On Thu, Apr 19, 2012 at 5:59 AM, Chris Thompson c...@cam.ac.uk wrote:
> On Apr 19 2012, Richard Laager wrote:
>
>> Are others timing out trying to resolve www.glb.hud.gov? This seems
>> (though I haven't done extensive testing) to only happen to me with
>> BIND.
>> http://dnsviz.net/d/www.glb.hud.gov/dnssec/ shows
>> a couple of DNSKEY
>> warnings, so maybe that's it. I always suspect DNSSEC when I have
>> problems with .gov domains, but I commented out dnssec-enable yes in
>> my named.conf and it didn't help.
>
> There is no DS record in the parent zone, so the zone contents could
> not be validated anyway.

Yes, but there's a difference between could not be validated, meaning
there is no chain of trust extending to glb.hud.gov (the hud.gov zone
securely proves that the trust does not extend to glb.hud.gov) and could
not be validated, meaning there should be a chain, but the necessary
DNSKEYs and RRSIGs are not available to validate it. The first should
yield an insecure (i.e., unauthenticated) response, the second SERVFAIL.
BIND gets hung up on the fact that the DNSKEY RRset for glb.hud.gov cannot
be retrieved to validate the RRSIGs covering glb.hud.gov names and returns
SERVFAIL, even though technically it should simply return an insecure
response. Note that unbound responds appropriately:
$ dig +dnssec @localhost www.glb.hud.gov
; <<>> DiG 9.7.3 <<>> +dnssec @localhost www.glb.hud.gov
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61547
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.glb.hud.gov. IN A
;; ANSWER SECTION:
www.glb.hud.gov. 30 IN A 170.97.67.13
www.glb.hud.gov. 30 IN RRSIG A 7 4 30 20120425192819 20120418192819 18872
glb.hud.gov. qeuaykqCRmDoJ/b7+MayUC4LB5GCoJ00931CS8w+Ta6tuT/qv3dGsR1i
NVP5Xh5x/kJVyM6M3red1b2e4zrw930xe5gegPxGyWZqT8CVF7clouOJ
nPr3D+JGre46lvsi62ibhCfS82gfuNLg+028D6EasnWiQgcG70ONI2yU a+w=
www.glb.hud.gov. 30 IN RRSIG A 7 4 30 20120424171101 20120417171101 27647
glb.hud.gov. kVWQcOoRa2BPK+K4mMQQ+SsFKk2F6F2euVS2xrzlKyYMmOHytouRq6LK
En8edmPbm5iYDGnW/Hc7jPLQgqpRYVxkdjKTvjYNf+yjqBK1aBblVZ4b
Y/hDCcbfO5DsVEmJ/HuEg9vlQ65inWB2xpLul0FOXC7xLn7ch/h8A8Jv UfQ=
;; Query time: 85 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Apr 19 07:34:06 2012
;; MSG SIZE rcvd: 402
Casey
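
The distinction drawn in the message above, as an added example that is not part of the original post and is not BIND or unbound code: a simplified model of a validator walking the chain of trust and deciding between an insecure answer and SERVFAIL. The `Delegation` fields, function names and zone states are hypothetical, constructed to mirror the situation described in the thread.

```python
from dataclasses import dataclass

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

@dataclass
class Delegation:
    """State of one zone cut as seen by a validator (hypothetical field names)."""
    zone: str
    ds_present: bool       # parent publishes a DS RRset for this zone
    no_ds_proven: bool     # parent's signed NSEC/NSEC3 proves there is no DS
    dnskey_ok: bool        # DNSKEY RRset was fetched and matches the DS

def classify(chain):
    """Walk delegations from the trust anchor down; return (status, zone)."""
    for d in chain:
        if d.ds_present:
            if not d.dnskey_ok:
                return BOGUS, d.zone      # chain should exist but cannot be built
            continue                      # link verified, keep descending
        if d.no_ds_proven:
            return INSECURE, d.zone       # trust provably ends here; stop
        return BOGUS, d.zone              # absence of DS not authenticated
    return SECURE, chain[-1].zone

def rcode(status):
    """Bogus data is withheld (SERVFAIL); insecure data is returned unauthenticated."""
    return "SERVFAIL" if status == BOGUS else "NOERROR"

# Constructed sample data modelled on the thread: signed parents, no DS for
# glb.hud.gov, and a DNSKEY RRset for glb.hud.gov that cannot be retrieved.
THREAD_CASE = [
    Delegation("gov.", True, False, True),
    Delegation("hud.gov.", True, False, True),
    Delegation("glb.hud.gov.", False, True, False),
]
# Same zone, but with a DS in hud.gov: now the missing DNSKEY breaks the chain.
BROKEN_CASE = THREAD_CASE[:2] + [Delegation("glb.hud.gov.", True, False, False)]

if __name__ == "__main__":
    for name, chain in (("thread", THREAD_CASE), ("broken", BROKEN_CASE)):
        status, zone = classify(chain)
        print(name, status, "at", zone, "->", rcode(status))
```

In the first case the walk stops at the proven-insecure cut, so the unreachable DNSKEY RRset below it never enters the decision.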