DNSSEC troubleshooting on a recursive server.

Grant Keller gkeller at corp.sonic.net
Thu Aug 8 16:42:20 UTC 2013


On 08/08/2013 09:34 AM, Phil Mayers wrote:
> On 08/08/13 17:22, Grant Keller wrote:
>
>> It's strange, I get the records when querying one of my other DNS
>> servers:
>
> As per my original email - firewall? middlebox? crazy ISP transparent
> caching DNS server?
>
> I would break out tcpdump; clear the cache on the affected server,
> re-do the dig, then trawl through the tcpdump looking for the relevant
> queries and replies. Prove to yourself whether the RRSIGs are arriving
> at the "broken" DNS server. If so, go on from there. If not, harass
> your network/security team or upstream ;o)
>

I don't think it is anything upstream. As a test, I flushed the cache on
one of the affected servers, and now it is validating successfully:

; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> +dnssec zygo.com a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58342
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;zygo.com.            IN    A

;; ANSWER SECTION:
zygo.com.        86400    IN    A    50.28.48.60
zygo.com.        86400    IN    RRSIG    A 7 2 86400 20130812183056
20130728183056 19712 zygo.com.
FbuZDfcptJtbOCxsCV+U3uQA+ETkrvhKAJrpVhlVMAGrYhgFBHWTvsgK
8ZY9DP7Chr8rXF8BXjr0zh06Fi62RJQiRuytFLN117kqJjXe4g/5q4l3
O9XsuF2WeDj3TudMeqcb6hxGstly34gfec/RZdktlogmJTSu5+t3BdwP myU=

;; AUTHORITY SECTION:
zygo.com.        3600    IN    NS    pdns02.domaincontrol.com.
zygo.com.        3600    IN    NS    pdns01.domaincontrol.com.
zygo.com.        3600    IN    RRSIG    NS 7 2 3600 20130812183056
20130728183056 19712 zygo.com.
YTqpH1q+wSZCUGhjw0qKWRBGSARInipMqUEOg0IaM49rgSSynYPDDt01
7XOCpOnlZXSuiGv42yac/b3Se4gGHOfdyOHRncjiSmwL5vYlVhCBqUS3
qgPSnqYonqC7uxaVg7tQm0ErZpWFJiMMdHfs/HpLTKq5tnZfHflCkhWj si4=

;; ADDITIONAL SECTION:
pdns01.domaincontrol.com. 172786 IN    A    216.69.185.50
pdns02.domaincontrol.com. 172786 IN    A    208.109.255.50

;; Query time: 23 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug  8 09:38:24 2013
;; MSG SIZE  rcvd: 477


I still have a few more servers that are affected, and I would prefer not
to flush the cache on all of them.

-- 
Grant Keller
Sonic.net System Operations
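An added example, not part of the thread: a small Python checker that applies the test Phil describes to saved `dig +dnssec` output, reporting whether the DO bit was set, whether RRSIGs came back in the ANSWER section, and whether the resolver set AD. The sample answers are constructed from the record format shown above (trimmed), and the diagnosis wording is the example's own.

```python
# Added example (not from the post): classify a `dig +dnssec` answer by the
# three things worth checking here: DO bit sent, RRSIGs returned, AD set.
import re

def parse_dig(text):
    """Return header flags, the EDNS DO bit and the RRSIG-covered types in ANSWER."""
    flags, do_bit, rrsig_types, section = set(), False, [], None
    for line in text.splitlines():
        m = re.match(r";; flags: ([^;]*);", line)
        if m:
            flags = set(m.group(1).split())
            continue
        if line.startswith("; EDNS:"):
            do_bit = bool(re.search(r"flags:\s*[^;]*\bdo\b", line))
            continue
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
            continue
        # Records are "name TTL IN TYPE rdata"; wrapped RRSIG base64 lines have fewer fields
        fields = line.split()
        if section == "ANSWER" and len(fields) >= 5 and fields[3] == "RRSIG":
            rrsig_types.append(fields[4])
    return {"flags": flags, "do": do_bit, "rrsigs": rrsig_types}

def diagnose(text):
    info = parse_dig(text)
    if not info["do"]:
        return "no DO bit: dig was not run with +dnssec, resolver omits RRSIGs"
    if not info["rrsigs"]:
        return "RRSIGs missing: stale cache or signatures not reaching the resolver"
    if "ad" in info["flags"]:
        return "validated: AD set and RRSIG present for " + ",".join(info["rrsigs"])
    return "RRSIGs present but AD clear: resolver could not validate"

# Constructed sample, trimmed from the answer format shown in the post.
VALIDATED = """;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
zygo.com.        86400    IN    A    50.28.48.60
zygo.com.        86400    IN    RRSIG    A 7 2 86400 20130812183056
20130728183056 19712 zygo.com.
FbuZDfcptJtbOCxsCV+U3uQA+ETkrvhKAJrpVhlVMAGrYhgFBHWTvsgK myU=
"""
# Constructed: same query answered from a cache that dropped the signatures.
UNSIGNED = VALIDATED.replace("ra ad;", "ra;").split(";; ANSWER SECTION:")[0] + \
    ";; ANSWER SECTION:\nzygo.com.        86400    IN    A    50.28.48.60\n"

if __name__ == "__main__":
    print(diagnose(VALIDATED), diagnose(UNSIGNED), sep="\n")
```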


