dnssec-delegation seems to be broken from .gov to bls.gov
Nick Tait
nick at tait.net.nz
Wed Dec 6 20:05:07 UTC 2023
On 7/12/2023 1:53 am, Bhangui, Sandeep - BLS CTR via bind-users wrote:
>
> Hi
>
> It seems the DNSSEC delegation is broken from “.gov” to bls.gov domain
> and due to which the records for bls.gov are considered as bogus and
> we are having issues at our site.
>
> It looks like we were in the process of KSK rollover and that may have
> caused the issue as things were fine till yesterday.
>
> As we troubleshoot this issue, I was wondering whether, on our master
> DNS server, we can use some option in named.conf so that DNSSEC
> verification is NOT done for any bls.gov DNS lookups from outside, to
> get a quick fix to this problem.
>
> Currently DNS lookups from outside are flaky and I believe the reason
> behind that is that the DNSSEC delegation is broken.
>
> From the output at dnsviz.net analyzing for bls.gov it seems that KSK
> rollover for bls.gov is the issue.
>
> Basically, trying to see if I can get a quick interim fix till we
> resolve the issue correctly.
>
> Please advise.
>
> Thanks
>
> Sandeep
>
Hi Sandeep.
Probably the simplest workaround for a broken chain of trust would be to
remove your zone's DS records from the parent zone.
$ dig -t ds bls.gov
; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> -t ds bls.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27975
;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;bls.gov. IN DS
;; ANSWER SECTION:
bls.gov. 0 IN DS 50951 8 2 E6B0A294066904F20A2B8EBA3FA9920F9A1822802977F59D706B30A1 77F7DC0C
;; Query time: 0 msec
;; SERVER: 172.20.192.1#53(172.20.192.1) (UDP)
;; WHEN: Thu Dec 07 09:01:33 NZDT 2023
;; MSG SIZE rcvd: 80
I could be wrong, but based on the output above it looks like the
current TTL is 0, which means that doing this should provide immediate
relief.
Add a new DS record once you've fixed your KSK issues.
Nick.
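Added example, not part of the thread and not BIND's own code (stdlib Python only, all function names assumed): it parses the DS answer quoted above and reproduces the parent-to-child link a validator checks, namely whether any DNSKEY the child publishes hashes to the DS the parent holds. After a KSK rollover that retires the old key before the parent DS is replaced, no DNSKEY in the child set matches, which is what makes the zone bogus. The DNSKEY material here is constructed, so it deliberately does not match the real bls.gov DS.

```python
import base64
import hashlib
import struct

HASHES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Pack DNSKEY RDATA (RFC 4034 section 2.1) from its presentation fields."""
    return struct.pack(">HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """Fields the parent would publish as DS for this DNSKEY (type 2 = SHA-256)."""
    digest = HASHES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"owner": owner, "key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}

def parse_ds(line):
    """Parse a dig answer line such as 'bls.gov. 0 IN DS 50951 8 2 E6B0... 77F7DC0C'."""
    owner, ttl, _cls, rtype, tag, alg, dtype, *digest = line.split()
    if rtype != "DS":
        raise ValueError("not a DS record: " + line)
    return {"owner": owner, "ttl": int(ttl), "key_tag": int(tag), "algorithm": int(alg),
            "digest_type": int(dtype), "digest": "".join(digest).upper()}

def chain_links(ds, owner, dnskey_rdatas):
    """True if some DNSKEY in the child's apex set reproduces the parent's DS."""
    fields = ("key_tag", "algorithm", "digest")
    want = tuple(ds[f] for f in fields)
    return any(tuple(make_ds(owner, r, ds["digest_type"])[f] for f in fields) == want
               for r in dnskey_rdatas)

# DS line quoted from the thread (parent-side view of bls.gov) and a constructed
# DNSKEY standing in for a child key that the parent DS no longer points at.
PARENT_DS_LINE = "bls.gov. 0 IN DS 50951 8 2 E6B0A294066904F20A2B8EBA3FA9920F9A1822802977F59D706B30A1 77F7DC0C"
CONSTRUCTED_KEY = dnskey_rdata(257, 3, 8, "AQIDBA==")  # constructed, not a real bls.gov key
```

In practice the DNSKEY RRset would be fetched from the child's authoritative servers (dig -t dnskey bls.gov) and fed to chain_links; a False result with a live DS is the "bogus" condition described in the thread.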