9.11 can't validate sss.gov

Timothy A. Holtzen tah at NebrWesleyan.edu
Fri Jan 19 15:56:18 UTC 2018


I've run into an odd problem.  On the same host with nearly identical
configurations, Bind 9.10.6 can resolve and DNSSEC validate sss.gov but
Bind 9.11.2 cannot.  If I turn off DNSSEC validation 9.11.2 resolves it
just fine.  According to http://dnsviz.net/d/sss.gov/dnssec/ it looks
like the domain is properly signed and valid.  I get the following
in the log when validation fails.

Jan 19 09:26:20 stout named[11872]: dnssec: debug 3: validating
sss.gov/A: starting
Jan 19 09:26:20 stout named[11872]: dnssec: debug 3: validating
sss.gov/A: attempting insecurity proof
Jan 19 09:26:20 stout named[11872]: dnssec: debug 3: validating
sss.gov/A: checking existence of DS at 'gov'
Jan 19 09:26:20 stout named[11872]: dnssec: debug 3: validating
sss.gov/A: checking existence of DS at 'sss.gov'
Jan 19 09:26:20 stout named[11872]: dnssec: debug 3: validating
sss.gov/A: insecurity proof failed
Jan 19 09:26:20 stout named[11872]: validating sss.gov/A: got insecure
response; parent indicates it should be secure
Jan 19 09:26:20 stout named[11872]: dnssec: info: validating sss.gov/A:
got insecure response; parent indicates it should be secure
Jan 19 09:26:20 stout named[11872]: insecurity proof failed resolving
'sss.gov/A/IN': 2001:428::7#53
Jan 19 09:26:20 stout named[11872]: client @0x7fa6ec5ef6d0
10.9.2.18#39295 (sss.gov): view internal: query: sss.gov IN A +E(0)
(10.1.1.5)
Jan 19 09:26:21 stout named[11872]: dnssec: debug 3: validating
sss.gov/A: starting
Jan 19 09:26:21 stout named[11872]: dnssec: debug 3: validating
sss.gov/A: attempting insecurity proof
Jan 19 09:26:21 stout named[11872]: dnssec: debug 3: validating
sss.gov/A: checking existence of DS at 'gov'
Jan 19 09:26:21 stout named[11872]: dnssec: debug 3: validating
sss.gov/A: checking existence of DS at 'sss.gov'
Jan 19 09:26:21 stout named[11872]: dnssec: debug 3: validating
sss.gov/A: insecurity proof failed
Jan 19 09:26:21 stout named[11872]: validating sss.gov/A: got insecure
response; parent indicates it should be secure
Jan 19 09:26:21 stout named[11872]: dnssec: info: validating sss.gov/A:
got insecure response; parent indicates it should be secure
Jan 19 09:26:21 stout named[11872]: insecurity proof failed resolving
'sss.gov/A/IN': 63.150.72.5#53
Jan 19 09:26:23 stout named[11872]: client @0x7fa725012090
2606:1c00:2802:9::6#40869 (sss.gov): view internal: query failed
(SERVFAIL) for sss.gov/IN/A at query.c:8302
Jan 19 09:26:23 stout named[11872]: client @0x7fa728a30e50
10.9.2.18#39295 (sss.gov): view internal: query failed (SERVFAIL) for
sss.gov/IN/A at query.c:8302

Oddly enough other signed domains seem to validate correctly.  What
might have changed between 9.10 and 9.11?  I'm guessing that 9.11 is
probably more closely requiring some kind of standard conformance and
sss.gov is maybe not conforming completely.

Any thoughts?

It is kind of important for us.  As a university we are required to
verify that our students are properly registered with the Selective
Service (sss.gov).

-- 

Timothy A. Holtzen
Campus Network Administrator
Nebraska Wesleyan University
Public PGP key CFB4 3AE8 B726 DEBF 00D9  CCFC 426E 76AF DABC B3D7
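The log lines above show the step that fails: the validator finds a DS record at 'gov' for sss.gov, so the zone is expected to be secure, but it cannot tie that DS to a DNSKEY in the child and ends with "insecurity proof failed". The following is an added example, not code from the original post or from BIND, that reproduces the DS-to-DNSKEY matching a validator performs (RFC 4034: key tag, canonical owner name, digest over owner name plus DNSKEY RDATA) and classifies the delegation as secure, insecure or bogus. The key material, the helper names (`classify_delegation`, `ds_from_dnskey`, `demo`) and the "stale DS" scenario are constructed for illustration and are not sss.gov's real keys; a real resolver also verifies the RRSIG over the DNSKEY RRset and proves the absence of a DS with NSEC/NSEC3, which this example does not do.

```python
import hashlib
import struct

# Digest types from the IANA DS registry that this example understands.
DS_DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

ZONE_KEY_FLAG = 0x0100  # DNSKEY "Zone Key" bit (RFC 4034 section 2.1.1)


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase labels, each length-prefixed, root terminated."""
    labels = [label for label in name.rstrip(".").lower().split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, then the key material."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 appendix B (generic algorithm; RSA/MD5, algorithm 1, used a different rule)."""
    ac = 0
    for i in range(0, len(rdata), 2):
        high = rdata[i]
        low = rdata[i + 1] if i + 1 < len(rdata) else 0
        ac += (high << 8) | low
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DS_DIGEST_ALGORITHMS[digest_type](name_to_wire(owner) + rdata).hexdigest()


def ds_from_dnskey(owner, key, digest_type=2):
    """Build the DS record a parent would publish for this DNSKEY (what a zone operator hands to the registry)."""
    rdata = dnskey_rdata(key["flags"], key["protocol"], key["algorithm"], key["public_key"])
    return {"key_tag": key_tag(rdata), "algorithm": key["algorithm"],
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def classify_delegation(zone, parent_ds_rrset, child_dnskey_rrset):
    """
    Mirror the validator's decision visible in the log:
      - no DS at the parent             -> "insecure" (a real resolver proves this with NSEC/NSEC3)
      - DS present, no matching DNSKEY  -> "bogus"    ("parent indicates it should be secure")
      - DS matches a zone key           -> "secure"   (the DNSKEY RRset still needs its RRSIG checked)
    """
    if not parent_ds_rrset:
        return "insecure"
    for ds in parent_ds_rrset:
        for key in child_dnskey_rrset:
            if not key["flags"] & ZONE_KEY_FLAG:
                continue  # only zone keys can be secure entry points
            rdata = dnskey_rdata(key["flags"], key["protocol"], key["algorithm"], key["public_key"])
            if key_tag(rdata) != ds["key_tag"] or key["algorithm"] != ds["algorithm"]:
                continue
            if ds["digest_type"] not in DS_DIGEST_ALGORITHMS:
                continue  # unsupported digest type: unusable DS, keep looking
            if ds_digest(zone, rdata, ds["digest_type"]) == ds["digest"].lower():
                return "secure"
    return "bogus"


# Constructed sample key; this is not sss.gov's real key material.
SAMPLE_KSK = {"flags": 257, "protocol": 3, "algorithm": 13, "public_key": bytes(range(64))}


def demo(zone="sss.gov"):
    """Run the three cases a validator can land in and return their outcomes."""
    good_ds = ds_from_dnskey(zone, SAMPLE_KSK)
    # Constructed failure: the parent still publishes a digest of a key the child no longer serves.
    stale_ds = dict(good_ds, digest="00" * 32)
    return {
        "matching": classify_delegation(zone, [good_ds], [SAMPLE_KSK]),
        "no_ds": classify_delegation(zone, [], [SAMPLE_KSK]),
        "stale_ds": classify_delegation(zone, [stale_ds], [SAMPLE_KSK]),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

To apply this to a live zone, feed `classify_delegation` the DS RRset fetched from the parent's servers and the DNSKEY RRset fetched from the child's servers; a "bogus" outcome with "insecure" being the resolver's fallback is exactly the combination the log above reports, and comparing the parent's DS key tags against the child's DNSKEY key tags is the first thing to check.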
