DNSSEC error resolving gpo.gov ?

Sanjai Gandhi K off53-del at supportgov.in
Thu Mar 16 04:19:45 UTC 2023 

Hi Alexandra Yang, 

Please try to find the actual issue the following DNS Validation Tool using your [ http://www.federalregister.gov/ | federalregister.gov ] DNS Server. 

[ https://dnsviz.net/ | https://dnsviz.net/ ] 

Try to Solve the issues in the following Warning, in your DNS Server. ( DS Record is having problem , SHA-1 algorithm mismatch, Check with your server's configuration ) 


With Regards 
K.Sanjai Gandhi. 


From: "Alexandra Yang" <drayales at gmail.com> 
To: "Mark Andrews" <marka at isc.org> 
Cc: "Tim Maestas" <tmaestas95 at gmail.com>, "BIND9 Users" <bind-users at lists.isc.org> 
Sent: Wednesday, March 15, 2023 7:16:18 PM 
Subject: Re: DNSSEC error resolving gpo.gov ? 

We have client reporting problem resolving [ http://www.federalregister.gov/ | federalregister.gov ] for several weeks, which hosted by the two [ http://gpo.gov/ | gpo.gov ] nameservers, and our nameserver can't resolve anything under [ http://gpo.gov/ | gpo.gov ] , we have dnssec-validation yes that's all, I really can't think of anything can be done on our end to fix this, but also i don't understand why such generic config like us see such issue not wide-spread? 




Mar 14 10:23:32 ipam-dns-in-1 named[3713]: no valid RRSIG resolving ' [ http://ns3.gpo.gov/DS/IN | ns3.gpo.gov/DS/IN ] ': 162.140.15.100#53 

Mar 14 10:23:32 ipam-dns-in-1 named[3713]: no valid RRSIG resolving ' [ http://ns3.gpo.gov/DS/IN | ns3.gpo.gov/DS/IN ] ': 162.140.254.200#53 

Mar 14 10:23:32 ipam-dns-in-1 named[3713]: broken trust chain resolving ' [ http://ns3.gpo.gov/A/IN | ns3.gpo.gov/A/IN ] ': 162.140.15.100#53 



This is the dumpdb, wonder why pending-answer: 



; glue 

[ http://gpo.gov/ | gpo.gov ] . 85163 NS [ http://ns3.gpo.gov/ | ns3.gpo.gov ] . 

85163 NS [ http://ns4.gpo.gov/ | ns4.gpo.gov ] . 

; secure 

2363 DS 18496 8 1 ( 

20D05E8AF9ED7706AC31146B9E3BEF2D04C4 

98ED ) 

2363 DS 18496 8 2 ( 

665A12F38B1E446269351305495D6E5746CD 

F92D0CBAA34BAF77624C1CDDDD07 ) 

; secure 

2363 RRSIG DS 8 2 3600 ( 

20230321224235 20230314224235 24250 gov. 

ZFdS88EC8WeL8H6jDcylnXBW5FBboNLhI8vT 

+hU0GFHVDDdhFW5u7qEEtTvyNArbBtZ8xAPA 

nALlJwe76n1GXEmYtdx/3CPSF/YLZWE9yc+R 

3eyXyvN65Ht73WtY1qY7cevXcWVxjiZQI7vf 

bFIS+yCkX4ZXE3U5dS7ydzasO5yIru05hLnD 

vTb6eHZty1Kb/O+d/v9WtsqgSTPcVXOgaA== ) 

; pending-answer 

[ http://ns3.gpo.gov/ | ns3.gpo.gov ] . 889 \-AAAA ;-$NXRRSET 

; [ http://gpo.gov/ | gpo.gov ] . SOA [ http://ins1.gpo.gov/ | ins1.gpo.gov ] . [ http://noc.gpo.gov/ | noc.gpo.gov ] . 2010073218 10800 3600 2592000 900 

; glue 

43567 A 162.140.15.100 

; pending-answer 

[ http://ns4.gpo.gov/ | ns4.gpo.gov ] . 889 \-AAAA ;-$NXRRSET 

; [ http://gpo.gov/ | gpo.gov ] . SOA [ http://ins1.gpo.gov/ | ins1.gpo.gov ] . [ http://noc.gpo.gov/ | noc.gpo.gov ] . 2010073218 10800 3600 2592000 900 

; glue 




43567 A 162.140.254.200 

On Wed, Mar 15, 2023 at 1:50 AM Mark Andrews < [ mailto:marka at isc.org | marka at isc.org ] > wrote: 




> On 15 Mar 2023, at 15:42, Tim Maestas < [ mailto:tmaestas95 at gmail.com | tmaestas95 at gmail.com ] > wrote: 
> 
> Named should be sending queries with DO=1 and it should be getting back signed responses. I suspect that you will need to run packet captures of the traffic to and from 162.140.15.100 and 162.140.254.200 port 53 from the nameserver. Either signed responses will cease or DNSSEC requests will cease. In either case having the traffic around the transition should help to determine what is happening. 
> 
> I've found that, after a fresh restart of named, if I query for " [ http://federalregister.gov/ | federalregister.gov ] A" I get a good AD response, and then subsequent queries for " [ http://www.federalregister.gov/ | www.federalregister.gov ] " are successful as well. If however after a restart of named I begin with a query for [ http://www.federalregister.gov/ | www.federalregister.gov ] A then I get servfail, and subsequent queries for [ http://federealregister.gov/ | federealregister.gov ] servfail as well. Here is the tcpdump from the 2nd (failed) case of an initial query for [ http://www.federalregister.gov/ | www.federalregister.gov ] : 
> 
> 
> reading from file dns.cap, link-type EN10MB (Ethernet), snapshot length 262144 
> 04:30:01.114458 IP (tos 0x0, ttl 64, id 35832, offset 0, flags [none], proto UDP (17), length 92) 
> 10.0.0.159.43263 > 162.140.254.200.53: [udp sum ok] 15013 [1au] A? [ http://www.federalregister.gov/ | www.federalregister.gov ] . ar: . OPT UDPsize=512 DO [COOKIE 352538a87bde87a5] (64) 
> 04:30:01.204863 IP (tos 0x0, ttl 229, id 4936, offset 0, flags [DF], proto UDP (17), length 80) 
> 162.140.254.200.53 > 10.0.0.159.43263: [udp sum ok] 15013*-| q: A? [ http://www.federalregister.gov/ | www.federalregister.gov ] . 3/0/1 . OPT UDPsize=4096 DO [|domain] 

This is a malformed DNS response. It looks like the server tried to send a truncated response with an OPT record but failed to correctly update the answer count field to zero. 

% dig [ http://www.federalregister.gov/ | www.federalregister.gov ] @ [ http://162.140.15.100/ | 162.140.15.100 ] +dnssec +bufsize=512 +ignore +qr +norec 

; <<>> DiG 9.19.11-dev <<>> www. @ [ http://162.140.15.100/ | 162.140.15.100 ] +dnssec +bufsize=512 +ignore +qr +norec 
;; global options: +cmd 
;; Sending: 
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57919 
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 

;; OPT PSEUDOSECTION: 
; EDNS: version: 0, flags: do; udp: 512 
; COOKIE: 4a67cc813cfe03eb 
;; QUESTION SECTION: 
; [ http://www.federalregister.gov/ | www.federalregister.gov ] . IN A 

;; QUERY SIZE: 64 

;; Warning: Message parser reports malformed message packet. 
;; Got answer: 
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57919 
;; flags: qr aa tc; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 

;; QUESTION SECTION: 
; [ http://www.federalregister.gov/ | www.federalregister.gov ] . IN A 

;; ANSWER SECTION: 
. 32768 CLASS4096 OPT 
;; Query time: 271 msec 
;; SERVER: 162.140.15.100#53(162.140.15.100) (UDP) 
;; WHEN: Wed Mar 15 16:30:22 AEDT 2023 
;; MSG SIZE rcvd: 52 

-- 
Mark Andrews, ISC 
1 Seymour St., Dundas Valley, NSW 2117, Australia 
PHONE: +61 2 9871 4742 INTERNET: [ mailto:marka at isc.org | marka at isc.org ] 





-- 
With Regards, 
K.Sanjai Gandhi. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20230316/20ec8505/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Error - Copy1.png
Type: image/png
Size: 181008 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20230316/20ec8505/attachment-0001.png>

More information about the bind-users mailing list