DNSSEC error resolving gpo.gov ?

Mark Andrews marka at isc.org
Wed Mar 15 05:49:50 UTC 2023 


> On 15 Mar 2023, at 15:42, Tim Maestas <tmaestas95 at gmail.com> wrote:
> 
> Named should be sending queries with DO=1 and it should be getting back signed responses.  I suspect that you will need to run packet captures of the traffic to and from 162.140.15.100 and 162.140.254.200 port 53 from the nameserver.  Either signed responses will cease or DNSSEC requests will cease.  In either  case having the traffic around the transition should help to determine what is happening.
> 
> I've found that, after a fresh restart of named, if I query for "federalregister.gov A" I get a good AD response, and then subsequent queries for "www.federalregister.gov" are successful as well.  If however after a restart of named I begin with a query for www.federalregister.gov A then I get servfail, and subsequent queries for federealregister.gov servfail as well.  Here is the tcpdump from the 2nd (failed) case of an initial query for www.federalregister.gov:
> 
> 
> reading from file dns.cap, link-type EN10MB (Ethernet), snapshot length 262144
> 04:30:01.114458 IP (tos 0x0, ttl 64, id 35832, offset 0, flags [none], proto UDP (17), length 92)
>     10.0.0.159.43263 > 162.140.254.200.53: [udp sum ok] 15013 [1au] A? www.federalregister.gov. ar: . OPT UDPsize=512 DO [COOKIE 352538a87bde87a5] (64)
> 04:30:01.204863 IP (tos 0x0, ttl 229, id 4936, offset 0, flags [DF], proto UDP (17), length 80)
>     162.140.254.200.53 > 10.0.0.159.43263: [udp sum ok] 15013*-| q: A? www.federalregister.gov. 3/0/1 . OPT UDPsize=4096 DO [|domain]

This is a malformed DNS response.  It looks like the server tried to send a truncated response with an OPT record but failed to correctly update the answer count field to zero.  

% dig www.federalregister.gov @162.140.15.100 +dnssec +bufsize=512 +ignore +qr +norec

; <<>> DiG 9.19.11-dev <<>> www. @162.140.15.100 +dnssec +bufsize=512 +ignore +qr +norec
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57919
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
; COOKIE: 4a67cc813cfe03eb
;; QUESTION SECTION:
;www.federalregister.gov. IN A

;; QUERY SIZE: 64

;; Warning: Message parser reports malformed message packet.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57919
;; flags: qr aa tc; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;www.federalregister.gov. IN A

;; ANSWER SECTION:
. 32768 CLASS4096 OPT 
;; Query time: 271 msec
;; SERVER: 162.140.15.100#53(162.140.15.100) (UDP)
;; WHEN: Wed Mar 15 16:30:22 AEDT 2023
;; MSG SIZE  rcvd: 52

 -- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

More information about the bind-users mailing list