DNSSEC validation on 9.7.4 not working

Frank Bulk frnkblk at iname.com
Wed Jun 24 03:20:23 UTC 2015


Mark,

Sorry for top-posting -- my email client makes it difficult to do otherwise.

Yes, I'm absolutely sure there's no software or physical firewall (we're an
ISP), and there's also no load-balancer in front of this box.  I've also
used the EDNS tests and I can get a 4000+ byte response.  There's also no
forwarder configured.

Here's the requested output:


root at nagios:/etc/bind# dig @127.0.0.1 +cd ds com; dig @127.0.0.1 +cd dnskey .

; <<>> DiG 9.7.3 <<>> @127.0.0.1 +cd ds com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55498
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;com.                           IN      DS

;; ANSWER SECTION:
com.                    86400   IN      DS      30909 8 2
E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766

;; Query time: 17 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jun 23 22:17:58 2015
;; MSG SIZE  rcvd: 69

;; Truncated, retrying in TCP mode.

; <<>> DiG 9.7.3 <<>> @127.0.0.1 +cd dnskey .
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25167
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;.                              IN      DNSKEY

;; ANSWER SECTION:
.                       32115   IN      DNSKEY  256 3 8
AwEAAa67bQck1JjopOOFc+iMISFcp/osWrEst2wbKbuQSUWu77QC9UHL
ipiHgWN7JlqVAEjKITZz49hhkLmOpmLK55pTq+RD2kwoyNWk9cvpc+tS
nIxT7i93O+3oVeLYjMWrkDAz7K45rObbHDuSBwYZKrcSIUCZnCpNMUtn PFl/04cb
.                       32115   IN      DNSKEY  257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
.                       32115   IN      DNSKEY  256 3 8
AwEAAZyIkCwEYeG29NV+4cOdKE4DPng/4BqJeoOhKqzJbl+LR33TPWsr
wBRfmAi9wvR/Qc6IV4MFMXjmkclXns+atIQZ9uQV3YAvKv/cVuO7Mneu
MssIQixaMw+jp73R7zIUNMbLBgJRQXI57Rl+pvXBAkgHndVwv+aJkf7y GEuE9Dtj

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jun 23 22:17:59 2015
;; MSG SIZE  rcvd: 586


Frank


-----Original Message-----
From: Mark Andrews [mailto:marka at isc.org] 
Sent: Tuesday, June 23, 2015 10:11 PM
To: Frank Bulk <frnkblk at iname.com>
Cc: bind-users at isc.org
Subject: Re: DNSSEC validation on 9.7.4 not working


In message <003d01d0ae24$682fc080$388f4180$@iname.com>, "Frank Bulk" writes:
> I'm running BIND 9.7.3 on Debian and having trouble configuring DNSSEC
> validation.
> 
> I'm using the excellent guides at
> http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html#easy-start-guide-for-recursive-servers
> and
> https://www.surf.nl/binaries/content/assets/surf/en/knowledgebase/2012/rapport_Deploying_DNSSEC_v20.pdf
> and http://dnssec.vs.uni-due.de/ which provide 9.7.x configuration
> instructions and so I'm feeling a bit slow that I can't make this work.
> 
> I have a copy of bind.keys from
> https://www.isc.org/downloads/bind/bind-keys/ in /etc/bind/
> 
> This statement in /etc/bind/bind.conf:
> 
> managed-keys {
>       "." initial-key 257 3 8
> "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
> FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
> bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
> X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
> W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
> Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";
> };
> 
> and the following in /etc/bind/bind.conf.options:
> 
> options {
>        <snip>
>        dnssec-enable yes;
>        dnssec-validation yes;
>        <snip>
> }
> 
> But when I issue "rndc reconfig" I immediately get repeated log lines about
> the following and then similar statements for each domain:
> 
> 23-Jun-2015 20:43:47.402 dnssec: info:   validating @0x7fcec948ce40: com DS: no valid signature found
> 23-Jun-2015 20:43:47.402 dnssec: info:   validating @0x7fcec8c41bf0: com DS: no valid signature found
> 23-Jun-2015 20:43:47.438 dnssec: info: validating @0x7fcec8c39b80: . NS: no valid signature found
> <snip>
> 23-Jun-2015 20:43:48.750 dnssec: info: validating @0x7fced04fd9e0: . NS: no valid signature found
> 23-Jun-2015 20:43:48.754 dnssec: info: validating @0x7fcee55996a0: a1075.dscg.akamai.net AAAA: bad cache hit (net/DS)
> 23-Jun-2015 20:43:48.757 dnssec: info: validating @0x7fceca621970: wwwp.wip.rackspace.com AAAA: bad cache hit (com/DS)
> 23-Jun-2015 20:43:48.759 dnssec: info: validating @0x7fceca621970: a1526.dscg.akamai.net AAAA: bad cache hit (net/DS)
> 23-Jun-2015 20:43:48.759 dnssec: info: validating @0x7fced04fd9e0: a1784.dscg.akamai.net AAAA: bad cache hit (net/DS)
> 23-Jun-2015 20:43:48.761 dnssec: info: validating @0x7fced04fd9e0: e1181.dscb.akamaiedge.net AAAA: bad cache hit (net/DS)
> 
> Of course, once the TLDs aren't considered valid everything goes south.  
> 
> What am I doing wrong?
> 
> Regards,
> 
> Frank Bulk

Are you sure that there isn't a firewall that is blocking RRSIGs from getting
through, or that you aren't using a forwarder that isn't also validating?
These sorts of messages come when named is forced back to plain DNS to get a
response.

What do "dig +cd ds com" and "dig +cd dnskey ." return?

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
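Mark's two queries above show what named sees with checking disabled; the next thing a practitioner wants to know is whether the anchor in the managed-keys statement is actually one of the keys in the root DNSKEY RRset that came back. The following Python script is an added example (not code from the thread, from ISC or from BIND): it recomputes the key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4509) of the anchor quoted in Frank's managed-keys statement, parses his "dig @127.0.0.1 +cd dnskey ." output (embedded here as a constructed sample copied from the thread) and checks that a key with the same tag, flags and algorithm is present in the RRset. The function names are the example's own. It does not verify RRSIGs; that is a separate check with "dig +dnssec".

```python
import base64
import hashlib
import re
import struct

# Trust anchor text as it appears in the managed-keys statement quoted in the thread.
ANCHOR = """257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0="""

# Constructed sample: the answer section of Frank's "dig @127.0.0.1 +cd dnskey ."
# output from the thread, with the base64 wrapped across lines as dig printed it.
DIG_DNSKEY_OUTPUT = """\
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
.                       32115   IN      DNSKEY  256 3 8
AwEAAa67bQck1JjopOOFc+iMISFcp/osWrEst2wbKbuQSUWu77QC9UHL
ipiHgWN7JlqVAEjKITZz49hhkLmOpmLK55pTq+RD2kwoyNWk9cvpc+tS
nIxT7i93O+3oVeLYjMWrkDAz7K45rObbHDuSBwYZKrcSIUCZnCpNMUtn PFl/04cb
.                       32115   IN      DNSKEY  257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
.                       32115   IN      DNSKEY  256 3 8
AwEAAZyIkCwEYeG29NV+4cOdKE4DPng/4BqJeoOhKqzJbl+LR33TPWsr
wBRfmAi9wvR/Qc6IV4MFMXjmkclXns+atIQZ9uQV3YAvKv/cVuO7Mneu
MssIQixaMw+jp73R7zIUNMbLBgJRQXI57Rl+pvXBAkgHndVwv+aJkf7y GEuE9Dtj

;; Query time: 0 msec
"""

RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+DNSKEY\s+(.*)$")


def parse_dnskey(text):
    """'flags proto alg base64...' (base64 may contain spaces) -> (flags, proto, alg, b64)."""
    parts = text.split()
    return int(parts[0]), int(parts[1]), int(parts[2]), "".join(parts[3:])


def dnskey_rdata(flags, proto, alg, key_b64):
    """DNSKEY RDATA in wire form: 2-byte flags, protocol, algorithm, public key bytes."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(key_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def owner_wire(name):
    """Owner name in canonical (lower-cased) wire form; the root is a single zero byte."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_sha256(owner, rdata):
    """RFC 4509 DS digest (type 2): SHA-256 over owner name || DNSKEY RDATA, upper-case hex."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()


def parse_dig_dnskeys(output):
    """DNSKEY records from the ANSWER section of dig output, rejoining wrapped base64."""
    records, in_answer = [], False
    for line in output.splitlines():
        if line.startswith(";"):
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        if not in_answer or not line.strip():
            continue
        m = RR_LINE.match(line)
        if m:
            owner, rest = m.groups()
            records.append([owner] + list(parse_dnskey(rest)))
        elif records:
            records[-1][4] += "".join(line.split())  # continuation of the previous key
    return [tuple(r) for r in records]


def check_anchor(anchor_text, dig_output):
    """Compare the configured anchor with the DNSKEY RRset that named returned with +cd."""
    flags, proto, alg, key = parse_dnskey(anchor_text)
    rdata = dnskey_rdata(flags, proto, alg, key)
    tag = key_tag(rdata)
    rrset = {key_tag(dnskey_rdata(f, p, a, k)): (f, a)
             for _, f, p, a, k in parse_dig_dnskeys(dig_output)}
    return {
        "anchor_tag": tag,
        "anchor_ds": "%d %d 2 %s" % (tag, alg, ds_sha256(".", rdata)),
        "anchor_is_ksk": flags & 0x0101 == 0x0101,  # zone-key and SEP bits both set
        "rrset_tags": rrset,
        "anchor_in_rrset": rrset.get(tag) == (flags, alg),
    }


if __name__ == "__main__":
    for k, v in check_anchor(ANCHOR, DIG_DNSKEY_OUTPUT).items():
        print("%-16s %s" % (k, v))
```

Run it as-is to see the anchor's key tag and DS line next to the tags of the three keys in the RRset; to use it against a live resolver, replace DIG_DNSKEY_OUTPUT with the output of "dig @127.0.0.1 +cd dnskey ." and ANCHOR with the contents of your managed-keys statement. The DS line it prints can be compared with the root trust anchor that IANA publishes; if the anchor's tag is in the RRset but validation still fails, the problem is not the anchor, and the next thing to check is whether RRSIGs arrive at all ("dig @127.0.0.1 +cd +dnssec dnskey .").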

