Question regarding delv and custom local trust anchor

Evan Hunt each at isc.org
Thu Jun 8 19:57:12 UTC 2023


On Thu, Jun 08, 2023 at 09:54:15AM -0400, Josh Kuo wrote:
> $ delv -a right.key www.example.com. A
> ;; broken trust chain resolving 'www.example.com/A/IN': 127.0.0.53#53
> ;; resolution failed: broken trust chain

The address 127.0.0.53 was the clue I needed to figure this out: I suspect
you're on linux, and it's using systemd-resolved as the local resolver.

When I tried delv on a system configured that way, it got a NOTIMP response
to its first query:

    $ delv +cd +mtrace @127.0.0.53 www.isc.org
    ;; fetch: www.isc.org/A
    ;; sending packet to 127.0.0.53#53
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   7870
    ;; flags: rd cd; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 1232
    ; COOKIE: 8e31ae172137a02f
    ;; QUESTION SECTION:
    ;www.isc.org.			IN	A


    ;; received packet from 127.0.0.53#53
    ;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id:   7870
    ;; flags: qr rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 65494
    ; OPT=5: 05 07 08 0a 0d 0e 0f (".......")
    ; OPT=6: 01 02 04 ("...")
    ; OPT=7: 01 (".")
    ;; QUESTION SECTION:
    ;www.isc.org.			IN	A


    ;; NOTIMP unexpected RCODE resolving 'www.isc.org/A/IN': 127.0.0.53#53
    ;; resolution failed: SERVFAIL

So, I'm guessing systemd-resolved is choking on the EDNS COOKIE option.
This needs to be reported as a bug to the systemd maintainers. And, maybe
delv should have a +nocookie option.

In the meantime, the workaround is the one you found: point delv to a
resolver that implements EDNS correctly. It will validate the data it
receives, but it has to receive some.

The newest version of delv, in the BIND 9.19 development release, has
a 'delv +ns' option to do its own resolution internally, without needing
an external server to look up the data; that would also work.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
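As an added example (not part of the post or of BIND), the script below reconstructs on the wire what the +mtrace output above shows: an A query for www.isc.org carrying EDNS version 0, the DO bit, a 1232-byte UDP size and a client COOKIE option (code 10), and a decoder for the reply header that reports the RCODE (NOTIMP is 4) together with any OPT options present. The reply bytes are constructed to mirror the NOTIMP answer quoted in the post (id 7870, udp 65494, options 5, 6 and 7), not a captured packet; the `send_query` helper for probing a live resolver is an assumption about how one would use it and is not exercised here.

```python
"""Build an EDNS COOKIE query and decode a resolver's reply header (added example)."""
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
EDNS_OPTION_NAMES = {5: "DAU", 6: "DHU", 7: "N3U", 10: "COOKIE"}
EDNS_COOKIE = 10
OPT_TYPE = 41


def encode_name(name):
    """Encode a dotted name as DNS labels, terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid, client_cookie, udp_size=1232, qtype=1):
    """Query with RD and CD set, plus an OPT RR with the DO bit and a COOKIE option."""
    header = struct.pack("!HHHHHH", qid, 0x0110, 1, 0, 0, 1)  # flags rd, cd; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    option = struct.pack("!HH", EDNS_COOKIE, len(client_cookie)) + client_cookie
    # OPT RR: root name, type 41, CLASS carries the UDP payload size,
    # TTL carries extended RCODE / version / flags (DO bit = 0x8000).
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0x00008000, len(option)) + option
    return header + question + opt


def skip_name(data, offset):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data):
    """Decode header, RCODE (including the extended bits from OPT) and EDNS options."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x0F
    offset = 12
    for _ in range(qd):
        offset = skip_name(data, offset) + 4  # QTYPE + QCLASS
    for _ in range(an + ns):  # skip answer and authority RRs
        offset = skip_name(data, offset)
        rdlen = struct.unpack("!H", data[offset + 8:offset + 10])[0]
        offset += 10 + rdlen
    options, udp_size = {}, None
    for _ in range(ar):
        offset = skip_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == OPT_TYPE:
            udp_size = rclass
            rcode |= (ttl >> 24) << 4  # upper 8 bits of the RCODE live in the OPT TTL
            pos = 0
            while pos + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
                options[code] = rdata[pos + 4:pos + 4 + olen]
                pos += 4 + olen
    return {"id": qid, "qr": bool(flags & 0x8000), "rcode": rcode,
            "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
            "udp_size": udp_size, "options": options}


def describe_options(info):
    """Render options the way the mtrace output does, e.g. 'DAU: 05 07 08 0a 0d 0e 0f'."""
    return ["%s: %s" % (EDNS_OPTION_NAMES.get(code, "OPT=%d" % code), " ".join("%02x" % b for b in val))
            for code, val in sorted(info["options"].items())]


def send_query(server, query, timeout=3.0):
    """Assumed usage helper: send the query over UDP and return the raw reply (not run here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recv(4096)


# Constructed reply mirroring the post's NOTIMP answer: id 7870, flags qr rd ra, udp 65494,
# options 5 (DAU), 6 (DHU) and 7 (N3U). Not a captured packet.
_opt_rdata = (struct.pack("!HH", 5, 7) + bytes.fromhex("0507080a0d0e0f")
              + struct.pack("!HH", 6, 3) + bytes.fromhex("010204")
              + struct.pack("!HH", 7, 1) + bytes.fromhex("01"))
CONSTRUCTED_NOTIMP_REPLY = (struct.pack("!HHHHHH", 7870, 0x8184, 1, 0, 0, 1)
                            + encode_name("www.isc.org") + struct.pack("!HH", 1, 1)
                            + b"\x00" + struct.pack("!HHIH", OPT_TYPE, 65494, 0x00008000, len(_opt_rdata))
                            + _opt_rdata)

if __name__ == "__main__":
    info = parse_response(CONSTRUCTED_NOTIMP_REPLY)
    print("status:", info["rcode_name"], "udp:", info["udp_size"])
    for line in describe_options(info):
        print(line)
```

A NOTIMP to a query whose only unusual feature is the COOKIE option is the signature described in the post; a resolver that implements EDNS properly either echoes a server cookie back or simply ignores the option it does not understand.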

