NSEC3 ISSUE

Mark Andrews marka at isc.org
Fri Jan 7 13:51:02 UTC 2011


Perhaps if dnssecnsec3qatestdomain.com existed we would be able to
tell you.  As it is there is not enough information here to work out
what is broken.


In message <AANLkTik4qLWTYDStmWxm-hsE8yx88H6tfkPX4cXY8+nx at mail.gmail.com>, rams
 writes:
> 
> I have trouble resolving the host name dnssecnsec3qatestdomain.com., which is
> NSEC3 signed. This is the parent and child zone. If I run dig (DNSSEC
> query) with the +cd option, I get a proper response:
> 
> [root at stulcqanusbind1 ~]# dig  dnssecnsec3qatestdomain.com. any +dnssec +cd
> 
> ; <<>> DiG 9.7.1-P2 <<>>  dnssecnsec3qatestdomain.com. any +dnssec +cd
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1601
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 8, AUTHORITY: 3, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;dnssecnsec3qatestdomain.com.   IN      ANY
> 
> ;; ANSWER SECTION:
> dnssecnsec3qatestdomain.com. 86396 IN   RRSIG   A 7 2 86400 20200831000000
> 20100831205954 61559 dnssecnsec3qatestdomain.com.
> A4HqcGYSyEoM7Y75MoRaK4zzNiuL45tq+AnfUIrxxEIPkIOI12FmFyhY
> JOQN216QkTbYkJBlNwe2Ky1SRGjwhQ==
> dnssecnsec3qatestdomain.com. 86396 IN   A       12.12.1.0
> dnssecnsec3qatestdomain.com. 86396 IN   A       255.12.1.0
> dnssecnsec3qatestdomain.com. 86396 IN   RRSIG   SOA 7 2 86400 20200831000000
> 20100831205954 61559 dnssecnsec3qatestdomain.com.
> eAV/LHcB3WLA9ULvsz/kcVJ63XeJCX/YAOu9ZFUM+SVDIW/BAUXNfq9O
> iNBuukgDBlFZFOQyblfgjpcSW3CQMw==
> dnssecnsec3qatestdomain.com. 86396 IN   SOA     udns1.ultradns.net.
> bitbucket\@qa.neustar.com. 2009111903 10800 3600 2592000 86400
> dnssecnsec3qatestdomain.com. 86396 IN   RRSIG   NS 7 2 86400 20200831000000
> 20100831205954 61559 dnssecnsec3qatestdomain.com.
> r11osNc3HFoVFWjC1iNN9Yv3IKGvApbZwkNLdK5HTlPt+3UDB2Do7RvT
> 9SSJaZYLj4PEC8Gp6lT1L+0LlsEP9w==
> dnssecnsec3qatestdomain.com. 86396 IN   NS      udns2.ultradns.net.
> dnssecnsec3qatestdomain.com. 86396 IN   NS      udns1.ultradns.net.
> 
> ;; AUTHORITY SECTION:
> dnssecnsec3qatestdomain.com. 86396 IN   NS      udns2.ultradns.net.
> dnssecnsec3qatestdomain.com. 86396 IN   NS      udns1.ultradns.net.
> dnssecnsec3qatestdomain.com. 86396 IN   RRSIG   NS 7 2 86400 20200831000000
> 20100831205954 61559 dnssecnsec3qatestdomain.com.
> r11osNc3HFoVFWjC1iNN9Yv3IKGvApbZwkNLdK5HTlPt+3UDB2Do7RvT
> 9SSJaZYLj4PEC8Gp6lT1L+0LlsEP9w==
> 
> But dig (DNSSEC query) without the +cd option returns SERVFAIL.
> 
> [root at stulcqanusbind1 ~]# dig  dnssecnsec3qatestdomain.com. any +dnssec
> 
> ; <<>> DiG 9.7.1-P2 <<>> @ dnssecnsec3qatestdomain.com. any +dnssec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7437
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;dnssecnsec3qatestdomain.com.   IN      ANY
> 
> In my logs I am getting these messages when doing the query without the +cd option:
> 
> Jan  7 13:17:55  named[17154]: error (no valid RRSIG) resolving '
> dnssecnsec3qatestdomain.com/DNSKEY/IN': 10.31.142.103#53
> Jan  7 13:17:55  named[17154]: error (broken trust chain) resolving '
> dnssecnsec3qatestdomain.com/ANY/IN': 10.31.142.103#53
> 
> Can you figure out what the exact problem would be?
> 
> Thanks & Regards,
> 
> Ramesh
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
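The symptom in the quoted post (an answer with +cd, SERVFAIL and "no valid RRSIG" / "broken trust chain" without it) is a validation failure, not a reachability problem: +cd tells the resolver to hand back whatever the authoritative servers said without checking it. The first link a validator has to establish is that a DS at the parent authenticates a key in the child's apex DNSKEY RRset; only then can the RRSIG over that RRset be trusted. The following is an added example, not code from the thread, from Ramesh's setup or from BIND: it reimplements the key tag and DS digest computation from RFC 4034 so that step can be checked offline. The zone name is the one from the thread; the DNSKEY bytes and the DS sets are constructed (the key material is arbitrary and would not parse as an RSA key), and the "stale DS after a KSK rollover" scenario is one illustrative cause of the log lines, not a diagnosis of Ramesh's zone.

```python
"""
DS -> DNSKEY chain-of-trust check, the step that has to succeed before a
validator can accept the RRSIG over a child's DNSKEY RRset (RFC 4034 s5.2).
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    """DNSKEY RR fields (RFC 4034 s2). public_key is the raw key material,
    i.e. what the base64 field in presentation format decodes to."""
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def is_sep(self) -> bool:
        return bool(self.flags & 0x0001)  # SEP bit: the key a DS is expected to point at


@dataclass(frozen=True)
class DS:
    """DS RR as published by the parent (RFC 4034 s5.1)."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


# DS digest types this checker understands: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase,
    length-prefixed labels, terminated by the empty root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B). It only narrows
    the candidate keys; the digest comparison is what actually authenticates."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_for(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """The DS a parent should publish for this key:
    digest = H(owner name in wire format | DNSKEY RDATA)."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + key.rdata()).digest()
    return DS(key_tag(key), key.algorithm, digest_type, digest)


def matching_keys(owner: str, ds_set, dnskeys):
    """(ds, key) pairs where a parent DS authenticates a child apex DNSKEY.
    Empty means there is no secure entry point into the zone: the RRSIG over
    the DNSKEY RRset cannot be trusted and the resolver answers SERVFAIL."""
    found = []
    for ds in ds_set:
        if ds.digest_type not in DIGESTS:
            continue  # unsupported digest: this DS is unusable, but not proof of breakage
        for key in dnskeys:
            if key.protocol != 3:
                continue  # RFC 4034 s2.1.2: any other protocol value is not a DNSSEC key
            if key.algorithm != ds.algorithm or key_tag(key) != ds.key_tag:
                continue
            want = DIGESTS[ds.digest_type](name_to_wire(owner) + key.rdata()).digest()
            if hmac.compare_digest(want, ds.digest):
                found.append((ds, key))
    return found


def diagnose(owner: str, ds_set, dnskeys) -> str:
    """One-line verdict for the DS -> DNSKEY step of the chain."""
    if matching_keys(owner, ds_set, dnskeys):
        return "DS matches a DNSKEY; next check the RRSIG over the DNSKEY RRset and its validity window"
    if not any(k.is_sep() for k in dnskeys):
        return "broken trust chain: no key with the SEP bit in the apex DNSKEY RRset"
    return "broken trust chain: no DS at the parent matches any apex DNSKEY (stale DS after a KSK rollover?)"


# Constructed sample data, not real keys. Algorithm 7 (RSASHA1-NSEC3-SHA1) is
# the one in the RRSIGs quoted in the thread; the key bytes are arbitrary.
ZONE = "dnssecnsec3qatestdomain.com."
KSK_NEW = DNSKEY(257, 3, 7, bytes(range(1, 33)))    # current KSK, SEP bit set
KSK_OLD = DNSKEY(257, 3, 7, bytes(range(33, 65)))   # rolled out of the zone
ZSK = DNSKEY(256, 3, 7, bytes(range(65, 97)))
APEX_DNSKEYS = (KSK_NEW, ZSK)
DS_CURRENT = (ds_for(ZONE, KSK_NEW),)   # what the parent should hold
DS_STALE = (ds_for(ZONE, KSK_OLD),)     # parent never updated after the rollover

if __name__ == "__main__":
    print(diagnose(ZONE, DS_CURRENT, APEX_DNSKEYS))
    print(diagnose(ZONE, DS_STALE, APEX_DNSKEYS))
```

To run this against a real zone, fetch the two RRsets separately and feed them in: `dig +dnssec DS <zone>` answered from the parent, and `dig +dnssec DNSKEY <zone> @<child-auth-server>` for the apex keys, base64-decoding the key field into `public_key`. BIND's own `dnssec-dsfromkey` performs the same digest computation on a DNSKEY, so its output should agree with `ds_for`. If the DS does match, the failure is further along (expired or missing RRSIG over the DNSKEY RRset, clock skew, or a truncated response dropping the signatures). Keep +cd for diagnosis only: it shows that the authoritative data is reachable, not that it can be trusted.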