> On 15 Mar 2023, at 11:14, Tim Maestas <tmaesta...@gmail.com> wrote:
> 
> On Tue, Mar 14, 2023 at 4:34 PM Mark Andrews <ma...@isc.org> wrote:
> 
> 
> > On 15 Mar 2023, at 02:08, Alexandra Yang <draya...@gmail.com> wrote:
> > 
> > Hi Group,
> > 
> > I wonder if anyone can shed some light on this, our nameserver (BIND 9.16.37) 
> > keeps giving errors on resolving gpo.gov and ns3.gpo.gov, here are the 
> > errors:
> > 
> > Mar 14 10:23:32 ipam-dns-in-1 named[3713]:   validating gpo.gov/SOA: got 
> > insecure response; parent indicates it should be secure
> 
> For some reason you are not getting signed responses.  Are you using a 
> forwarder?
> 
> For what it's worth, I keep getting:
>  Mar 14 23:59:56 cl-dns1 named[19640]: view Caching:   validating 
> federalregister.gov/SOA: got insecure response; parent indicates it should be 
> secure
> Mar 14 23:59:56 cl-dns1 named[19640]: no valid RRSIG resolving 
> 'www.federalregister.gov/DS/IN': 162.140.254.200#53
> Mar 14 23:59:56 cl-dns1 named[19640]: view Caching:   validating 
> federalregister.gov/SOA: got insecure response; parent indicates it should be 
> secure
> Mar 14 23:59:56 cl-dns1 named[19640]: no valid RRSIG resolving 
> 'www.federalregister.gov/DS/IN': 162.140.15.100#53
> Mar 14 23:59:56 cl-dns1 named[19640]: broken trust chain resolving 
> 'www.federalregister.gov/A/IN': 162.140.15.100#53
> 
> ...no forwarders in use.  At some point the domain starts to validate as my 
> NTAs drop out unless I use -force, but then it starts to fail again.

Named should be sending queries with DO=1 and it should be getting back signed 
responses.  I suspect that you will need to run packet captures of the traffic 
to and from 162.140.15.100 and 162.140.254.200 port 53 from the nameserver.  
Either signed responses will cease or DNSSEC requests will cease.  In either  
case having the traffic around the transition should help to determine what is 
happening.

e.g. tcpdump -G 100 -w %Y%m%d%H%M%S.pcap port 53 and \( host 162.140.15.100 or 
host 162.140.254.200 \)

% tcpdump -r 20230315150938.pcap -n -vv
reading from file 20230315150938.pcap, link-type EN10MB (Ethernet), snapshot 
length 262144
15:10:12.496870 IP (tos 0x0, ttl 64, id 17293, offset 0, flags [none], proto 
UDP (17), length 88)
    172.30.42.109.55290 > 162.140.254.200.53: [udp sum ok] 1494% [1au] A? 
federalregister.gov. ar: . OPT UDPsize=1232 DO [COOKIE 1a42be4f8b283640] (60)
15:10:12.845984 IP (tos 0x0, ttl 229, id 53065, offset 0, flags [DF], proto UDP 
(17), length 506)
    162.140.254.200.53 > 172.30.42.109.55290: [udp sum ok] 1494*- q: A? 
federalregister.gov. 3/3/1 federalregister.gov. A 75.2.36.59, 
federalregister.gov. A 99.83.174.136, federalregister.gov. RRSIG ns: 
federalregister.gov. NS ns4.gpo.gov., federalregister.gov. NS ns3.gpo.gov., 
federalregister.gov. RRSIG ar: . OPT UDPsize=4096 DO (478)
15:10:12.851518 IP (tos 0x0, ttl 64, id 27024, offset 0, flags [none], proto 
UDP (17), length 88)
    172.30.42.109.58808 > 162.140.15.100.53: [udp sum ok] 32328% [1au] DNSKEY? 
federalregister.gov. ar: . OPT UDPsize=1232 DO [COOKIE a8086401dd8eae30] (60)
15:10:13.107025 IP (tos 0x0, ttl 230, id 37446, offset 0, flags [DF], proto UDP 
(17), length 1134)
    162.140.15.100.53 > 172.30.42.109.58808: [udp sum ok] 32328*- q: DNSKEY? 
federalregister.gov. 5/0/1 federalregister.gov. DNSKEY, federalregister.gov. 
DNSKEY, federalregister.gov. DNSKEY, federalregister.gov. RRSIG, 
federalregister.gov. RRSIG ar: . OPT UDPsize=4096 DO (1106)
%

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
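As an added illustration (not part of the thread or of BIND), a small Python parser for the validator log lines quoted above. It extracts the zone, record type and the authoritative server that answered from each "got insecure response", "no valid RRSIG" and "broken trust chain" line, then groups them by server so the operator knows which addresses a capture like the tcpdump command above should include. The sample lines are constructed from the ones in the thread plus one unrelated query-log line.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Mar 14 23:59:56 cl-dns1 named[19640]: view Caching:   validating federalregister.gov/SOA: got insecure response; parent indicates it should be secure
Mar 14 23:59:56 cl-dns1 named[19640]: no valid RRSIG resolving 'www.federalregister.gov/DS/IN': 162.140.254.200#53
Mar 14 23:59:56 cl-dns1 named[19640]: no valid RRSIG resolving 'www.federalregister.gov/DS/IN': 162.140.15.100#53
Mar 14 23:59:56 cl-dns1 named[19640]: broken trust chain resolving 'www.federalregister.gov/A/IN': 162.140.15.100#53
Mar 14 10:23:32 ipam-dns-in-1 named[3713]:   validating gpo.gov/SOA: got insecure response; parent indicates it should be secure
Mar 14 23:59:57 cl-dns1 named[19640]: client @0x7f 10.0.0.5#4242 (example.com): query: example.com IN A +E(0)K (10.0.0.1)
"""

# Syslog prefix; the "view <name>:" part is only present when named has several views.
PREFIX = (r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]:\s+"
          r"(?:view (?P<view>\S+):\s+)?")
SERVER = r"(?P<server>[\d.]+|[0-9a-f:]+)#\d+"
PATTERNS = {
    "insecure_expected_secure": re.compile(
        PREFIX + r"validating (?P<name>\S+)/(?P<rtype>\S+): got insecure response; "
        r"parent indicates it should be secure"),
    "no_valid_rrsig": re.compile(
        PREFIX + r"no valid RRSIG resolving '(?P<name>[^/]+)/(?P<rtype>[^/]+)/IN': " + SERVER),
    "broken_trust_chain": re.compile(
        PREFIX + r"broken trust chain resolving '(?P<name>[^/]+)/(?P<rtype>[^/]+)/IN': " + SERVER),
}


def parse_validation_failures(text):
    """Return one dict per recognised DNSSEC validation failure line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
    return events


def summarize(events):
    """Count failures per answering server (the addresses worth capturing) and per name."""
    by_server = defaultdict(lambda: defaultdict(int))
    by_name = defaultdict(int)
    for ev in events:
        by_name[ev["name"]] += 1
        if ev.get("server"):  # the "got insecure response" line names no server
            by_server[ev["server"]][ev["kind"]] += 1
    return {"by_server": {s: dict(k) for s, k in by_server.items()}, "by_name": dict(by_name)}


if __name__ == "__main__":
    print(summarize(parse_validation_failures(SAMPLE_LOG)))
```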
