I have trouble resolving the host name dnssecnsec3qatestdomain.com., which is
NSEC3 signed. This is the parent and child zone. If I run dig (DNSSEC
query) with the +cd option, I get a proper response:

[r...@stulcqanusbind1 ~]# dig  dnssecnsec3qatestdomain.com. any +dnssec +cd

; <<>> DiG 9.7.1-P2 <<>>  dnssecnsec3qatestdomain.com. any +dnssec +cd
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1601
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 8, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssecnsec3qatestdomain.com.   IN      ANY

;; ANSWER SECTION:
dnssecnsec3qatestdomain.com. 86396 IN   RRSIG   A 7 2 86400 20200831000000 20100831205954 61559 dnssecnsec3qatestdomain.com. A4HqcGYSyEoM7Y75MoRaK4zzNiuL45tq+AnfUIrxxEIPkIOI12FmFyhY JOQN216QkTbYkJBlNwe2Ky1SRGjwhQ==
dnssecnsec3qatestdomain.com. 86396 IN   A       12.12.1.0
dnssecnsec3qatestdomain.com. 86396 IN   A       255.12.1.0
dnssecnsec3qatestdomain.com. 86396 IN   RRSIG   SOA 7 2 86400 20200831000000 20100831205954 61559 dnssecnsec3qatestdomain.com. eAV/LHcB3WLA9ULvsz/kcVJ63XeJCX/YAOu9ZFUM+SVDIW/BAUXNfq9O iNBuukgDBlFZFOQyblfgjpcSW3CQMw==
dnssecnsec3qatestdomain.com. 86396 IN   SOA     udns1.ultradns.net. bitbuck...@qa.neustar.com. 2009111903 10800 3600 2592000 86400
dnssecnsec3qatestdomain.com. 86396 IN   RRSIG   NS 7 2 86400 20200831000000 20100831205954 61559 dnssecnsec3qatestdomain.com. r11osNc3HFoVFWjC1iNN9Yv3IKGvApbZwkNLdK5HTlPt+3UDB2Do7RvT 9SSJaZYLj4PEC8Gp6lT1L+0LlsEP9w==
dnssecnsec3qatestdomain.com. 86396 IN   NS      udns2.ultradns.net.
dnssecnsec3qatestdomain.com. 86396 IN   NS      udns1.ultradns.net.

;; AUTHORITY SECTION:
dnssecnsec3qatestdomain.com. 86396 IN   NS      udns2.ultradns.net.
dnssecnsec3qatestdomain.com. 86396 IN   NS      udns1.ultradns.net.
dnssecnsec3qatestdomain.com. 86396 IN   RRSIG   NS 7 2 86400 20200831000000 20100831205954 61559 dnssecnsec3qatestdomain.com. r11osNc3HFoVFWjC1iNN9Yv3IKGvApbZwkNLdK5HTlPt+3UDB2Do7RvT 9SSJaZYLj4PEC8Gp6lT1L+0LlsEP9w==

But dig (DNSSEC query) without the +cd option returns SERVFAIL.

[r...@stulcqanusbind1 ~]# dig  dnssecnsec3qatestdomain.com. any +dnssec

; <<>> DiG 9.7.1-P2 <<>> @ dnssecnsec3qatestdomain.com. any +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7437
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssecnsec3qatestdomain.com.   IN      ANY

In my logs I am getting messages:

Jan  7 13:17:55  named[17154]: error (no valid RRSIG) resolving 'dnssecnsec3qatestdomain.com/DNSKEY/IN': 10.31.142.103#53
Jan  7 13:17:55  named[17154]: error (broken trust chain) resolving 'dnssecnsec3qatestdomain.com/ANY/IN': 10.31.142.103#53

when doing the query without the +cd option.

Can you figure out what would be the exact problem?

Thanks & Regards,

Ramesh
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
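
Added example, not part of the original post: a Python check that parses the RRSIG records out of `dig +dnssec +cd` output and applies the tests a validator runs before any signature math (validity window, signer name, labels count), then lists needed RRset types that carry no signature in the answer. The sample input is constructed from the record fields shown in the post with a placeholder signature, and the year used for "now" is an assumption because the log lines carry none.

```python
import re
from datetime import datetime, timezone

# RRSIG presentation format, RFC 4034 section 3.2: type covered, algorithm,
# labels, original TTL, expiration, inception, key tag, signer, signature.
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+(?P<alg>\d+)\s+"
    r"(?P<labels>\d+)\s+\d+\s+(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+"
    r"(?P<keytag>\d+)\s+(?P<signer>\S+)\s+\S", re.M)

def _ts(stamp):  # RRSIG times are YYYYMMDDHHmmSS in UTC
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """Return one dict of fields per RRSIG record in dig-style output."""
    return [m.groupdict() for m in RRSIG_RE.finditer(text)]

def check_rrsig(sig, now):
    """Reasons a validator rejects this RRSIG before any signature math."""
    problems = []
    if now < _ts(sig["incept"]):
        problems.append("not yet valid")
    if now > _ts(sig["expire"]):
        problems.append("expired")
    owner, signer = sig["owner"].lower(), sig["signer"].lower()
    if owner != signer and not owner.endswith("." + signer):
        problems.append("signer is not the owner's zone")
    if int(sig["labels"]) > len(owner.rstrip(".").split(".")):
        problems.append("labels field exceeds owner name")
    return problems

def missing_coverage(sigs, needed=("DNSKEY",)):
    """RRset types a validator needs that have no RRSIG in this answer."""
    covered = {s["covered"] for s in sigs}
    return [t for t in needed if t not in covered]

# Constructed sample: record fields as in the +cd answer in the post, one
# record per line, with the signature replaced by a placeholder.
_F = "7 2 86400 20200831000000 20100831205954 61559 dnssecnsec3qatestdomain.com. cGxhY2Vob2xkZXI="
SAMPLE = "\n".join(
    f"dnssecnsec3qatestdomain.com. 86396 IN RRSIG {t} {_F}" for t in ("A", "SOA", "NS")
) + "\ndnssecnsec3qatestdomain.com. 86396 IN A 12.12.1.0\n"

if __name__ == "__main__":
    now = datetime(2011, 1, 7, 13, 17, 55, tzinfo=timezone.utc)  # year assumed
    sigs = parse_rrsigs(SAMPLE)
    for s in sigs:
        print(s["covered"], "key tag", s["keytag"], check_rrsig(s, now) or "window ok")
    print("no RRSIG seen for:", missing_coverage(sigs))
```

An ANY answer from a cache holds only what is cached, so a type reported as missing is a cue to query that type directly (for instance DNSKEY with `+dnssec +cd`), not a verdict on the zone.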
