FW: dnssec-validation? SOLVED

David Carvalho david at di.ubi.pt
Mon Apr 17 11:33:22 UTC 2023 

Hello. I just want to say everything seems to be working on my domain, and my primary dns server already performs validation
Dnssec-validation is set to auto, like on the secondary dns, and it's working.
When I perform 
Dig @dns www.dnssec-failed.org it already returns SERVFAIL and the rest seems fine.
It turns out that "managed-keys.bind" and "managed-keys.bind.jnl" were copied into the working folder from my previous dnssec impletation try.
Removed,  as indicated at: https://kb.isc.org/docs/aa-01182
And everythings seems fine.
The Kdi.ubi.pt*.....files also are aok after restarting the service.

Thank you all who took the time to clarify me about this.

Kind regards
David Carvalho



-----Original Message-----
From: Mark Andrews <marka at isc.org> 
Sent: 14 April 2023 02:35
To: David Carvalho <david at di.ubi.pt>
Cc: Evan Hunt <each at isc.org>; bind-users at lists.isc.org
Subject: Re: dnssec-validation?



> On 13 Apr 2023, at 19:23, David Carvalho via bind-users <bind-users at lists.isc.org> wrote:
> 
> Hello and thank you for the reply.
> My domain is "di.ubi.pt". The parent domain "ubi.pt" recently 
> configured DNSSEC (BIND 9.11) so it was time again for me to try to 
> set it up for my domain.
> 
> A few months ago I updated both dns servers to Oracle Linux 8, running 
> BIND
> 9.16.23 to prepare for this.
> They seem to be working fine as previously, running as both recursive 
> and authoritative for di.ubi.pt.
> 
> DNS2 has still "dnssec-validation auto;" on its  /etc/named.conf.
> I've found out that if I wanted my primary server to start answering 
> my internal requests for outside "di.ubi.pt" I had to change 
> dnssec-validation to "no".
> I still don't understand why, to be honest.

Look at your logs.  If named is having problems it will be logging error messages.

What does "rndc managed-keys status” report?

% rndc managed-keys status
view: secure
next scheduled event: Fri, 14 Apr 2023 02:04:19 GMT

    name: .
    keyid: 20326
algorithm: RSASHA256
flags: SEP
next refresh: Sat, 15 Apr 2023 00:53:04 GMT trusted since: Fri, 11 Aug 2017 01:07:03 GMT

view: forward
next scheduled event: Fri, 14 Apr 2023 02:04:19 GMT

    name: .
    keyid: 20326
algorithm: RSASHA256
flags: SEP
next refresh: Sat, 15 Apr 2023 00:53:04 GMT trusted since: Tue, 10 May 2022 05:09:01 GMT

view: external
next scheduled event: Fri, 14 Apr 2023 03:04:19 GMT

    name: .
    keyid: 20326
algorithm: RSASHA256
flags: SEP
next refresh: Fri, 14 Apr 2023 03:04:19 GMT trusted since: Thu, 10 Aug 2017 13:01:30 GMT % 

Are you using a forwarder?  Does the forwarder support DNSSEC?

Do you have an overly restrictive firewall?

What does “dig +cd +dnssec +multi . DNSKEY” return?

% dig +cd +dnssec +multi . DNSKEY
;; BADCOOKIE, retrying.

; <<>> DiG 9.19.11-dev <<>> +cd +dnssec +multi . DNSKEY ;; global options: +cmd ;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10255 ;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232 ; COOKIE: 9c2f2034f253efff010000006438ad22999ed76ba1835477 (good) ;; QUESTION SECTION:
;. IN DNSKEY

;; ANSWER SECTION:
. 88321 IN DNSKEY 257 3 8 (
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
) ; KSK; alg = RSASHA256 ; key id = 20326 . 88321 IN DNSKEY 256 3 8 ( AwEAAbF1LAxEQPtClEQno48k6u7JjCOfVfwdENOxQUrX
0JbpN5DnKGMAKIfdiWa5oDeKQ3OoQ58yCC8vjtaaGFDg
pJxoLwqzhBYHPGFgins5HIERcCQPGAJKWu/ku4XLh+Fu
7UyBubDCelxKTbnj26EwbochltRqGIE8hbwSXEzRNo4g
+NXkaRMq2FFbaBtEE82yTmZUgFRYAFUvfGTPWblyZGtk
epVuHyNb0w/u24dpsz+uyCZZR04cHfRrWOKvqD3lDOwC
4+sqd6f7F841R0N2tqSh/WDUZzWdvPBaBOz0FWFLb9po
rIeZ3Jm08tAMHa+3SGRXfK4RAmxVCmIQQypGabE=
) ; ZSK; alg = RSASHA256 ; key id = 60955 . 88321 IN RRSIG DNSKEY 8 0 172800 (
20230502000000 20230411000000 20326 .
ID/zjsZ8MPaJMm4Ilw9PESU92a/MvPFKlKkE8d2qAbDV
fMGYQikmls8z0fIorVfoGECgiEey42+Y4Bk99qTEFxPr
Cml12/xyJcmzQICQcr28djuMMA+yY7w57GuRLkE+LTnl
5IdlucNf52gS/eKSBIjKH3hNYElH6BwIbTHKV5Jh1ZJg
FTo+FRtrniR4HlhhHaydDVLc2A8FG3Whl1kyATDlqcLr
F6yqbjAhNR0+Ak26gd5BkY9kwOYCMZ2KQ1RBKRmG3Dbk
tohYVHbH2j6B6kfIjooRwY5hWyNQnBZP6LOHQLyfYrUT
R3EK438G9VW0tXvNqL3ssDhuxhbFy7x3hw== )

;; Query time: 0 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Fri Apr 14 11:32:18 AEST 2023
;; MSG SIZE  rcvd: 892

% 

> Yesterday I set dnssec-validation to auto on my primary server, but as 
> I wrote before, although outside tools showed everything was fine, my 
> server kept answering "SERVFAIL" to my client queries. I don't think I 
> tested dnssec-validation to no when dnssec was enabled, nor if this 
> makes much sense, but I can try.
> 
> Kind regards
> David
> 
> 
> 
> 
> 
> 
> On Wed, Apr 12, 2023 at 05:41:33PM +0100, David Carvalho via 
> bind-users
> wrote:
>> After reverting my primary dns configuration, and asking my provider 
>> to remove the DNSKEY, I had to include dnssec-validation no; 
>> otherwise it would keep answering with SERVFAIL
>> 
>> I noticed the server was constantly trying to reach top domain dns
> servers.
>> 
>> Is this dnssec-validation mandatory? Any help appreciated.
> 
> dnssec-validation can be set three ways:
> - "no" (validation is never performed)
> - "yes" (validation *may* be performed, but only if you have also
>   configured a trust anchor in named.conf)
> - "auto" (validation will be performed using the standard root zone
>   trust anchor, which is built in to BIND and doesn't need to be
>   configured by hand).
> 
> The default is "auto". When it's set to that, your server will query 
> the root name servers in order to confirm that the 
> automatically-configured trust anchor is correct.  You said it was 
> "trying to" reach the root, which suggests it wasn't succeeding?  If 
> so, that would explain why everything that wasn't locally authoritative would return SERVFAIL.
> 
> Note that this is related to *recursive* queries, that is, queries for 
> zones that are not served by your secondary server.  It should have 
> nothing to do with whether your own domain is signed, or whether 
> there's a DS record for it in the parent zone. My guess is, you had 
> the authoritative configuration working fine (otherwise presumably 
> dnssec-analyzer would've complained), but recursive isn't working.
> 
> Unfortunately, since you haven't provided any configuration info or 
> even the name of the domain you were trying to set up, I can't make 
> any more educated guesses than that.
> 
> --
> Evan Hunt -- each at isc.org
> Internet Systems Consortium, Inc.
> 
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

More information about the bind-users mailing list