I'm getting DNSSEC validation failures by BIND 9.10.4-P1 for www.hrsa.gov.

The pertinent log messages are things like:

   lame-servers: info: no valid RRSIG resolving 'webfarm.dr.hrsa.gov/DS/IN': 165.112.137.222#53
   lame-servers: info: no valid RRSIG resolving 'webfarm.dr.hrsa.gov/DS/IN': 162.99.248.222#53
   lame-servers: info: no valid DS resolving 'webfarm.dr.hrsa.gov/A/IN': 162.99.248.222#53
   lame-servers: info: broken trust chain resolving 'webfarm.dr.hrsa.gov/A/IN': 165.112.137.222#53
   lame-servers: info: insecurity proof failed resolving 'dr.hrsa.gov/SOA/IN': 162.99.248.222#53
   lame-servers: info: insecurity proof failed resolving 'dr.hrsa.gov/SOA/IN': 165.112.137.222#53

The dig output is:

   $ dig www.hrsa.gov @dns-spare.uiowa.edu

   ; <<>> DiG 9.10.3-P4-Debian <<>> www.hrsa.gov @dns-spare.uiowa.edu
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42947
   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags:; udp: 4096
   ;; QUESTION SECTION:
   ;www.hrsa.gov.                  IN      A

   ;; Query time: 103 msec
   ;; SERVER: fd9a:2c75:7d0c:5::2#53(fd9a:2c75:7d0c:5::2)
   ;; WHEN: Fri Jun 24 18:49:06 CDT 2016
   ;; MSG SIZE  rcvd: 41

It doesn't fail with a similar config on 9.10.3-P4, but there are admittedly config differences.

Other DNSSEC-signed things validate fine at both versions, so things are
mostly OK.

My guess is that BIND 9.10.4-P1 is checking something more stringently than
previous versions did, & that something is broken with the DNS for
www.hrsa.gov, but I can't spot what it is.  There are some very short TTLs (5
seconds) in the data tree in question, including for SOAs, which seems like a
really bad idea but I'm not sure it definitely breaks things.  There are also
some answers with both "AA" & "AD" set, which seems odd, but again, not
definitely broken.

dnsviz.net reports a couple of warnings, including a non-AA answer from
authoritative servers, but it doesn't say it's bogus.

If anybody can spot something broken for www.hrsa.gov, I'd be very glad to
hear about it.

________________________________________________________________________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-5555

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
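Added example (not part of the post above and not BIND code): the first part groups the posted lame-servers lines by query name, type and authoritative server so the failing zone cut (hrsa.gov -> dr.hrsa.gov) stands out; the second part models the check that produces "insecurity proof failed", i.e. the RFC 4035 section 5.2 / RFC 6840 section 4.4 rule that a signed parent must return either an authenticated DS RRset or an authenticated NSEC at the cut with NS set and DS and SOA clear. The NSEC and DS records in `demo()` are constructed for illustration and are not the real hrsa.gov data; RRSIG verification is abstracted to a per-RRset flag.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# --- 1. Triage the "lame-servers" messages ---------------------------------
# Constructed sample: the six lines from the post, unwrapped.
SAMPLE_LOG = """\
lame-servers: info: no valid RRSIG resolving 'webfarm.dr.hrsa.gov/DS/IN': 165.112.137.222#53
lame-servers: info: no valid RRSIG resolving 'webfarm.dr.hrsa.gov/DS/IN': 162.99.248.222#53
lame-servers: info: no valid DS resolving 'webfarm.dr.hrsa.gov/A/IN': 162.99.248.222#53
lame-servers: info: broken trust chain resolving 'webfarm.dr.hrsa.gov/A/IN': 165.112.137.222#53
lame-servers: info: insecurity proof failed resolving 'dr.hrsa.gov/SOA/IN': 162.99.248.222#53
lame-servers: info: insecurity proof failed resolving 'dr.hrsa.gov/SOA/IN': 165.112.137.222#53
"""

LOG_RE = re.compile(
    r"lame-servers: info: (?P<reason>.+?) resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[^/']+)/IN': (?P<server>[0-9A-Fa-f.:]+)#\d+")

def triage(log: str) -> dict:
    """Map (qname, qtype) -> {reason: [servers]} so the failing zone cut and
    the authoritative servers involved stand out."""
    found = defaultdict(lambda: defaultdict(set))
    for m in LOG_RE.finditer(log):
        found[(m["qname"], m["qtype"])][m["reason"]].add(m["server"])
    return {k: {r: sorted(s) for r, s in v.items()} for k, v in found.items()}

# --- 2. The insecurity proof itself ----------------------------------------
# For a signed parent (hrsa.gov) to hand off to a child (dr.hrsa.gov), the
# parent's DS response must carry either an authenticated DS RRset (secure
# delegation) or an authenticated NSEC at the cut with NS set and DS and SOA
# clear (insecure delegation).  Anything else is bogus -> SERVFAIL.  NSEC3
# hashes the owner names but the decision is the same.

def canonical_key(name: str) -> tuple:
    """RFC 4034 s.6.1 canonical order: labels compared from the root, lower-cased,
    so a parent sorts before every name beneath it."""
    name = name.rstrip(".").lower()
    return tuple(reversed(name.split("."))) if name else ()

@dataclass
class NSEC:
    owner: str
    next_name: str
    types: frozenset
    rrsig_valid: bool = True        # assumed outcome of RRSIG verification

@dataclass
class DSResponse:
    """Parent's answer to <child>/DS: a DS RRset and/or NSEC records."""
    ds_present: bool = False
    ds_rrsig_valid: bool = False
    nsec: list = field(default_factory=list)

def nsec_covers(rec: NSEC, name: str) -> bool:
    """True if name falls strictly between owner and next (wrapping at the apex)."""
    o, n, q = (canonical_key(x) for x in (rec.owner, rec.next_name, name))
    return o < q < n if o < n else (q > o or q < n)

def classify_delegation(child: str, resp: DSResponse) -> str:
    """'secure', 'insecure', 'no_cut' (parent says the name is not a delegation)
    or 'bogus' (what BIND logs as 'insecurity proof failed')."""
    if resp.ds_present:
        return "secure" if resp.ds_rrsig_valid else "bogus"
    for rec in resp.nsec:
        if not rec.rrsig_valid:
            continue                # an unauthenticated NSEC proves nothing
        if canonical_key(rec.owner) == canonical_key(child):
            if "DS" in rec.types or "SOA" in rec.types:
                return "bogus"      # DS does exist, or NSEC is the child's apex record
            return "insecure" if "NS" in rec.types else "no_cut"
        if nsec_covers(rec, child):
            return "no_cut"         # name does not exist at the parent
    return "bogus"

def demo() -> dict:
    """Constructed scenarios (not the real hrsa.gov records)."""
    child = "dr.hrsa.gov."
    ok = NSEC("dr.hrsa.gov.", "www.hrsa.gov.", frozenset({"NS", "RRSIG", "NSEC"}))
    bad_sig = NSEC(ok.owner, ok.next_name, ok.types, rrsig_valid=False)
    child_side = NSEC("dr.hrsa.gov.", "webfarm.dr.hrsa.gov.", frozenset({"SOA", "NS", "DNSKEY"}))
    not_covering = NSEC("hrsa.gov.", "data.hrsa.gov.", frozenset({"SOA", "NS", "DNSKEY"}))
    covering = NSEC("hrsa.gov.", "www.hrsa.gov.", frozenset({"SOA", "NS", "DNSKEY"}))
    return {
        "signed_ds": classify_delegation(child, DSResponse(True, True)),
        "unsigned_ds": classify_delegation(child, DSResponse(True, False)),
        "proved_no_ds": classify_delegation(child, DSResponse(nsec=[ok])),
        "nsec_bad_sig": classify_delegation(child, DSResponse(nsec=[bad_sig])),
        "child_side_nsec": classify_delegation(child, DSResponse(nsec=[child_side])),
        "nsec_not_covering": classify_delegation(child, DSResponse(nsec=[not_covering])),
        "nsec_covering": classify_delegation(child, DSResponse(nsec=[covering])),
        "empty_answer": classify_delegation(child, DSResponse()),
    }

if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_LOG).items():
        print(key, dict(reasons))
    for name, verdict in demo().items():
        print(f"{name:18} -> {verdict}")
```

To feed the model with real data instead of the constructed records, ask the hrsa.gov authoritative servers directly for `dr.hrsa.gov DS` with `dig +dnssec +norecurse` and compare what comes back (DS, NSEC/NSEC3 and their RRSIGs, and whether the AA flag is set) against the conditions in `classify_delegation`; `delv +vtrace` against the same servers prints the validator's own view of the same steps.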