Facing issues while resolving only one record

Mark Andrews marka at isc.org
Thu Aug 31 08:01:53 UTC 2023


The servers don’t respond to DNSKEY queries.  Not every error is an indication
that the validator should switch tracks from proving an answer is secure (the
server is sending signed responses) to proving that it is insecure.


> On 31 Aug 2023, at 17:28, stuart at registry.godaddy wrote:
> 
> This is odd.
>  “incometax.gov.in” hasn’t published a DS record, so no DNSSEC validation should be occurring for any child. The registry object hasn’t been changed since 2022, so its behaviour should be nothing new.
>  Testing various public verifying resolvers (google, cloudflare, local unbound instances) shows no issue retrieving an A record for eportal.incometax.gov.in., from many places around the world (nlnog ring nodes).
>  So, weird.
>  Stuart Browne
> GoDaddy Registry | Eng - System IV | stuart at registry.godaddy
>  i.e. I’m one of the people who maintains the registry and DNS servers for “in” / “gov.in”.
>  From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Blason R <blason16 at gmail.com>
> Date: Thursday, 31 August 2023 at 1:42 pm
> To: "Bhangui, Sandeep - BLS CTR" <Bhangui.Sandeep at bls.gov>
> Cc: bind-users <bind-users at lists.isc.org>
> Subject: Re: Facing issues while resolving only one record
>  Yes, bypassing DNSSEC Validation seems to have a solution.
>  Thanks for the help.
>  On Wed, Aug 30, 2023 at 7:30 PM Bhangui, Sandeep - BLS CTR via bind-users <bind-users at lists.isc.org> wrote:
>> 
>> 
>> This seems to be an issue with the domain incometax.gov.in.
>>  It looks like DNSSEC is broken for that domain.
>>  NS servers at our location also cannot resolve that directly, but if I forward that query to any ISP provider NS, which are more lax, it resolves just fine.
>>  Thanks
>> Sandeep
>>  From: bind-users <bind-users-bounces at lists.isc.org> On Behalf Of John W. Blue via bind-users
>> Sent: Wednesday, August 30, 2023 9:39 AM
>> To: bind-users <bind-users at lists.isc.org>
>> Subject: RE: Facing issues while resolving only one record
>>  Recommend you turn off DNSSEC validation and see if it starts working.
>>  If it does, then you know the issue is with how DNSSEC is configured on your server.
>>  John
>>  From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Blason R
>> Sent: Wednesday, August 30, 2023 8:20 AM
>> To: bind-users
>> Subject: Facing issues while resolving only one record
>>  Hi all,
>>  I have bind BIND 9.18.17-1+ubuntu22.04.1+isc+1-Ubuntu (Extended Support Version)
>> And I am facing this weird issue. Somehow eportal.incometax.gov.in site is not getting resolved through DNS.
>>  I tried a lot but unfortunately the issue still persists.
>>  Here are packet capture logs.
>>  listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
>> 18:47:19.569999 ens18 In  IP 192.168.1.162.61110 > 192.168.1.133.53: 20+ A? eportal.incometax.gov.in. (42)
>> 18:47:19.587705 ens18 Out IP 192.168.1.133.40263 > 208.67.222.222.53: 30627+% [1au] A? eportal.incometax.gov.in. (65)
>> 18:47:19.599214 ens18 Out IP 192.168.1.133.44299 > 1.1.1.1.53: 62952+% [1au] DNSKEY? incometax.gov.in. (57)
>> 18:47:20.800736 ens18 Out IP 192.168.1.133.56154 > 8.8.8.8.53: 16152+% [1au] DNSKEY? incometax.gov.in. (57)
>> 18:47:21.573628 ens18 In  IP 192.168.1.162.53536 > 192.168.1.133.53: 21+ AAAA? eportal.incometax.gov.in. (42)
>> 18:47:21.576427 ens18 Out IP 192.168.1.133.55356 > 8.8.8.8.53: 57361+% [1au] AAAA? eportal.incometax.gov.in. (65)
>> 18:47:22.002738 ens18 Out IP 192.168.1.133.33064 > 208.67.222.222.53: 16204+% [1au] DNSKEY? incometax.gov.in. (57)
>> 18:47:22.777934 ens18 Out IP 192.168.1.133.58739 > 208.67.222.222.53: 34205+% [1au] AAAA? eportal.incometax.gov.in. (65)
>> 18:47:23.203333 ens18 Out IP 192.168.1.133.60920 > 9.9.9.9.53: 46145+% [1au] DNSKEY? incometax.gov.in. (57)
>> 18:47:23.584820 ens18 In  IP 192.168.1.162.53962 > 192.168.1.133.53: 22+ A? eportal.incometax.gov.in. (42)
>> 18:47:24.405041 ens18 Out IP 192.168.1.133.56475 > 198.41.0.4.53: 12349 [1au] DNSKEY? incometax.gov.in. (57)
>> 18:47:25.205136 ens18 Out IP 192.168.1.133.33517 > 192.36.148.17.53: 18768 [1au] DNSKEY? incometax.gov.in. (57)
>> 18:47:25.237837 ens18 Out IP 192.168.1.133.43646 > 156.154.100.20.53: 28883 [1au] DNSKEY? incometax.gov.in. (57)
>> 18:47:25.259888 ens18 Out IP 192.168.1.133.51762 > 59.160.103.171.53: 46716 [1au] DNSKEY? incometax.gov.in. (57)
>> 18:47:25.597312 ens18 In  IP 192.168.1.162.53963 > 192.168.1.133.53: 23+ AAAA? eportal.incometax.gov.in. (42)
>> 18:47:26.498891 ens18 Out IP 192.168.1.133.52631 > 125.16.225.122.53: 12762 [1au] DNSKEY? incometax.gov.in. (57)
>>  I feel this is something related to DNS RRKEY Record size?
>>  Plus, I then ran dumpdb on my server and went through the cache using the command
>> #rndc dumpdb -all
>>  And here is the output
>>  incometax.gov.in.       3422    NS      ns01.incometax.gov.in.
>>                         3422    NS      ns02.incometax.gov.in.
>> ns01.incometax.gov.in.  131     \-AAAA  ;-$NXRRSET
>> ; ns01.incometax.gov.in. RRSIG NSEC ...
>> ; ns01.incometax.gov.in. NSEC ns02.incometax.gov.in. A RRSIG NSEC
>> ; incometax.gov.in. SOA ns01.incometax.gov.in. ns-admin.cpc.incometax.gov.in. 2023060970 7200 3600 1209600 3600
>> ; incometax.gov.in. RRSIG SOA ...
>> ns02.incometax.gov.in.  120     \-AAAA  ;-$NXRRSET
>> ; ns02.incometax.gov.in. RRSIG NSEC ...
>> ; ns02.incometax.gov.in. NSEC ns03.incometax.gov.in. A RRSIG NSEC
>> ; incometax.gov.in. SOA ns02.incometax.gov.in. ns-admin.cpc.incometax.gov.in. 2023071447 7200 3600 1209600 3600
>> ; incometax.gov.in. RRSIG SOA ...
>> ; ns01.incometax.gov.in [v6 TTL 131] [v4 unexpected] [v6 nxrrset]
>> ; ns02.incometax.gov.in [v6 TTL 120] [v4 unexpected] [v6 nxrrset]
>>  Any idea what could be an issue?
>>  -- 
>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>> 
>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>> 
>> 
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
> 


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
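
Added example, not part of the original message and not ISC code: a short Python script that pairs outgoing queries with replies in tcpdump output like the capture quoted above and lists, per query type, the servers that never answered. The function name `unanswered`, its `resolver` parameter and the single constructed reply line in the sample are this example's own assumptions.

```python
import re
from collections import defaultdict

# Capture lines copied from the thread, except the single "In" reply from
# 208.67.222.222, which is constructed (192.0.2.10 is a documentation address).
CAPTURE = """\
18:47:19.569999 ens18 In  IP 192.168.1.162.61110 > 192.168.1.133.53: 20+ A? eportal.incometax.gov.in. (42)
18:47:19.587705 ens18 Out IP 192.168.1.133.40263 > 208.67.222.222.53: 30627+% [1au] A? eportal.incometax.gov.in. (65)
18:47:19.599214 ens18 Out IP 192.168.1.133.44299 > 1.1.1.1.53: 62952+% [1au] DNSKEY? incometax.gov.in. (57)
18:47:19.601000 ens18 In  IP 208.67.222.222.53 > 192.168.1.133.40263: 30627 1/0/1 A 192.0.2.10 (69)
18:47:20.800736 ens18 Out IP 192.168.1.133.56154 > 8.8.8.8.53: 16152+% [1au] DNSKEY? incometax.gov.in. (57)
18:47:24.405041 ens18 Out IP 192.168.1.133.56475 > 198.41.0.4.53: 12349 [1au] DNSKEY? incometax.gov.in. (57)
"""

# time, interface, direction, src.port > dst.port: query-id, rest of line
LINE = re.compile(
    r"^\S+\s+\S+\s+(In|Out)\s+IP\s+(\S+)\.(\d+) > (\S+)\.(\d+): (\d+)(.*)$")
# A query line ends with "QTYPE? name. (length)"
QUERY = re.compile(r"(\w+)\? (\S+) \(\d+\)$")


def unanswered(capture, resolver):
    """Return {(qtype, qname): [servers]} for upstream queries with no reply."""
    pending = {}
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        direction, src, sport, dst, dport, qid, rest = m.groups()
        q = QUERY.search(rest)
        if direction == "Out" and src == resolver and dport == "53" and q:
            # Upstream query: remember it by (server, local port, query id).
            pending[(dst, sport, qid)] = (q.group(1), q.group(2))
        elif direction == "In" and dst == resolver and sport == "53":
            # Reply from an upstream server: clear the matching query.
            pending.pop((src, dport, qid), None)
        # Client queries arriving at the resolver's port 53 are ignored.
    by_type = defaultdict(list)
    for (server, _port, _qid), (qtype, qname) in pending.items():
        by_type[(qtype, qname)].append(server)
    return dict(by_type)


if __name__ == "__main__":
    for (qtype, qname), servers in unanswered(CAPTURE, "192.168.1.133").items():
        print(f"{qtype} {qname}: no reply from {', '.join(servers)}")
```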


