DNSSEC troubleshooting on a recursive server.

Grant Keller gkeller at corp.sonic.net
Thu Aug 8 15:58:37 UTC 2013


On 08/07/2013 06:17 PM, Mark Andrews wrote:
>>> In any event, as Mark has suggested, you don't want to dig the RRSIG
>>> yourself. Rather, use:
>>>
>>> dig +dnssec zygo.com a
>>>
>>> ...and if you get a SERVFAIL:
>>>
>>> dig +dnssec +cd zygo.com a
>> dig +dnssec +cd zygo.com a resolved the domain.
> "RESOLVED THE DOMAIN" is not !@#$#!$!@#!$@#$%@#! enough for anyone
> to help you.  WE NEED TO SEE WHAT YOU ARE SEEING.
>
> Mark
# dig +dnssec +cd zygo.com a

; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> +dnssec +cd zygo.com a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45711
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;zygo.com.            IN    A

;; ANSWER SECTION:
zygo.com.        86400    IN    A    50.28.48.60

;; AUTHORITY SECTION:
zygo.com.        93100    IN    NS    pdns02.domaincontrol.com.
zygo.com.        93100    IN    NS    pdns01.domaincontrol.com.

;; ADDITIONAL SECTION:
pdns01.domaincontrol.com. 33591    IN    A    216.69.185.50
pdns01.domaincontrol.com. 57182    IN    AAAA    2607:f208:207::32
pdns02.domaincontrol.com. 80032    IN    A    208.109.255.50
pdns02.domaincontrol.com. 28807    IN    AAAA    2607:f208:303::32

;; Query time: 23 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug  8 08:57:51 2013
;; MSG SIZE  rcvd: 197

>
>> I have started to get other reports of domains with the same problem.
>> The same nameservers are having validation issues with these, and all
>> the domains use pdns01.domaincontrol.com and pdns02.domaincontrol.com.
>> as auth name servers. I guess this points to a problem somewhere in the
>> trust chain, but I can't figure out where.
>>
>> # dig a zygo.com  +sigchase +trusted-key=root.keys +multiline +qr
>>
>> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> a zygo.com +sigchase
>> +trusted-key=root.keys +multiline +qr
>> ;; global options: +cmd
>> ;; Sending:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21316
>> ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;zygo.com.        IN A
>>
>> ;; NO ANSWERS: no more
>> We want to prove the non-existence of a type of rdata 1 or of the zone:
>> ;; nothing in authority section : impossible to validate the
>> non-existence : FAILED
>>
>> ;; Impossible to verify the Non-existence, the NSEC RRset can't be
>> validated: FAILED
>>
>>
>> If I add +topdown then it succeeds.
>>
>> -- 
>> Grant Keller
>> Sonic.net System Operations
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>>  from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users


-- 
Grant Keller
Sonic.net System Operations
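A small POSIX shell helper, added here as an example and not part of the thread, that applies the check quoted above (plain `dig +dnssec`, then `+dnssec +cd` on SERVFAIL) to saved dig output: it extracts the rcode and header flags and counts RRSIGs in the ANSWER section. The sample outputs are constructed; the `+cd` one is shaped like the answer posted above, which returns the A record without any RRSIG.

```shell
# Added example, not from the thread: parse saved dig output and apply the
# "+dnssec first, then +dnssec +cd on SERVFAIL" check. Samples are constructed.
# Print the rcode from the first ";; ->>HEADER<<-" line of dig output $1.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if header flag $2 (e.g. ad, cd) is set in dig output $1.
dig_has_flag() {
    printf '%s\n' "$1" | grep '^;; flags:' | head -n 1 \
        | sed 's/^;; flags: \([^;]*\);.*/\1/' | tr ' ' '\n' | grep -qx "$2"
}

# Count RRSIG records in the ANSWER section (0 means nothing to validate).
dig_rrsig_count() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/ { a = 1; next }
        /^;;/                 { a = 0 }
        a && $4 == "RRSIG"    { n++ }
        END                   { print n + 0 }'
}

# classify_dnssec PLAIN_OUTPUT CD_OUTPUT -> one-word diagnosis on stdout.
classify_dnssec() {
    plain_rc=$(dig_status "$1"); cd_rc=$(dig_status "$2")
    if [ "$plain_rc" = NOERROR ] && dig_has_flag "$1" ad; then
        echo validated                       # resolver set AD: chain verified
    elif [ "$plain_rc" = SERVFAIL ] && [ "$cd_rc" = NOERROR ]; then
        if [ "$(dig_rrsig_count "$2")" -eq 0 ]; then
            echo validation-failure-no-rrsig # data served, no signatures seen
        else
            echo validation-failure          # signatures seen but rejected
        fi
    elif [ "$plain_rc" = SERVFAIL ]; then
        echo servfail-unrelated              # fails even with checking disabled
    else
        echo unvalidated                     # answered, but AD not set
    fi
}

# Constructed samples: a SERVFAIL without +cd, and a +cd answer shaped like the
# one posted above (A record returned, no RRSIG in the ANSWER section).
SAMPLE_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45711
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
;; ANSWER SECTION:
zygo.com.        86400    IN    A    50.28.48.60
;; AUTHORITY SECTION:'
classify_dnssec "$SAMPLE_PLAIN" "$SAMPLE_CD"   # prints validation-failure-no-rrsig
```

To use it on a live resolver, capture `dig +dnssec NAME A` and `dig +dnssec +cd NAME A` into two variables and pass them to `classify_dnssec`.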