DNSSEC troubleshooting on a recursive server.

Mark Andrews marka at isc.org
Wed Aug 7 03:49:34 UTC 2013


When diagnosing DNSSEC problems you need to chase the trust chain
from DS record to the DNSKEY RRset to the answer RRset.

; <<>> DiG 9.10.0pre-alpha <<>> ds zygo.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65065
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;zygo.com.			IN	DS

;; ANSWER SECTION:
zygo.com.		76075	IN	DS	53991 7 1 21F6C5AD943229BA42DC9CB383F106EFBA8C36C3
zygo.com.		76075	IN	DS	54396 7 1 812D183E96200482170DD07989E90FA2DABBE12A
zygo.com.		76075	IN	RRSIG	DS 8 2 86400 20130811043747 20130804032747 8795 com. cKYDb9z9EcoVHk4AWohaECz7LwphvX+LGqinfh2H6ZeWz6oWWFMGs8Pc ZAYwh63e7+czbwhfy1LALwBKVRh9ijyg43NW0Ag7ZamQ56yc5k27UiuR x9skNeOLe+CDpfYM9LwbEnPKG2bJhAXAZ9lZEPT/seB5ID23HBwy9jfy wig=

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Aug 07 13:32:49 EST 2013
;; MSG SIZE  rcvd: 272

This tells me that there are two possible DNSKEY records with keyids
53991 and 54396 that self-sign the DNSKEY RRset.  You need to find
at least one of them to have a working secure delegation.

; <<>> DiG 9.10.0pre-alpha <<>> dnskey zygo.com +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16142
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;zygo.com.		IN DNSKEY

;; ANSWER SECTION:
zygo.com.		3048 IN	DNSKEY 257 3 7 (
				AwEAAeGPcXpffVBiKimUNzlzh3V/I9Fz7gDxpPCMAmG8
				Ka9E4FDniad0iYiUV1fHSJsqxT8+4ShRWHhB/CR0UH6y
				evD8KZ+o8ymD2HjH0P3MWP+KBQ1a26mOt3jo4JfHd20M
				nQo1P02s5QtrA1QsouMp1JLm3Iy4rP6dCJT3FFyEpZin
				bU7cbHQjm1ST9hOq1cDwXExhHQPyx2MQs1z7xjiay9L6
				hDu58PBId0yvRr0WLbrOVlefkyTO4y7AEY3eFGzlZYXq
				F4M7W050UG7qqxdgiDWAxtomA0yuR4ZhVO/hUxa6FC9D
				xgrwBycqt7fD//QTUI88ZJLtEu0s/NnPN+2sl3E=
				) ; KSK; alg = NSEC3RSASHA1; key id = 54396
zygo.com.		3048 IN	DNSKEY 256 3 7 (
				AwEAAawqGDezEvzgYS1tUtk6fK5Sd/AOocV0MCkYDg77
				tmZj8AEArs/STSD0uxKmLP7OFirTCoPrquJDzjDJmFFk
				vbdU8FCbG1BxD2B+Rg13+VArhQcxqQNTldnEaeKA813W
				zjmVgHpU6X4h7HDLVQM/WgzLVBDKJZqdosQ1DqJuNR0R
				) ; ZSK; alg = NSEC3RSASHA1; key id = 19712
zygo.com.		3048 IN	DNSKEY 257 3 7 (
				AwEAAaDyADHYXBgAY+3dIBrZoa9Yw9ZEh28gJhNbRDtJ
				DvDhsgfoHA4bgtfwjxZ6rHymKuXMIsa3GztQ79sMGZpf
				lZNBt+KPTYqAlop2C7Ov7jkJ2UjXgdmovQuarPYllhHg
				iSUKRvNv/i6MK1kUwbSNrV6o86XjwIdpwgLASs7KJMiA
				caeV69ZEx7EmXsajN5l6sEgNVvcccUO+5BS0tC9+RQy1
				Zcp9+2WkNsYmJQ5HSptTB2CLIlyhgfTO0ulR3eU3bQrD
				vOArGOwIn8gqQyWGz2aN4tbxSKT6v5g1tMqSxLw3SW8b
				iEYJBWdezvh9fEpCFbz8ZS9yyzA02BS/QcF8H1E=
				) ; KSK; alg = NSEC3RSASHA1; key id = 53991
zygo.com.		3048 IN	DNSKEY 256 3 7 (
				AwEAAcfweFDqyNSnQqwnWnw4+/hZR4DcuNnL0q9ilUu3
				JueJwV7nzoE98TqQSMGjFzxiNQxjiFATxchMS0+gW6ax
				LWg6rmje73W8I4f6w4/TylFu6XQjs0to6MNeRAuOBJXi
				AysLjl5zvUjmmVysBtCnGWpsO0zKB5829VOk21cuXnxf
				) ; ZSK; alg = NSEC3RSASHA1; key id = 2864
zygo.com.		3048 IN	RRSIG DNSKEY 7 2 3600 (
				20130812183056 20130728183056 54396 zygo.com.
				iZ5qg7HIuCb7N/0SCPPj0JRiNWBYLc8DupV2VSfjhv12
				fiqMvaLimDb+xYaxFGaHzNySM6rgDfZf1sod5iCwaTUV
				XDwru/zgDoDv2PV5xYUZ0U9vubgiACKmJAE+uPe2CI5E
				CaLX6fzuKP5hrBIurk33jt0znauogIPyzpOPy9woc4tS
				xlmllFWJcO6PUU0ZBrHESepxll+v7St9aMVCiGe8g22O
				8NPn3JKazq8OHQPptGAY0TnqU0oZoDIiYY1oEscTGr2h
				OWdAh9Kz95rMRtfq4L6aP63MnEIbYPUzzTbMiQqfZJkJ
				shwfttnRTxlcZ+7/WDYl2YJVIR+SRtYsYA== )

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Aug 07 13:35:18 EST 2013
;; MSG SIZE  rcvd: 1181

The DNSKEY with keyid 54396 self-signs the DNSKEY RRset and it has
the same algorithm as that listed in the DS record.  The expire and
inception fields (20130812183056 20130728183056) are sane.

; <<>> DiG 9.10.0pre-alpha <<>> a zygo.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50389
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;zygo.com.			IN	A

;; ANSWER SECTION:
zygo.com.		76237	IN	A	50.28.48.60
zygo.com.		76237	IN	RRSIG	A 7 2 86400 20130812183056 20130728183056 19712 zygo.com. FbuZDfcptJtbOCxsCV+U3uQA+ETkrvhKAJrpVhlVMAGrYhgFBHWTvsgK 8ZY9DP7Chr8rXF8BXjr0zh06Fi62RJQiRuytFLN117kqJjXe4g/5q4l3 O9XsuF2WeDj3TudMeqcb6hxGstly34gfec/RZdktlogmJTSu5+t3BdwP myU=

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Aug 07 13:37:11 EST 2013
;; MSG SIZE  rcvd: 221

The A record is signed with keyid 19712 alg 7 which exists in the
DNSKEY RRset.  The expire and inception fields are sane (20130812183056
20130728183056).

Now if you can't get a particular answer do the query again with
+cd and look to see what doesn't match up.

To diagnose DNSSEC problems you almost never need to check the
actual crypto.  99.99% of problems are failing to sign/re-sign or
mismatches between DS and DNSKEY records, which are usually visible
by looking at the keyid and key algorithm fields.

You also never need to make explicit RRSIG queries.

Mark


In message <52018214.9080305 at corp.sonic.net>, Grant Keller writes:
> Hello,
> 
> We have 7 recursive DNS servers running Bind 9.9.2, and we are seeing
> some strange behavior validating DNSSEC. We have seen this happen a few
> times, and in the past the problem has gone away when the server is
> rebooted, so my first guess is that some record is stuck in the cache.
> An example from one of the servers in question:
> 
> # dig a zygo.com @pdns02.domaincontrol.com +nocomments
> 
> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> a zygo.com
> @pdns02.domaincontrol.com +nocomments
> ;; global options: +cmd
> ;zygo.com.            IN    A
> zygo.com.        86400    IN    A    50.28.48.60
> zygo.com.        3600    IN    NS    pdns01.domaincontrol.com.
> zygo.com.        3600    IN    NS    pdns02.domaincontrol.com.
> ;; Query time: 83 msec
> ;; SERVER: 208.109.255.50#53(208.109.255.50)
> ;; WHEN: Tue Aug  6 16:04:26 2013
> ;; MSG SIZE  rcvd: 98
> 
> # dig rrsig zygo.com @pdns02.domaincontrol.com +nocomments
> 
> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> rrsig zygo.com
> @pdns02.domaincontrol.com +nocomments
> ;; global options: +cmd
> ;zygo.com.            IN    RRSIG
> zygo.com.        86400    IN    RRSIG    A 7 2 86400 20130812183056
> 20130728183056 19712 zygo.com.
> FbuZDfcptJtbOCxsCV+U3uQA+ETkrvhKAJrpVhlVMAGrYhgFBHWTvsgK
> 8ZY9DP7Chr8rXF8BXjr0zh06Fi62RJQiRuytFLN117kqJjXe4g/5q4l3
> O9XsuF2WeDj3TudMeqcb6hxGstly34gfec/RZdktlogmJTSu5+t3BdwP myU=
> zygo.com.        3600    IN    RRSIG    NS 7 2 3600 20130812183056
> 20130728183056 19712 zygo.com.
> YTqpH1q+wSZCUGhjw0qKWRBGSARInipMqUEOg0IaM49rgSSynYPDDt01
> 7XOCpOnlZXSuiGv42yac/b3Se4gGHOfdyOHRncjiSmwL5vYlVhCBqUS3
> qgPSnqYonqC7uxaVg7tQm0ErZpWFJiMMdHfs/HpLTKq5tnZfHflCkhWj si4=
> zygo.com.        3600    IN    RRSIG    SOA 7 2 3600 20130812183056
> 20130728183056 19712 zygo.com.
> XDFuwBva0CzYYyXJIWI7HWWrFgK2GrhhOqb/fxtvDA7623WEb5DkROHg
> nx1cfI7w585MU3R0P2ZmrAXKULMFaZ0i24WvWa+hZf/GpBaO9wYGm1oS
> jWnUXpxNT15G/XXB91rVS0kCU4vEdLkVCXgh3k63QB+Drs0gfrPHjeSj Co8=
> zygo.com.        86400    IN    RRSIG    MX 7 2 86400 20130812183056
> 20130728183056 19712 zygo.com.
> dsRwujkNkm2P/lgBf9CfF5d1qzgaFYrQob5RDEXLYQkA2BkYd26yakQF
> xb8doXp1q3AxxlQ8yZpyUUGZmT13Aw/IBm8hFMdy+PmSxDGqoveUeah9
> dh3abPVrWlP+jbcLXVX9r5Lg5yVxXFAqplfmPj8fuupFJSkOEfMMB6P0 iMw=
> zygo.com.        86400    IN    RRSIG    TXT 7 2 86400 20130812183056
> 20130728183056 19712 zygo.com.
> LV05eG+KKxv1dLUvKL3xddiEtKuQ+gOM5dPFfAn6Qpzt+xg13E0rLvwR
> wV3w9Ol10r2cbGZr5leQciXHNoJtRKo8gNuMdxOFu/F+vu3zZZDYvR2I
> CrWrO5Acm7oVORllTs0gEIvYzXkmJErFEnwlc6uXENZlVEt08drmq0Lq 8nc=
> zygo.com.        3600    IN    RRSIG    DNSKEY 7 2 3600 20130812183056
> 20130728183056 54396 zygo.com.
> iZ5qg7HIuCb7N/0SCPPj0JRiNWBYLc8DupV2VSfjhv12fiqMvaLimDb+
> xYaxFGaHzNySM6rgDfZf1sod5iCwaTUVXDwru/zgDoDv2PV5xYUZ0U9v
> ubgiACKmJAE+uPe2CI5ECaLX6fzuKP5hrBIurk33jt0znauogIPyzpOP
> y9woc4tSxlmllFWJcO6PUU0ZBrHESepxll+v7St9aMVCiGe8g22O8NPn
> 3JKazq8OHQPptGAY0TnqU0oZoDIiYY1oEscTGr2hOWdAh9Kz95rMRtfq
> 4L6aP63MnEIbYPUzzTbMiQqfZJkJshwfttnRTxlcZ+7/WDYl2YJVIR+S RtYsYA==
> zygo.com.        3600    IN    RRSIG    NSEC3PARAM 7 2 3600
> 20130812183056 20130728183056 19712 zygo.com.
> Zt+Bak9VK/apMNCXmPxUdYtIdKJtVo5IwMtnuYv8SgZMOPZIvl2ROD1y
> Ra48JWEeQ3vMErRt0BsJPwl4Y3a6auM6tZMxhG+Ja6ZWoL2IaMcgGpct
> CW9Pl8hUIykRcL4QfzyPlQM6o8ZwSuhAAPw2+7N9dvhSWzPT6IKq9B2T DQQ=
> zygo.com.        3600    IN    NS    pdns01.domaincontrol.com.
> zygo.com.        3600    IN    NS    pdns02.domaincontrol.com.
> ;; Query time: 83 msec
> ;; SERVER: 208.109.255.50#53(208.109.255.50)
> ;; WHEN: Tue Aug  6 16:05:13 2013
> ;; MSG SIZE  rcvd: 1386
> 
> That is the correct answer from the auth name server. When I query the
> local server, I get this:
> 
> # dig a zygo.com @127.0.0.1 +nocomments
> 
> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> a zygo.com
> @127.0.0.1 +nocomments
> ;; global options: +cmd
> ;zygo.com.            IN    A
> ;; Query time: 162 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Aug  6 16:06:10 2013
> ;; MSG SIZE  rcvd: 26
> 
> # dig rrsig zygo.com @127.0.0.1 +nocomments
> 
> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> rrsig zygo.com
> @127.0.0.1 +nocomments
> ;; global options: +cmd
> ;zygo.com.            IN    RRSIG
> zygo.com.        5    IN    RRSIG    DS 8 2 86400 20130811043747
> 20130804032747 8795 com.
> cKYDb9z9EcoVHk4AWohaECz7LwphvX+LGqinfh2H6ZeWz6oWWFMGs8Pc
> ZAYwh63e7+czbwhfy1LALwBKVRh9ijyg43NW0Ag7ZamQ56yc5k27UiuR
> x9skNeOLe+CDpfYM9LwbEnPKG2bJhAXAZ9lZEPT/seB5ID23HBwy9jfy wig=
> zygo.com.        153315    IN    NS    pdns02.domaincontrol.com.
> zygo.com.        153315    IN    NS    pdns01.domaincontrol.com.
> pdns01.domaincontrol.com. 4258    IN    A    216.69.185.50
> pdns01.domaincontrol.com. 6156    IN    AAAA    2607:f208:207::32
> pdns02.domaincontrol.com. 43034    IN    A    208.109.255.50
> pdns02.domaincontrol.com. 3041    IN    AAAA    2607:f208:303::32
> ;; Query time: 80 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Aug  6 16:06:41 2013
> ;; MSG SIZE  rcvd: 333
> 
> The thing that really confuses me is that the ttl on the RRSIG DS record
> has been stuck at 5 for about a day now. I tried doing a rndc flushname
> zygo.com, which did not help. What else can I do to troubleshoot this,
> and if it is a cache problem, what can I do to clear the records? Thanks.
> 
> 
> 
> -- 
> Grant Keller
> Sonic.net System Operations
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
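Mark's walk (DS key tag and algorithm, then the DNSKEY RRset, then the answer RRSIG, with sane validity windows) as an added example written for this page, not code from the thread or from BIND. It recomputes the RFC 4034 key tag of the KSK quoted above to show where dig's "key id" comes from, then reports the tag/algorithm mismatches and expired windows the post says account for most failures; the record values are copied from the dig output in the thread, and the check time is a constructed input.

```python
import base64
import struct

# Constructed from the dig output quoted in this thread: the zygo.com KSK that
# dig labelled "key id = 54396" (DNSKEY 257 3 7), split exactly as dig printed it.
KSK_54396_B64 = (
    "AwEAAeGPcXpffVBiKimUNzlzh3V/I9Fz7gDxpPCMAmG8"
    "Ka9E4FDniad0iYiUV1fHSJsqxT8+4ShRWHhB/CR0UH6y"
    "evD8KZ+o8ymD2HjH0P3MWP+KBQ1a26mOt3jo4JfHd20M"
    "nQo1P02s5QtrA1QsouMp1JLm3Iy4rP6dCJT3FFyEpZin"
    "bU7cbHQjm1ST9hOq1cDwXExhHQPyx2MQs1z7xjiay9L6"
    "hDu58PBId0yvRr0WLbrOVlefkyTO4y7AEY3eFGzlZYXq"
    "F4M7W050UG7qqxdgiDWAxtomA0yuR4ZhVO/hUxa6FC9D"
    "xgrwBycqt7fD//QTUI88ZJLtEu0s/NnPN+2sl3E="
)
# (key tag, algorithm) of the DS records and of the DNSKEY RRset shown in the thread.
DS_SET = [(53991, 7), (54396, 7)]
DNSKEY_SET = [(54396, 7), (19712, 7), (53991, 7), (2864, 7)]
# (signer key tag, algorithm, inception, expiration) of the two RRSIGs shown; the
# fixed-width YYYYMMDDHHMMSS presentation form compares correctly as a string.
DNSKEY_RRSIG = (54396, 7, "20130728183056", "20130812183056")
A_RRSIG = (19712, 7, "20130728183056", "20130812183056")

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms but 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def chain_problems(ds_set, dnskey_set, dnskey_rrsig, answer_rrsig, now):
    """Return the mismatches Mark's walk looks for; an empty list means the chain lines up."""
    problems = []
    linked = [k for k in dnskey_set if k in ds_set]  # DS -> DNSKEY by tag and algorithm
    if not linked:
        problems.append("no DS record matches any DNSKEY by key tag and algorithm")
    if dnskey_rrsig[:2] not in linked:  # DNSKEY RRset must be self-signed by a DS-linked key
        problems.append("DNSKEY RRSIG signer %d/%d is not a DS-linked key" % dnskey_rrsig[:2])
    if answer_rrsig[:2] not in dnskey_set:  # answer must be signed by a key in the RRset
        problems.append("answer RRSIG signer %d/%d is not in the DNSKEY RRset" % answer_rrsig[:2])
    for name, sig in (("DNSKEY", dnskey_rrsig), ("answer", answer_rrsig)):
        if not sig[2] <= now <= sig[3]:
            problems.append("%s RRSIG not valid at %s (window %s to %s)" % (name, now, sig[2], sig[3]))
    return problems

def check_thread_chain(now, ds_set=DS_SET):
    """Run the walk over the records quoted in the thread at UTC time now (YYYYMMDDHHMMSS)."""
    return chain_problems(ds_set, DNSKEY_SET, DNSKEY_RRSIG, A_RRSIG, now)
```

Passing a DS set whose tags do not appear in the DNSKEY RRset, or a time outside the signature windows, produces the same kind of mismatch list a validator's log would point at, without touching the RSA signatures at all.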