Use of stale data during dnssec validation

Fri, 03 Mar 2023 13:22:23 -0800

Today, we had a case where one of our resolvers (9.16.37) failed to return an SOA-record for the TLD 'us'. digging with the +cd flag, returned a value, while delving with +vtrace failed: 

;; fetch: us/SOA
;; resolution failed: SERVFAIL
Fingers pointed to a failure to validate. I dumped the cache to a file, and then did a flushname of 'us.' 

digging and delving was then successful.
When looking in the dumped cache, I see the RRSIG-record for the SOA-record is marked as 'stale', and the DNSKEY-record (id=54159) is marked as 'pending-answer' 

Is stale data used during the validation of answers?


:: From the dumped cache  ::

us.                     84964   SOA a.cctld.us. admin.tldns.godaddy. (
                                        1677862753 ; serial
                                        1800       ; refresh (30 minutes)
                                        300        ; retry (5 minutes)
                                        604800     ; expire (1 week)
                                        1800       ; minimum (30 minutes)
                                        )
; secure
; stale
                        84964   RRSIG   SOA 8 1 900 (
                                        20230402170130 20230303160130 54159 us. 
OKQQZoU8itxdg2T+AYpefOmGILJZRl1aA9zb
NXzYL9sXWsMMlctwod9JkEM08/SYGEHTmaEa
M+d9PMAjeeJMiChj3RV3TPGKRDubUbBrNJb2
R15fsjZRcVf8Iebhr0EZ/yxTJl4YzcTbUh9v
ffNOEULcPuVJmv0Hda7HKvnBmVJszPZImfLX
YIx3SyzRBp7jiZT1t7oyfZSlAbuRjX7zOw== )
; secure
                        82614   DS      46144 8 2 (
0C67E6017124BF19D50BE565CC486FF3CFE2
A278FE2E5983FF97B2A453386419 )
; secure
                        82614   RRSIG   DS 8 1 86400 (
                                        20230316050000 20230303040000 951 .
NHCxlyjA2/t38e03sjyEnXMszz/2whq5GFmP
Jf2Ttx9bUy1d/gq2n2PiM1BFZYKQvMGynB4f
58NK8905TG1fveBUTouF/eNo2gmHj/uBuPJm
g19lPm05tIK5OCCyD+D16K3IncQAjZUKjfcH
bT5qE8KF/ofRaO7PgFn27KbQwtnky+F3PXgJ
BkFIfkPJ8SFX6WSEaM8FsLojLDiJWllwnoJK
Qf6S0Ot8M3yOIb2oKCT0tucB7znRdkm9EEY5
oSe7waJRV+0sQL3rKhJePFVrd/AeTXY6ipaK
kIjdEn+1DoxiBAy/E0uhJ18s16USrxcZSSUg
                                        D5GfeGeuLiT7f69a+g== )
; pending-answer
                        3179    DNSKEY  256 3 8 (
AwEAAatbrQTiZd0FdSVbnkRFiU5jf9ACOPc4
M0CK+G+Gla4gH3ClPunwqBJhvRtMkKdhGE93
lMuzjNkGakBrkFvzwHtIw9pWLxum2Idysf+J
xdhfSXNNYEzKcP0lCIjWf+iY2rtXoltVLxgT
2skvDgmbwq+a3Cb/7CAB/SmFRCl8tQJ4YpJl
kHiHPbWXljjiPWsj3/52hv45GHKQPi4vRzPe
                                        aw0=
                                        ) ; ZSK; alg = RSASHA256 ; key id = 54159 
                        3179    DNSKEY  257 3 8 (
AwEAAe5RHQBesQeThYEf56TkLfF5NysJv/H4
g1HeB7pnH25PsMVoVV/anWi7U3dSFsNzJ6nB
HwY/sdmxJ/HLunC/mLSo8ugB6G+UgtAgnlL3
u8Uq/3PYiBgpdNL+ldR0luV5WLAx8/1gG8JZ
w3Zu9VhurHKdGZso5ajSTFwBiY39lA0wWeDO
kZ2z/EV49JODt1i2N6KnvMTe5kD0qHXkP2oH
xTWOlf5vqUcmJmgfvLlGB1ROBT84xCm45Sfx
1U4FD8IPiOFrd9f/WcjPcW8MJFmzQmweVfKE
pF28s+YZ5wKid3gYESvaCeSvj7FHzdVUCcVh
                                        Fr2+XHeB8O8GTLqk7HgfdM8=
                                        ) ; KSK; alg = RSASHA256 ; key id = 46144 



--
--
Do things because you should, not just because you can.

John Thurston    907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to