Hi Mukund

> Are you able to reproduce the bug with the latest stock version of BIND
> 9.9? 9.9.4 is very old and that branch has had numerous bugfixes since.
> I'm not able to reproduce such a validation failure with 9.9.11:

At the moment the latest patched version of BIND available for CentOS 7 is
9.9.4-50. The policy has been to stick with the patches / versions
distributed by the distro rather than getting the latest. So, I will have to
try the new version and see if the problem persists.

I have looked around a bit more and this is where it starts getting
interesting. For hosts that are not mapped to a CNAME, this works perfectly
fine. See below for host ns.icann.org:

# dig @localhost ns.icann.org A +dnssec

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> @localhost ns.icann.org A +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31866
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ns.icann.org.                  IN      A

;; ANSWER SECTION:
ns.icann.org.           3600    IN      A       199.4.138.53
ns.icann.org.           3600    IN      RRSIG   A 7 3 3600 20170914022301 20170824010741 56445 icann.org. DFfGY0h65bDzMHNSkf9cmM8vHbIeOyupdw5HeagBiWzQMAbzvtc4w5et N+1P2zeOPvCvYiBcUsHi+JGqyB0q6gpyZMcXFbMGRPnp931B+F6MUnZL H2+2PDhkBrZ1EtyVaS8s8IyZ9XOuzJKNwOQBt4mNdFhpvrpWmXMc1zTQ OYX1Kqg=

;; AUTHORITY SECTION:
icann.org.              86393   IN      NS      a.iana-servers.net.
icann.org.              86393   IN      NS      ns.icann.org.
icann.org.              86393   IN      NS      c.iana-servers.net.
icann.org.              86393   IN      NS      b.iana-servers.net.
icann.org.              86393   IN      RRSIG   NS 7 2 86400 20170915091737 20170825024031 56445 icann.org. P7offNJTV/zX8mZVC7x6uwvhZrdLzLNM/r1tsp4g7yaprD6LY//TLbNc tIdbFjZdml7CYYZxZSecmb5Uzo8O7sHS+1xdandh6KxPfo47mO+Ge6JI JmspnEaOxOlK7Vp3RGCqdeUasxIpwjHlNa+4rZ30ImmKxsAGC9oq01ey d/JE8j8=

;; ADDITIONAL SECTION:
a.iana-servers.net.     172793  IN      A       199.43.135.53
a.iana-servers.net.     172793  IN      AAAA    2001:500:8f::53
b.iana-servers.net.     172793  IN      A       199.43.133.53
b.iana-servers.net.     172793  IN      AAAA    2001:500:8d::53
c.iana-servers.net.     172793  IN      A       199.43.134.53
c.iana-servers.net.     172793  IN      AAAA    2001:500:8e::53
ns.icann.org.           86393   IN      AAAA    2001:500:89::53
ns.icann.org.           3600    IN      RRSIG   AAAA 7 3 3600 20170913162548 20170824010741 56445 icann.org. cSpl1KEIPeFTzXBhjn9CMA+Y4iVG92++kdzxoTzRhgEMsH2Xud/s8Mg1 DBEc07xMgou5OqyGvlbOxP1F2c/dOFrQBMBuojBmG4ltIj663GYshyFy 3sxqNJGATHDDJ7Sk8eiYFazct09Z2wQ73UdwKGXuzM4bD9LrXUYP0rnJ l0xEen8=

However, when I try the same thing for www.icann.org, I get SERVFAIL like
below:

# dig @localhost www.icann.org A +dnssec

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> @localhost www.icann.org A +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30814
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.icann.org.                 IN      A

;; Query time: 4237 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Aug 31 10:06:23 +06 2017
;; MSG SIZE  rcvd: 42

So, I am beginning to wonder if there is an issue between DNSSEC and CNAME in
the 9.9.4-50 version of BIND. With checking disabled (as suggested by Tony),
it resolves correctly:

# dig @localhost www.icann.org A +cd

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> @localhost www.icann.org A +cd
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53618
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.icann.org.                 IN      A

;; ANSWER SECTION:
www.icann.org.          3386    IN      CNAME   www.vip.icann.org.
www.vip.icann.org.      30      IN      A       192.0.32.7

;; AUTHORITY SECTION:
vip.icann.org.          3382    IN      NS      gtm1.dc.icann.org.
vip.icann.org.          3382    IN      NS      gtm1.mdr.icann.org.
vip.icann.org.          3382    IN      NS      gtm1.lax.icann.org.

With +cd and +sigchase, the resolver is able to find the RRSIG data fine, but
once checking is enabled, it just fails:

# dig @localhost www.icann.org A +cd +sigchase

;; RRset to chase:
www.icann.org.          3039    IN      CNAME   www.vip.icann.org.

;; RRSIG of the RRset to chase:
www.icann.org.          3039    IN      RRSIG   CNAME 7 3 3600 20170914195717 20170824110741 56445 icann.org. GoSDthX9s2BsyaT/AYyfNKixR8UMVF/fx3zz5U9XPIVJUkpp3g9xyuZy wxO7aTVgiPaESUOttGGn4xs9KMzZ4BcI6bmOAehYubS6AaAb6YdbweR4 S6O3qiNMT5Sai4BrfmvITGjigyNXSb3vc8fsSeUPJVdR8gmObfzbJbdn VW+NoRo=

Launch a query to find a RRset of type DNSKEY for zone: icann.org.

;; DNSKEYset that signs the RRset to chase:
icann.org.              2900    IN      DNSKEY  256 3 7 AwEAAebfIXOw6kz9YDpBWe6s9xjc8F6ZDo+/LdyOfel/9ghIhnsxDU3W fmmevVXWHQm5J+SMFhRk8nidYuR9dT0D7NgloPb3LJmu8Anm1cDIokN2 +1gknvY2eAuK9t/cadh+rZpZRzTKr2DnvQoarQOzvTFurpkZhsXvl8NM UsTIIdUWP0hP
....
....

--
Ganga

--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/
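An added example, not part of Ganga's post and not ISC code: a small POSIX shell triage script that encodes the comparison used above (the same name queried with +dnssec and then with +cd) and pulls the CNAME chain out of the checking-disabled answer, so the test can be repeated as-is against the distro build and against 9.9.11. The function names, the classification labels and the SAMPLE_* variables are mine; the samples are constructed from the dig headers and answer sections quoted in the post. Only live_triage calls the real dig and needs network; everything else runs offline.

```shell
#!/bin/sh
# Added example (not from the post or from ISC): classify a resolver answer by
# comparing a validating query (+dnssec) with a checking-disabled one (+cd).
# SAMPLE_* below are constructed from the dig output quoted in the post.

# RCODE from a dig response on stdin (NOERROR, SERVFAIL, ...).
dig_status() {
    sed -n 's/.*opcode: QUERY, status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Header flags from a dig response on stdin, e.g. "qr rd ra ad".
dig_flags() {
    sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1
}

# has_flag "<flag list>" <flag>: true if the flag is present.
has_flag() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# "owner -> target" for every CNAME record in a dig response on stdin
# (comment lines starting with ';' and RRSIG lines are ignored).
cname_chain() {
    sed -n 's/^\([^;[:space:]][^[:space:]]*\)[[:space:]]\{1,\}[0-9]\{1,\}[[:space:]]\{1,\}IN[[:space:]]\{1,\}CNAME[[:space:]]\{1,\}\(.*\)$/\1 -> \2/p'
}

# triage "<+dnssec output>" "<+cd output>" prints one of:
#   secure              validating answer is NOERROR and carries the AD bit
#   insecure            validating answer is NOERROR without AD
#   validation-failure  SERVFAIL only while checking is enabled
#   resolution-failure  fails even with +cd, so not a DNSSEC problem
triage() {
    vstatus=$(printf '%s\n' "$1" | dig_status)
    vflags=$(printf '%s\n' "$1" | dig_flags)
    cstatus=$(printf '%s\n' "$2" | dig_status)
    if [ "$vstatus" = NOERROR ]; then
        if has_flag "$vflags" ad; then echo secure; else echo insecure; fi
    elif [ "$vstatus" = SERVFAIL ] && [ "$cstatus" = NOERROR ]; then
        echo validation-failure
    else
        echo resolution-failure
    fi
}

# live_triage <name> <server>: run both dig queries for real (needs network).
live_triage() {
    triage "$(dig @"$2" "$1" A +dnssec)" "$(dig @"$2" "$1" A +cd)"
}

# Constructed samples, reduced to the lines the functions above look at.
SAMPLE_SECURE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31866
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 9
EOF
)
SAMPLE_SERVFAIL=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30814
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
)
SAMPLE_CD=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53618
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 7
;; ANSWER SECTION:
www.icann.org.          3386    IN      CNAME   www.vip.icann.org.
www.vip.icann.org.      30      IN      A       192.0.32.7
;; AUTHORITY SECTION:
vip.icann.org.          3382    IN      NS      gtm1.dc.icann.org.
EOF
)

echo "ns.icann.org:  $(triage "$SAMPLE_SECURE" "$SAMPLE_CD")"    # secure
echo "www.icann.org: $(triage "$SAMPLE_SERVFAIL" "$SAMPLE_CD")"  # validation-failure
printf '%s\n' "$SAMPLE_CD" | cname_chain   # www.icann.org. -> www.vip.icann.org.
```

The "validation-failure" label only says that the resolver could fetch the data but refused to validate it; it does not say why. The cname_chain line is there because the +cd answer above shows the target, www.vip.icann.org, sitting under vip.icann.org, which has its own NS set, so the validator has to follow that chain, not just the RRSIG on www.icann.org, before it can set AD.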