In message <[EMAIL PROTECTED]>, Stephane Bortzmeyer writes:
> dig MX trstech.net 
> 
> makes a SERVFAIL. (The BIND resolver is set to dnssec-validation yes
> and uses the ISC DLV registry).
> 
> The domain is not signed and has no trust anchor at my resolver (BIND
> 9.5.0-P2). I cannot reproduce the problem with other similar (no
> signature, no trust anchor) domains.
> 
> The logfile says:
> 
> Nov  6 12:37:25 lilith named[22431]: not insecure resolving 'trstech.net/ANY/
> IN': 196.200.57.137#53
> Nov  6 12:37:25 lilith named[22431]: not insecure resolving 'trstech.net/ANY/
> IN': 147.28.0.39#53
> Nov  6 12:37:26 lilith named[22431]: not insecure resolving 'trstech.net/ANY/
> IN': 2001:4f8:feec::1#53
> 
> Despite the:
> 
>  logging {
>           channel dnssec_log {             // a DNSSEC log channel
>                   file "/var/tmp/bindlog/dnssec.log" size 20m;
>                   print-time yes;        // timestamp the entries
>                   print-category yes;    // add category name to entries
>                   print-severity yes;    // add severity level to entries
>                   severity debug 3;      
>           };
> 
>     category dnssec  { dnssec_log; };
> 
> There is nothing in /var/tmp/bindlog/dnssec.log.
> 
> This seems BIND specific. Using OARC DNSSEC resolvers, I see the same
> behavior on their BIND resolver (149.20.64.20) but not on the Unbound
> one (149.20.64.21).

        This is what happens when you publish a DLV record but don't
        configure the servers to return DNSSEC information.  Or you
        replace a signed zone with an unsigned zone and fail to
        remove the DS/DLV records prior to the change.  Given the
        procedures to add a DLV record I suspect the latter is the
        actual cause.

        The log messages are saying that the validation failed
        because there was no secure to insecure transition and all
        named is getting are insecure responses.

        Mark

; <<>> DiG 9.3.5-P2 <<>> trstech.net.dlv.isc.org dlv
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34801
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 4

;; QUESTION SECTION:
;trstech.net.dlv.isc.org.       IN      DLV

;; ANSWER SECTION:
trstech.net.dlv.isc.org. 3085   IN      DLV     36472 5 2 
FB0DA57E6C06EA0CF636C47016DCE1DAC81142A3FCA389D2CBA829FC 2E0EABE0
trstech.net.dlv.isc.org. 3085   IN      DLV     36472 5 1 
0B4B9F5A6CA4B0C800D2B432F1D206F176E8E00F

;; AUTHORITY SECTION:
dlv.isc.org.            3480    IN      NS      ns-ext.sth1.isc.org.
dlv.isc.org.            3480    IN      NS      ns-ext.lga1.isc.org.
dlv.isc.org.            3480    IN      NS      ns-ext.nrt1.isc.org.
dlv.isc.org.            3480    IN      NS      sfba.sns-pb.isc.org.
dlv.isc.org.            3480    IN      NS      ns-ext.isc.org.

;; ADDITIONAL SECTION:
sfba.sns-pb.isc.org.    3600    IN      A       149.20.64.3
ns-ext.isc.org.         3600    IN      A       204.152.184.64
sfba.sns-pb.isc.org.    3600    IN      AAAA    2001:4f8:0:2::19
ns-ext.isc.org.         3600    IN      AAAA    2001:4f8:0:2::13

;; Query time: 10 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov  7 00:34:04 2008
;; MSG SIZE  rcvd: 338


; <<>> DiG 9.3.5-P2 <<>> +dnssec +norec @rip.psg.com trstech.net mx
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4086
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;trstech.net.                   IN      MX

;; ANSWER SECTION:
trstech.net.            600     IN      MX      5 afribone.trstech.net.

;; AUTHORITY SECTION:
trstech.net.            600     IN      NS      afribone.trstech.net.
trstech.net.            600     IN      NS      rip.psg.com.

;; ADDITIONAL SECTION:
afribone.trstech.net.   600     IN      A       196.200.57.137
afribone.trstech.net.   600     IN      AAAA    2001:4f8:feec::1

;; Query time: 196 msec
;; SERVER: 2001:418:1::39#53(2001:418:1::39)
;; WHEN: Fri Nov  7 00:35:41 2008
;; MSG SIZE  rcvd: 148


; <<>> DiG 9.3.5-P2 <<>> +dnssec +norec @196.200.57.137 mx trstech.net
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17263
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;trstech.net.                   IN      MX

;; ANSWER SECTION:
trstech.net.            600     IN      MX      5 afribone.trstech.net.

;; AUTHORITY SECTION:
trstech.net.            600     IN      NS      rip.psg.com.
trstech.net.            600     IN      NS      afribone.trstech.net.

;; ADDITIONAL SECTION:
afribone.trstech.net.   600     IN      A       196.200.57.137
afribone.trstech.net.   600     IN      AAAA    2001:4f8:feec::1

;; Query time: 429 msec
;; SERVER: 196.200.57.137#53(196.200.57.137)
;; WHEN: Fri Nov  7 00:36:14 2008
;; MSG SIZE  rcvd: 148


; <<>> DiG 9.3.5-P2 <<>> dnskey trstech.net @rip.psg.com +dnssec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13533
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;trstech.net.                   IN      DNSKEY

;; AUTHORITY SECTION:
trstech.net.            600     IN      SOA     afribone.trstech.net. 
aalain.trstech.net. 2007112400 14400 3600 1209600 3600

;; Query time: 189 msec
;; SERVER: 2001:418:1::39#53(2001:418:1::39)
;; WHEN: Fri Nov  7 00:38:54 2008
;; MSG SIZE  rcvd: 92

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
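Mark's diagnosis above (stale DS/DLV records left behind when a zone goes unsigned, versus servers that never return DNSSEC data) can be turned into a check. The script below is an added example, not code from the thread or from ISC: it implements the RFC 4034 key-tag and DS-digest computation and classifies the zone's state from the same kinds of records shown in the dig output. The two DLV records and the empty DNSKEY answer for trstech.net are copied from the message; the key used to show the "secure" path is a constructed placeholder (random bytes, not a usable RSA key), and all function names are my own.

```python
"""Classify why a validating resolver returns SERVFAIL for a zone that has a
DLV/DS trust anchor.  Added example, not Mark Andrews' or ISC's code.

Sample input is embedded below: the trstech.net DLV records and the empty
DNSKEY answer from the thread, plus a constructed key for the 'secure' path.
"""
import base64
import hashlib
import struct

# RFC 4034 section 5.1.3 digest type numbers -> hash constructors
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}


def wire_name(owner: str) -> bytes:
    """Canonical wire form of an owner name: lower case, length-prefixed labels."""
    labels = owner.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the form used for every algorithm except RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """RFC 4034 section 5.1.4: digest = hash(owner wire name | DNSKEY RDATA), upper-case hex."""
    h = DIGEST_ALGOS[digest_type]()
    h.update(wire_name(owner) + rdata)
    return h.hexdigest().upper()


def diagnose(owner, anchors, dnskeys, have_rrsig):
    """Return one of: insecure, stale-anchor, no-dnssec-data, secure, key-mismatch.

    anchors:    (key_tag, algorithm, digest_type, digest_hex) tuples from DS or DLV records
    dnskeys:    (flags, protocol, algorithm, pubkey_b64) tuples answered by the zone
    have_rrsig: True if the zone's answers carried RRSIGs when queried with DO=1
    """
    if not anchors:
        return "insecure"        # no DS/DLV anywhere: validator treats the zone as unsigned
    if not dnskeys:
        return "stale-anchor"    # DS/DLV published but zone answers no DNSKEY: the thread's case
    if not have_rrsig:
        return "no-dnssec-data"  # keys exist but the servers do not return signatures
    for flags, proto, alg, key in dnskeys:
        rdata = dnskey_rdata(flags, proto, alg, key)
        tag = key_tag(rdata)
        for a_tag, a_alg, dtype, digest in anchors:
            if (a_tag, a_alg) != (tag, alg) or dtype not in DIGEST_ALGOS:
                continue
            if ds_digest(owner, rdata, dtype) == digest.replace(" ", "").upper():
                return "secure"
    return "key-mismatch"        # keys and signatures present, but no anchor matches any key


# DLV records for trstech.net as shown in the thread (dig prints the digest in chunks)
TRSTECH_DLV = [
    (36472, 5, 2, "FB0DA57E6C06EA0CF636C47016DCE1DAC81142A3FCA389D2CBA829FC 2E0EABE0"),
    (36472, 5, 1, "0B4B9F5A6CA4B0C800D2B432F1D206F176E8E00F"),
]
# The DNSKEY query to rip.psg.com answered ANSWER: 0, i.e. an empty set
TRSTECH_DNSKEYS = []

# Constructed placeholder key: arbitrary bytes, only used to exercise the matching code path
HYPO_KEY_B64 = base64.b64encode(b"constructed-example-key-bytes-not-a-real-rsa-key").decode()
HYPO_OWNER = "example.test."


def trstech_state():
    """The thread's situation: DLV anchors published, zone returns no DNSKEY."""
    return diagnose("trstech.net.", TRSTECH_DLV, TRSTECH_DNSKEYS, have_rrsig=False)


def demo_secure():
    """Derive DS digests from the placeholder key and confirm the secure path matches."""
    rdata = dnskey_rdata(257, 3, 5, HYPO_KEY_B64)
    anchors = [(key_tag(rdata), 5, dtype, ds_digest(HYPO_OWNER, rdata, dtype)) for dtype in (1, 2)]
    return diagnose(HYPO_OWNER, anchors, [(257, 3, 5, HYPO_KEY_B64)], have_rrsig=True)


if __name__ == "__main__":
    print("trstech.net:", trstech_state())
    print("placeholder zone:", demo_secure())
```

The remedy for the "stale-anchor" result is the one Mark describes: remove the DS/DLV records (or re-sign the zone) so the validator sees a consistent secure-to-insecure transition; the "no-dnssec-data" result instead points at authoritative servers that need DNSSEC enabled.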
