Re: www.glb.hud.gov

2012-04-19 Thread Chris Thompson

On Apr 19 2012, Richard Laager wrote:


> Are others timing out trying to resolve www.glb.hud.gov? This seems
> (though I haven't done extensive testing) to only happen to me with
> BIND.
>
> http://dnsviz.net/d/www.glb.hud.gov/dnssec/ shows a couple of DNSKEY
> warnings, so maybe that's it. I always suspect DNSSEC when I have
> problems with .gov domains, but I commented out dnssec-enable yes in
> my named.conf and it didn't help.


There is no DS record in the parent zone, so the zone contents could
not be validated anyway.

The main problem seems to be that the nameservers for glb.hud.gov
never respond to requests for its DNSKEY records (even if EDNS is
turned off in the query). They also don't respond to queries over
TCP about anything.

Specifying dnssec-enable no doesn't stop BIND setting the DO bit
on the queries it sends out. However, if validation is off, I am
not sure why it would be bothering to (try to) fetch the DNSKEY
records.

--
Chris Thompson
Email: c...@cam.ac.uk
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: www.glb.hud.gov

2012-04-19 Thread Casey Deccio
On Thu, Apr 19, 2012 at 5:59 AM, Chris Thompson c...@cam.ac.uk wrote:

> On Apr 19 2012, Richard Laager wrote:
>
>> Are others timing out trying to resolve www.glb.hud.gov? This seems
>> (though I haven't done extensive testing) to only happen to me with
>> BIND.
>>
>> http://dnsviz.net/d/www.glb.hud.gov/dnssec/ shows a couple of DNSKEY
>> warnings, so maybe that's it. I always suspect DNSSEC when I have
>> problems with .gov domains, but I commented out dnssec-enable yes in
>> my named.conf and it didn't help.
>
> There is no DS record in the parent zone, so the zone contents could
> not be validated anyway.


Yes, but there's a difference between could not be validated, meaning
there is no chain of trust extending to glb.hud.gov (the hud.gov zone
securely proves that the trust does not extend to glb.hud.gov) and could
not be validated, meaning there should be a chain, but the necessary
DNSKEYs and RRSIGs are not available to validate it.  The first should
yield an insecure (i.e., unauthenticated) response, the second SERVFAIL.
 BIND gets hung up on the fact that the DNSKEY RRset for glb.hud.gov cannot
be retrieved to validate the RRSIGs covering glb.hud.gov names and returns
SERVFAIL, even though technically it should simply return an insecure
response.  Note that unbound responds appropriately:

$ dig +dnssec @localhost www.glb.hud.gov

; <<>> DiG 9.7.3 <<>> +dnssec @localhost www.glb.hud.gov
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61547
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.glb.hud.gov. IN A

;; ANSWER SECTION:
www.glb.hud.gov. 30 IN A 170.97.67.13
www.glb.hud.gov. 30 IN RRSIG A 7 4 30 20120425192819 20120418192819 18872
glb.hud.gov. qeuaykqCRmDoJ/b7+MayUC4LB5GCoJ00931CS8w+Ta6tuT/qv3dGsR1i
NVP5Xh5x/kJVyM6M3red1b2e4zrw930xe5gegPxGyWZqT8CVF7clouOJ
nPr3D+JGre46lvsi62ibhCfS82gfuNLg+028D6EasnWiQgcG70ONI2yU a+w=
www.glb.hud.gov. 30 IN RRSIG A 7 4 30 20120424171101 20120417171101 27647
glb.hud.gov. kVWQcOoRa2BPK+K4mMQQ+SsFKk2F6F2euVS2xrzlKyYMmOHytouRq6LK
En8edmPbm5iYDGnW/Hc7jPLQgqpRYVxkdjKTvjYNf+yjqBK1aBblVZ4b
Y/hDCcbfO5DsVEmJ/HuEg9vlQ65inWB2xpLul0FOXC7xLn7ch/h8A8Jv UfQ=

;; Query time: 85 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Apr 19 07:34:06 2012
;; MSG SIZE  rcvd: 402

Casey
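The distinction Casey draws above (an "insecure" result when the parent securely proves there is no DS, versus a "bogus" result and SERVFAIL when a DS exists but the DNSKEY cannot be fetched) is the RFC 4035 section 4.3 state machine. The following is an added example written for this page, not code from the thread, from BIND or from unbound: it models a chain of zone cuts with a constructed `Zone` record (a hypothetical model, not a real library type) and walks it the way a validator would. The `GLB_CHAIN` data is constructed from the facts stated in the thread (no DS in hud.gov, DNSKEY for glb.hud.gov unreachable); `BROKEN_CHAIN` is a constructed variant with a DS present, which is the case that should legitimately SERVFAIL.

```python
"""Toy DNSSEC chain-of-trust classifier (added example, not from the thread)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Zone:
    """What a validating resolver has learned about one zone cut (hypothetical model).

    ds_in_parent: True  -> the parent serves a DS RRset for this zone
                  False -> the parent securely proves (NSEC/NSEC3) there is no DS
                  None  -> neither a DS nor an authenticated denial was obtained
    dnskey_reachable: whether the zone's DNSKEY RRset could be fetched
    """
    name: str
    ds_in_parent: Optional[bool]
    dnskey_reachable: bool


def validation_state(chain: List[Zone]) -> Tuple[str, str]:
    """Walk a chain from a trust-anchored apex down to the queried zone.

    Returns (state, reason) with state in {"secure", "insecure", "bogus"},
    following the RFC 4035 section 4.3 definitions:
      secure   - unbroken DS/DNSKEY links from the trust anchor
      insecure - a parent securely proved that no DS exists, so the
                 chain stops there by design
      bogus    - a link that should exist could not be obtained or verified
    """
    if not chain:
        raise ValueError("chain must start at a trust-anchored zone")
    anchor = chain[0]
    if not anchor.dnskey_reachable:
        return "bogus", f"trust anchor zone {anchor.name}: DNSKEY unavailable"
    state = "secure"
    for zone in chain[1:]:
        if state == "insecure":
            # Below an insecure delegation nothing is validated, even if the
            # child happens to publish DNSKEYs and RRSIGs of its own.
            continue
        if zone.ds_in_parent is False:
            state = "insecure"
            continue
        if zone.ds_in_parent is None:
            return "bogus", f"{zone.name}: no DS and no authenticated denial of DS"
        if not zone.dnskey_reachable:
            return "bogus", f"{zone.name}: DS present but DNSKEY RRset unavailable"
    return state, "chain walked"


def resolver_response(state: str, cd_bit: bool = False) -> Tuple[str, bool]:
    """(rcode, ad_flag) a validating resolver should hand back for a state.

    With CD (checking disabled) set the client asked for unvalidated data,
    so even bogus data is returned rather than SERVFAIL (RFC 4035 section 3.2.2).
    """
    if state == "secure":
        return "NOERROR", True
    if state == "insecure":
        return "NOERROR", False
    if cd_bit:
        return "NOERROR", False
    return "SERVFAIL", False


# Constructed from the thread: hud.gov publishes no DS for glb.hud.gov and
# the glb.hud.gov servers never answer DNSKEY queries.
GLB_CHAIN = [
    Zone(".", None, True),        # trust anchor; ds_in_parent not applicable
    Zone("gov", True, True),
    Zone("hud.gov", True, True),
    Zone("glb.hud.gov", False, False),
]

# Constructed variant: a DS *is* published but the DNSKEY still cannot be fetched.
BROKEN_CHAIN = [
    Zone(".", None, True),
    Zone("gov", True, True),
    Zone("hud.gov", True, True),
    Zone("glb.hud.gov", True, False),
]

if __name__ == "__main__":
    for label, chain in (("no DS in parent", GLB_CHAIN), ("DS but no DNSKEY", BROKEN_CHAIN)):
        state, reason = validation_state(chain)
        rcode, ad = resolver_response(state)
        print(f"{label}: {state} ({reason}) -> {rcode}, ad={ad}")
```

Run as written, the first chain comes out `insecure` and maps to NOERROR with no AD flag, which is exactly what the unbound `dig` output above shows (flags `qr rd ra`, no `ad`); only the second chain, where a DS exists, is `bogus` and warrants SERVFAIL.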

www.glb.hud.gov

2012-04-18 Thread Richard Laager
Are others timing out trying to resolve www.glb.hud.gov? This seems
(though I haven't done extensive testing) to only happen to me with
BIND.

http://dnsviz.net/d/www.glb.hud.gov/dnssec/ shows a couple of DNSKEY
warnings, so maybe that's it. I always suspect DNSSEC when I have
problems with .gov domains, but I commented out dnssec-enable yes in
my named.conf and it didn't help.

-- 
Richard
