[dns-operations] Problems resolving .gov using DLV

Dave Knight dknight at ca.afilias.info
Mon Mar 16 21:37:05 UTC 2009


Algorithm 7 is RSASHA1-NSEC3-SHA1, see http://www.iana.org/assignments/dns-sec-alg-numbers/

BIND didn't gain NSEC3 support until 9.6.0, see https://www.isc.org/software/bind/new-features/9.6

dave

On 16-Mar-09, at 5:27 PM, Michael Sinatra wrote:

> More info:
>
> It appears that gov is using a KSK with algorithm 7, which my version of
> BIND (9.5.1-P1) on FreeBSD doesn't support, according to the log:
>
> /var/log/named/named.log.1:16-Mar-2009 14:00:50.936 error:
> named.trustedkeys:4: configuring trusted key for 'GOV.': algorithm is
> unsupported
>
> Doing a crash upgrade to 9.6.0-P1 appears to fix the problem.
>
> Is it possible that gov started using an algorithm that BIND 9.5.1-P1
> doesn't support?
>
> On 03/16/09 13:54, Michael Sinatra wrote:
>> Hi,
>>
>> Is anyone else having problems resolving .gov using the ISC DLV? Just
>> about an hour ago, my caching resolvers started choking on .gov
>> addresses with the following errors (the timestamp in PDT [offset -0700]
>> represents the earliest log entry in my resolvers).
>>
>> I am currently trying to manually grab the trust anchor and add it to my
>> BIND config to see if that helps.  In the meantime I am wondering if
>> anyone else is seeing the problem.  (Note that I only have two trust
>> anchors: One for the DLV and one for .se.  I currently do not have any
>> manually added trust anchors for .gov or any subdomain thereof.)
>>
>> 16-Mar-2009 12:43:40.920 dnssec: info:   validating @0x842f89000:
>> GT6F85BNJETCHV2RSE9H4U44V5QRHFON.gov TYPE50: no valid signature found
>> 16-Mar-2009 12:43:40.920 dnssec: info:   validating @0x8428cc000:
>> NHQ1OKBN4C6SVH684SOJTC25JFOHEB23.gov TYPE50: no valid signature found
>> 16-Mar-2009 12:43:40.920 dnssec: info:   validating @0x842f89000:
>> GT6F85BNJETCHV2RSE9H4U44V5QRHFON.gov TYPE50: no valid signature found
>> 16-Mar-2009 12:43:40.920 dnssec: info:   validating @0x8377e7000:
>> 01BQVVC92HDUCS6JO571RA0M7AAB1TJ2.gov TYPE50: no valid signature found
>> 16-Mar-2009 12:43:40.920 dnssec: info:   validating @0x8377e6000:
>> FCHQ9FMNKR7B37322STB71CNCNRB6C02.gov TYPE50: no valid signature found
>> 16-Mar-2009 12:43:40.920 dnssec: info:   validating @0x8377e7000:
>> 01BQVVC92HDUCS6JO571RA0M7AAB1TJ2.gov TYPE50: no valid signature found
>> 16-Mar-2009 12:43:40.920 dnssec: info:   validating @0x8377e6000:
>> FCHQ9FMNKR7B37322STB71CNCNRB6C02.gov TYPE50: no valid signature found
>> 16-Mar-2009 12:43:40.946 dnssec: info:   validating @0x842f93000: gov
>> SOA: no valid signature found
>> 16-Mar-2009 12:43:40.946 dnssec: info:   validating @0x842f93000: gov
>> SOA: no valid signature found
>>
>>
>> michael
>>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
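Dave's point is that a validator cannot use a trust anchor or DNSKEY whose algorithm it does not implement, which is exactly the "algorithm is unsupported" error in Michael's named.log. As an added example (not code from this thread or from ISC), the Python below parses DNSKEY records in zone-file presentation form, names the algorithm from the IANA registry, computes the RFC 4034 key tag so the key can be matched against a trusted-keys entry, and flags keys that a resolver without NSEC3 algorithm support would reject. The sample keys and the PRE_NSEC3_RESOLVER set are constructed assumptions, not the real .gov keys or BIND's exact algorithm list.

```python
"""Check whether DNSKEY records use an algorithm a validating resolver supports."""
import base64

# Algorithm numbers from the IANA DNSSEC algorithm registry.
IANA_ALGORITHMS = {
    1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}

# Assumed: the algorithms a resolver built before NSEC3 support can validate
# (no 6 or 7). Constructed for illustration, not BIND 9.5.x's exact list.
PRE_NSEC3_RESOLVER = {1, 3, 5}

def key_tag(flags, protocol, algorithm, key_bytes):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key_bytes
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd bytes low, even bytes high
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line):
    """Parse '<owner> [TTL] [IN] DNSKEY <flags> <proto> <alg> <base64...>'."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(f) for f in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))  # base64 may span spaces
    return {"owner": fields[0], "flags": flags, "protocol": proto,
            "algorithm": alg, "key_tag": key_tag(flags, proto, alg, key)}

def check_keys(lines, supported):
    """Return one finding per DNSKEY: algorithm name, KSK status, usability."""
    findings = []
    for line in lines:
        k = parse_dnskey(line)
        k["name"] = IANA_ALGORITHMS.get(k["algorithm"], "UNASSIGNED/UNKNOWN")
        k["is_ksk"] = bool(k["flags"] & 1)     # SEP bit set (257 = zone key + SEP)
        k["supported"] = k["algorithm"] in supported
        findings.append(k)
    return findings

# Constructed sample records; the key material "AQID" is a placeholder, not a real key.
SAMPLE_DNSKEYS = [
    "gov. 86400 IN DNSKEY 257 3 7 AQID",   # KSK, RSASHA1-NSEC3-SHA1
    "gov. 86400 IN DNSKEY 256 3 5 AQID",   # ZSK, RSASHA1
]

if __name__ == "__main__":
    for f in check_keys(SAMPLE_DNSKEYS, PRE_NSEC3_RESOLVER):
        status = "ok" if f["supported"] else "algorithm is unsupported"
        print(f"{f['owner']} tag={f['key_tag']} {f['name']} ksk={f['is_ksk']}: {status}")
```

A key tag that matches the one in the resolver's trusted-keys line but with an unsupported algorithm is the signature of this failure: the anchor is right, the software is too old.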