dnssec validation issue

Ganga R. Dhungyel grdhungyel at gmail.com
Thu Aug 24 03:33:32 UTC 2017


Hi All

I am running a bind 9.9.4-50 resolver on CentOS 7 (kernel 3.10.0-514.26.2.el7.x86_64). I have enabled dnssec and made it into a validating resolver but I am facing issues with some sites that use CNAME and getting SERVFAIL. Configs are pretty simple as given below:

**configs
options {
	listen-on port 53 { 127.0.0.1; x.x.x.x; };
	listen-on-v6 port 53 { ::1; aaaa:bbbb:cccc::d; };
	directory 	"/var/named";
	pid-file	"/var/run/named/named.pid";
	dump-file 	"data/cache_dump.db";
	empty-zones-enable yes;
	zone-statistics yes;
	querylog yes;
	recursion yes;
	allow-recursion {localhost; my-net; };
	statistics-file "data/named_stats.txt";
	memstatistics-file "data/named_mem_stats.txt";
	allow-query {localhost; my-net; };
	allow-query-cache {localhost; my-net; };
	flush-zones-on-shutdown yes;
	version "UNNECESSARY";
	dnssec-enable yes;
	dnssec-validation auto; ## tried with yes but no difference
	random-device "/dev/urandom";
	managed-keys-directory "/var/named/dynamic";
};

// named.conf
//
include "/etc/named/acl.conf";
include "/etc/named/options.conf";
include "//etc/named/named-log.conf";
//include "/etc/named/named.rfc1912.zones";
include "/etc/rndc.key";
include "/etc/named.root.key";
zone "." IN {
	type hint;
	file "/var/named/data/named.root";
};
//
zone "0.0.127.in-addr.arpa" {
	type master;
	file "data/db.loopback.master";
	notify no;
};
**end of configs
//
**dig results for A record of www.icann.org

# dig @localhost www.icann.org. A +dnssec

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> @localhost www.icann.org. A +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25178
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.icann.org.			IN	A


*** Dig for CNAME works fine
# dig @localhost www.icann.org. cname  +dnssec

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> @localhost www.icann.org. cname +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62144
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11

;www.icann.org.			IN	CNAME

;; ANSWER SECTION:
www.icann.org.		1747	IN	CNAME	www.vip.icann.org.
www.icann.org.		1747	IN	RRSIG	CNAME 7 3 3600 20170830102924 20170809041125 56445 icann.org. VB1PWieuP3nZX9rpJ8WyA2G0DoV86NxkrgT6HNDsTHmDI0xLYdGvLPCj H4m3lRg1YVxmpwFEJPDHG9TRcqo39T4TDFe+SIyMI/2ERFRhgorggaok zATAs35lDiLpoO7S1LLSWl/L+QmT/bK/XXq1VP/ZUjX3t6belB/GBnZW ZsL/NAU=

;; AUTHORITY SECTION:
icann.org.		84541	IN	NS	b.iana-servers.net.
icann.org.		84541	IN	NS	c.iana-servers.net.
icann.org.		84541	IN	NS	ns.icann.org.
icann.org.		84541	IN	NS	a.iana-servers.net.
icann.org.		84541	IN	RRSIG	NS 7 2 86400 20170831033936 20170810001125 56445 icann.org. jylCSOpN18PNZcDYghGrYky8NsR1Pt7Rpm+c564QQobdd6u8Q1cQtVZZ a+m8wDQtgb0LQCQ9FEXT7Sm9+/p+hGottj4YUuv1TDnLSztSkUqV5DOV ptqG7TCFqsF482AMEmqW8OKNMiapAX6NAbO1hl5gDm+BX0ro2XrCaqzU 8RrdHNE=

;; ADDITIONAL SECTION:
a.iana-servers.net.	170941	IN	A	199.43.135.53
a.iana-servers.net.	170941	IN	AAAA	2001:500:8f::53
b.iana-servers.net.	170941	IN	A	199.43.133.53
….
...
ns.icann.org.		84541	IN	A	199.4.138.53
ns.icann.org.		84541	IN	AAAA	2001:500:89::53
ns.icann.org.		1741	IN	RRSIG	A 7 3 3600 20170830005731 20170808155836 56445 icann.org. vcUjGAOoJj2nomVKLuigIJAYIOaauYWFN++wqcAYfwO6ayOXPxXMq4j6 jvc8W5r+aLl4jQlHHTZ5L2TghdrH2ngFl5YlXKJSCjcAwifcvASrr5rv +5nmC41L66ueEafDLCBV1vUD2KlaHro1Om1vxZkl9zLCPQc3ESRkHE74 5Nr+nY8=
ns.icann.org.		1741	IN	RRSIG	AAAA 7 3 3600 20170830012209 20170809081125 56445 icann.org. rPURe+sfaBHZccMmpr1sqTzKgxnehYE5D4jt+ndGLKS0yq91EvX/Ktmk EVdyrkSR74Ic+ZY2UjjMopqZO42StePHItX1X0UHXHwpZvS3DqYQwX7o g607QoXPDrotsw0HiG/LVWiT4nZDyGLxRgnp7sQLzAwja9UQO8U/XO6N LdWZ2+c=


**debug log
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: starting
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: attempting insecurity proof
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'org'
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'icann.org'
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'vip.icann.org'
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'www.vip.icann.org'
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: starting
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: attempting negative response validation
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: vip.icann.org SOA: starting
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: vip.icann.org SOA: attempting positive response validation
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: vip.icann.org SOA: keyset with trust secure
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: vip.icann.org SOA: verify rdataset (keyid=47600): success
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: vip.icann.org SOA: marking as secure, noqname proof not needed
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validator @0x7f3ffc96fdf0: dns_validator_destroy
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: in authvalidated
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: resuming nsecvalidate
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: starting
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: attempting positive response validation
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: keyset with trust secure
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: verify rdataset (keyid=47600): success
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: marking as secure, noqname proof not needed
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validator @0x7f3ffc96fdf0: dns_validator_destroy
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: in authvalidated
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: resuming nsecvalidate
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: looking for relevant NSEC3
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: looking for relevant NSEC3
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: NSEC3 proves name exists (owner) data=0
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: nonexistence proof(s) found
23-Aug-2017 16:17:57.872 dnssec: debug 3: validator @0x7f3ffc96f160: dns_validator_destroy
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: in dsfetched2: ncache nxrrset
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: resuming proveunsecure
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: insecurity proof failed


With dnssec-validation turned on, resolving sites like www.icann.org fails. The alternative is to remove validation which of course is not the desired solution.

Any help would be appreciated.

Thanks.

—
Dhungyel
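The debug log above is the most useful evidence in the post: BIND's validator walks the DS chain for the CNAME target (org, icann.org, vip.icann.org, www.vip.icann.org), spawns child validators for the SOA and NSEC3 records that prove the DS does not exist, and still ends with "insecurity proof failed", which is what surfaces to the client as SERVFAIL. Reading that by hand across interleaved, reused validator handles is error-prone, so the following script, an added example that is not part of the post or of BIND, groups `dnssec` category debug lines by validator handle, records the DS-existence walk, and reports each validation's final verdict. The embedded sample lines are copied from the post's log with the mail client's link residue removed; the outcome labels and the handling of handle reuse after `dns_validator_destroy` are this script's own conventions.

```python
"""Triage helper for BIND 'dnssec' category debug logs.

Groups per-validator log lines by validator handle, tracks the DS-existence
walk that precedes an insecurity proof, and reports each validation's final
verdict so that the one behind a SERVFAIL stands out.  Added example; not
code from the post or from BIND.
"""
import re
from dataclasses import dataclass, field

# Sample input copied from the post's debug log (link residue removed).
SAMPLE_LOG = """\
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: starting
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: attempting insecurity proof
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'org'
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'icann.org'
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'vip.icann.org'
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'www.vip.icann.org'
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: starting
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: attempting negative response validation
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: vip.icann.org SOA: starting
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: vip.icann.org SOA: verify rdataset (keyid=47600): success
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: vip.icann.org SOA: marking as secure, noqname proof not needed
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validator @0x7f3ffc96fdf0: dns_validator_destroy
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: starting
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: marking as secure, noqname proof not needed
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validator @0x7f3ffc96fdf0: dns_validator_destroy
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: NSEC3 proves name exists (owner) data=0
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: nonexistence proof(s) found
23-Aug-2017 16:17:57.872 dnssec: debug 3: validator @0x7f3ffc96f160: dns_validator_destroy
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: in dsfetched2: ncache nxrrset
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: resuming proveunsecure
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: insecurity proof failed
"""

# "validating @<handle>: <name> <type>: <message>" or "validator @<handle>: ...".
# Child validators are indented two extra spaces per nesting level.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) dnssec: debug \d+:(?P<indent> +)"
    r"(?P<kind>validating|validator) @(?P<vid>0x[0-9a-f]+): (?P<rest>.*)$"
)
REST_RE = re.compile(r"^(?P<name>\S+) (?P<rtype>\S+): (?P<msg>.*)$")
DS_RE = re.compile(r"^checking existence of DS at '([^']+)'$")


@dataclass
class Validation:
    vid: str
    name: str
    rtype: str
    depth: int
    events: list = field(default_factory=list)
    ds_probed: list = field(default_factory=list)  # zone cuts where DS was checked
    outcome: str = "incomplete"


def parse_validator_log(lines):
    """Return one Validation per validator lifetime, in order of appearance."""
    records, active = [], {}  # active: handle -> open Validation
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        vid = m.group("vid")
        depth = (len(m.group("indent")) - 1) // 2
        if m.group("kind") == "validator":
            # dns_validator_destroy ends this lifetime; the handle may be reused
            rec = active.pop(vid, None)
            if rec is not None and rec.outcome == "incomplete":
                rec.outcome = "destroyed without verdict"
            continue
        r = REST_RE.match(m.group("rest"))
        if not r:
            continue
        name, rtype, msg = r.group("name", "rtype", "msg")
        if msg == "starting" or vid not in active:
            active[vid] = Validation(vid, name, rtype, depth)
            records.append(active[vid])
        rec = active[vid]
        rec.events.append(msg)
        ds = DS_RE.match(msg)
        if ds:
            rec.ds_probed.append(ds.group(1))
        # Outcome labels are this script's convention, keyed on BIND's messages.
        if msg.startswith("marking as secure"):
            rec.outcome = "secure"
        elif msg.startswith("nonexistence proof(s) found"):
            rec.outcome = "secure (proven nonexistent)"
        elif msg.startswith("insecurity proof failed"):
            rec.outcome = "bogus (insecurity proof failed)"
    return records


def failed_validations(records):
    """(name, type) pairs whose validation ended bogus; these yield SERVFAIL."""
    return [(r.name, r.rtype) for r in records if r.outcome.startswith("bogus")]


def report(records):
    out = []
    for r in records:
        pad = "  " * r.depth
        out.append(f"{pad}{r.name} {r.rtype} [{r.vid}] -> {r.outcome}")
        if r.ds_probed:
            out.append(f"{pad}  DS existence checked at: {', '.join(r.ds_probed)}")
    return "\n".join(out)


if __name__ == "__main__":
    recs = parse_validator_log(SAMPLE_LOG.splitlines())
    print(report(recs))
    print("failed:", failed_validations(recs))
```

Run against a live server's log (BIND logs these lines at `category dnssec` with `severity debug 3`), the report shows, per validator, how far the DS walk got and which child proofs succeeded before the parent gave up; that is the information to compare against what `dig +dnssec +cd` returns for the same names when deciding whether the problem lies in the resolver or in the signed zone.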