unresolvable pms.psc.gov, but google/cloudflare/unbound work

Nicholas Miller Nicholas.Miller at Colorado.EDU
Mon Sep 18 13:29:57 UTC 2023


I know this is an old thread but we are having issues resolving pms.psc.gov as well. Disabling DNSSEC validation on a test server doesn’t solve the problem. I can add a forwarding zone for ha.psc.gov pointed to their NS servers and things work. I would love to know what is broken here.

> dig pms.psc.gov

; <<>> DiG 9.16.43 <<>> pms.psc.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60669
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 20b2eb2c9840bfbd0100000065084978288fdde1e6f7c2a6 (good)
;; QUESTION SECTION:
;pms.psc.gov. IN A

;; Query time: 2993 msec
;; SERVER: 128.138.240.1#53(128.138.240.1)
;; WHEN: Mon Sep 18 06:58:32 MDT 2023
;; MSG SIZE  rcvd: 68

_________________________________________________________
Nicholas Miller, OIT, University of Colorado at Boulder

> On Aug 22, 2021, at 11:57 AM, Matthew Richardson <matthew-l at itconsult.co.uk> wrote:
> 
> It looks slightly more subtle than a straight failure.  There is a DS
> record in psc.gov pointing to key 180 in ha.psc.gov:-
> 
>> ha.psc.gov.             56      IN      DS      180 7 1 8A631C83457F4BDB3C450A725DFDB267C4BAC1CC
> 
> This points correctly to the key.  However digest algorithm 1 is now either
> prohibited or discouraged.  Worse there is also a DS:-
> 
>> ha.psc.gov.             56      IN      DS      39093 7 2 DD956C9568726B6EEED24D9814F0EC0D2BD119CF4B8A6352A4BF6968 0880E8E7
> 
> where key 39093 does not exist in ha.psc.gov.
> 
> Buried in the mass of errors & warnings, dnsvis says:-
> 
>> ha.psc.gov/DS (alg 7, id 180): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset.
> 
> With both Bind & Unbound, I get SERVFAIL.  However, other resolvers may be
> more tolerant of algorithm 1 DS records, in which case they may decide that
> the answer is "valid".
> 
> In any event, it needs fixing.
> 
> However, to answer the OP's question, the solution is to use a "negative
> trust anchor":-
> 
>> # rndc nta -lifetime 1d ha.psc.gov
>> Negative trust anchor added: ha.psc.gov/_default, expires 23-Aug-2021 18:55:13.000
> 
> which then allowed my Bind to resolve it.
> 
> Best wishes,
> Matthew
> 
> ------
>> From: "John W. Blue via bind-users" <bind-users at lists.isc.org>
>> To: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
>> Cc: 
>> Date: Sun, 22 Aug 2021 16:24:41 +0000
>> Subject: Re: unresolvable pms.psc.gov, but google/cloudflare/unbound work
> 
>> You're using the wrong tools to troubleshoot or investigate this error.
>> 
>> Instead of relying upon resolvers to provide situational awareness you need to inspect DNSSEC itself using dnsviz.net:
>> 
>> https://dnsviz.net/d/pms.psc.gov/dnssec/
>> 
>> psc.gov is giving the world ID 5089 when they need to be handing out ID 180.
>> 
>> Recommend the pms.psc.gov admins give the psc.gov admins the correct hash.
>> 
>> ________________________________
>> From: Roger Hammerstein <cheeky.m at gmx.com>
>> Sent: Sunday, August 22, 2021 9:45 AM
>> To: bind-users at lists.isc.org
>> Subject: unresolvable pms.psc.gov, but google/cloudflare/unbound work
>> 
>> 
>> pms.psc.gov appears to be unresolvable against bind9.16.19
>> and 9.11.34 because of dnssec issues.
>> But it resolves against Cloudflare's 1.1.1.1, Google's 8.8.8.8, and an Unbound
>> resolver that does dnssec-validation.
>> 
>> There's a ticket open with nih.gov to look into it, but is there anything that can
>> be changed with Bind to make this domain resolve in the meantime?
>> 
>> (pms.psc.gov): query failed (SERVFAIL) for pms.psc.gov/IN/A at query.c:8678
>> 
>> https://dnsviz.net/d/pms.psc.gov/dnssec/
>> https://dnssec-analyzer.verisignlabs.com/pms.psc.gov
>> 
>> dig a pms.psc.gov @8.8.8.8
>> pms.psc.gov.            2852    IN      CNAME   pms.ha.psc.gov.
>> pms.ha.psc.gov.         29      IN      A       156.40.178.24
>> 
>> 
>> 
>> dig a pms.psc.gov @8.8.8.8 +dnssec
>> 
>> ;; ANSWER SECTION:
>> pms.psc.gov.            2835    IN      CNAME   pms.ha.psc.gov.
>> pms.psc.gov.            2835    IN      RRSIG   CNAME 8 3 3600 20210827000144 20210821230144 5089 psc.gov. kpclRfRyBqaSGW6VrpkE4gP/QPfggKZTVb68npiosnt+4lIUglUxino5 jQAqd9a1p8HbdHG63HPnfYYBq1bX9q/f11CVUmxXXJUbRBGTZBnDyATP LLI2GWSZ1at364O+C+iZozi8NpJNU4oTCfd3PLScFbOfSGbPyRfUzfvB AJc=
>> pms.ha.psc.gov.         29      IN      A       156.40.178.24
>> pms.ha.psc.gov.         29      IN      RRSIG   A 7 4 30 20210827185442 20210820185442 21380 ha.psc.gov. w2XUqBVoBMtLv0qfc5xmccrpv+w2ukwGfaGJvthIKHXr2SdlAk3oQxve xyolEaj2zWn8Uj7lOsaZD8mewBMQ3iEEp8U96aFBslWV/ffEKL+H9oMM sUNU5KwNi7/Nk3KZuNc8R3xxuYTsSVdbu6ai1lQ6fmw2uWAoDP9YIqek jyo/0WFSXM+hxw/5WguijhilSRIywNgG3/6MY3ZmunPPafGTCTXigyex IBACJQJ+meD6vMi0YoRM17mwdD+7Buq2cb6LJyVYaQImh7M2gF8My75n lDns4PWEIx4bSW2uQQEPpB7MA9VI9y5CuVCmqC3wMZ2ow6G8pkaf18wv r/ucSQ==
>> 
>> 
>> 
>> 
>> I can sometimes get a servfail out of 8.8.8.8 with an any query
>> dig any pms.psc.gov @8.8.8.8 +dnssec
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36332
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 512
>> ;; QUESTION SECTION:
>> ;pms.psc.gov.                   IN      ANY
>> ;; Query time: 5001 msec
> 
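The DS-selection rule that dnsviz reports in the thread (RFC 4509 section 3) worked through in code, as an added example that is not part of the mailing-list thread: a strict validator ignores SHA-1 DS records whenever a SHA-256 DS exists in the same RRset, so when that SHA-256 DS refers to a key no longer in the child's DNSKEY set, no secure entry point remains and the answer is bogus (SERVFAIL in BIND and Unbound), while a lenient validator that still accepts the SHA-1 DS finds a matching key and treats the zone as secure. The DNSKEY bytes and the resulting key tags are constructed for illustration, not the real ha.psc.gov keys.

```python
import hashlib
import struct

SHA1, SHA256 = 1, 2  # DS digest types (RFC 4034 / RFC 4509)
OWNER = "ha.psc.gov."
# Constructed sample DNSKEY RDATA (flags 257, proto 3, alg 7); NOT the real ha.psc.gov keys.
KSK = struct.pack("!HBB", 257, 3, 7) + b"\x03\x01\x00\x01" + bytes(range(64))          # published
MISSING_KSK = struct.pack("!HBB", 257, 3, 7) + b"\x03\x01\x00\x01" + bytes(range(64, 128))  # not published

def wire_name(name):
    """Owner name in canonical (lowercase, uncompressed) wire format."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSAMD5)."""
    acc = sum(b if i % 2 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name wire form || DNSKEY RDATA), RFC 4034 5.1.4."""
    h = hashlib.sha1 if digest_type == SHA1 else hashlib.sha256
    return h(wire_name(owner) + rdata).hexdigest().upper()

def usable_ds(ds_set, strict=True):
    """RFC 4509 s3: when a SHA-256 DS is present, a validator ignores SHA-1 DS."""
    if strict and any(d["digest_type"] == SHA256 for d in ds_set):
        return [d for d in ds_set if d["digest_type"] != SHA1]
    return ds_set

def secure_entry_points(owner, ds_set, dnskeys, strict=True):
    """DS records whose tag, algorithm and digest match a child apex DNSKEY."""
    matches = []
    for d in usable_ds(ds_set, strict):
        for rdata in dnskeys:
            if (key_tag(rdata) == d["key_tag"] and rdata[3] == d["algorithm"]
                    and ds_digest(owner, rdata, d["digest_type"]) == d["digest"]):
                matches.append(d)
    return matches

def make_ds(owner, rdata, digest_type):
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest_type": digest_type,
            "digest": ds_digest(owner, rdata, digest_type)}

def build_ds_set():
    """Like the thread: SHA-1 DS -> published key, SHA-256 DS -> key absent from the zone."""
    return [make_ds(OWNER, KSK, SHA1), make_ds(OWNER, MISSING_KSK, SHA256)]

def validation_outcome(strict=True):
    return "secure" if secure_entry_points(OWNER, build_ds_set(), [KSK], strict) else "bogus"
```

`validation_outcome(strict=True)` returns "bogus", which is the state BIND and Unbound surface as SERVFAIL; `validation_outcome(strict=False)` returns "secure", matching the more tolerant resolvers described in the thread.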
