DNSSEC validation on 9.7.4 not working
frnkblk at iname.com
Wed Jun 24 07:46:48 UTC 2015
Ding-ding-ding -- issuing "rndc flushname ." did the trick, Mark.
I'd encourage this troubleshooting tip to be documented in one of those
how-to guides. I don't think waiting for a TTL is a good idea if most
queries are failing with "bad cache hit".
Frank
-----Original Message-----
From: Mark Andrews [mailto:marka at isc.org]
Sent: Tuesday, June 23, 2015 11:03 PM
To: Frank Bulk
Cc: bind-users at isc.org
Subject: Re: DNSSEC validation on 9.7.4 not working
I suspect that the DNSKEY record for the root will be marked as an
'answer' rather than 'secure' (rndc dumpdb) and flushing the cache
will fix the issue as will waiting ~30703 seconds. 'rndc flushname .'
should also work though I forget where we added flushname.
Mark
In message <005701d0ae2f$ef2798f0$cd76cad0$@iname.com>, "Frank Bulk" writes:
> Here you go:
>
> root at nagios:/etc/bind# dig @127.0.0.1 +dnssec +cd ds com; dig @127.0.0.1 +dnssec +cd dnskey .
>
> ; <<>> DiG 9.7.3 <<>> @127.0.0.1 +dnssec +cd ds com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38536
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;com. IN DS
>
> ;; ANSWER SECTION:
> com. 86400 IN DS 30909 8 2
> E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
> com. 86400 IN RRSIG DS 8 1 86400 20150703170000 20150623160000 48613 .
> ioJ6KyZ9ig0PsFBdo5jfM/9hLEX9qn06QaitkJubhcH3m/DPBi2o9xTu
> Cs9Aabwm/tSlGc+JVc3oBVSwv6LakHUY9v7aJn77pD244tnnlgNeR+z4
> kkZSn1Kp5tHmhKx8sNYe8Fe9rTA/9hC+3IokE949ppf+3CEyjJ4uhJhm lN0=
>
> ;; Query time: 54 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jun 23 22:41:31 2015
> ;; MSG SIZE rcvd: 239
>
>
> ; <<>> DiG 9.7.3 <<>> @127.0.0.1 +dnssec +cd dnskey .
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11727
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;. IN DNSKEY
>
> ;; ANSWER SECTION:
> . 30703 IN DNSKEY 256 3 8
> AwEAAZyIkCwEYeG29NV+4cOdKE4DPng/4BqJeoOhKqzJbl+LR33TPWsr
> wBRfmAi9wvR/Qc6IV4MFMXjmkclXns+atIQZ9uQV3YAvKv/cVuO7Mneu
> MssIQixaMw+jp73R7zIUNMbLBgJRQXI57Rl+pvXBAkgHndVwv+aJkf7y GEuE9Dtj
> . 30703 IN DNSKEY 256 3 8
> AwEAAa67bQck1JjopOOFc+iMISFcp/osWrEst2wbKbuQSUWu77QC9UHL
> ipiHgWN7JlqVAEjKITZz49hhkLmOpmLK55pTq+RD2kwoyNWk9cvpc+tS
> nIxT7i93O+3oVeLYjMWrkDAz7K45rObbHDuSBwYZKrcSIUCZnCpNMUtn PFl/04cb
> . 30703 IN DNSKEY 257 3 8
> AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
> FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
> bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
> X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
> W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
> Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
> . 30703 IN RRSIG DNSKEY 8 0 172800
> 20150705235959 20150620000000 19036 .
> W6ZIOh5tJ1ph3C0c9Fqot+55jCewbk/cWRquGOeRnWkag7rx/XgsEfvd
> HLr1HsSIlag+lt1OvTlsLgvVk/yUcOAZA/NvMRPbFfbyrEi82YpZ70Z2
> B995qkT7dCf/3uBynAzubAPshUfEi7LuBy9bzyYPMvtRZptEnBz3xsAf
> 4gmrRTX0BW66ve2xqvitZrPVH2WaYR70iJbJWbKKDCPl9rwEcit95gyi
> CNQLOIPFq2XgHDmo01Pr4evPbSowny6kNXzuDHgKQn1+BWX5zhbr74OE
> 3FZXo2DUXm8BA5OhMY0bMg32kjzQLu+lxBWpaXabjFoALNFG4WRRdx1s 4+Wuhg==
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jun 23 22:41:31 2015
> ;; MSG SIZE rcvd: 883
>
> root at nagios:/etc/bind# date -u
> Wed Jun 24 03:41:52 UTC 2015
> root at nagios:/etc/bind#
>
> Frank
>
> -----Original Message-----
> From: Mark Andrews [mailto:marka at isc.org]
> Sent: Tuesday, June 23, 2015 10:31 PM
> To: Frank Bulk <frnkblk at iname.com>
> Cc: bind-users at isc.org
> Subject: Re: DNSSEC validation on 9.7.4 not working
>
>
> Should have asked for +dnssec on those queries. Also "date -u".
>
>
> In message <005601d0ae2c$b698b6c0$23ca2440$@iname.com>, "Frank Bulk" writes:
> > Mark,
> >
> > Sorry for top-posting -- my email client makes it difficult to do otherwise.
> >
> > Yes, I'm absolutely sure there's no software or physical firewall (we're an
> > ISP), and there's also no load-balancer in front of this box. I've also
> > used the EDNS tests and I can get a 4000+ byte response. There's also no
> > forwarder configured.
> >
> > Here's the requested output:
> >
> >
> > root at nagios:/etc/bind# dig @127.0.0.1 +cd ds com; dig @127.0.0.1 +cd dnskey .
> >
> > ; <<>> DiG 9.7.3 <<>> @127.0.0.1 +cd ds com
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55498
> > ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;com. IN DS
> >
> > ;; ANSWER SECTION:
> > com. 86400 IN DS 30909 8 2
> > E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
> >
> > ;; Query time: 17 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > ;; WHEN: Tue Jun 23 22:17:58 2015
> > ;; MSG SIZE rcvd: 69
> >
> > ;; Truncated, retrying in TCP mode.
> >
> > ; <<>> DiG 9.7.3 <<>> @127.0.0.1 +cd dnskey .
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25167
> > ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;. IN DNSKEY
> >
> > ;; ANSWER SECTION:
> > . 32115 IN DNSKEY 256 3 8
> > AwEAAa67bQck1JjopOOFc+iMISFcp/osWrEst2wbKbuQSUWu77QC9UHL
> > ipiHgWN7JlqVAEjKITZz49hhkLmOpmLK55pTq+RD2kwoyNWk9cvpc+tS
> > nIxT7i93O+3oVeLYjMWrkDAz7K45rObbHDuSBwYZKrcSIUCZnCpNMUtn PFl/04cb
> > . 32115 IN DNSKEY 257 3 8
> > AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
> > FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
> > bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
> > X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
> > W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
> > Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
> > . 32115 IN DNSKEY 256 3 8
> > AwEAAZyIkCwEYeG29NV+4cOdKE4DPng/4BqJeoOhKqzJbl+LR33TPWsr
> > wBRfmAi9wvR/Qc6IV4MFMXjmkclXns+atIQZ9uQV3YAvKv/cVuO7Mneu
> > MssIQixaMw+jp73R7zIUNMbLBgJRQXI57Rl+pvXBAkgHndVwv+aJkf7y GEuE9Dtj
> >
> > ;; Query time: 0 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > ;; WHEN: Tue Jun 23 22:17:59 2015
> > ;; MSG SIZE rcvd: 586
> >
> >
> > Frank
> >
> >
> > -----Original Message-----
> > From: Mark Andrews [mailto:marka at isc.org]
> > Sent: Tuesday, June 23, 2015 10:11 PM
> > To: Frank Bulk <frnkblk at iname.com>
> > Cc: bind-users at isc.org
> > Subject: Re: DNSSEC validation on 9.7.4 not working
> >
> >
> > In message <003d01d0ae24$682fc080$388f4180$@iname.com>, "Frank Bulk" writes:
> > > I'm running BIND 9.7.3 on Debian and having trouble configuring DNSSEC
> > > validation.
> > >
> > > I'm using the excellent guides at
> > > http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html#easy-start-guide-for-recursive-servers and
> > > https://www.surf.nl/binaries/content/assets/surf/en/knowledgebase/2012/rapport_Deploying_DNSSEC_v20.pdf and http://dnssec.vs.uni-due.de/ which provide
> > > 9.7.x configuration instructions and so I'm feeling a bit slow that I can't
> > > make this work.
> > >
> > > I have a copy of bind.keys from
> > > https://www.isc.org/downloads/bind/bind-keys/ in /etc/bind/
> > >
> > > This statement in /etc/bind/bind.conf:
> > >
> > > managed-keys {
> > > "." initial-key 257 3 8
> > > "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
> > > FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
> > > bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
> > > X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
> > > W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
> > > Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";
> > > };
> > >
> > > and the following in /etc/bind/bind.conf.options:
> > >
> > > options {
> > > <snip>
> > > dnssec-enable yes;
> > > dnssec-validation yes;
> > > <snip>
> > > }
> > >
> > > But when I issue "rndc reconfig" I immediately get repeated log lines about
> > > the following and then similar statements for each domain:
> > >
> > > 23-Jun-2015 20:43:47.402 dnssec: info: validating @0x7fcec948ce40: com DS: no valid signature found
> > > 23-Jun-2015 20:43:47.402 dnssec: info: validating @0x7fcec8c41bf0: com DS: no valid signature found
> > > 23-Jun-2015 20:43:47.438 dnssec: info: validating @0x7fcec8c39b80: . NS: no valid signature found
> > > <snip>
> > > 23-Jun-2015 20:43:48.750 dnssec: info: validating @0x7fced04fd9e0: . NS: no valid signature found
> > > 23-Jun-2015 20:43:48.754 dnssec: info: validating @0x7fcee55996a0: a1075.dscg.akamai.net AAAA: bad cache hit (net/DS)
> > > 23-Jun-2015 20:43:48.757 dnssec: info: validating @0x7fceca621970: wwwp.wip.rackspace.com AAAA: bad cache hit (com/DS)
> > > 23-Jun-2015 20:43:48.759 dnssec: info: validating @0x7fceca621970: a1526.dscg.akamai.net AAAA: bad cache hit (net/DS)
> > > 23-Jun-2015 20:43:48.759 dnssec: info: validating @0x7fced04fd9e0: a1784.dscg.akamai.net AAAA: bad cache hit (net/DS)
> > > 23-Jun-2015 20:43:48.761 dnssec: info: validating @0x7fced04fd9e0: e1181.dscb.akamaiedge.net AAAA: bad cache hit (net/DS)
> > >
> > > Of course, once the TLDs aren't considered valid everything goes south.
> > >
> > > What am I doing wrong?
> > >
> > > Regards,
> > >
> > > Frank Bulk
> >
> > Are you sure that there isn't a firewall that is blocking RRSIGs getting
> > through or that you aren't using a forwarder that isn't also
> > validating? These sorts of messages come when named is forced back
> > to plain DNS to get a response.
> >
> > What do "dig +cd ds com" and "dig +cd dnskey ." return?
> >
> > Mark
> >
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
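As an added diagnostic example (not code from this thread or from ISC): a small parser for the `dnssec: info: validating` lines Frank posted, sorting them into the two failure kinds seen here and deriving the `rndc flushname` targets from them; the sample log lines are constructed from the thread's excerpt.

```python
import re
from collections import Counter

# Shape of the lines quoted in this thread (BIND 9.7 'dnssec' category, info level).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} [\d:.]+) dnssec: info: validating "
    r"@0x[0-9a-f]+: (?P<name>\S+) (?P<rtype>[A-Z0-9]+): (?P<msg>.+)$")
BAD_HIT_RE = re.compile(r"bad cache hit \((?P<cname>[^/]+)/(?P<ctype>[^)]+)\)")

# Constructed from the log excerpt Frank posted (a few of his lines, verbatim).
SAMPLE_LOG = """\
23-Jun-2015 20:43:47.402 dnssec: info: validating @0x7fcec948ce40: com DS: no valid signature found
23-Jun-2015 20:43:47.438 dnssec: info: validating @0x7fcec8c39b80: . NS: no valid signature found
23-Jun-2015 20:43:48.754 dnssec: info: validating @0x7fcee55996a0: a1075.dscg.akamai.net AAAA: bad cache hit (net/DS)
23-Jun-2015 20:43:48.757 dnssec: info: validating @0x7fceca621970: wwwp.wip.rackspace.com AAAA: bad cache hit (com/DS)
23-Jun-2015 20:43:48.759 dnssec: info: validating @0x7fceca621970: a1526.dscg.akamai.net AAAA: bad cache hit (net/DS)
"""


def parse_validation_log(text):
    """Return (Counter of failure kinds, set of cache entries to flush).
    'NAME TYPE: no valid signature found': NAME's own RRset failed to validate.
    'bad cache hit (X/DS)': named did not re-validate, it reused an X/DS entry
    already cached as failed, so X (not the looked-up name) is what to flush."""
    kinds = Counter()
    to_flush = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a validator line; ignore
        msg = m.group("msg")
        hit = BAD_HIT_RE.search(msg)
        if hit:
            kinds["bad cache hit"] += 1
            to_flush.add(hit.group("cname"))
        elif msg == "no valid signature found":
            kinds["no valid signature found"] += 1
            to_flush.add(m.group("name"))
    return kinds, to_flush


def flush_commands(to_flush):
    """rndc flushname commands, root first: in this thread the stale entry
    was the root DNSKEY, and flushing '.' was what made validation recover."""
    return ["rndc flushname " + n for n in sorted(to_flush, key=lambda n: (n != ".", n))]


if __name__ == "__main__":
    kinds, names = parse_validation_log(SAMPLE_LOG)
    print(dict(kinds))
    print("\n".join(flush_commands(names)))
```

Flushing only removes the cached negative result so the validator retries; if the trust anchor or the path to the RRSIGs is still broken, the same lines will reappear on the next query.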