dnssec-validation?

Mark Andrews marka at isc.org
Fri Apr 14 01:34:45 UTC 2023 


> On 13 Apr 2023, at 19:23, David Carvalho via bind-users <bind-users at lists.isc.org> wrote:
> 
> Hello and thank you for the reply.
> My domain is "di.ubi.pt". The parent domain "ubi.pt" recently configured
> DNSSEC (BIND 9.11) so it was time again for me to try to set it up for my
> domain.
> 
> A few months ago I updated both dns servers to Oracle Linux 8, running BIND
> 9.16.23 to prepare for this.
> They seem to be working fine as previously, running as both recursive and
> authoritative for di.ubi.pt.
> 
> DNS2 has still "dnssec-validation auto;" on its  /etc/named.conf.
> I've found out that if I wanted my primary server to start answering my
> internal requests for outside "di.ubi.pt" I had to change dnssec-validation
> to "no".
> I still don't understand why, to be honest.

Look at your logs.  If named is having problems it will be logging
error messages.

What does "rndc managed-keys status” report?

% rndc managed-keys status
view: secure
next scheduled event: Fri, 14 Apr 2023 02:04:19 GMT

    name: .
    keyid: 20326
algorithm: RSASHA256
flags: SEP
next refresh: Sat, 15 Apr 2023 00:53:04 GMT
trusted since: Fri, 11 Aug 2017 01:07:03 GMT

view: forward
next scheduled event: Fri, 14 Apr 2023 02:04:19 GMT

    name: .
    keyid: 20326
algorithm: RSASHA256
flags: SEP
next refresh: Sat, 15 Apr 2023 00:53:04 GMT
trusted since: Tue, 10 May 2022 05:09:01 GMT

view: external
next scheduled event: Fri, 14 Apr 2023 03:04:19 GMT

    name: .
    keyid: 20326
algorithm: RSASHA256
flags: SEP
next refresh: Fri, 14 Apr 2023 03:04:19 GMT
trusted since: Thu, 10 Aug 2017 13:01:30 GMT
% 

Are you using a forwarder?  Does the forwarder support DNSSEC?

Do you have an overly restrictive firewall?

What does “dig +cd +dnssec +multi . DNSKEY” return?

% dig +cd +dnssec +multi . DNSKEY
;; BADCOOKIE, retrying.

; <<>> DiG 9.19.11-dev <<>> +cd +dnssec +multi . DNSKEY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10255
;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 9c2f2034f253efff010000006438ad22999ed76ba1835477 (good)
;; QUESTION SECTION:
;. IN DNSKEY

;; ANSWER SECTION:
. 88321 IN DNSKEY 257 3 8 (
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
) ; KSK; alg = RSASHA256 ; key id = 20326
. 88321 IN DNSKEY 256 3 8 (
AwEAAbF1LAxEQPtClEQno48k6u7JjCOfVfwdENOxQUrX
0JbpN5DnKGMAKIfdiWa5oDeKQ3OoQ58yCC8vjtaaGFDg
pJxoLwqzhBYHPGFgins5HIERcCQPGAJKWu/ku4XLh+Fu
7UyBubDCelxKTbnj26EwbochltRqGIE8hbwSXEzRNo4g
+NXkaRMq2FFbaBtEE82yTmZUgFRYAFUvfGTPWblyZGtk
epVuHyNb0w/u24dpsz+uyCZZR04cHfRrWOKvqD3lDOwC
4+sqd6f7F841R0N2tqSh/WDUZzWdvPBaBOz0FWFLb9po
rIeZ3Jm08tAMHa+3SGRXfK4RAmxVCmIQQypGabE=
) ; ZSK; alg = RSASHA256 ; key id = 60955
. 88321 IN RRSIG DNSKEY 8 0 172800 (
20230502000000 20230411000000 20326 .
ID/zjsZ8MPaJMm4Ilw9PESU92a/MvPFKlKkE8d2qAbDV
fMGYQikmls8z0fIorVfoGECgiEey42+Y4Bk99qTEFxPr
Cml12/xyJcmzQICQcr28djuMMA+yY7w57GuRLkE+LTnl
5IdlucNf52gS/eKSBIjKH3hNYElH6BwIbTHKV5Jh1ZJg
FTo+FRtrniR4HlhhHaydDVLc2A8FG3Whl1kyATDlqcLr
F6yqbjAhNR0+Ak26gd5BkY9kwOYCMZ2KQ1RBKRmG3Dbk
tohYVHbH2j6B6kfIjooRwY5hWyNQnBZP6LOHQLyfYrUT
R3EK438G9VW0tXvNqL3ssDhuxhbFy7x3hw== )

;; Query time: 0 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Fri Apr 14 11:32:18 AEST 2023
;; MSG SIZE  rcvd: 892

% 

> Yesterday I set dnssec-validation to auto on my primary server, but as I
> wrote before, although outside tools showed everything was fine, my server
> kept answering "SERVFAIL" to my client queries. I don't think I tested
> dnssec-validation to no when dnssec was enabled, nor if this makes much
> sense, but I can try.
> 
> Kind regards
> David 
> 
> 
> 
> 
> 
> 
> On Wed, Apr 12, 2023 at 05:41:33PM +0100, David Carvalho via bind-users
> wrote:
>> After reverting my primary dns configuration, and asking my provider 
>> to remove the DNSKEY, I had to include dnssec-validation no; otherwise 
>> it would keep answering with SERVFAIL
>> 
>> I noticed the server was constantly trying to reach top domain dns
> servers.
>> 
>> Is this dnssec-validation mandatory? Any help appreciated.
> 
> dnssec-validation can be set three ways:
> - "no" (validation is never performed)
> - "yes" (validation *may* be performed, but only if you have also
>   configured a trust anchor in named.conf)
> - "auto" (validation will be performed using the standard root zone
>   trust anchor, which is built in to BIND and doesn't need to be
>   configured by hand).
> 
> The default is "auto". When it's set to that, your server will query the
> root name servers in order to confirm that the automatically-configured
> trust anchor is correct.  You said it was "trying to" reach the root, which
> suggests it wasn't succeeding?  If so, that would explain why everything
> that wasn't locally authoritative would return SERVFAIL.
> 
> Note that this is related to *recursive* queries, that is, queries for zones
> that are not served by your secondary server.  It should have nothing to do
> with whether your own domain is signed, or whether there's a DS record for
> it in the parent zone. My guess is, you had the authoritative configuration
> working fine (otherwise presumably dnssec-analyzer would've complained), but
> recursive isn't working.
> 
> Unfortunately, since you haven't provided any configuration info or even the
> name of the domain you were trying to set up, I can't make any more educated
> guesses than that.
> 
> --
> Evan Hunt -- each at isc.org
> Internet Systems Consortium, Inc.
> 
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

More information about the bind-users mailing list