DNSSEC validation failures for www.hrsa.gov

Jay Ford jay-ford at uiowa.edu
Fri Jun 24 23:59:16 UTC 2016


I'm getting DNSSEC validation failures by BIND 9.10.4-P1 for www.hrsa.gov.

The pertinent log messages are things like:

    lame-servers: info: no valid RRSIG resolving 'webfarm.dr.hrsa.gov/DS/IN': 165.112.137.222#53
    lame-servers: info: no valid RRSIG resolving 'webfarm.dr.hrsa.gov/DS/IN': 162.99.248.222#53
    lame-servers: info: no valid DS resolving 'webfarm.dr.hrsa.gov/A/IN': 162.99.248.222#53
    lame-servers: info: broken trust chain resolving 'webfarm.dr.hrsa.gov/A/IN': 165.112.137.222#53
    lame-servers: info: insecurity proof failed resolving 'dr.hrsa.gov/SOA/IN': 162.99.248.222#53
    lame-servers: info: insecurity proof failed resolving 'dr.hrsa.gov/SOA/IN': 165.112.137.222#53

The dig output is:

    $ dig www.hrsa.gov @dns-spare.uiowa.edu

    ; <<>> DiG 9.10.3-P4-Debian <<>> www.hrsa.gov @dns-spare.uiowa.edu
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42947
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.hrsa.gov.                  IN      A

    ;; Query time: 103 msec
    ;; SERVER: fd9a:2c75:7d0c:5::2#53(fd9a:2c75:7d0c:5::2)
    ;; WHEN: Fri Jun 24 18:49:06 CDT 2016
    ;; MSG SIZE  rcvd: 41

It doesn't fail with a similar config on 9.10.3-P4, but there are admittedly 
config differences.

Other DNSSEC-signed things validate fine at both versions, so things are
mostly OK.

My guess is that BIND 9.10.4-P1 is checking something more stringently than
previous versions did, & that something is broken with the DNS for
www.hrsa.gov, but I can't spot what it is.  There are some very short TTLs (5
seconds) in the data tree in question, including for SOAs, which seems like a
really bad idea but I'm not sure it definitely breaks things.  There are also
some answers with both "AA" & "AD" set, which seems odd, but again, not
definitely broken.

dnsviz.net reports a couple of warnings, including a non-AA answer from
authoritative servers, but it doesn't say it's bogus.

If anybody can spot something broken for www.hrsa.gov, I'd be very glad to
hear about it.

________________________________________________________________________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-ford at uiowa.edu, phone: 319-335-5555
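The six "lame-servers" lines quoted in the post are the raw material for a triage like the one asked for. The script below is an added example, not part of the post or of BIND: it parses validation-failure messages of the form `<reason> resolving '<name>/<type>/IN': <server>#<port>`, groups them by owner name, failure reason and responding authoritative server, and lists the delegations (child name and the parent zone that should serve its DS, or a secure denial of it) worth inspecting next. The sample input is the post's own log lines; the one-label-up rule for the parent zone is a heuristic assumed here, since a zone cut is not guaranteed at every label.

```python
"""Triage BIND 9 DNSSEC validation-failure log lines (added example)."""
import re
from collections import defaultdict

# Sample input: the six log lines quoted in the post above.
SAMPLE_LOG = """\
lame-servers: info: no valid RRSIG resolving 'webfarm.dr.hrsa.gov/DS/IN': 165.112.137.222#53
lame-servers: info: no valid RRSIG resolving 'webfarm.dr.hrsa.gov/DS/IN': 162.99.248.222#53
lame-servers: info: no valid DS resolving 'webfarm.dr.hrsa.gov/A/IN': 162.99.248.222#53
lame-servers: info: broken trust chain resolving 'webfarm.dr.hrsa.gov/A/IN': 165.112.137.222#53
lame-servers: info: insecurity proof failed resolving 'dr.hrsa.gov/SOA/IN': 162.99.248.222#53
lame-servers: info: insecurity proof failed resolving 'dr.hrsa.gov/SOA/IN': 165.112.137.222#53
"""

# Matches the message body; `search` tolerates a syslog/BIND timestamp prefix.
LINE_RE = re.compile(
    r"lame-servers: \w+: (?P<reason>.+?) resolving "
    r"'(?P<name>[^/]+)/(?P<rtype>[A-Z0-9]+)/IN': "
    r"(?P<server>[0-9a-fA-F.:]+)#(?P<port>\d+)"
)

# Reasons that indicate the chain of trust itself, not a single bad answer.
CHAIN_REASONS = {"no valid DS", "insecurity proof failed", "broken trust chain"}


def parse_line(line):
    """Return a dict (reason, name, rtype, server, port) or None if not a match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def parse_log(text):
    """Parse every matching line of a log excerpt, skipping unrelated lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def parent_zone(name):
    """Zone expected to hold the DS for `name`: assumed one label up (heuristic)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else "."


def summarize(records):
    """name -> {'reasons': {reason: set(servers)}, 'rtypes': set(qtypes)}."""
    summary = defaultdict(lambda: {"reasons": defaultdict(set), "rtypes": set()})
    for r in records:
        entry = summary[r["name"]]
        entry["reasons"][r["reason"]].add(r["server"])
        entry["rtypes"].add(r["rtype"])
    return summary


def servers(records):
    """All authoritative servers implicated in the failures."""
    return {r["server"] for r in records}


def suspect_delegations(records):
    """Sorted (child, parent_zone) pairs whose DS / insecurity proof failed."""
    pairs = set()
    for r in records:
        if r["rtype"] == "DS" or r["reason"] in CHAIN_REASONS:
            pairs.add((r["name"], parent_zone(r["name"])))
    return sorted(pairs)


def report(text):
    """Human-readable triage of a log excerpt."""
    records = parse_log(text)
    lines = []
    for name, entry in sorted(summarize(records).items()):
        lines.append(f"{name} (qtypes: {', '.join(sorted(entry['rtypes']))})")
        for reason, srvs in sorted(entry["reasons"].items()):
            lines.append(f"  {reason}: {', '.join(sorted(srvs))}")
    lines.append("Delegations to inspect (child <- parent zone serving its DS):")
    for child, parent in suspect_delegations(records):
        lines.append(f"  {child} <- {parent}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the sample, every failure is reported by both authoritative servers, so the next step is to query each of them directly with `dig +cd +dnssec` for the DS at the parent and the DNSKEY at the child, rather than to suspect one lame server.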