DNSSEC error resolving gpo.gov ?

Alexandra Yang drayales at gmail.com
Wed Mar 15 13:46:18 UTC 2023 

We have client reporting problem resolving federalregister.gov
<http://www.federalregister.gov/> for several weeks, which hosted by the
two gpo.gov nameservers, and our nameserver can't resolve anything under
gpo.gov, we have dnssec-validation yes that's all, I really can't think of
anything can be done on our end to fix this, but also i don't understand
why such generic config like us see such issue not wide-spread?


Mar 14 10:23:32 ipam-dns-in-1 named[3713]: no valid RRSIG resolving '
ns3.gpo.gov/DS/IN': 162.140.15.100#53

Mar 14 10:23:32 ipam-dns-in-1 named[3713]: no valid RRSIG resolving '
ns3.gpo.gov/DS/IN': 162.140.254.200#53

Mar 14 10:23:32 ipam-dns-in-1 named[3713]: broken trust chain resolving '
ns3.gpo.gov/A/IN': 162.140.15.100#53


This is the dumpdb, wonder why pending-answer:


; glue

gpo.gov.                85163   NS      ns3.gpo.gov.

                        85163   NS      ns4.gpo.gov.

; secure

                        2363    DS      18496 8 1 (

                                        20D05E8AF9ED7706AC31146B9E3BEF2D04C4

                                        98ED )

                        2363    DS      18496 8 2 (

                                        665A12F38B1E446269351305495D6E5746CD

                                        F92D0CBAA34BAF77624C1CDDDD07 )

; secure

                        2363    RRSIG   DS 8 2 3600 (

                                        20230321224235 20230314224235 24250
gov.

                                        ZFdS88EC8WeL8H6jDcylnXBW5FBboNLhI8vT

                                        +hU0GFHVDDdhFW5u7qEEtTvyNArbBtZ8xAPA

                                        nALlJwe76n1GXEmYtdx/3CPSF/YLZWE9yc+R

                                        3eyXyvN65Ht73WtY1qY7cevXcWVxjiZQI7vf

                                        bFIS+yCkX4ZXE3U5dS7ydzasO5yIru05hLnD

                                        vTb6eHZty1Kb/O+d/v9WtsqgSTPcVXOgaA==
)

; pending-answer

ns3.gpo.gov.            889     \-AAAA  ;-$NXRRSET

; gpo.gov. SOA ins1.gpo.gov. noc.gpo.gov. 2010073218 10800 3600 2592000 900

; glue

                        43567   A       162.140.15.100

; pending-answer

ns4.gpo.gov.            889     \-AAAA  ;-$NXRRSET

; gpo.gov. SOA ins1.gpo.gov. noc.gpo.gov. 2010073218 10800 3600 2592000 900

; glue

                        43567   A       162.140.254.200

On Wed, Mar 15, 2023 at 1:50 AM Mark Andrews <marka at isc.org> wrote:

>
>
> > On 15 Mar 2023, at 15:42, Tim Maestas <tmaestas95 at gmail.com> wrote:
> >
> > Named should be sending queries with DO=1 and it should be getting back
> signed responses.  I suspect that you will need to run packet captures of
> the traffic to and from 162.140.15.100 and 162.140.254.200 port 53 from the
> nameserver.  Either signed responses will cease or DNSSEC requests will
> cease.  In either  case having the traffic around the transition should
> help to determine what is happening.
> >
> > I've found that, after a fresh restart of named, if I query for "
> federalregister.gov A" I get a good AD response, and then subsequent
> queries for "www.federalregister.gov" are successful as well.  If however
> after a restart of named I begin with a query for www.federalregister.gov
> A then I get servfail, and subsequent queries for federealregister.gov
> servfail as well.  Here is the tcpdump from the 2nd (failed) case of an
> initial query for www.federalregister.gov:
> >
> >
> > reading from file dns.cap, link-type EN10MB (Ethernet), snapshot length
> 262144
> > 04:30:01.114458 IP (tos 0x0, ttl 64, id 35832, offset 0, flags [none],
> proto UDP (17), length 92)
> >     10.0.0.159.43263 > 162.140.254.200.53: [udp sum ok] 15013 [1au] A?
> www.federalregister.gov. ar: . OPT UDPsize=512 DO [COOKIE
> 352538a87bde87a5] (64)
> > 04:30:01.204863 IP (tos 0x0, ttl 229, id 4936, offset 0, flags [DF],
> proto UDP (17), length 80)
> >     162.140.254.200.53 > 10.0.0.159.43263: [udp sum ok] 15013*-| q: A?
> www.federalregister.gov. 3/0/1 . OPT UDPsize=4096 DO [|domain]
>
> This is a malformed DNS response.  It looks like the server tried to send
> a truncated response with an OPT record but failed to correctly update the
> answer count field to zero.
>
> % dig www.federalregister.gov @162.140.15.100 +dnssec +bufsize=512
> +ignore +qr +norec
>
> ; <<>> DiG 9.19.11-dev <<>> www. @162.140.15.100 +dnssec +bufsize=512
> +ignore +qr +norec
> ;; global options: +cmd
> ;; Sending:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57919
> ;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ; COOKIE: 4a67cc813cfe03eb
> ;; QUESTION SECTION:
> ;www.federalregister.gov. IN A
>
> ;; QUERY SIZE: 64
>
> ;; Warning: Message parser reports malformed message packet.
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57919
> ;; flags: qr aa tc; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;www.federalregister.gov. IN A
>
> ;; ANSWER SECTION:
> . 32768 CLASS4096 OPT
> ;; Query time: 271 msec
> ;; SERVER: 162.140.15.100#53(162.140.15.100) (UDP)
> ;; WHEN: Wed Mar 15 16:30:22 AEDT 2023
> ;; MSG SIZE  rcvd: 52
>
>  --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20230315/d8a60690/attachment-0001.htm>

More information about the bind-users mailing list