  In order for a validating resolver to resolve freebsd.org
(or any other insecure domain under .org) BIND still needs to verify
the RRSIG on the covering NSEC for freebsd.org.dlv.isc.org to prove
that freebsd.org doesn't have a DLV record.  It has to verify the
RRSIG on the DLV record for org.dlv.isc.org, and check that the hash
in the DLV record matches the DNSKEY record of the KSK at .org.  It
has to check that the RRSIG on the DNSKEY RRset is correctly signed
with the KSK, and then it has to check that the RRSIG on the NSEC3
opt-out record that covers freebsd.org is correctly signed with the
ZSK.  Only after doing all this does it know that freebsd.org is
really, legitimately, an insecure zone.

If any of these steps fail, the resolver should give an error, unless
the CD bit is set on the query.

> As requested, please supply configuration information... without
> that, it's unlikely anyone is going to be able to help you.  Matt

It's pretty basic.  Here's the substantive config - I've omitted some
TSIG keys and a bunch of zones the server is authoritative for:

--------------------

logging {
	channel dnssec_log {
		file "logs/dnssec.log" versions 2 size 2m;
		print-time yes;
		print-category yes;
		print-severity yes;
		severity debug 9;
	};

	category dnssec { dnssec_log; };
};

options {
	directory	"/etc/namedb";
	pid-file	"/var/run/named/pid";
	dump-file	"/var/dump/named_dump.db";
	statistics-file	"/var/stats/named.stats";


	listen-on	{ any; };
	listen-on	port 5353 { any; };
	listen-on-v6	{ any; };

	allow-recursion { any; };

	dnssec-lookaside auto;

};

include "/etc/namedb/rndc.key";

controls {
	inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};


zone "." {
	type hint;
	file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
	type master;
	file "master/localhost.rev";
};

// RFC 3152
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
	type master;
	file "master/localhost-v6.rev";
};


zone "google.com" {
	type forward;
	forwarders {
		74.82.42.42;
	};
};

zone "google.co.uk" {
	type forward;
	forwarders {
		74.82.42.42;
	};
};
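The validation chain Roy walks through above (covering NSEC in dlv.isc.org, DLV record for org, digest match against the .org KSK, DNSKEY RRset signature, NSEC3 opt-out signature) is easy to get wrong in one's head, so here is an added example, not part of the original post and not BIND's own code, that models those steps over constructed records. The DS/DLV digest, key tag and canonical-ordering arithmetic follow RFC 4034 (DLV records share the DS format per RFC 4431); RRSIG verification is represented by booleans so the example runs offline, and the .org KSK bytes and the NSEC neighbour names are placeholders, not real data. The point it makes is the one in the post: the resolver returns "insecure" only when every step passes, and any failing step becomes SERVFAIL unless CD is set.

```python
# Added example (not from the original post or from BIND): a model of the checks a
# DLV-validating resolver performs before it can treat freebsd.org as insecure.
# Key material, NSEC neighbours and signature results below are constructed.
import hashlib
import struct
from dataclasses import dataclass

DLV_APEX = "dlv.isc.org"


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire form (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """SHA-256 digest field of a DS or DLV record (digest type 2, RFC 4034 5.1.4)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()


def canonical_labels(name: str) -> tuple:
    """Sort key for RFC 4034 6.1 canonical ordering: labels compared right to left."""
    return tuple(reversed([l.encode() for l in name.lower().rstrip(".").split(".") if l]))


def nsec_covers(owner: str, next_name: str, qname: str, apex: str) -> bool:
    """True if qname sorts strictly between the NSEC owner and its next name;
    the last NSEC in a zone points back at the apex and so wraps around."""
    o, n, q = canonical_labels(owner), canonical_labels(next_name), canonical_labels(qname)
    return o < q if n == canonical_labels(apex) else o < q < n


@dataclass
class Evidence:
    dlv_nsec_owner: str          # NSEC in dlv.isc.org that should cover <qname>.dlv.isc.org
    dlv_nsec_next: str
    dlv_nsec_sig_ok: bool        # RRSIG over that NSEC verified?
    org_dlv_key_tag: int         # DLV record for org.dlv.isc.org
    org_dlv_digest: bytes
    org_dlv_sig_ok: bool
    org_ksk_rdata: bytes         # KSK from the .org DNSKEY RRset
    org_dnskey_rrsig_ok: bool    # DNSKEY RRset signed by that KSK?
    org_nsec3_optout_rrsig_ok: bool  # NSEC3 opt-out covering qname signed by the ZSK?


def validate_insecure(qname: str, ev: Evidence, cd: bool = False) -> str:
    """Walk the chain in the order the post lists it; first failure wins."""
    if cd:
        return "unvalidated (CD set)"
    dlv_name = qname.rstrip(".") + "." + DLV_APEX
    if not ev.dlv_nsec_sig_ok:
        return "SERVFAIL: RRSIG on the NSEC covering %s failed" % dlv_name
    if not nsec_covers(ev.dlv_nsec_owner, ev.dlv_nsec_next, dlv_name, DLV_APEX):
        return "SERVFAIL: NSEC does not prove absence of a DLV record for %s" % dlv_name
    if not ev.org_dlv_sig_ok:
        return "SERVFAIL: RRSIG on the DLV record for org.dlv.isc.org failed"
    if ev.org_dlv_key_tag != key_tag(ev.org_ksk_rdata) or \
            ev.org_dlv_digest != ds_digest("org", ev.org_ksk_rdata):
        return "SERVFAIL: DLV digest does not match the .org KSK"
    if not ev.org_dnskey_rrsig_ok:
        return "SERVFAIL: .org DNSKEY RRset is not signed by the KSK"
    if not ev.org_nsec3_optout_rrsig_ok:
        return "SERVFAIL: NSEC3 opt-out record covering %s is not signed by the ZSK" % qname
    return "insecure"


def build_evidence() -> Evidence:
    """Constructed, self-consistent evidence: a placeholder .org KSK (flags 257,
    protocol 3, algorithm 8) and NSEC neighbours either side of freebsd.org.dlv.isc.org."""
    ksk = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(32)))
    return Evidence("fr.org." + DLV_APEX, "fz.org." + DLV_APEX, True,
                    key_tag(ksk), ds_digest("org", ksk), True, ksk, True, True)


if __name__ == "__main__":
    good = build_evidence()
    print(validate_insecure("freebsd.org", good))              # insecure
    good.org_dlv_digest = b"\x00" * 32                        # simulate a bad DLV hash
    print(validate_insecure("freebsd.org", good))              # SERVFAIL: DLV digest ...
    print(validate_insecure("freebsd.org", good, cd=True))     # unvalidated (CD set)
```

Flipping any one of the booleans in `build_evidence()` shows which step the SERVFAIL is attributed to, which is what the `dnssec` logging category at `severity debug 9` in the config above is there to reveal on a real resolver.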
