DNSSEC not populating parent zone files with DS records
Hauke Lampe
lampe at hauke-lampe.de
Sat Oct 1 01:16:57 UTC 2011
On 01.10.2011 02:48, Jeff Reasoner wrote:
> Hmm, I see an A record using the same query:
> [foo at dns1 ~]$ dig +dnssec extended.nau.edu a
I get a SERVFAIL response for the first query and NXDOMAIN for
subsequent request:
named: client 127.0.0.1#54707: query: extended.nau.edu IN A +ED (127.0.0.1)
named: createfetch: extended.nau.edu A
named: createfetch: extended.nau.edu DNSKEY
named: createfetch: extended.nau.edu DS
named: createfetch: nau.edu DNSKEY
named: createfetch: nau.edu DS
named: createfetch: edu DNSKEY
named: createfetch: nau.edu.dlv.isc.org DLV
named: validating @0x7f36f7f17680: nau.edu SOA: no valid signature found
named: validating @0x7f36f7eed410: nau.edu NSEC: no valid signature found
named: validating @0x7f36f7eed410: ewb.nau.edu NSEC: no valid
signature found
named: error (broken trust chain) resolving
'extended.nau.edu/DNSKEY/IN': 134.114.138.3#53
named: error (broken trust chain) resolving 'extended.nau.edu/A/IN':
134.114.96.4#53
named: client 127.0.0.1#54707: query failed (SERVFAIL) for
extended.nau.edu/IN/A at query.c:6302
named: client 127.0.0.1#55872: query: extended.nau.edu IN A +ED (127.0.0.1)
Unbound resolves the record on the first try.
Aside from the missing DS, I don't see why BIND complains about the
NXDOMAIN response at first and then returns that cached record set in
response to later queries for the same name. dig +sigchase validates it,
if provided with the nau.edu DNSKEY:
> nau.edu. 86400 IN SOA ns3.nau.edu. DNS-Contact.nau.edu. 4779 1800 900 604800 86400
> nau.edu. 86400 IN RRSIG SOA 5 2 86400 20111030191258 20110930181258 7485 nau.edu. xoY5c8d+UnJfXA0ZZDv2Zz5tht4ZspTOeGvEGcQr+XIOMH39krpWR6T9 fUy5O/XnURz5nDGWR4QIKQMgAu+qfyGzA9Yzb5S5CkAWd4IDjKmznrXI G3beth9Dcr/fJxusMxGuhZWZftQBrHBn14Wqx8YKOOIwQZx/PSm8XONA tHc=
> nau.edu. 86400 IN NSEC _tcp.nau.edu. A NS SOA MX TXT RRSIG NSEC DNSKEY TYPE65534
> nau.edu. 86400 IN RRSIG NSEC 5 2 86400 20111020001752 20110919233312 7485 nau.edu. GizWBgmH1B7n0TuBjRgUEiu0XOCvrncyKR1iSSWJIrWKn4aZ9djBazdP /JEWGY73IIZ4j/i3yO6MSw1gJRe0ane3lZjpHFnFdaPPEcYHVWy3h7Zk UccnBd0ggkkLrHoG/CbRoVrF+90CDJymeAnYcWDycKQW84cNibj/tXxb CRk=
> ewb.nau.edu. 86400 IN NSEC facdevnet.nau.edu. CNAME RRSIG NSEC
> ewb.nau.edu. 86400 IN RRSIG NSEC 5 3 86400 20111019222812 20110919220129 7485 nau.edu. SfCIx42kzjbTV5sDH/OwIKGRRxfJaM8EgaX74/RbD+BJjJhP7o28dR1U VHRuO6arK8FXF0vCIZ5lpqaWFRkaCwEftrjX3ktdWUNfhRlD9qqHF+cV 00icFXkasql9f8Yk9XgTeZ63CkH/8H9acjTuVlunqZDL1CVtaKTJfKKq uMs=
> ;; Received 710 bytes from 134.114.96.4#53(134.114.96.4) in 189 ms
Hauke.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20111001/409afe07/attachment.bin>
More information about the bind-users
mailing list