DNSSEC error resolving gpo.gov ?

Tim Maestas tmaestas95 at gmail.com
Wed Mar 15 04:42:36 UTC 2023


> Named should be sending queries with DO=1 and it should be getting back
> signed responses.  I suspect that you will need to run packet captures of
> the traffic to and from 162.140.15.100 and 162.140.254.200 port 53 from the
> nameserver.  Either signed responses will cease or DNSSEC requests will
> cease.  In either  case having the traffic around the transition should
> help to determine what is happening.
>

I've found that, after a fresh restart of named, if I query for
"federalregister.gov A" I get a good AD response, and then subsequent
queries for "www.federalregister.gov" are successful as well.  If however
after a restart of named I begin with a query for www.federalregister.gov A
then I get servfail, and subsequent queries for federalregister.gov
servfail as well.  Here is the tcpdump from the 2nd (failed) case of an
initial query for www.federalregister.gov:


reading from file dns.cap, link-type EN10MB (Ethernet), snapshot length
262144
04:30:01.114458 IP (tos 0x0, ttl 64, id 35832, offset 0, flags [none],
proto UDP (17), length 92)
    10.0.0.159.43263 > 162.140.254.200.53: [udp sum ok] 15013 [1au] A?
www.federalregister.gov. ar: . OPT UDPsize=512 DO [COOKIE 352538a87bde87a5]
(64)
04:30:01.204863 IP (tos 0x0, ttl 229, id 4936, offset 0, flags [DF], proto
UDP (17), length 80)
    162.140.254.200.53 > 10.0.0.159.43263: [udp sum ok] 15013*-| q: A?
www.federalregister.gov. 3/0/1 . OPT UDPsize=4096 DO [|domain]
04:30:01.205350 IP (tos 0x0, ttl 64, id 43065, offset 0, flags [none],
proto UDP (17), length 69)
    10.0.0.159.59699 > 162.140.254.200.53: [udp sum ok] 50396 A?
www.federalregister.gov. (41)
04:30:01.325033 IP (tos 0x0, ttl 229, id 61678, offset 0, flags [DF], proto
UDP (17), length 141)
    162.140.254.200.53 > 10.0.0.159.59699: [udp sum ok] 50396*- q: A?
www.federalregister.gov. 2/2/0 www.federalregister.gov. A 99.83.174.136,
www.federalregister.gov. A 75.2.36.59 ns: federalregister.gov. NS
ns3.gpo.gov., federalregister.gov. NS ns4.gpo.gov. (113)
04:30:01.706532 IP (tos 0x0, ttl 64, id 13071, offset 0, flags [none],
proto UDP (17), length 92)
    10.0.0.159.40399 > 162.140.15.100.53: [udp sum ok] 59408 [1au] DS?
www.federalregister.gov. ar: . OPT UDPsize=512 DO [COOKIE bcd54232244c075a]
(64)
04:30:01.823027 IP (tos 0x0, ttl 230, id 41740, offset 0, flags [DF], proto
UDP (17), length 80)
    162.140.15.100.53 > 10.0.0.159.40399: [udp sum ok] 59408*-| q: DS?
www.federalregister.gov. 0/2/1 ns: . OPT UDPsize=4096 DO [|domain]
04:30:01.826975 IP (tos 0x0, ttl 64, id 29142, offset 0, flags [none],
proto UDP (17), length 69)
    10.0.0.159.41463 > 162.140.15.100.53: [udp sum ok] 53452 DS?
www.federalregister.gov. (41)
04:30:01.958188 IP (tos 0x0, ttl 230, id 41744, offset 0, flags [DF], proto
UDP (17), length 149)
    162.140.15.100.53 > 10.0.0.159.41463: [udp sum ok] 53452*- q: DS?
www.federalregister.gov. 0/1/0 ns: federalregister.gov. SOA ins1.gpo.gov.
please_set_email.absolutely.nowhere. 2542629 10800 1080 2592000 900 (121)
04:30:01.960633 IP (tos 0x0, ttl 64, id 61049, offset 0, flags [none],
proto UDP (17), length 69)
    10.0.0.159.47806 > 162.140.254.200.53: [udp sum ok] 3265 DS?
www.federalregister.gov. (41)
04:30:02.093679 IP (tos 0x0, ttl 229, id 61713, offset 0, flags [DF], proto
UDP (17), length 149)
    162.140.254.200.53 > 10.0.0.159.47806: [udp sum ok] 3265*- q: DS?
www.federalregister.gov. 0/1/0 ns: federalregister.gov. SOA ins1.gpo.gov.
please_set_email.absolutely.nowhere. 2542629 10800 1080 2592000 900 (121)
04:30:02.095216 IP (tos 0x0, ttl 64, id 53735, offset 0, flags [none],
proto UDP (17), length 57)
    10.0.0.159.44320 > 162.140.15.100.53: [udp sum ok] 27093 AAAA?
ns4.gpo.gov. (29)
04:30:02.099567 IP (tos 0x0, ttl 64, id 23890, offset 0, flags [none],
proto UDP (17), length 57)
    10.0.0.159.49556 > 162.140.15.100.53: [udp sum ok] 11719 AAAA?
ns3.gpo.gov. (29)
04:30:02.229242 IP (tos 0x0, ttl 230, id 56543, offset 0, flags [DF], proto
UDP (17), length 102)
    162.140.15.100.53 > 10.0.0.159.44320: [udp sum ok] 27093*- q: AAAA?
ns4.gpo.gov. 0/1/0 ns: gpo.gov. SOA ins1.gpo.gov. noc.gpo.gov. 2010073218
10800 3600 2592000 900 (74)
04:30:02.229459 IP (tos 0x0, ttl 230, id 56542, offset 0, flags [DF], proto
UDP (17), length 102)
    162.140.15.100.53 > 10.0.0.159.49556: [udp sum ok] 11719*- q: AAAA?
ns3.gpo.gov. 0/1/0 ns: gpo.gov. SOA ins1.gpo.gov. noc.gpo.gov. 2010073218
10800 3600 2592000 900 (74)

Here is the tcpdump from the 1st successful case of an initial query for
federalregister.gov:

04:39:02.838690 IP (tos 0x0, ttl 64, id 27981, offset 0, flags [none],
proto UDP (17), length 88)
    10.0.0.159.41336 > 162.140.15.100.53: [udp sum ok] 45611 [1au] A?
federalregister.gov. ar: . OPT UDPsize=512 DO [COOKIE 09372246c1a6d91c] (60)
04:39:02.924319 IP (tos 0x0, ttl 230, id 28551, offset 0, flags [DF], proto
UDP (17), length 506)
    162.140.15.100.53 > 10.0.0.159.41336: [udp sum ok] 45611*- q: A?
federalregister.gov. 3/3/1 federalregister.gov. A 75.2.36.59,
federalregister.gov. A 99.83.174.136, federalregister.gov. RRSIG ns:
federalregister.gov. NS ns4.gpo.gov., federalregister.gov. NS ns3.gpo.gov.,
federalregister.gov. RRSIG ar: . OPT UDPsize=4096 DO (478)
04:39:02.925207 IP (tos 0x0, ttl 64, id 22272, offset 0, flags [none],
proto UDP (17), length 88)
    10.0.0.159.36187 > 162.140.254.200.53: [udp sum ok] 44463 [1au] DNSKEY?
federalregister.gov. ar: . OPT UDPsize=512 DO [COOKIE cc687621d8684958] (60)
04:39:03.008409 IP (tos 0x0, ttl 229, id 32759, offset 0, flags [DF], proto
UDP (17), length 76)
    162.140.254.200.53 > 10.0.0.159.36187: [udp sum ok] 44463*-| q: DNSKEY?
federalregister.gov. 0/0/1 ar: . OPT UDPsize=4096 DO (48)
04:39:03.008785 IP (tos 0x0, ttl 64, id 53226, offset 0, flags [none],
proto TCP (6), length 60)
    10.0.0.159.55681 > 162.140.254.200.53: Flags [S], cksum 0x5d5f
(correct), seq 4261541886, win 64240, options [mss 1460,sackOK,TS val
682249050 ecr 0,nop,wscale 7], length 0
04:39:03.095133 IP (tos 0x0, ttl 229, id 32783, offset 0, flags [DF], proto
TCP (6), length 60)
    162.140.254.200.53 > 10.0.0.159.55681: Flags [S.], cksum 0x7ae4
(correct), seq 1529080310, ack 4261541887, win 13800, options [mss
1380,nop,wscale 0,sackOK,TS val 3817897758 ecr 682249050], length 0
04:39:03.095209 IP (tos 0x0, ttl 64, id 53227, offset 0, flags [none],
proto TCP (6), length 52)
    10.0.0.159.55681 > 162.140.254.200.53: Flags [.], cksum 0xdcf5
(correct), seq 1, ack 1, win 502, options [nop,nop,TS val 682249136 ecr
3817897758], length 0
04:39:03.095408 IP (tos 0x0, ttl 64, id 53228, offset 0, flags [none],
proto TCP (6), length 114)
    10.0.0.159.55681 > 162.140.254.200.53: Flags [P.], cksum 0x0a81
(correct), seq 1:63, ack 1, win 502, options [nop,nop,TS val 682249137 ecr
3817897758], length 62 22096 [1au] DNSKEY? federalregister.gov. ar: . OPT
UDPsize=1232 DO [COOKIE cc687621d8684958] (60)
04:39:03.183481 IP (tos 0x0, ttl 229, id 32793, offset 0, flags [DF], proto
TCP (6), length 52)
    162.140.254.200.53 > 10.0.0.159.55681: Flags [.], cksum 0xa82a
(correct), seq 1, ack 63, win 13862, options [nop,nop,TS val 3817897850 ecr
682249137], length 0
04:39:03.187960 IP (tos 0x0, ttl 229, id 32794, offset 0, flags [DF], proto
TCP (6), length 1160)
    162.140.254.200.53 > 10.0.0.159.55681: Flags [P.], cksum 0xca8d
(correct), seq 1:1109, ack 63, win 13862, options [nop,nop,TS val
3817897850 ecr 682249137], length 1108 22096*- q: DNSKEY?
federalregister.gov. 5/0/1 federalregister.gov. DNSKEY, federalregister.gov.
DNSKEY, federalregister.gov. DNSKEY, federalregister.gov. RRSIG,
federalregister.gov. RRSIG ar: . OPT UDPsize=4096 DO (1106)
04:39:03.187995 IP (tos 0x0, ttl 64, id 53229, offset 0, flags [none],
proto TCP (6), length 52)
    10.0.0.159.55681 > 162.140.254.200.53: Flags [.], cksum 0xd7ab
(correct), seq 63, ack 1109, win 501, options [nop,nop,TS val 682249229 ecr
3817897850], length 0
04:39:03.189604 IP (tos 0x0, ttl 64, id 53230, offset 0, flags [none],
proto TCP (6), length 52)
    10.0.0.159.55681 > 162.140.254.200.53: Flags [F.], cksum 0xd7a8
(correct), seq 63, ack 1109, win 501, options [nop,nop,TS val 682249231 ecr
3817897850], length 0
04:39:03.486320 IP (tos 0x0, ttl 64, id 53231, offset 0, flags [none],
proto TCP (6), length 52)
    10.0.0.159.55681 > 162.140.254.200.53: Flags [F.], cksum 0xd67f
(correct), seq 63, ack 1109, win 501, options [nop,nop,TS val 682249528 ecr
3817897850], length 0

Both dumps were filtered to only traffic to/from the authoritative servers
162.140.15.100 and 162.140.254.200.

This particular system is running  9.16.33-Raspbian.
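
An added example, not part of the original post: a small Python filter that scans `tcpdump -v` DNS text for the pattern visible in the failing capture, a truncated UDP reply (tcpdump's `|` flag after the query ID) to a DO query, followed by a UDP retry of the same question with no OPT record. The function names are hypothetical, and the sample input is four records from the capture above with the e-mail line wrapping undone.

```python
import re

# Sample input: the first four DNS records of the failing capture above,
# rejoined to one record per line (IP header lines dropped).
SAMPLE = """\
10.0.0.159.43263 > 162.140.254.200.53: [udp sum ok] 15013 [1au] A? www.federalregister.gov. ar: . OPT UDPsize=512 DO [COOKIE 352538a87bde87a5] (64)
162.140.254.200.53 > 10.0.0.159.43263: [udp sum ok] 15013*-| q: A? www.federalregister.gov. 3/0/1 . OPT UDPsize=4096 DO [|domain]
10.0.0.159.59699 > 162.140.254.200.53: [udp sum ok] 50396 A? www.federalregister.gov. (41)
162.140.254.200.53 > 10.0.0.159.59699: [udp sum ok] 50396*- q: A? www.federalregister.gov. 2/2/0 www.federalregister.gov. A 99.83.174.136, www.federalregister.gov. A 75.2.36.59 ns: federalregister.gov. NS ns3.gpo.gov., federalregister.gov. NS ns4.gpo.gov. (113)
"""

# src > dst: [udp sum ok] <id><flags> [1au] (q: )?<QTYPE>? <qname> <rest>
# tcpdump flag characters after the ID: '*' = AA, '-' = RA clear, '|' = TC.
REC = re.compile(
    r"(?P<src>\S+) > (?P<dst>\S+): \[udp sum ok\] (?P<id>\d+)(?P<flags>[^\s\d]*) "
    r"(?:\[\w+\] )?(?P<q>q: )?(?P<qtype>[A-Z]+)\? (?P<qname>\S+)(?P<rest>.*)")
EDNS_DO = re.compile(r"OPT UDPsize=\d+ DO")

def parse(text):
    """Turn unwrapped tcpdump UDP/DNS records into dicts; skip other lines."""
    pkts = []
    for line in text.splitlines():
        m = REC.search(line)
        if m:
            pkts.append({
                "src": m["src"], "dst": m["dst"],
                "response": m["q"] is not None,        # replies carry "q:"
                "tc": "|" in m["flags"],               # truncated reply
                "do": bool(EDNS_DO.search(m["rest"])),  # OPT record with DO
                "rrsig": "RRSIG" in m["rest"],
                "key": (m["qname"].lower(), m["qtype"]),
            })
    return pkts

def plain_retries_after_truncation(pkts):
    """(server, qname, qtype) for each truncated DO reply whose next UDP
    query for the same question to the same server has no OPT/DO."""
    hits = []
    for i, p in enumerate(pkts):
        if not (p["response"] and p["tc"] and p["do"]):
            continue
        for later in pkts[i + 1:]:
            if later["response"] or later["dst"] != p["src"] or later["key"] != p["key"]:
                continue
            if not later["do"]:
                hits.append((p["src"].rsplit(".", 1)[0],) + p["key"])
            break
    return hits

if __name__ == "__main__":
    print(plain_retries_after_truncation(parse(SAMPLE)))
```

TCP retries, as seen in the successful capture, are not matched by this UDP-only pattern and so are never reported.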