DNSSEC troubleshooting on a recursive server.

Grant Keller gkeller at corp.sonic.net
Thu Aug 8 16:22:07 UTC 2013


On 08/08/2013 09:09 AM, Alan Clegg wrote:
> On Aug 8, 2013, at 11:58 AM, Grant Keller <gkeller at corp.sonic.net> wrote:
>
>> # dig +dnssec +cd zygo.com a
>>
>> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> +dnssec +cd zygo.com a
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45711
>> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;zygo.com.            IN    A
>>
>> ;; ANSWER SECTION:
>> zygo.com.        86400    IN    A    50.28.48.60
>>
>> ;; AUTHORITY SECTION:
>> zygo.com.        93100    IN    NS    pdns02.domaincontrol.com.
>> zygo.com.        93100    IN    NS    pdns01.domaincontrol.com.
> Somebody is stripping off DNSSEC records...
>
> aclegg at redwood:~/Src/bind-9.9.3-P2$ dig zygo.com +dnssec
>
> ; <<>> DiG 9.9.3-P2 <<>> zygo.com +dnssec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38336
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;zygo.com.			IN	A
>
> ;; ANSWER SECTION:
> zygo.com.		85958	IN	A	50.28.48.60
> zygo.com.		85958	IN	RRSIG	A 7 2 86400 20130812183056 20130728183056 19712 zygo.com. FbuZDfcptJtbOCxsCV+U3uQA+ETkrvhKAJrpVhlVMAGrYhgFBHWTvsgK 8ZY9DP7Chr8rXF8BXjr0zh06Fi62RJQiRuytFLN117kqJjXe4g/5q4l3 O9XsuF2WeDj3TudMeqcb6hxGstly34gfec/RZdktlogmJTSu5+t3BdwP myU=
>
> ;; AUTHORITY SECTION:
> zygo.com.		3158	IN	NS	pdns01.domaincontrol.com.
> zygo.com.		3158	IN	NS	pdns02.domaincontrol.com.
> zygo.com.		3158	IN	RRSIG	NS 7 2 3600 20130812183056 20130728183056 19712 zygo.com. YTqpH1q+wSZCUGhjw0qKWRBGSARInipMqUEOg0IaM49rgSSynYPDDt01 7XOCpOnlZXSuiGv42yac/b3Se4gGHOfdyOHRncjiSmwL5vYlVhCBqUS3 qgPSnqYonqC7uxaVg7tQm0ErZpWFJiMMdHfs/HpLTKq5tnZfHflCkhWj si4=
>
It's strange, I get the records when querying one of my other DNS servers:

; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> +dnssec +cd zygo.com a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8807
;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;zygo.com.            IN    A

;; ANSWER SECTION:
zygo.com.        85276    IN    A    50.28.48.60
zygo.com.        85276    IN    RRSIG    A 7 2 86400 20130812183056
20130728183056 19712 zygo.com.
FbuZDfcptJtbOCxsCV+U3uQA+ETkrvhKAJrpVhlVMAGrYhgFBHWTvsgK
8ZY9DP7Chr8rXF8BXjr0zh06Fi62RJQiRuytFLN117kqJjXe4g/5q4l3
O9XsuF2WeDj3TudMeqcb6hxGstly34gfec/RZdktlogmJTSu5+t3BdwP myU=

;; AUTHORITY SECTION:
zygo.com.        2476    IN    NS    pdns02.domaincontrol.com.
zygo.com.        2476    IN    NS    pdns01.domaincontrol.com.
zygo.com.        2476    IN    RRSIG    NS 7 2 3600 20130812183056
20130728183056 19712 zygo.com.
YTqpH1q+wSZCUGhjw0qKWRBGSARInipMqUEOg0IaM49rgSSynYPDDt01
7XOCpOnlZXSuiGv42yac/b3Se4gGHOfdyOHRncjiSmwL5vYlVhCBqUS3
qgPSnqYonqC7uxaVg7tQm0ErZpWFJiMMdHfs/HpLTKq5tnZfHflCkhWj si4=

;; ADDITIONAL SECTION:
pdns01.domaincontrol.com. 19183    IN    A    216.69.185.50
pdns02.domaincontrol.com. 113756 IN    A    208.109.255.50
pdns02.domaincontrol.com. 25440    IN    AAAA    2607:f208:303::32

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug  8 09:17:01 2013
;; MSG SIZE  rcvd: 505



-- 
Grant Keller
Sonic.net System Operations
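
Added example, not part of the original message: the comparison made by hand in this thread (same `+dnssec` query sent to a suspect resolver and to a reference resolver, then checking which RRsets lost their RRSIGs) written as a small dig-output parser. The function names and the trimmed sample text are assumptions constructed for illustration.

```python
import re

# Constructed samples: trimmed from the dig output in this thread, signature data elided.
SUSPECT = """\
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
zygo.com. 86400 IN A 50.28.48.60
;; AUTHORITY SECTION:
zygo.com. 93100 IN NS pdns02.domaincontrol.com.
"""
REFERENCE = """\
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
zygo.com. 85276 IN A 50.28.48.60
zygo.com. 85276 IN RRSIG A 7 2 86400 20130812183056 20130728183056 19712 zygo.com. <sig-elided>
;; AUTHORITY SECTION:
zygo.com. 2476 IN NS pdns02.domaincontrol.com.
zygo.com. 2476 IN RRSIG NS 7 2 3600 20130812183056 20130728183056 19712 zygo.com. <sig-elided>
"""

def parse_dig(text):
    """Return (DO flag shown in the OPT line?, {section: [(type, covered_type), ...]})."""
    do, sections, cur = False, {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("; EDNS:"):
            m = re.search(r"flags:([^;]*);", line)
            do = bool(m) and "do" in m.group(1).split()
        elif line.startswith(";; ") and line.endswith(" SECTION:"):
            cur = sections.setdefault(line[3:-9], [])
        elif cur is not None and not line.startswith(";"):
            f = line.split()
            if len(f) >= 5 and f[2] == "IN":
                # For an RRSIG the first rdata field is the type it covers.
                cur.append((f[3], f[4] if f[3] == "RRSIG" else None))
    return do, sections

def missing_signatures(suspect, reference):
    """List (section, type) pairs signed in the reference but unsigned in the suspect."""
    s_do, s = parse_dig(suspect)
    r_do, r = parse_dig(reference)
    if not (s_do and r_do):
        raise ValueError("both queries must be sent with +dnssec (DO bit set)")
    out = []
    for sec, recs in s.items():
        have = {c for t, c in recs if t == "RRSIG"}
        ref = {c for t, c in r.get(sec, []) if t == "RRSIG"}
        out += [(sec, t) for t in sorted({t for t, _ in recs} & (ref - have))]
    return out
```

An empty result only means the two paths return the same signature coverage; it does not validate the signatures themselves.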


