Facing issues while resolving only one record

stuart at registry.godaddy
Thu Aug 31 07:28:20 UTC 2023


This is odd.

“incometax.gov.in” hasn’t published a DS record, so no DNSSEC validation should be occurring for any child. The registry object hasn’t been changed since 2022, so its behaviour should be nothing new.

Testing various public verifying resolvers (google, cloudflare, local unbound instances) shows no issue retrieving an A record for eportal.incometax.gov.in., from many places around the world (nlnog ring nodes).

So, weird.


Stuart Browne
GoDaddy Registry | Eng - System IV
stuart at registry.godaddy

i.e. I’m one of the people who maintains the registry and DNS servers for “in” / “gov.in”.

From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Blason R <blason16 at gmail.com>
Date: Thursday, 31 August 2023 at 1:42 pm
To: "Bhangui, Sandeep - BLS CTR" <Bhangui.Sandeep at bls.gov>
Cc: bind-users <bind-users at lists.isc.org>
Subject: Re: Facing issues while resolving only one record



Yes, bypassing DNSSEC Validation seems to have a solution.

Thanks for the help.

On Wed, Aug 30, 2023 at 7:30 PM Bhangui, Sandeep - BLS CTR via bind-users <bind-users at lists.isc.org> wrote:
This seems to be an issue with the domain incometax.gov.in.

It looks like DNSSEC is broken for that domain.

NS servers at our location also cannot resolve that directly, but if I forward that query to any ISP provider NS, which are more lax, it resolves just fine.

Thanks
Sandeep

From: bind-users <bind-users-bounces at lists.isc.org> On Behalf Of John W. Blue via bind-users
Sent: Wednesday, August 30, 2023 9:39 AM
To: bind-users <bind-users at lists.isc.org>
Subject: RE: Facing issues while resolving only one record

Recommend you turn off DNSSEC validation and see if it starts working.

If it does, then you know the issue is with how DNSSEC is configured on your server.

John

From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Blason R
Sent: Wednesday, August 30, 2023 8:20 AM
To: bind-users
Subject: Facing issues while resolving only one record

Hi all,

I have BIND 9.18.17-1+ubuntu22.04.1+isc+1-Ubuntu (Extended Support Version),
and I am facing this weird issue. Somehow the eportal.incometax.gov.in site is not getting resolved through DNS.

I tried a lot but unfortunately the issue still persists.

Here are packet capture logs.

listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
18:47:19.569999 ens18 In  IP 192.168.1.162.61110 > 192.168.1.133.53: 20+ A? eportal.incometax.gov.in. (42)
18:47:19.587705 ens18 Out IP 192.168.1.133.40263 > 208.67.222.222.53: 30627+% [1au] A? eportal.incometax.gov.in. (65)
18:47:19.599214 ens18 Out IP 192.168.1.133.44299 > 1.1.1.1.53: 62952+% [1au] DNSKEY? incometax.gov.in. (57)
18:47:20.800736 ens18 Out IP 192.168.1.133.56154 > 8.8.8.8.53: 16152+% [1au] DNSKEY? incometax.gov.in. (57)
18:47:21.573628 ens18 In  IP 192.168.1.162.53536 > 192.168.1.133.53: 21+ AAAA? eportal.incometax.gov.in. (42)
18:47:21.576427 ens18 Out IP 192.168.1.133.55356 > 8.8.8.8.53: 57361+% [1au] AAAA? eportal.incometax.gov.in. (65)
18:47:22.002738 ens18 Out IP 192.168.1.133.33064 > 208.67.222.222.53: 16204+% [1au] DNSKEY? incometax.gov.in. (57)
18:47:22.777934 ens18 Out IP 192.168.1.133.58739 > 208.67.222.222.53: 34205+% [1au] AAAA? eportal.incometax.gov.in. (65)
18:47:23.203333 ens18 Out IP 192.168.1.133.60920 > 9.9.9.9.53: 46145+% [1au] DNSKEY? incometax.gov.in. (57)
18:47:23.584820 ens18 In  IP 192.168.1.162.53962 > 192.168.1.133.53: 22+ A? eportal.incometax.gov.in. (42)
18:47:24.405041 ens18 Out IP 192.168.1.133.56475 > 198.41.0.4.53: 12349 [1au] DNSKEY? incometax.gov.in. (57)
18:47:25.205136 ens18 Out IP 192.168.1.133.33517 > 192.36.148.17.53: 18768 [1au] DNSKEY? incometax.gov.in. (57)
18:47:25.237837 ens18 Out IP 192.168.1.133.43646 > 156.154.100.20.53: 28883 [1au] DNSKEY? incometax.gov.in. (57)
18:47:25.259888 ens18 Out IP 192.168.1.133.51762 > 59.160.103.171.53: 46716 [1au] DNSKEY? incometax.gov.in. (57)
18:47:25.597312 ens18 In  IP 192.168.1.162.53963 > 192.168.1.133.53: 23+ AAAA? eportal.incometax.gov.in. (42)
18:47:26.498891 ens18 Out IP 192.168.1.133.52631 > 125.16.225.122.53: 12762 [1au] DNSKEY? incometax.gov.in. (57)

I feel this is something related to DNS RRKEY Record size?

Plus, I then ran dumpdb on my server and went through the cache using the command
#rndc dumpdb -all

And here is the output

incometax.gov.in.       3422    NS      ns01.incometax.gov.in.
                        3422    NS      ns02.incometax.gov.in.
ns01.incometax.gov.in.  131     \-AAAA  ;-$NXRRSET
; ns01.incometax.gov.in. RRSIG NSEC ...
; ns01.incometax.gov.in. NSEC ns02.incometax.gov.in. A RRSIG NSEC
; incometax.gov.in. SOA ns01.incometax.gov.in. ns-admin.cpc.incometax.gov.in. 2023060970 7200 3600 1209600 3600
; incometax.gov.in. RRSIG SOA ...
ns02.incometax.gov.in.  120     \-AAAA  ;-$NXRRSET
; ns02.incometax.gov.in. RRSIG NSEC ...
; ns02.incometax.gov.in. NSEC ns03.incometax.gov.in. A RRSIG NSEC
; incometax.gov.in. SOA ns02.incometax.gov.in. ns-admin.cpc.incometax.gov.in. 2023071447 7200 3600 1209600 3600
; incometax.gov.in. RRSIG SOA ...
; ns01.incometax.gov.in [v6 TTL 131] [v4 unexpected] [v6 nxrrset]
; ns02.incometax.gov.in [v6 TTL 120] [v4 unexpected] [v6 nxrrset]
; ns01.incometax.gov.in [v6 TTL 130] [v4 unexpected] [v6 nxrrset]
; ns02.incometax.gov.in [v6 TTL 119] [v4 unexpected] [v6 nxrrset]
; ns01.incometax.gov.in [v6 TTL 128] [v4 unexpected] [v6 nxrrset]
; ns02.incometax.gov.in [v6 TTL 117] [v4 unexpected] [v6 nxrrset]
; ns01.incometax.gov.in [v6 TTL 125] [v4 unexpected] [v6 nxrrset]
; ns02.incometax.gov.in [v6 TTL 114] [v4 unexpected] [v6 nxrrset]
; ns01.incometax.gov.in [v6 TTL 124] [v4 unexpected] [v6 nxrrset]
; ns02.incometax.gov.in [v6 TTL 113] [v4 unexpected] [v6 nxrrset]

Any idea what could be an issue?

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
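
Added example, not part of any message in this thread: a small parser for tcpdump query lines like those in the original post, grouping the resolver's outbound queries by type and by the RD/CD flags tcpdump prints, so it is easy to see which upstreams were asked for DNSKEY and how. The function names are illustrative; the sample lines are copied from the capture above.

```python
import re

# Five lines copied from the capture in the original post (mail-client link
# residue stripped). 192.168.1.133 is the BIND server, per the trace.
CAPTURE = """\
18:47:19.569999 ens18 In  IP 192.168.1.162.61110 > 192.168.1.133.53: 20+ A? eportal.incometax.gov.in. (42)
18:47:19.587705 ens18 Out IP 192.168.1.133.40263 > 208.67.222.222.53: 30627+% [1au] A? eportal.incometax.gov.in. (65)
18:47:19.599214 ens18 Out IP 192.168.1.133.44299 > 1.1.1.1.53: 62952+% [1au] DNSKEY? incometax.gov.in. (57)
18:47:24.405041 ens18 Out IP 192.168.1.133.56475 > 198.41.0.4.53: 12349 [1au] DNSKEY? incometax.gov.in. (57)
18:47:25.259888 ens18 Out IP 192.168.1.133.51762 > 59.160.103.171.53: 46716 [1au] DNSKEY? incometax.gov.in. (57)
"""

# tcpdump query notation: "<id>+" means RD (recursion desired) is set, "%"
# means CD (checking disabled) is set, and "[1au]" is one additional record
# (normally the EDNS OPT record).
QUERY = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<dir>In|Out)\s+IP "
    r"(?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.\d+: "
    r"(?P<id>\d+)(?P<rd>\+?)(?P<cd>%?) (?:\[[^\]]*\] )?"
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) "
)

def parse_queries(text):
    """Return one dict per DNS query line; lines that do not match are skipped."""
    queries = []
    for line in text.splitlines():
        m = QUERY.match(line)
        if m:
            q = m.groupdict()
            q["rd"], q["cd"] = bool(q["rd"]), bool(q["cd"])
            queries.append(q)
    return queries

def upstream_summary(queries, resolver_ip):
    """Map (qtype, qname, flags) -> destinations, for queries sent by resolver_ip."""
    summary = {}
    for q in queries:
        if q["dir"] != "Out" or q["src"] != resolver_ip:
            continue  # client-to-resolver traffic is not an upstream query
        flags = ("RD" if q["rd"] else "noRD") + ("+CD" if q["cd"] else "")
        summary.setdefault((q["qtype"], q["qname"], flags), []).append(q["dst"])
    return summary

if __name__ == "__main__":
    result = upstream_summary(parse_queries(CAPTURE), "192.168.1.133")
    for (qtype, qname, flags), dsts in result.items():
        print(f"{qtype:7} {qname:26} {flags:8} -> {', '.join(dsts)}")
```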