dnssec-delegation seems to be broken from .gov to bls.gov

Nick Tait nick at tait.net.nz
Wed Dec 6 20:05:07 UTC 2023


On 7/12/2023 1:53 am, Bhangui, Sandeep - BLS CTR via bind-users wrote:
>
> Hi
>
> It seems the DNSSEC delegation is broken from “.gov” to the bls.gov 
> domain, due to which the records for bls.gov are considered bogus and 
> we are having issues at our site.
>
> It looks like we were in the process of KSK rollover and that may have 
> caused the issue as things were fine till yesterday.
>
> As we troubleshoot this issue, I was wondering whether we can use some 
> option in named.conf on our master DNS server so that DNSSEC 
> verification is NOT done for any bls.gov DNS lookups from outside, to 
> get a quick fix to this problem.
>
> Currently DNS lookups from outside are flaky and I believe the reason 
> behind that being that the DNSSEC delegation is broken.
>
> From the output at dnsviz.net analyzing for bls.gov it seems that KSK 
> rollover for bls.gov is the issue.
>
> Basically, trying to see if I can get a quick interim fix till we 
> resolve the issue correctly.
>
> Please advise.
>
> Thanks
>
> Sandeep
>
Hi Sandeep.

Probably the simplest workaround for a broken chain of trust would be to 
remove your zone's DS records from the parent zone.

    $ dig -t ds bls.gov

    ; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> -t ds bls.gov
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27975
    ;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;bls.gov.                       IN      DS

    ;; ANSWER SECTION:
    bls.gov.                0       IN      DS      50951 8 2 E6B0A294066904F20A2B8EBA3FA9920F9A1822802977F59D706B30A1 77F7DC0C

    ;; Query time: 0 msec
    ;; SERVER: 172.20.192.1#53(172.20.192.1) (UDP)
    ;; WHEN: Thu Dec 07 09:01:33 NZDT 2023
    ;; MSG SIZE  rcvd: 80

I could be wrong, but based on the output above it looks like the 
current TTL is 0, which means that doing this should provide immediate 
relief.

Add a new DS record once you've fixed your KSK issues.

Nick.
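The check a validating resolver (and dnsviz) performs on this delegation is mechanical: hash the child's DNSKEY and see whether the parent's DS record matches it. The script below is an added example, not code from the thread or from ISC; it uses constructed key material for a made-up zone "example.gov" (not bls.gov's real KSK) and the RFC 4034 key-tag and DS-digest definitions, with the standard library only. It reproduces the three states relevant here: a DS that matches a published KSK ("secure"), a DS left pointing at a KSK that was withdrawn mid-rollover ("bogus", which is what makes lookups flaky), and no DS in the parent at all ("insecure", the effect of the workaround above). It also parses the DS line from the dig output, which dig prints with a space inside the digest.

```python
"""Check a DNSSEC delegation the way a validator does: does a DS record
published in the parent zone match one of the child zone's DNSKEY records?

Added example, not from the original post. Key material below is
constructed for illustration (it is NOT bls.gov's real KSK). Implements the
RFC 4034 Appendix B key tag and the RFC 4034 s.5.1.4 DS digest using only
the standard library.
"""
import hashlib
import struct

# DNSKEY flag bits (RFC 4034 s.2.1.1, RFC 4035 s.2.2)
ZONE_KEY = 0x0100
SEP = 0x0001

# DS digest types: 1 = SHA-1, 2 = SHA-256 (the "2" in the dig output above), 4 = SHA-384
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-case labels, no compression."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (for every algorithm except obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(canonical owner name || DNSKEY RDATA), upper-case hex."""
    return DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Build the DS tuple (key tag, algorithm, digest type, digest) for a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def parse_ds_rr(line):
    """Parse a DS record in dig presentation format; the digest may be split by spaces."""
    fields = line.split()
    i = fields.index("DS")
    tag, alg, dt = (int(x) for x in fields[i + 1:i + 4])
    digest = "".join(fields[i + 4:]).upper()
    return (tag, alg, dt, digest)


def delegation_status(owner, parent_ds_set, child_dnskeys):
    """'insecure' if the parent publishes no DS, 'secure' if some DS matches a
    child zone key, otherwise 'bogus' (what dnsviz reports for a broken chain)."""
    if not parent_ds_set:
        return "insecure"
    for tag, alg, dt, digest in parent_ds_set:
        for flags, proto, key_alg, pubkey in child_dnskeys:
            # Only zone keys of the same algorithm and a digest type we know can match.
            if not flags & ZONE_KEY or key_alg != alg or dt not in DIGEST_ALGOS:
                continue
            rdata = dnskey_rdata(flags, proto, key_alg, pubkey)
            if key_tag(rdata) == tag and ds_digest(owner, rdata, dt) == digest:
                return "secure"
    return "bogus"


# Constructed example: the made-up zone "example.gov" in the middle of a KSK rollover.
OLD_KSK = (ZONE_KEY | SEP, 3, 8, bytes(range(1, 33)))       # constructed key bytes, alg 8
NEW_KSK = (ZONE_KEY | SEP, 3, 8, bytes(range(100, 132)))    # constructed key bytes, alg 8
ZSK = (ZONE_KEY, 3, 8, bytes(range(200, 232)))              # constructed zone-signing key

PARENT_DS = [make_ds("example.gov", *OLD_KSK)]  # parent still carries the DS of the old KSK

if __name__ == "__main__":
    # Old KSK still published alongside the new one: the chain validates.
    print(delegation_status("example.gov", PARENT_DS, [OLD_KSK, NEW_KSK, ZSK]))
    # Old KSK withdrawn before the parent DS was updated: the zone goes bogus.
    print(delegation_status("example.gov", PARENT_DS, [NEW_KSK, ZSK]))
    # DS removed from the parent (the interim workaround): the zone is merely insecure.
    print(delegation_status("example.gov", [], [NEW_KSK, ZSK]))
```

Feeding `parse_ds_rr` the DS line from the dig output and the live `dig +dnssec DNSKEY bls.gov` answer (base64-decoded) into `delegation_status` gives the same verdict dnsviz shows; with the real key not on this page, the run above uses the constructed keys only.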