[dns-operations] Problems resolving .gov using DLV
Michael Sinatra
michael at rancid.berkeley.edu
Mon Mar 16 21:27:21 UTC 2009
More info:
It appears that gov is using a KSK with algorithm 7, which my version of
BIND (9.5.1-P1) on FreeBSD doesn't support, according to the log:
/var/log/named/named.log.1:16-Mar-2009 14:00:50.936 error:
named.trustedkeys:4: configuring trusted key for 'GOV.': algorithm is
unsupported
Doing a crash upgrade to 9.6.0-P1 appears to fix the problem.
Is it possible that gov started using an algorithm that BIND 9.5.1-P1
doesn't support?
On 03/16/09 13:54, Michael Sinatra wrote:
> Hi,
>
> Is anyone else having problems resolving .gov using the ISC DLV? Just
> about an hour ago, my caching resolvers started choking on .gov
> addresses with the following errors (the timestamp in PDT [offset -0700]
> represents the earliest log entry in my resolvers).
>
> I am currently trying to manually grab the trust anchor and add it to my
> BIND config to see if that helps. In the meantime I am wondering if
> anyone else is seeing the problem. (Note that I only have two trust
> anchors: One for the DLV and one for .se. I currently do not have any
> manually added trust anchors for .gov or any subdomain thereof.)
>
> 16-Mar-2009 12:43:40.920 dnssec: info: validating @0x842f89000:
> GT6F85BNJETCHV2RSE9H4U44V5QRHFON.gov TYPE50: no valid signature found
> 16-Mar-2009 12:43:40.920 dnssec: info: validating @0x8428cc000:
> NHQ1OKBN4C6SVH684SOJTC25JFOHEB23.gov TYPE50: no valid signature found
> 16-Mar-2009 12:43:40.920 dnssec: info: validating @0x842f89000:
> GT6F85BNJETCHV2RSE9H4U44V5QRHFON.gov TYPE50: no valid signature found
> 16-Mar-2009 12:43:40.920 dnssec: info: validating @0x8377e7000:
> 01BQVVC92HDUCS6JO571RA0M7AAB1TJ2.gov TYPE50: no valid signature found
> 16-Mar-2009 12:43:40.920 dnssec: info: validating @0x8377e6000:
> FCHQ9FMNKR7B37322STB71CNCNRB6C02.gov TYPE50: no valid signature found
> 16-Mar-2009 12:43:40.920 dnssec: info: validating @0x8377e7000:
> 01BQVVC92HDUCS6JO571RA0M7AAB1TJ2.gov TYPE50: no valid signature found
> 16-Mar-2009 12:43:40.920 dnssec: info: validating @0x8377e6000:
> FCHQ9FMNKR7B37322STB71CNCNRB6C02.gov TYPE50: no valid signature found
> 16-Mar-2009 12:43:40.946 dnssec: info: validating @0x842f93000: gov
> SOA: no valid signature found
> 16-Mar-2009 12:43:40.946 dnssec: info: validating @0x842f93000: gov
> SOA: no valid signature found
>
>
> michael
>
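A triage sketch for the two symptoms reported in this thread, added here as an example and not part of the original posts: it reads named log text and groups "no valid signature found" entries under any zone whose trusted key was rejected with "algorithm is unsupported". The function names and the example.se log line are assumptions made for the illustration.

```python
import re
from collections import Counter

# Log lines in the format quoted in the thread, unwrapped to one entry per line.
# The example.se entry is constructed to show a failure outside the rejected zone.
SAMPLE_LOG = """\
16-Mar-2009 12:43:40.920 dnssec: info: validating @0x842f89000: GT6F85BNJETCHV2RSE9H4U44V5QRHFON.gov TYPE50: no valid signature found
16-Mar-2009 12:43:40.920 dnssec: info: validating @0x8428cc000: NHQ1OKBN4C6SVH684SOJTC25JFOHEB23.gov TYPE50: no valid signature found
16-Mar-2009 12:43:40.946 dnssec: info: validating @0x842f93000: gov SOA: no valid signature found
16-Mar-2009 12:44:01.100 dnssec: info: validating @0x842f94000: example.se SOA: no valid signature found
16-Mar-2009 14:00:50.936 error: named.trustedkeys:4: configuring trusted key for 'GOV.': algorithm is unsupported
"""

KEY_RE = re.compile(r"configuring trusted key for '([^']+)': algorithm is unsupported")
VAL_RE = re.compile(r"validating @0x[0-9a-fA-F]+: (\S+) (\S+): no valid signature found")

def norm(name):
    """Compare names case-insensitively and without the trailing root dot."""
    return name.rstrip(".").lower()

def in_zone(owner, zone):
    """True if owner is the zone apex or a name below it ('' is the root)."""
    return zone == "" or owner == zone or owner.endswith("." + zone)

def correlate(log_text):
    """Return (failures per rejected-key zone, failures under no rejected key)."""
    rejected, failures = set(), []
    for line in log_text.splitlines():
        if (m := KEY_RE.search(line)):
            rejected.add(norm(m.group(1)))
        elif (m := VAL_RE.search(line)):
            failures.append((norm(m.group(1)), m.group(2)))
    by_zone = {zone: Counter() for zone in rejected}
    unexplained = Counter()
    for owner, rrtype in failures:
        # Longest matching zone wins, so a key for a child zone is preferred.
        zones = sorted((z for z in rejected if in_zone(owner, z)), key=len, reverse=True)
        if zones:
            by_zone[zones[0]][rrtype] += 1
        else:
            unexplained[(owner, rrtype)] += 1
    return by_zone, unexplained

if __name__ == "__main__":
    by_zone, unexplained = correlate(SAMPLE_LOG)
    for zone, counts in by_zone.items():
        print(f"trusted key rejected for '{zone or '.'}': {dict(counts)}")
    for (owner, rrtype), n in unexplained.items():
        print(f"no rejected key covers {owner} {rrtype} ({n}x)")
```

Failures left in the second group point at a cause other than a rejected trust anchor and need separate investigation.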