On May 24 2011, I wrote:

We are getting DNSSEC-related SERVFAILs on names in bund.de (e.g.
mx1.bund.de). This happens with all of BIND 9.7.3-P1, 9.7.4b1 and
9.8.0-P1 configured with the root and dlv.isc.org trust anchors.

However, I can't see what is actually wrong with it, using dig +cd as
necessary. All the signatures appear to have valid start/stop times, and
http://dnsviz.net/d/mx1.bund.de/dnssec/ seems pretty happy with it. There
are a lot of false trails (e.g. the DS records for it in "de") but that
shouldn't stop BIND finding the one that works (DLV in dlv.isc.org ->
KSK with tag 10923 -> ZSK with tag 4814), should it?

It may be significant that this problem was reported to us on the same
day that obscured DNSKEY records were introduced into the "de" zone...

That seems almost certain to be the precipitating event, in fact.
I can produce the same effect for all 31 zones that are both registered
in dlv.isc.org *and* have a DS record in dlv.isc.org:

 adns1.de.                           ralf-pulz.de.
 brj-berlin.de.                      reichel-jens.de.
 btw-kinderdorf.de.                  schrimpe.de.
 buergerhaushalt-marzahn.de.         sgfun.de.
 bund.de.                            sgmail.de.
 com.de.                             stadtteilzeitung-nordwest.de.
 exanames.de.                        stefan-gransow.de.
 gun.de.                             stegranet.de.
 idkom-networks.de.                  steinmuss.de.
 ifw-dresden.de.                     unixbuero.de.
 iks-jena.de.                        verein-kiekin.de.
 ipse-online.de.                     wartenbergerhof.de.
 judo-dresden.de.                    wikileaks.de.
 ombudschaft.de.                     zrb-kiekin.de.
 ombudschaft-jugendhilfe.de.

Among other oddities:

 dig +dnssec dnskey [zone] gives the right answer *without* the ad bit
 dig +dnssec soa [zone] gives SERVFAIL, unless +cd is used as well.

--
Chris Thompson
Email: c...@cam.ac.uk
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
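When the resolver only says SERVFAIL, the DS -> KSK -> ZSK trail can be checked by hand. This added Python example (mine, not from the original post or from BIND) computes the RFC 4034 key tag and DS digest for a DNSKEY and reports which DS records actually point at it, so a DS with a plausible tag but a stale digest shows up as a false trail. The zone name and key bytes are constructed placeholders; the real bund.de DNSKEY and dlv.isc.org DS records are not on the page and would be pasted in from dig +cd output.

```python
import base64
import hashlib
import struct

# Constructed sample: a DNSKEY for a hypothetical zone. The 4-byte "public key"
# is a placeholder, not real key material, and the zone is not bund.de.
ZONE = "example.net."

def name_to_wire(name):
    """Owner name in canonical (lowercased) DNS wire format."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").lower().split(".") if l)
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA as on the wire: flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag, the number dig prints as 'id = NNNN'."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """RFC 4034 5.1.4: digest over owner-name wire form + DNSKEY RDATA."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256}
    if digest_type not in hashers:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    return hashers[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def matching_keys(owner, ds_records, dnskeys):
    """Return key tags of DNSKEYs that some DS (tag, alg, dtype, digest) really
    points at. A DS with the right tag but a wrong digest is a false trail."""
    found = []
    for rdata in dnskeys:
        for tag, alg, dtype, digest in ds_records:
            if (tag == key_tag(rdata) and alg == rdata[3]
                    and digest.upper() == ds_digest(owner, rdata, dtype)):
                found.append(tag)
    return found

# KSK (flags 257, SEP bit), protocol 3, RSASHA256 (8), placeholder key bytes.
SAMPLE_RDATA = dnskey_rdata(257, 3, 8, base64.b64encode(bytes([1, 2, 3, 4])).decode())

if __name__ == "__main__":
    tag = key_tag(SAMPLE_RDATA)
    good_ds = (tag, 8, 2, ds_digest(ZONE, SAMPLE_RDATA))
    stale_ds = (tag, 8, 2, "00" * 32)  # right tag, wrong digest: will not validate
    print("key tag:", tag)
    print("usable DS:", matching_keys(ZONE, [good_ds, stale_ds], [SAMPLE_RDATA]))
```

Paste the DNSKEY RDATA fields from `dig +cd +dnssec dnskey bund.de` and the DS tuples from the dlv.isc.org and "de" answers to see which of the many DS records is the one BIND should be able to follow.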