DNSSEC error resolving gpo.gov ?

Mark Andrews marka at isc.org
Thu Mar 16 04:40:42 UTC 2023


The cause is known and has nothing to do with the SHA-1 DS record.

-- 
Mark Andrews

> On 16 Mar 2023, at 15:20, Sanjai Gandhi K <off53-del at supportgov.in> wrote:
> 
> 
> Hi Alexandra Yang,
> 
> Please try to find the actual issue the following DNS Validation Tool using your  federalregister.gov DNS Server.
> 
> https://dnsviz.net/
> 
> Try to Solve the issues in the following Warning, in your DNS Server. ( DS Record is having problem , SHA-1 algorithm mismatch, Check with your server's configuration )
> 
> 
> 
> With Regards
> K.Sanjai Gandhi.
> 
> From: "Alexandra Yang" <drayales at gmail.com>
> To: "Mark Andrews" <marka at isc.org>
> Cc: "Tim Maestas" <tmaestas95 at gmail.com>, "BIND9 Users" <bind-users at lists.isc.org>
> Sent: Wednesday, March 15, 2023 7:16:18 PM
> Subject: Re: DNSSEC error resolving gpo.gov ?
> 
> We have client reporting problem resolving federalregister.gov for several weeks, which hosted by the two gpo.gov nameservers, and our nameserver can't resolve anything under gpo.gov, we have dnssec-validation yes that's all, I really can't think of anything can be done on our end to fix this, but also i don't understand why such generic config like us see such issue not wide-spread? 
> 
> 
> Mar 14 10:23:32 ipam-dns-in-1 named[3713]: no valid RRSIG resolving 'ns3.gpo.gov/DS/IN': 162.140.15.100#53
> Mar 14 10:23:32 ipam-dns-in-1 named[3713]: no valid RRSIG resolving 'ns3.gpo.gov/DS/IN': 162.140.254.200#53
> Mar 14 10:23:32 ipam-dns-in-1 named[3713]: broken trust chain resolving 'ns3.gpo.gov/A/IN': 162.140.15.100#53
>  
> This is the dumpdb, wonder why pending-answer:
>  
> ; glue
> gpo.gov.                85163   NS      ns3.gpo.gov.
>                         85163   NS      ns4.gpo.gov.
> ; secure
>                         2363    DS      18496 8 1 (
>                                         20D05E8AF9ED7706AC31146B9E3BEF2D04C4
>                                         98ED )
>                         2363    DS      18496 8 2 (
>                                         665A12F38B1E446269351305495D6E5746CD
>                                         F92D0CBAA34BAF77624C1CDDDD07 )
> ; secure
>                         2363    RRSIG   DS 8 2 3600 (
>                                         20230321224235 20230314224235 24250 gov.
>                                         ZFdS88EC8WeL8H6jDcylnXBW5FBboNLhI8vT
>                                         +hU0GFHVDDdhFW5u7qEEtTvyNArbBtZ8xAPA
>                                         nALlJwe76n1GXEmYtdx/3CPSF/YLZWE9yc+R
>                                         3eyXyvN65Ht73WtY1qY7cevXcWVxjiZQI7vf
>                                         bFIS+yCkX4ZXE3U5dS7ydzasO5yIru05hLnD
>                                         vTb6eHZty1Kb/O+d/v9WtsqgSTPcVXOgaA== )
> ; pending-answer
> ns3.gpo.gov.            889     \-AAAA  ;-$NXRRSET
> ; gpo.gov. SOA ins1.gpo.gov. noc.gpo.gov. 2010073218 10800 3600 2592000 900
> ; glue
>                         43567   A       162.140.15.100
> ; pending-answer
> ns4.gpo.gov.            889     \-AAAA  ;-$NXRRSET
> ; gpo.gov. SOA ins1.gpo.gov. noc.gpo.gov. 2010073218 10800 3600 2592000 900
> ; glue
> 
>                         43567   A       162.140.254.200
> 
>> On Wed, Mar 15, 2023 at 1:50 AM Mark Andrews <marka at isc.org> wrote:
>> 
>> 
>> > On 15 Mar 2023, at 15:42, Tim Maestas <tmaestas95 at gmail.com> wrote:
>> > 
>> > Named should be sending queries with DO=1 and it should be getting back signed responses.  I suspect that you will need to run packet captures of the traffic to and from 162.140.15.100 and 162.140.254.200 port 53 from the nameserver.  Either signed responses will cease or DNSSEC requests will cease.  In either  case having the traffic around the transition should help to determine what is happening.
>> > 
>> > I've found that, after a fresh restart of named, if I query for "federalregister.gov A" I get a good AD response, and then subsequent queries for "www.federalregister.gov" are successful as well.  If however after a restart of named I begin with a query for www.federalregister.gov A then I get servfail, and subsequent queries for federealregister.gov servfail as well.  Here is the tcpdump from the 2nd (failed) case of an initial query for www.federalregister.gov:
>> > 
>> > 
>> > reading from file dns.cap, link-type EN10MB (Ethernet), snapshot length 262144
>> > 04:30:01.114458 IP (tos 0x0, ttl 64, id 35832, offset 0, flags [none], proto UDP (17), length 92)
>> >     10.0.0.159.43263 > 162.140.254.200.53: [udp sum ok] 15013 [1au] A? www.federalregister.gov. ar: . OPT UDPsize=512 DO [COOKIE 352538a87bde87a5] (64)
>> > 04:30:01.204863 IP (tos 0x0, ttl 229, id 4936, offset 0, flags [DF], proto UDP (17), length 80)
>> >     162.140.254.200.53 > 10.0.0.159.43263: [udp sum ok] 15013*-| q: A? www.federalregister.gov. 3/0/1 . OPT UDPsize=4096 DO [|domain]
>> 
>> This is a malformed DNS response.  It looks like the server tried to send a truncated response with an OPT record but failed to correctly update the answer count field to zero.  
>> 
>> % dig www.federalregister.gov @162.140.15.100 +dnssec +bufsize=512 +ignore +qr +norec
>> 
>> ; <<>> DiG 9.19.11-dev <<>> www. @162.140.15.100 +dnssec +bufsize=512 +ignore +qr +norec
>> ;; global options: +cmd
>> ;; Sending:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57919
>> ;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>> 
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 512
>> ; COOKIE: 4a67cc813cfe03eb
>> ;; QUESTION SECTION:
>> ;www.federalregister.gov. IN A
>> 
>> ;; QUERY SIZE: 64
>> 
>> ;; Warning: Message parser reports malformed message packet.
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57919
>> ;; flags: qr aa tc; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>> 
>> ;; QUESTION SECTION:
>> ;www.federalregister.gov. IN A
>> 
>> ;; ANSWER SECTION:
>> . 32768 CLASS4096 OPT 
>> ;; Query time: 271 msec
>> ;; SERVER: 162.140.15.100#53(162.140.15.100) (UDP)
>> ;; WHEN: Wed Mar 15 16:30:22 AEDT 2023
>> ;; MSG SIZE  rcvd: 52
>> 
>>  -- 
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
>> 
> 
> 
> --
> With Regards,
> K.Sanjai Gandhi.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20230316/b6bec9b9/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Error - Copy1.png
Type: image/png
Size: 181008 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20230316/b6bec9b9/attachment-0001.png>


More information about the bind-users mailing list