Use of stale data during dnssec validation

John Thurston john.thurston at alaska.gov
Fri Mar 3 21:21:08 UTC 2023


Today, we had a case where one of our resolvers (9.16.37) failed to 
return an SOA-record for the TLD 'us'. Digging with the +cd flag 
returned a value, while delving with +vtrace failed:

;; fetch: us/SOA
;; resolution failed: SERVFAIL

Fingers pointed to a failure to validate. I dumped the cache to a file, 
and then did a flushname of 'us.'

Digging and delving were then successful.

When looking in the dumped cache, I see the RRSIG-record for the 
SOA-record is marked as 'stale', and the DNSKEY-record (id=54159) is 
marked as 'pending-answer'.

Is stale data used during the validation of answers?


:: From the dumped cache  ::

us.                     84964   SOA a.cctld.us. admin.tldns.godaddy. (
                                         1677862753 ; serial
                                         1800       ; refresh (30 minutes)
                                         300        ; retry (5 minutes)
                                         604800     ; expire (1 week)
                                         1800       ; minimum (30 minutes)
                                         )
; secure
; stale
                         84964   RRSIG   SOA 8 1 900 (
                                         20230402170130 20230303160130 54159 us.
OKQQZoU8itxdg2T+AYpefOmGILJZRl1aA9zb
NXzYL9sXWsMMlctwod9JkEM08/SYGEHTmaEa
M+d9PMAjeeJMiChj3RV3TPGKRDubUbBrNJb2
R15fsjZRcVf8Iebhr0EZ/yxTJl4YzcTbUh9v
ffNOEULcPuVJmv0Hda7HKvnBmVJszPZImfLX
YIx3SyzRBp7jiZT1t7oyfZSlAbuRjX7zOw== )
; secure
                         82614   DS      46144 8 2 (
0C67E6017124BF19D50BE565CC486FF3CFE2
A278FE2E5983FF97B2A453386419 )
; secure
                         82614   RRSIG   DS 8 1 86400 (
                                         20230316050000 20230303040000 951 .
NHCxlyjA2/t38e03sjyEnXMszz/2whq5GFmP
Jf2Ttx9bUy1d/gq2n2PiM1BFZYKQvMGynB4f
58NK8905TG1fveBUTouF/eNo2gmHj/uBuPJm
g19lPm05tIK5OCCyD+D16K3IncQAjZUKjfcH
bT5qE8KF/ofRaO7PgFn27KbQwtnky+F3PXgJ
BkFIfkPJ8SFX6WSEaM8FsLojLDiJWllwnoJK
Qf6S0Ot8M3yOIb2oKCT0tucB7znRdkm9EEY5
oSe7waJRV+0sQL3rKhJePFVrd/AeTXY6ipaK
kIjdEn+1DoxiBAy/E0uhJ18s16USrxcZSSUg
                                         D5GfeGeuLiT7f69a+g== )
; pending-answer
                         3179    DNSKEY  256 3 8 (
AwEAAatbrQTiZd0FdSVbnkRFiU5jf9ACOPc4
M0CK+G+Gla4gH3ClPunwqBJhvRtMkKdhGE93
lMuzjNkGakBrkFvzwHtIw9pWLxum2Idysf+J
xdhfSXNNYEzKcP0lCIjWf+iY2rtXoltVLxgT
2skvDgmbwq+a3Cb/7CAB/SmFRCl8tQJ4YpJl
kHiHPbWXljjiPWsj3/52hv45GHKQPi4vRzPe
                                         aw0=
                                         ) ; ZSK; alg = RSASHA256 ; key id = 54159
                         3179    DNSKEY  257 3 8 (
AwEAAe5RHQBesQeThYEf56TkLfF5NysJv/H4
g1HeB7pnH25PsMVoVV/anWi7U3dSFsNzJ6nB
HwY/sdmxJ/HLunC/mLSo8ugB6G+UgtAgnlL3
u8Uq/3PYiBgpdNL+ldR0luV5WLAx8/1gG8JZ
w3Zu9VhurHKdGZso5ajSTFwBiY39lA0wWeDO
kZ2z/EV49JODt1i2N6KnvMTe5kD0qHXkP2oH
xTWOlf5vqUcmJmgfvLlGB1ROBT84xCm45Sfx
1U4FD8IPiOFrd9f/WcjPcW8MJFmzQmweVfKE
pF28s+YZ5wKid3gYESvaCeSvj7FHzdVUCcVh
                                         Fr2+XHeB8O8GTLqk7HgfdM8=
                                         ) ; KSK; alg = RSASHA256 ; key id = 46144



-- 
Do things because you should, not just because you can.

John Thurston    907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska
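
The manual check described in the message (reading a dumped cache for 'stale' and 'pending' markers on the records a validator needs) can be scripted. This is an added example, not part of the original post and not ISC code. It assumes the annotation comment lines precede the rdataset they describe, as in the excerpt above; SAMPLE_DUMP and both function names are constructed for illustration.

```python
import re
# Constructed sample in the excerpt's layout; base64 fields are placeholders.
SAMPLE_DUMP = """\
; secure
us.                     84964   SOA a.cctld.us. admin.tldns.godaddy. (
                                        1677862753 ; serial
                                        1800       ; minimum (30 minutes)
                                        )
; secure
; stale
                        84964   RRSIG   SOA 8 1 900 (
                                        20230402170130 20230303160130 54159 us.
                                        PLACEHOLDERSIG== )
; pending-answer
                        3179    DNSKEY  256 3 8 (
                                        PLACEHOLDERKEY==
                                        ) ; ZSK; alg = RSASHA256 ; key id = 54159
"""

# [owner] TTL [IN] TYPE first-rdata-field (the covered type, for an RRSIG)
RR_START = re.compile(r"^(\S+)?\s+(\d+)\s+(?:IN\s+)?([A-Z][A-Z0-9-]*)\s+(\S+)")

def parse_cache_dump(text):
    """Return one dict per annotated rdataset: owner, ttl, type, covers, flags."""
    rdatasets, flags, owner, depth = [], [], None, 0
    for line in text.splitlines():
        if depth == 0 and (not line.strip() or line.startswith("$")):
            flags = []                      # blank line or directive: drop stray comments
        elif depth == 0 and line.startswith(";"):
            flags.append(line[1:].strip())  # annotation for the next rdataset
        elif depth == 0 and (m := RR_START.match(line)):
            owner, rtype = m.group(1) or owner, m.group(3)
            if flags or not rdatasets or rdatasets[-1]["type"] != rtype:
                rdatasets.append({"owner": owner, "ttl": int(m.group(2)), "type": rtype,
                                  "covers": m.group(4) if rtype == "RRSIG" else None,
                                  "flags": flags})
            flags = []                      # an unannotated record extends the previous rdataset
        code = "" if line.startswith(";") else line.split(";", 1)[0]
        depth += code.count("(") - code.count(")")  # track multi-line rdata
    return rdatasets

def validation_suspects(rdatasets, owner):
    """DNSSEC rdatasets at `owner` that are marked stale or still pending."""
    out = []
    for rds in rdatasets:
        hits = [f for f in rds["flags"] if f.startswith(("stale", "pending"))]
        if rds["owner"] == owner and rds["type"] in ("RRSIG", "DNSKEY", "DS") and hits:
            label = rds["type"] + (f"({rds['covers']})" if rds["covers"] else "")
            out.append((label, rds["ttl"], hits))
    return out
```

Running validation_suspects(parse_cache_dump(text), "us.") over a saved dump lists the signature and key rdatasets worth inspecting before the name is flushed.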