Re: unresolvable pms.psc.gov, but google/cloudflare/unbound work

2023-09-19 Thread Nicholas Miller
Thanks for the help. I guess it is time to move to 9.18.
_
Nicholas Miller, OIT, University of Colorado at Boulder


-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: unresolvable pms.psc.gov, but google/cloudflare/unbound work

2023-09-19 Thread Petr Špaček

On 19. 09. 23 9:53, Ondřej Surý wrote:
> Those servers are broken with QNAME minimization and should be fixed, but
> as we changed the QNAME minimization algorithm to use NS records instead
> of A records in BIND 9.18.17 and higher, it works now.
>
> I can confirm this works in BIND 9.18.17 and higher. And it's absolutely not
> BIND 9's fault.

So all in all, time to upgrade!

BIND 9.16 series will reach end of life at the end of 2023 anyway.

--
Petr Špaček


Re: unresolvable pms.psc.gov, but google/cloudflare/unbound work

2023-09-19 Thread Ondřej Surý
> On 19. 9. 2023, at 9:25, Petr Špaček  wrote:
> 
> All I can tell you is "it works on my system" (with BIND, of course):

I can reproduce this on BIND 9.16 (-c /dev/null as named.conf):

## BIND 9.19-dev

19-Sep-2023 09:33:51.633 validating pms.psc.gov/CNAME: no valid signature found
19-Sep-2023 09:33:52.485   validating ha.psc.gov/DS: no valid signature found
19-Sep-2023 09:33:52.485 validating ha.psc.gov/DS: no valid signature found
19-Sep-2023 09:33:52.485 validating pms.ha.psc.gov/A: no valid signature found

$ bin/dig/dig +noall +comments -p 12345 pms.psc.gov @127.0.0.1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35947
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 76cc17ac4ce491b90100650950c533d1d3531585cef9 (good)

## BIND 9.18-dev

19-Sep-2023 09:36:10.717 validating pms.psc.gov/CNAME: no valid signature found
19-Sep-2023 09:36:11.581   validating ha.psc.gov/DS: no valid signature found
19-Sep-2023 09:36:11.581 validating ha.psc.gov/DS: no valid signature found
19-Sep-2023 09:36:11.581 validating pms.ha.psc.gov/A: no valid signature found

$ bin/dig/dig +noall +comments -p 12345 pms.psc.gov @127.0.0.1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30482
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f109de3980764a4201006509507caea9fe0064088c8e (good)


## BIND 9.16-dev

19-Sep-2023 09:37:17.685 validating pms.psc.gov/CNAME: no valid signature found
19-Sep-2023 09:37:27.685 query client=0x7f0b840013b0 thread=0x7f0b8ed7b6c0(pms.ha.psc.gov/A): query_gotanswer: unexpected error: timed out

$ bin/dig/dig +short -p 12345 pms.psc.gov @127.0.0.1

$ bin/dig/dig +noall +comments -p 12345 pms.psc.gov @127.0.0.1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45084
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e5b154394f27002201006509503c139afd80b72dd04a (good)

Those servers are broken with QNAME minimization and should be fixed, but
as we changed the QNAME minimization algorithm to use NS records instead
of A records in BIND 9.18.17 and higher, it works now.

I can confirm this works in BIND 9.18.17 and higher. And it's absolutely not
BIND 9's fault.

Cheers,
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.




Re: unresolvable pms.psc.gov, but google/cloudflare/unbound work

2023-09-19 Thread Petr Špaček

On 18. 09. 23 15:29, Nicholas Miller wrote:
> I know this is an old thread but we are having issues resolving pms.psc.gov as
> well. Disabling DNSSEC validation on a test server doesn’t solve the problem. I
> can add a forwarding zone for ha.psc.gov pointed to their NS servers and things
> work. I would love to know what is broken here.

That's hard to diagnose without logs or any other supporting data.

All I can tell you is "it works on my system" (with BIND, of course):

$ dig pms.psc.gov

; <<>> DiG 9.19.18-dev <<>> +timeout +retry pms.psc.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29005
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 5f2a9d77850917bd010065094c8ec7febc2147e2408d (good)
;; QUESTION SECTION:
;pms.psc.gov.   IN  A

;; ANSWER SECTION:
pms.psc.gov.3600IN  CNAME   pms.ha.psc.gov.
pms.ha.psc.gov. 30  IN  A   156.40.178.24

;; Query time: 1533 msec
;; SERVER: 127.0.0.111#53(127.0.0.111) (UDP)
;; WHEN: Tue Sep 19 09:23:58 CEST 2023
;; MSG SIZE  rcvd: 105

--
Petr Špaček


Re: unresolvable pms.psc.gov, but google/cloudflare/unbound work

2023-09-18 Thread Nicholas Miller
I know this is an old thread but we are having issues resolving pms.psc.gov as
well. Disabling DNSSEC validation on a test server doesn’t solve the problem. I
can add a forwarding zone for ha.psc.gov pointed to their NS servers and things
work. I would love to know what is broken here.

> dig pms.psc.gov

; <<>> DiG 9.16.43 <<>> pms.psc.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60669
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 20b2eb2c9840bfbd010065084978288fdde1e6f7c2a6 (good)
;; QUESTION SECTION:
;pms.psc.gov. IN A

;; Query time: 2993 msec
;; SERVER: 128.138.240.1#53(128.138.240.1)
;; WHEN: Mon Sep 18 06:58:32 MDT 2023
;; MSG SIZE  rcvd: 68

_
Nicholas Miller, OIT, University of Colorado at Boulder


Re: unresolvable pms.psc.gov, but google/cloudflare/unbound work

2021-08-22 Thread Matthew Richardson
It looks slightly more subtle than a straight failure.  There is a DS
record in psc.gov pointing to key 180 in ha.psc.gov:-

>ha.psc.gov. 56  IN  DS  180 7 1 
>8A631C83457F4BDB3C450A725DFDB267C4BAC1CC

This points correctly to the key.  However digest algorithm 1 is now either
prohibited or discouraged.  Worse there is also a DS:-

>ha.psc.gov. 56  IN  DS  39093 7 2 
>DD956C9568726B6EEED24D9814F0EC0D2BD119CF4B8A6352A4BF6968 0880E8E7

where key 39093 does not exist in ha.psc.gov.

Buried in the mass of errors & warnings, dnsviz says:-

>ha.psc.gov/DS (alg 7, id 180): DS records with digest type 1 (SHA-1) are 
>ignored when DS records with digest type 2 (SHA-256) exist in the same RRset.

With both Bind & Unbound, I get SERVFAIL.  However, other resolvers may be
more tolerant of algorithm 1 DS records, in which case they may decide that
the answer is "valid".

In any event, it needs fixing.

However, to answer the OP's question, the solution is to use a "negative
trust anchor":-

># rndc nta -lifetime 1d ha.psc.gov
>Negative trust anchor added: ha.psc.gov/_default, expires 23-Aug-2021 
>18:55:13.000

which then allowed my Bind to resolve it.

Best wishes,
Matthew


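Matthew's analysis above (a SHA-1 DS that matches the published key, a SHA-256 DS that matches nothing) is exactly the case where the RFC 4509 section 3 rule leaves a validator with no usable DS. The script below, added here as an example and not part of the thread, reimplements the RFC 4034 key-tag and DS-digest computations and applies that rule to a DNSKEY and DS set modelled on the thread; the key bytes and the stale SHA-256 digest are constructed placeholders, not ha.psc.gov's real data.

```python
"""Check which DS records in a delegation can authenticate a child's DNSKEY.

Added example, not from the thread. Reimplements the RFC 4034 key tag
(Appendix B) and DS digest (section 5.1.4), then applies the RFC 4509
section 3 rule: a validator ignores SHA-1 DS records whenever a SHA-256
DS record is present in the same RRset. All key material is constructed.
"""
import hashlib
import struct

OWNER = "ha.psc.gov"  # child zone from the thread; the key below is NOT its real key

# Constructed sample KSK: flags 257 (KSK/SEP), protocol 3, algorithm 7,
# followed by 64 placeholder public-key bytes so the example runs offline.
SAMPLE_KSK = struct.pack("!HBB", 257, 3, 7) + bytes(range(64))
PUBLISHED_KEYS = [SAMPLE_KSK]  # DNSKEY RDATA the child actually serves

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def wire_name(name):
    """Owner name in canonical wire form: lower-case, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = H(canonical owner name || DNSKEY RDATA), upper-case hex."""
    return DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()


def usable_ds(ds_set):
    """RFC 4509 s3: if any DS uses SHA-256, the SHA-1 DS records are ignored."""
    if any(ds["digest_type"] == 2 for ds in ds_set):
        return [ds for ds in ds_set if ds["digest_type"] != 1]
    return list(ds_set)


def diagnose(owner, ds_set, keys):
    """Report whether some usable DS authenticates a published DNSKEY."""
    usable = usable_ds(ds_set)
    matches = [ds["key_tag"] for ds in usable for rdata in keys
               if key_tag(rdata) == ds["key_tag"]
               and ds["digest"] == ds_digest(owner, rdata, ds["digest_type"])]
    return {
        "status": "secure" if matches else "bogus",  # bogus is what surfaces as SERVFAIL
        "matched_tags": matches,
        "ignored_tags": [ds["key_tag"] for ds in ds_set if ds not in usable],
        "unmatched_tags": [ds["key_tag"] for ds in usable if ds["key_tag"] not in matches],
    }


def sample_ds_set():
    """Delegation modelled on the thread: a correct SHA-1 DS plus a stale SHA-256 DS."""
    good_sha1 = {"key_tag": key_tag(SAMPLE_KSK), "digest_type": 1,
                 "digest": ds_digest(OWNER, SAMPLE_KSK, 1)}
    # Tag 39093 as in the thread; the digest is constructed over a key the child
    # no longer publishes, so no DNSKEY can match it.
    stale_sha256 = {"key_tag": 39093, "digest_type": 2,
                    "digest": hashlib.sha256(b"constructed withdrawn key").hexdigest().upper()}
    return [good_sha1, stale_sha256]


if __name__ == "__main__":
    # Both DS present: SHA-1 DS ignored, SHA-256 DS matches nothing -> bogus.
    print(diagnose(OWNER, sample_ds_set(), PUBLISHED_KEYS))
    # With the stale SHA-256 DS removed at the parent, the SHA-1 DS is usable again.
    print(diagnose(OWNER, sample_ds_set()[:1], PUBLISHED_KEYS))
```

The durable fix is at the parent (publish a DS that matches a key the child serves, preferably SHA-256); the `rndc nta` negative trust anchor from the message above only suspends validation for the zone locally until its lifetime expires.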


Re: unresolvable pms.psc.gov, but google/cloudflare/unbound work

2021-08-22 Thread John W. Blue via bind-users
You're using the wrong tools to troubleshoot or investigate this error.

Instead of relying upon resolvers to provide situational awareness you need to 
inspect DNSSEC itself using dnsviz.net:

https://dnsviz.net/d/pms.psc.gov/dnssec/

psc.gov is giving the world ID 5089 when they need to be handing out ID 180.

Recommend the pms.psc.gov admins give the psc.gov admins the correct hash.




unresolvable pms.psc.gov, but google/cloudflare/unbound work

2021-08-22 Thread Roger Hammerstein

pms.psc.gov appears to be unresolvable against bind9.16.19
and 9.11.34 because of dnssec issues.
But it resolves against Cloudflare's 1.1.1.1, Google's 8.8.8.8, and an Unbound
resolver that does dnssec-validation.

There's a ticket open with nih.gov to look into it, but is there anything that can
be changed with Bind to make this domain resolve in the meantime?

 (pms.psc.gov): query failed (SERVFAIL) for pms.psc.gov/IN/A at query.c:8678

https://dnsviz.net/d/pms.psc.gov/dnssec/
https://dnssec-analyzer.verisignlabs.com/pms.psc.gov

dig a pms.psc.gov @8.8.8.8

pms.psc.gov.    2852    IN  CNAME   pms.ha.psc.gov.
pms.ha.psc.gov. 29  IN  A   156.40.178.24

dig a pms.psc.gov @8.8.8.8 +dnssec

;; ANSWER SECTION:
pms.psc.gov.    2835    IN  CNAME   pms.ha.psc.gov.
pms.psc.gov.    2835    IN  RRSIG   CNAME 8 3 3600 20210827000144 20210821230144 5089 psc.gov. kpclRfRyBqaSGW6VrpkE4gP/QPfggKZTVb68npiosnt+4lIUglUxino5 jQAqd9a1p8HbdHG63HPnfYYBq1bX9q/f11CVUmxXXJUbRBGTZBnDyATP LLI2GWSZ1at364O+C+iZozi8NpJNU4oTCfd3PLScFbOfSGbPyRfUzfvB AJc=
pms.ha.psc.gov. 29  IN  A   156.40.178.24
pms.ha.psc.gov. 29  IN  RRSIG   A 7 4 30 20210827185442 20210820185442 21380 ha.psc.gov. w2XUqBVoBMtLv0qfc5xmccrpv+w2ukwGfaGJvthIKHXr2SdlAk3oQxve xyolEaj2zWn8Uj7lOsaZD8mewBMQ3iEEp8U96aFBslWV/ffEKL+H9oMM sUNU5KwNi7/Nk3KZuNc8R3xxuYTsSVdbu6ai1lQ6fmw2uWAoDP9YIqek jyo/0WFSXM+hxw/5WguijhilSRIywNgG3/6MY3ZmunPPafGTCTXigyex IBACJQJ+meD6vMi0YoRM17mwdD+7Buq2cb6LJyVYaQImh7M2gF8My75n lDns4PWEIx4bSW2uQQEPpB7MA9VI9y5CuVCmqC3wMZ2ow6G8pkaf18wv r/ucSQ==

I can sometimes get a servfail out of 8.8.8.8 with an any query
dig any pms.psc.gov @8.8.8.8 +dnssec

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36332
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;pms.psc.gov.   IN  ANY
;; Query time: 5001 msec
