[dns-operations] Problems resolving .gov using DLV

Michael Sinatra michael at rancid.berkeley.edu
Mon Mar 16 21:27:21 UTC 2009


More info:

It appears that gov is using a KSK with algorithm 7, which my version of
BIND (9.5.1-P1) on FreeBSD doesn't support, according to the log:

/var/log/named/named.log.1:16-Mar-2009 14:00:50.936 error:
named.trustedkeys:4: configuring trusted key for 'GOV.': algorithm is
unsupported

Doing a crash upgrade to 9.6.0-P1 appears to fix the problem.

Is it possible that gov started using an algorithm that BIND 9.5.1-P1
doesn't support?

On 03/16/09 13:54, Michael Sinatra wrote:
> Hi,
> 
> Is anyone else having problems resolving .gov using the ISC DLV?  Just
> about an hour ago, my caching resolvers started choking on .gov
> addresses with the following errors (the timestamp in PDT [offset -0700]
> represents the earliest log entry in my resolvers).
> 
> I am currently trying to manually grab the trust anchor and add it to my
> BIND config to see if that helps.  In the meantime I am wondering if
> anyone else is seeing the problem.  (Note that I only have two trust
> anchors: One for the DLV and one for .se.  I currently do not have any
> manually added trust anchors for .gov or any subdomain thereof.)
> 
> 16-Mar-2009 12:43:40.920 dnssec: info:   validating @0x842f89000:
> GT6F85BNJETCHV2RSE9H4U44V5QRHFON.gov TYPE50: no valid signature found
> 16-Mar-2009 12:43:40.920 dnssec: info:   validating @0x8428cc000:
> NHQ1OKBN4C6SVH684SOJTC25JFOHEB23.gov TYPE50: no valid signature found
> 16-Mar-2009 12:43:40.920 dnssec: info:   validating @0x842f89000:
> GT6F85BNJETCHV2RSE9H4U44V5QRHFON.gov TYPE50: no valid signature found
> 16-Mar-2009 12:43:40.920 dnssec: info:   validating @0x8377e7000:
> 01BQVVC92HDUCS6JO571RA0M7AAB1TJ2.gov TYPE50: no valid signature found
> 16-Mar-2009 12:43:40.920 dnssec: info:   validating @0x8377e6000:
> FCHQ9FMNKR7B37322STB71CNCNRB6C02.gov TYPE50: no valid signature found
> 16-Mar-2009 12:43:40.920 dnssec: info:   validating @0x8377e7000:
> 01BQVVC92HDUCS6JO571RA0M7AAB1TJ2.gov TYPE50: no valid signature found
> 16-Mar-2009 12:43:40.920 dnssec: info:   validating @0x8377e6000:
> FCHQ9FMNKR7B37322STB71CNCNRB6C02.gov TYPE50: no valid signature found
> 16-Mar-2009 12:43:40.946 dnssec: info:   validating @0x842f93000: gov
> SOA: no valid signature found
> 16-Mar-2009 12:43:40.946 dnssec: info:   validating @0x842f93000: gov
> SOA: no valid signature found
> 
> 
> michael
> 
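
The failure chain described in this message (a trust anchor whose algorithm number the resolver cannot verify, followed by "no valid signature found" for the zone) can be checked before and after loading a key. The following is an added example, not part of the original post and not BIND code: the function names, the `SUPPORTED` set and the key placeholders are assumptions, and only the log lines and the gov algorithm number 7 come from the post.

```python
import re
from collections import Counter

# IANA DNSSEC algorithm numbers (subset)
ALG_NAMES = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
             7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}
# Assumption, not from the post: algorithms this resolver build can verify.
SUPPORTED = {1, 3, 5}

# trusted-keys entry: "zone" flags protocol algorithm "base64 key";
KEY_RE = re.compile(r'"?([\w.-]+)"?\s+(\d+)\s+(\d+)\s+(\d+)\s+"[^"]*"\s*;')
REJECT_RE = re.compile(r"configuring trusted key for '([^']+)': algorithm is unsupported")
NOSIG_RE = re.compile(r"validating @0x[0-9a-f]+: (\S+) (\S+): no valid signature found")

def audit_trust_anchors(conf_text, supported=SUPPORTED):
    """Return (zone, algorithm, algorithm name, usable) per trusted-keys entry."""
    rows = []
    for zone, _flags, _proto, alg in KEY_RE.findall(conf_text):
        alg = int(alg)
        rows.append((zone.lower().rstrip(".") + ".", alg,
                     ALG_NAMES.get(alg, "unknown"), alg in supported))
    return rows

def summarize_log(log_text):
    """Return (anchors named rejected, Counter of failures keyed by (tld, rrtype))."""
    flat = " ".join(log_text.split())  # undo line folding from mail or grep output
    rejected = {z.lower() for z in REJECT_RE.findall(flat)}
    failures = Counter()
    for name, rrtype in NOSIG_RE.findall(flat):
        tld = name.lower().rstrip(".").rsplit(".", 1)[-1] + "."
        failures[(tld, rrtype)] += 1  # TYPE50 is NSEC3
    return rejected, failures

# Constructed stanza: placeholder keys; only gov's algorithm 7 is from the post.
SAMPLE_CONF = '''trusted-keys {
    "dlv.isc.org." 257 3 5 "PLACEHOLDER-KEY-A";
    "se." 257 3 5 "PLACEHOLDER-KEY-B";
    "gov." 257 3 7 "PLACEHOLDER-KEY-C";
};'''
# Log lines as quoted in the post, including its line folding.
SAMPLE_LOG = """16-Mar-2009 14:00:50.936 error:
named.trustedkeys:4: configuring trusted key for 'GOV.': algorithm is
unsupported
16-Mar-2009 12:43:40.920 dnssec: info:   validating @0x842f89000:
GT6F85BNJETCHV2RSE9H4U44V5QRHFON.gov TYPE50: no valid signature found
16-Mar-2009 12:43:40.946 dnssec: info:   validating @0x842f93000: gov
SOA: no valid signature found"""
if __name__ == "__main__":
    print(audit_trust_anchors(SAMPLE_CONF), summarize_log(SAMPLE_LOG))
```

Set `SUPPORTED` from the documentation of the resolver build actually deployed; an anchor flagged unusable here is one the resolver would refuse at configuration time.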



