Question regarding delv and custom local trust anchor
Evan Hunt
each at isc.org
Thu Jun 8 19:57:12 UTC 2023
On Thu, Jun 08, 2023 at 09:54:15AM -0400, Josh Kuo wrote:
> $ delv -a right.key www.example.com. A
> ;; broken trust chain resolving 'www.example.com/A/IN': 127.0.0.53#53
> ;; resolution failed: broken trust chain
The address 127.0.0.53 was the clue I needed to figure this out: I suspect
you're on Linux, and it's using systemd-resolved as the local resolver.
When I tried delv on a system configured that way, it got a NOTIMP response
to its first query:
$ delv +cd +mtrace @127.0.0.53 www.isc.org
;; fetch: www.isc.org/A
;; sending packet to 127.0.0.53#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7870
;; flags: rd cd; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 8e31ae172137a02f
;; QUESTION SECTION:
;www.isc.org. IN A
;; received packet from 127.0.0.53#53
;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 7870
;; flags: qr rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
; OPT=5: 05 07 08 0a 0d 0e 0f (".......")
; OPT=6: 01 02 04 ("...")
; OPT=7: 01 (".")
;; QUESTION SECTION:
;www.isc.org. IN A
;; NOTIMP unexpected RCODE resolving 'www.isc.org/A/IN': 127.0.0.53#53
;; resolution failed: SERVFAIL
So, I'm guessing systemd-resolved is choking on the EDNS COOKIE option.
This needs to be reported as a bug to the systemd maintainers. And, maybe
delv should have a +nocookie option.
In the meantime, the workaround is the one you found: point delv to a
resolver that implements EDNS correctly. It will validate the data it
receives, but it has to receive some.
The newest version of delv, in the BIND 9.19 development release, has
a 'delv +ns' option to do its own resolution internally, without needing
an external server to look up the data; that would also work.
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
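An added diagnostic, not from the thread or from ISC, for checking whether a local resolver such as systemd-resolved rejects the EDNS COOKIE option that delv sends: it issues the same A query twice, once with an OPT record carrying a client cookie (option code 10, RFC 7873) and once with a plain OPT record, and reports each RCODE. The default server address and query name are assumptions.

```python
"""Probe a resolver for EDNS COOKIE handling (added example, not ISC code).

A NOTIMP (rcode 4) only on the cookie variant reproduces what delv hit
against systemd-resolved on 127.0.0.53.
"""
import os
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
EDNS_COOKIE = 10  # EDNS option code for COOKIE (RFC 7873)


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, txid, cookie=None):
    """A/IN query with RD set, plus an OPT RR (udp 1232, DO bit) and optional client cookie."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # qd=1, ar=1 (the OPT RR)
    question = encode_name(name) + struct.pack("!HH", 1, 1)      # type A, class IN
    rdata = struct.pack("!HH", EDNS_COOKIE, len(cookie)) + cookie if cookie else b""
    # OPT RR: root name, type 41, "class" = UDP payload size, "TTL" = ext rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, len(rdata)) + rdata
    return header + question + opt


def parse_rcode(packet, txid):
    """Return the RCODE name from a response header after checking the transaction id."""
    rid, flags = struct.unpack("!HH", packet[:4])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return RCODES.get(flags & 0x0F, str(flags & 0x0F))


def probe(server="127.0.0.53", name="www.isc.org", timeout=2.0):
    """Send the query with and without a cookie; returns e.g. {'cookie': 'NOTIMP', 'nocookie': 'NOERROR'}."""
    results = {}
    for label, cookie in (("cookie", os.urandom(8)), ("nocookie", None)):  # client cookie is 8 bytes
        txid = int.from_bytes(os.urandom(2), "big")
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, txid, cookie), (server, 53))
            results[label] = parse_rcode(s.recv(4096), txid)
    return results


if __name__ == "__main__":
    print(probe())
```

If both variants return NOERROR the resolver handles the option; a NOTIMP only for the cookie variant is the failure mode described above, and pointing delv at a different resolver is the workaround until the resolver is fixed.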