Dnssec-validation auto
Petr Menšík
pemensik at redhat.com
Fri Nov 13 13:19:47 UTC 2020
I would check what nameservers are in /etc/resolv.conf, and try to
direct delv or dig to its address.
for H in $(awk '$1 == "nameserver" { print $2 }' /etc/resolv.conf); do
dig +dnssec @$H www.popularsba.com; done
Check every server returns reliable and the same results. I had one
NOERROR and one SERVFAIL from our infrastructure. The second server
provides more servers in the ADDITIONAL section. Second retry was successful.
It might take a bit more time to fetch and verify addresses of all
authoritative servers of gslb.siteforce.com. domain. Six seems a lot.
; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8 <<>> +dnssec @10.5.30.45 www.popularsba.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43145
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 6, ADDITIONAL: 13
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.popularsba.com. IN A
;; ANSWER SECTION:
www.popularsba.com. 262 IN CNAME www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com.
www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com. 262 IN CNAME 4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com.
4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com. 82 IN A 13.109.220.200
;; AUTHORITY SECTION:
gslb.siteforce.com. 55886 IN NS dns05.salesforce.com.
gslb.siteforce.com. 55886 IN NS dns01.salesforce.com.
gslb.siteforce.com. 55886 IN NS dns02.salesforce.com.
gslb.siteforce.com. 55886 IN NS dns04.salesforce.com.
gslb.siteforce.com. 55886 IN NS dns06.salesforce.com.
gslb.siteforce.com. 55886 IN NS dns03.salesforce.com.
;; ADDITIONAL SECTION:
dns01.salesforce.com. 53547 IN A 204.74.108.235
dns02.salesforce.com. 53547 IN A 204.74.109.235
dns04.salesforce.com. 53547 IN A 199.7.69.235
dns03.salesforce.com. 53547 IN A 199.7.68.235
dns06.salesforce.com. 53547 IN A 204.74.115.235
dns05.salesforce.com. 53547 IN A 204.74.114.235
dns01.salesforce.com. 53547 IN RRSIG A 13 3 86400 20201130021251
20201001013506 2317 salesforce.com.
fUb+1uVGcdeVSsjTj1O++bcNLZwapzTvLcHLP+tykm3y3ziCSIHtxfCp
3kZqdBQtB3nGd7ySGPEblvBJA4ZHUA==
dns02.salesforce.com. 53547 IN RRSIG A 13 3 86400 20201130021251
20201001013506 2317 salesforce.com.
QOVhwrJ0dwkHRHLr/ytEzmZ04bYaAzN2ooDfJOVJXDCinYGFuNTRmPhs
uFawDGlRlFja8OyiIyJXIFvwXKGSxg==
dns04.salesforce.com. 53547 IN RRSIG A 13 3 86400 20201130021251
20201001013506 2317 salesforce.com.
DXOOYz5odrnY7SkWNvU0NiGOZEWalNT+0VYCYgd7wl6Rj0cOR4slFrvR
ADj5eAgFLybADvTviia/xbqz4u7ueQ==
dns03.salesforce.com. 53547 IN RRSIG A 13 3 86400 20201130021251
20201001013506 2317 salesforce.com.
Rkzv/z9vhnURB8hueZgkQrKFffLB9Zj423ZPHoPXtoECxNVk/ZV/ODv4
BQZLT8+t8W7cLILNyXVVpEjG2ejE9Q==
dns06.salesforce.com. 53547 IN RRSIG A 13 3 86400 20201218220609
20201019213201 2317 salesforce.com.
YcTDijezumyiv+WZcvZqFk/yOJ2r7WdxZ5XFwIjt5R6iDOSQNChxhQ3G
dhR28sLna+rM9yVehyyEyCh4iJUeHg==
dns05.salesforce.com. 53547 IN RRSIG A 13 3 86400 20201130021251
20201001013506 2317 salesforce.com.
gmzIaK0lTolbkUaIGfHTLl2+TzUYQUtxHJ5yevEzdLmaE8z0AW7JBVXf
07osroe/7LxRQO38ZCxNZHVXfQnMHA==
;; Query time: 45 msec
;; SERVER: 10.5.30.45#53(10.5.30.45)
;; WHEN: Fri Nov 13 08:12:49 EST 2020
;; MSG SIZE rcvd: 1076
It seems to me, only the dns0?.salesforce.com. hosts are in a DNSSEC-signed
domain. Try debugging salesforce.com. domain verification instead.
On 11/13/20 1:59 PM, Ismael Suarez wrote:
> With "dnssec-validation AUTO;" I get:
>
> # delv +cd www.popularsba.com
> ;; resolution failed: timed out
>
>
> With "dnssec-validation NO;" I get:
>
> # delv +cd www.popularsba.com
> ;; resolution failed: timed out
> ; unsigned answer
> www.popularsba.com. 279 IN CNAME www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com.
>
>
> CAPS just to show the difference in .conf
>
>
> --
>
> Ismael Suárez Maldonado | UNIX ADM | Coqui.Net Corp / ClaroTV
> ismael_suarez at coqui.com | T: 787-793-0001 x 4007
>
> -----Original Message-----
> From: Petr Menšík <pemensik at redhat.com>
> To: bind-users at lists.isc.org
> Subject: Re: Dnssec-validation auto
> Date: Fri, 13 Nov 2020 11:26:17 +0100
>
> Hi Ismael,
>
> The easiest way to check validation is using the delv tool from BIND 9.11+. It
> uses the same algorithm as the BIND server does. If you get SERVFAIL from
> your recursive server, try adding the +cd parameter to delv or dig. When it
> works with +cd, validation is responsible somewhere in the recursive servers
> chain.
>
> It shows just unsigned to me, today.
>
> $ delv +cd www.popularsba.com
> ; unsigned answer
> www.popularsba.com. 282 IN CNAME www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com.
> www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com. 282 IN CNAME 4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com.
> 4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com. 102 IN A 161.71.31.253
>
> Cheers,
> Petr
>
> On 11/13/20 5:26 AM, Ismael Suarez wrote:
>
> Hi all
>
> The following domain (www.popularsba.com) does not resolve with dnssec validation set to auto, but when I change the validation off it works.
>
> Why is this? How can I check this validation?
>
> Using bind 9.12
>
> Thanks to all
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
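An added example (my own script, not Petr's one-liner or anything shipped with BIND) that automates the check described at the top of this message: it runs dig +dnssec against every nameserver in /etc/resolv.conf and, when one answers SERVFAIL, retries with +cd so a validation failure in the resolver chain can be told apart from a plain resolution failure. The classifier is exercised on constructed dig header lines modelled on the output above; dig itself is only needed for the live run.

```shell
# Extract "status:" and the flags line from dig output and classify it:
# VALIDATED (NOERROR, ad flag set), UNSIGNED (NOERROR, no ad), SERVFAIL,
# NOANSWER (empty output, e.g. timeout) or OTHER:<status> (NXDOMAIN, ...).
classify_dig_output() {
    status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR) case " $flags " in
                     *" ad "*) echo VALIDATED ;;
                     *)        echo UNSIGNED ;;
                 esac ;;
        SERVFAIL) echo SERVFAIL ;;
        "")       echo NOANSWER ;;
        *)        echo "OTHER:$status" ;;
    esac
}

# Query one resolver with +dnssec; on SERVFAIL, retry with +cd (checking
# disabled). If +cd succeeds, a validator in the resolver chain rejected the
# data; if it still fails, the problem is not DNSSEC validation.
check_resolver() {
    verdict=$(classify_dig_output "$(dig +dnssec +time=5 +tries=1 "@$1" "$2" 2>/dev/null)")
    if [ "$verdict" = SERVFAIL ]; then
        with_cd=$(classify_dig_output "$(dig +dnssec +cd +time=5 +tries=1 "@$1" "$2" 2>/dev/null)")
        case "$with_cd" in
            VALIDATED|UNSIGNED) verdict="SERVFAIL (validation failure: works with +cd)" ;;
            *)                  verdict="SERVFAIL (not validation: fails with +cd too)" ;;
        esac
    fi
    printf '%s\t%s\n' "$1" "$verdict"
}

# Walk every nameserver in /etc/resolv.conf, as in the one-liner above.
check_all_resolvers() {
    for H in $(awk '$1 == "nameserver" { print $2 }' /etc/resolv.conf); do
        check_resolver "$H" "$1"
    done
}

# Constructed samples (header lines modelled on the dig output above), not captures.
SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43145
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 6, ADDITIONAL: 13'
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
# Live run: sh check.sh www.popularsba.com
if [ "$#" -gt 0 ]; then check_all_resolvers "$1"; fi
```

Note that a resolver with validation disabled never sets the ad flag, so UNSIGNED from such a server says nothing about whether the zone is signed.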