Hi Greg,

We can't see the beginning of the trace for the query so we can't know for sure, but if you are indeed running with dnssec=process this line hints at the fact that the client requested validation:

"Sending out SERVFAIL for cape-epic.com|A because recursor or query demands it for Bogus results"

Please be aware that recent versions of dig set the AD and DO bits to 1 by default, and you have to use +nodnssec +noadflag to be sure they are not set.

Best regards,
Remi

On 03/12/2018 10:22 AM, Greg Antic wrote:
> Hi Remi,
>
> Thanks. Yes, I read [1] during my troubleshooting. When doing a dig or just
> browsing from the FTTH customer the A record would not get returned. When I
> "turned off" the dnssec we were answered with the A record. I tested this on
> version 4.1.1 and 4.0.6.
>
> See below traces and journal log, the trace receives the A record but if you
> specifically query it you get SERVFAIL.
>
> Current DNSSEC config:
> dnssec=process
> dnssec-log-bogus=yes
>
> rec_control trace-regex 'cape-epic.com'
> ok
> ok
> ok
>
> dig a cape-epic.com +trace -b 41.x.y.z
>
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> a cape-epic.com +trace -b 41.x.y.z
> ;; global options: +cmd
> .                       3420    IN      NS      b.root-servers.net.
> .                       3420    IN      NS      e.root-servers.net.
> .                       3420    IN      NS      i.root-servers.net.
> .                       3420    IN      NS      d.root-servers.net.
> .                       3420    IN      NS      k.root-servers.net.
> .                       3420    IN      NS      m.root-servers.net.
> .                       3420    IN      NS      l.root-servers.net.
> .                       3420    IN      NS      h.root-servers.net.
> .                       3420    IN      NS      c.root-servers.net.
> .                       3420    IN      NS      g.root-servers.net.
> .                       3420    IN      NS      f.root-servers.net.
> .                       3420    IN      NS      a.root-servers.net.
> .                       3420    IN      NS      j.root-servers.net.
> .                       3420    IN      RRSIG   NS 8 0 518400 20180325050000 20180312040000 41824 .
>                                         dSAaK8AjXy31BE5RQ+2a/F+ZLfOdStqejfFkKhRSyGptTP0GjSB/Q6pi
>                                         vB/lI3725G+qEylD7MylOQqyvE1uA/CU3KJDNc00xbGTlEFiTbarzK6p
>                                         gwbReoujqD09C3ZKGKqAkpql4LHwe5LB4kcD8eapBzs+tCFS8ioNW9kF
>                                         XOpeTaeB/yJxSPS/AwQSwZGnmW/XOkh13iurfa69tOlJ/3f5Zw5FLsoQ
>                                         2u2sL2ZSFUzkBiSlPA3eLgzYiWwBubfrA7HJudhktUkK/LK4IaK+U7u/
>                                         FuBMwGyLjARCltI9Q8wR1S/x93UmEi1XF4FCRwCWE7jj1QjBv93M+q5m
>                                         j8SZwQ==
> ;; Received 540 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
>
> com.                    172800  IN      NS      d.gtld-servers.net.
> com.                    172800  IN      NS      b.gtld-servers.net.
> com.                    172800  IN      NS      k.gtld-servers.net.
> com.                    172800  IN      NS      l.gtld-servers.net.
> com.                    172800  IN      NS      e.gtld-servers.net.
> com.                    172800  IN      NS      a.gtld-servers.net.
> com.                    172800  IN      NS      j.gtld-servers.net.
> com.                    172800  IN      NS      h.gtld-servers.net.
> com.                    172800  IN      NS      m.gtld-servers.net.
> com.                    172800  IN      NS      i.gtld-servers.net.
> com.                    172800  IN      NS      f.gtld-servers.net.
> com.                    172800  IN      NS      c.gtld-servers.net.
> com.                    172800  IN      NS      g.gtld-servers.net.
> com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
> com.                    86400   IN      RRSIG   DS 8 1 86400 20180325050000 20180312040000 41824 .
>                                         P1ZaS7sTZ3Cyn5XPnodl1rgsi6yZujPwnm8sWHG/pFXc3+muO+YFIe9S
>                                         dF5aOqzitsIJIc4Sp3M1aRjiOakvgVPx4IiSVinBUWA84HPeZ0I+eyUK
>                                         7KUFRH24ixXGhJGjzIdj867RwatqGq64veehKAU2xUcaitysyaewEJ2K
>                                         qM060xVV38rkXZA2WIpEz7fTZqyJ/7jfRmZTkixkEWfZbIWhht4OWCqa
>                                         jKbNN/0poaRYa2M+rQ56OtYWwOY6ZMFvMVOSpzXZ8Y+gyYkSzhXDhceE
>                                         Yd0FFEpeUyKVfUdvwG1NPj3sepkUgg8EGcqL0rKLNmOYxLMFZSx95BU+
>                                         IWmGJg==
> ;; Received 1173 bytes from 202.12.27.33#53(m.root-servers.net) in 177 ms
>
> cape-epic.com.          172800  IN      NS      pdns11.domaincontrol.com.
> cape-epic.com.          172800  IN      NS      pdns12.domaincontrol.com.
> cape-epic.com.          86400   IN      DS      64969 8 1 2AA8209D01A6283ECBD60F083BFB552F64783536
> cape-epic.com.          86400   IN      DS      22732 8 1 ABFD3FC903A8DE4DEEC3EC90D18D936C61523BAF
> cape-epic.com.          86400   IN      RRSIG   DS 8 2 86400 20180316045929 20180309044929 46967 com.
>                                         T0NAU9r4tknlWi/Vl4U1Lby4H5xWsR0I7Om6xXvppBZjxtkYxSWq7Oqp
>                                         R/okDcPjKwOkDeJwLlX6WdQzEtk9G+L3vleC1NQeOAFXke9F1G5C4P+/
>                                         haNCklxBPhEoo3fJT9OABhIt1lPl1NR9PtJ3jUMhWL/m/wk90/4ZGHxu
>                                         pw4=
> ;; Received 421 bytes from 192.55.83.30#53(m.gtld-servers.net) in 157 ms
>
> cape-epic.com.          600     IN      A       154.0.167.107
> cape-epic.com.          600     IN      RRSIG   A 8 2 600 20180315200642 20180228200642 32211 cape-epic.com.
>                                         Xx8/sbvlElY8Ix80/bEn9xia3algcBHNZNfaeOjj5Ly/Z0ZdrMHINR8C
>                                         noTDzwJtIHreVNsygOgbQxweN/OgnZ/h5yZ4aWHiAXxfB2YB8tRx0pmv
>                                         Qoq5yEkFS8vHpawW5nRfEQn3E188jVAxOIIt8kM3BaOvZheK10P5yUs1
>                                         mu0=
> cape-epic.com.          3600    IN      NS      pdns12.domaincontrol.com.
> cape-epic.com.          3600    IN      NS      pdns11.domaincontrol.com.
> cape-epic.com.          3600    IN      NS      ns.otherdns.com.
> cape-epic.com.          3600    IN      NS      ns.otherdns.net.
> cape-epic.com.          3600    IN      NS      ns.dns2.co.za.
> cape-epic.com.          3600    IN      NS      ns.dns1.co.za.
> cape-epic.com.          3600    IN      RRSIG   NS 8 2 3600 20180315200642 20180228200642 32211 cape-epic.com.
>                                         cQRz7CUiv0FIF1zjZqaBX0oBrYrfpVj3NAYxjRXMiUMJpCd0s5+KItvM
>                                         LSnGBtm4TIiTnG5GF0b2hpvY0UGhUHQQxFD1IETXarDeZrvJhx6qfKSJ
>                                         N0QrqobqSsjTw19J39kLyvVE7OM5YqyFqj9yXC+LPXjc4xjzARNpSQNH
>                                         OHw=
> ;; Received 564 bytes from 216.69.185.55#53(pdns11.domaincontrol.com) in 157 ms
>
> dig a cape-epic.com @41.x.y.z
>
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> a cape-epic.com @41.x.y.z
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14308
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;cape-epic.com.                 IN      A
>
> ;; Query time: 159 msec
> ;; SERVER: 41.x.y.z#53(41.x.y.z)
> ;; WHEN: Mon Mar 12 11:15:23 SAST 2018
> ;; MSG SIZE  rcvd: 42
>
> journalctl -u pdns-recursor -n 100
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: accept answer 'cape-epic.com|NS|ns.otherdns.com.' from 'cape-epic.com' nameservers? ttl=3600,
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: accept answer 'cape-epic.com|NS|ns.otherdns.net.' from 'cape-epic.com' nameservers? ttl=3600,
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: accept answer 'cape-epic.com|NS|ns.dns2.co.za.' from 'cape-epic.com' nameservers? ttl=3600, pl
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: accept answer 'cape-epic.com|NS|ns.dns1.co.za.' from 'cape-epic.com' nameservers? ttl=3600, pl
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: accept answer 'cape-epic.com|RRSIG|NS 8 2 3600 20180315200642 20180228200642 32211 cape-epic.c
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: OPT answer '.' from 'cape-epic.com' nameservers
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] : got status Secure for name cape-epic.com (from cape-epic.com)
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] : got initial zone status Secure for record cape-epic.com
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Validating non-additional record for cape-epic.com
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Retrieving DNSKeys for cape-epic.com
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: Wants DNSSEC processing, auth data in query for DNSKEY
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: DNSKEY is negatively cached via 'cape-epic.com' for another 1003 seconds
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: updating validation state with negative cache content for cape-epic.com to Bogus
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Retrieved 0 DNSKeys for cape-epic.com, state is Bogus
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] validation state was Secure, state update is Bogus, validation state is now Bogus
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] : got status Secure for name cape-epic.com (from cape-epic.com)
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] : got initial zone status Secure for record cape-epic.com
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Validating non-additional record for cape-epic.com
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Retrieving DNSKeys for cape-epic.com
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: Wants DNSSEC processing, auth data in query for DNSKEY
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: DNSKEY is negatively cached via 'cape-epic.com' for another 1003 seconds
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: updating validation state with negative cache content for cape-epic.com to Bogus
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Retrieved 0 DNSKeys for cape-epic.com, state is Bogus
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: determining status after receiving this packet
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: answer is in: resolved to '154.0.167.107|A'
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: got upwards/level NS record 'cape-epic.com' -> 'pdns12.domaincontrol.com.', had 'cape-epic.com
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: got upwards/level NS record 'cape-epic.com' -> 'pdns11.domaincontrol.com.', had 'cape-epic.com
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: got upwards/level NS record 'cape-epic.com' -> 'ns.otherdns.com.', had 'cape-epic.com'
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: got upwards/level NS record 'cape-epic.com' -> 'ns.otherdns.net.', had 'cape-epic.com'
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: got upwards/level NS record 'cape-epic.com' -> 'ns.dns2.co.za.', had 'cape-epic.com'
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: got upwards/level NS record 'cape-epic.com' -> 'ns.dns1.co.za.', had 'cape-epic.com'
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: status=got results, this level of recursion done
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: validation status is Bogus
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: Starting validation of answer to cape-epic.com|A for 41.x.y.z:58365
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: Answer to cape-epic.com|A for 41.x.y.z:58365 validates as Bogus
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: Sending out SERVFAIL for cape-epic.com|A because recursor or query demands it for Bogus results
>
> -----Original Message-----
> From: Pdns-users [mailto:[email protected]] On Behalf Of Remi Gacogne
> Sent: Friday, 09 March 2018 5:20 PM
> To: [email protected]
> Subject: Re: [Pdns-users] dnssec domain validates as bogus
>
> Hi Greg,
>
> On 03/09/2018 03:44 PM, Greg Antic wrote:
>> We are running recursor 4.1.1. We are having a problem with a domain
>> that is signed with bogus dnssec records, the domain is cape-epic.com.
>> We have tried the different dnssec modes but only process-no-validate
>> allows the domain to be resolved. We tried adding an nta for the
>> domain but the domain still would not resolve.
>>
>> Does anyone have any suggestions how we can accommodate and still
>> resolve bogus domains but still offer dnssec validation?
>
> Running with dnssec=process should only return a ServFail if the client
> actually asks for DNSSEC validation, as described in [1].
> Adding an NTA should also work, would you mind sharing your configuration and
> a trace (running with --trace or enabling it for this single domain via
> rec_control trace-regex 'cape-epic.com')?
>
> [1]: https://doc.powerdns.com/recursor/dnssec.html#what-when
>
> Best regards,
>
> --
> Remi Gacogne
> PowerDNS.COM BV - https://www.powerdns.com/

-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
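Added illustration, not part of the thread, of the check Remi points at: with dnssec=process the recursor only turns a Bogus result into SERVFAIL when the client query carries the AD header flag or the EDNS0 DO bit, which current dig sets unless told +noadflag +nodnssec. The script builds an A query for cape-epic.com in both forms (wire layout per RFC 1035 and RFC 6891; query id, buffer size and all packet bytes are constructed here) and inspects a raw query the way a defender would when checking captured client traffic.

```python
import struct

# Added example, not from the thread: build and inspect DNS queries to see
# whether a client asks for DNSSEC validation (AD flag or EDNS0 DO bit).

QNAME = "cape-epic.com"            # the zone from the thread
FLAG_RD, FLAG_AD = 0x0100, 0x0020  # header flag bits (RFC 1035 / RFC 4035)
TYPE_OPT, DO_BIT = 41, 0x8000      # OPT RR type; DO is bit 15 of its TTL field

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name, ad=False, do=False, qid=0x37E4):
    """A/IN query; ad sets the AD header flag, do appends an OPT RR with DO=1."""
    flags = FLAG_RD | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if do else 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    opt = b""
    if do:
        # OPT RR: root name, type 41, class = UDP payload size, TTL = rcode|version|DO|Z
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0)
    return header + question + opt

def skip_name(buf, off):
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def wants_validation(pkt):
    """True when AD or DO is set: the queries that get SERVFAIL for Bogus data."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4                  # QTYPE + QCLASS
    do = False
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        do = do or (rtype == TYPE_OPT and bool(ttl & DO_BIT))
        off += 10 + rdlen
    return bool(flags & FLAG_AD) or do

if __name__ == "__main__":
    for ad, do in ((False, False), (True, True)):
        print(ad, do, wants_validation(build_query(QNAME, ad=ad, do=do)))
```

The 42-byte DO form is the same size as the SERVFAIL reply in Greg's dig output (header, question and one OPT record), which is the shape to look for when deciding whether a failing client was asking for validation.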
_______________________________________________ Pdns-users mailing list [email protected] https://mailman.powerdns.com/mailman/listinfo/pdns-users
