Re: NSEC3 ISSUE

2011-01-08 Thread Torinthiel
On 01/07/11 14:25, rams wrote:
 I have trouble resolving the host name dnssecnsec3qatestdomain.com. which is
 NSEC3 signed. This is the parent and child zone. If I run dig (a DNSSEC
 query) with the +cd option, I get what is a proper response:

What version of BIND are you using? My wild guess is that it's not
recent enough to recognize NSEC3 signatures. BIND 9.4.3 was not, and I
got exactly the same symptoms.
Torinthiel
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
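The diagnostic the two messages turn on (an answer with +cd, SERVFAIL without it, and "no valid RRSIG" followed by "broken trust chain" in the resolver log) can be scripted. The block below is an added example, not code from the thread or from ISC. The dig output and named log lines it embeds are constructed from the records quoted in the thread (with the RRSIG expiration written out in the full 14-digit form, an assumption), and the function names are illustrative. It parses both dig runs, pulls the RRSIG algorithm numbers (the zone in the thread signs with algorithm 7, RSASHA1-NSEC3-SHA1, which a validator without NSEC3 support cannot validate; BIND gained NSEC3 support in the 9.6 series), checks the signature validity window against the query time, and reports which RRset the validator rejected first.

```python
"""Triage the "+cd answers, no +cd SERVFAILs" DNSSEC symptom from dig output
and named log lines.  Added example, not code from the bind-users thread or
from ISC.  Sample input is constructed from the records quoted in the thread
(RRSIG expiration written out in full 14-digit form, an assumption)."""
import re
from datetime import datetime, timezone

# DNSSEC algorithm numbers (RFC 4034, RFC 5155).  6 and 7 are the NSEC3
# aliases of DSA and RSASHA1: signing with them announces that the zone uses
# NSEC3, and a validator without NSEC3 support cannot validate them.
ALGORITHMS = {
    5: ("RSASHA1", False),
    6: ("DSA-NSEC3-SHA1", True),
    7: ("RSASHA1-NSEC3-SHA1", True),
    8: ("RSASHA256", False),
}

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")
STATUS_RE = re.compile(r"HEADER.*status:\s+(\w+)")
FLAGS_RE = re.compile(r"^;; flags:\s+([^;]*);")
LOG_RE = re.compile(r"named\[\d+\]: error \(([^)]+)\) resolving '([^']+)':")


def parse_dig(text):
    """Return (status, flags, records); each record is [owner, ttl, type, rdata].
    dig wraps long RRSIG rdata, so continuation lines are joined to the last RR."""
    status, flags, records = None, set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(";"):
            m = STATUS_RE.search(line)
            if m:
                status = m.group(1)
            m = FLAGS_RE.match(line)
            if m:
                flags = set(m.group(1).split())
            continue
        m = RR_RE.match(line)
        if m:
            records.append([m.group(1), int(m.group(2)), m.group(3), m.group(4)])
        elif records:
            records[-1][3] += " " + line
    return status, flags, records


def rrsig_fields(rdata):
    """RRSIG rdata: type-covered alg labels orig-ttl expiration inception key-tag signer sig."""
    f = rdata.split()
    return {"covers": f[0], "algorithm": int(f[1]), "expiration": f[4],
            "inception": f[5], "key_tag": int(f[6]), "signer": f[7]}


def parse_named_log(text):
    return [{"error": m.group(1), "name": m.group(2)} for m in LOG_RE.finditer(text)]


def sigtime(s):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def triage(with_cd, without_cd, named_log, now):
    """NOERROR with +cd next to SERVFAIL without it means the authoritative data
    is reachable and the resolver's own validation rejects it; the log then
    names the RRset that failed first (in the thread, the apex DNSKEY)."""
    status_cd, flags_cd, records = parse_dig(with_cd)
    status_nocd, _, _ = parse_dig(without_cd)
    sigs = [rrsig_fields(r[3]) for r in records if r[2] == "RRSIG"]
    algs = {s["algorithm"] for s in sigs}
    outside = [s for s in sigs
               if not sigtime(s["inception"]) <= now <= sigtime(s["expiration"])]
    failing = [e["name"] for e in parse_named_log(named_log)
               if e["error"] in ("no valid RRSIG", "broken trust chain")]
    verdict = "other"
    if status_cd == "NOERROR" and "cd" in flags_cd and status_nocd == "SERVFAIL":
        verdict = "resolver_validation_failure"
    return {
        "verdict": verdict,
        "algorithms": algs,
        "nsec3_validator_required": any(ALGORITHMS.get(a, ("unknown", False))[1] for a in algs),
        "signatures_outside_window": len(outside),
        "failing_rrsets": failing,
    }


# Constructed sample modelled on the thread (apex RRSIGs over A and NS,
# algorithm 7, key tag 61559; signature bytes shortened).
WITH_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1601
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
dnssecnsec3qatestdomain.com. 86396 IN RRSIG A 7 2 86400 20200831205954
20100831205954 61559 dnssecnsec3qatestdomain.com. A4HqcGYSyEoM7Y75MoRaK4zz
dnssecnsec3qatestdomain.com. 86396 IN A 12.12.1.0
dnssecnsec3qatestdomain.com. 86396 IN A 255.12.1.0
dnssecnsec3qatestdomain.com. 86396 IN RRSIG NS 7 2 86400 20200831205954
20100831205954 61559 dnssecnsec3qatestdomain.com. r11osNc3HFoVFWjC1iNN9Yv3
dnssecnsec3qatestdomain.com. 86396 IN NS udns1.ultradns.net.
"""
WITHOUT_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7437
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
NAMED_LOG = """\
Jan  7 13:17:55 named[17154]: error (no valid RRSIG) resolving 'dnssecnsec3qatestdomain.com/DNSKEY/IN': 10.31.142.103#53
Jan  7 13:17:55 named[17154]: error (broken trust chain) resolving 'dnssecnsec3qatestdomain.com/ANY/IN': 10.31.142.103#53
"""


def run_sample(when="20110107131755"):
    """Triage the constructed sample as of the given YYYYMMDDHHMMSS time."""
    return triage(WITH_CD, WITHOUT_CD, NAMED_LOG, sigtime(when))
```

Two caveats when reading the verdict. +cd only switches off validation in the resolver you are asking, so it proves the data is fetchable, not that it would validate anywhere; run the same query against a validator you know supports NSEC3 to separate a resolver problem from a zone problem. And "no valid RRSIG" on the apex DNSKEY covers more than one cause: an algorithm the validator does not implement, a trust anchor or DS that matches none of the published DNSKEYs, or a signature outside its validity window, which is why the example checks the window and the algorithm together with the resolver's version (named -v).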


NSEC3 ISSUE

2011-01-07 Thread rams
I have trouble resolving the host name dnssecnsec3qatestdomain.com. which is
NSEC3 signed. This is the parent and child zone. If I run dig (a DNSSEC
query) with the +cd option, I get what is a proper response:

[r...@stulcqanusbind1 ~]# dig dnssecnsec3qatestdomain.com. any +dnssec +cd

; <<>> DiG 9.7.1-P2 <<>> dnssecnsec3qatestdomain.com. any +dnssec +cd
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1601
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 8, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssecnsec3qatestdomain.com.   IN  ANY

;; ANSWER SECTION:
dnssecnsec3qatestdomain.com. 86396 IN   RRSIG   A 7 2 86400 2020083100
20100831205954 61559 dnssecnsec3qatestdomain.com.
A4HqcGYSyEoM7Y75MoRaK4zzNiuL45tq+AnfUIrxxEIPkIOI12FmFyhY
JOQN216QkTbYkJBlNwe2Ky1SRGjwhQ==
dnssecnsec3qatestdomain.com. 86396 IN   A   12.12.1.0
dnssecnsec3qatestdomain.com. 86396 IN   A   255.12.1.0
dnssecnsec3qatestdomain.com. 86396 IN   RRSIG   SOA 7 2 86400 2020083100
20100831205954 61559 dnssecnsec3qatestdomain.com.
eAV/LHcB3WLA9ULvsz/kcVJ63XeJCX/YAOu9ZFUM+SVDIW/BAUXNfq9O
iNBuukgDBlFZFOQyblfgjpcSW3CQMw==
dnssecnsec3qatestdomain.com. 86396 IN   SOA udns1.ultradns.net.
bitbuck...@qa.neustar.com. 2009111903 10800 3600 2592000 86400
dnssecnsec3qatestdomain.com. 86396 IN   RRSIG   NS 7 2 86400 2020083100
20100831205954 61559 dnssecnsec3qatestdomain.com.
r11osNc3HFoVFWjC1iNN9Yv3IKGvApbZwkNLdK5HTlPt+3UDB2Do7RvT
9SSJaZYLj4PEC8Gp6lT1L+0LlsEP9w==
dnssecnsec3qatestdomain.com. 86396 IN   NS  udns2.ultradns.net.
dnssecnsec3qatestdomain.com. 86396 IN   NS  udns1.ultradns.net.

;; AUTHORITY SECTION:
dnssecnsec3qatestdomain.com. 86396 IN   NS  udns2.ultradns.net.
dnssecnsec3qatestdomain.com. 86396 IN   NS  udns1.ultradns.net.
dnssecnsec3qatestdomain.com. 86396 IN   RRSIG   NS 7 2 86400 2020083100
20100831205954 61559 dnssecnsec3qatestdomain.com.
r11osNc3HFoVFWjC1iNN9Yv3IKGvApbZwkNLdK5HTlPt+3UDB2Do7RvT
9SSJaZYLj4PEC8Gp6lT1L+0LlsEP9w==

But dig (a DNSSEC query) without the +cd option returns SERVFAIL.

[r...@stulcqanusbind1 ~]# dig dnssecnsec3qatestdomain.com. any +dnssec

; <<>> DiG 9.7.1-P2 <<>> @ dnssecnsec3qatestdomain.com. any +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7437
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssecnsec3qatestdomain.com.   IN  ANY

In my logs I am getting these messages when doing the query without the +cd option:

Jan  7 13:17:55  named[17154]: error (no valid RRSIG) resolving 'dnssecnsec3qatestdomain.com/DNSKEY/IN': 10.31.142.103#53
Jan  7 13:17:55  named[17154]: error (broken trust chain) resolving 'dnssecnsec3qatestdomain.com/ANY/IN': 10.31.142.103#53

Can you figure out what would be the exact problem?


Thanks & Regards,

Ramesh

Re: NSEC3 ISSUE

2011-01-07 Thread Mark Andrews

Perhaps if dnssecnsec3qatestdomain.com existed we would be able to
tell you.  As it is, there is not enough information here to work out
what is broken.


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org