[dns-operations] Problems resolving .gov using DLV

Michael Sinatra michael at rancid.berkeley.edu
Mon Mar 16 22:23:40 UTC 2009


The problem is that the DLV supports RSASHA1-NSEC3-SHA1, but BIND <
9.6.0 doesn't.  That (apparently) means that systems using the DLV that
run older versions of BIND CANNOT resolve hosts in a zone that is signed
with an RSASHA1-NSEC3-SHA1 key!

This appears to occur regardless of the query being made (to answer Alan
Clegg's question).

OUCH!

michael

PS. Upgrading to 9.6.0-P1 now.

On 03/16/09 14:37, Dave Knight wrote:
> 
> Algorithm 7 is RSASHA1-NSEC3-SHA1, see
> http://www.iana.org/assignments/dns-sec-alg-numbers/
> 
> BIND didn't gain NSEC3 support until 9.6.0, see
> https://www.isc.org/software/bind/new-features/9.6
> 
> dave
> 
> On 16-Mar-09, at 5:27 PM, Michael Sinatra wrote:
> 
>> More info:
>>
>> It appears that gov is using a KSK with algorithm 7, which my version of
>> BIND (9.5.1-P1) on FreeBSD doesn't support, according to the log:
>>
>> /var/log/named/named.log.1:16-Mar-2009 14:00:50.936 error:
>> named.trustedkeys:4: configuring trusted key for 'GOV.': algorithm is
>> unsupported
>>
>> Doing a crash upgrade to 9.6.0-P1 appears to fix the problem.
>>
>> Is it possible that gov started using an algorithm that BIND 9.5.1-P1
>> doesn't support?
>>
>> On 03/16/09 13:54, Michael Sinatra wrote:
>>> Hi,
>>>
>>> Is anyone else having problems resolving .gov using the ISC DLV?  Just
>>> about an hour ago, my caching resolvers started choking on .gov
>>> addresses with the following errors (the timestamp in PDT [offset -0700]
>>> represents the earliest log entry in my resolvers).
>>>
>>> I am currently trying to manually grab the trust anchor and add it to my
>>> BIND config to see if that helps.  In the meantime I am wondering if
>>> anyone else is seeing the problem.  (Note that I only have two trust
>>> anchors: One for the DLV and one for .se.  I currently do not have any
>>> manually added trust anchors for .gov or any subdomain thereof.)
>>>
>>> 16-Mar-2009 12:43:40.920 dnssec: info:   validating @0x842f89000:
>>> GT6F85BNJETCHV2RSE9H4U44V5QRHFON.gov TYPE50: no valid signature found
>>> 16-Mar-2009 12:43:40.920 dnssec: info:   validating @0x8428cc000:
>>> NHQ1OKBN4C6SVH684SOJTC25JFOHEB23.gov TYPE50: no valid signature found
>>> 16-Mar-2009 12:43:40.920 dnssec: info:   validating @0x842f89000:
>>> GT6F85BNJETCHV2RSE9H4U44V5QRHFON.gov TYPE50: no valid signature found
>>> 16-Mar-2009 12:43:40.920 dnssec: info:   validating @0x8377e7000:
>>> 01BQVVC92HDUCS6JO571RA0M7AAB1TJ2.gov TYPE50: no valid signature found
>>> 16-Mar-2009 12:43:40.920 dnssec: info:   validating @0x8377e6000:
>>> FCHQ9FMNKR7B37322STB71CNCNRB6C02.gov TYPE50: no valid signature found
>>> 16-Mar-2009 12:43:40.920 dnssec: info:   validating @0x8377e7000:
>>> 01BQVVC92HDUCS6JO571RA0M7AAB1TJ2.gov TYPE50: no valid signature found
>>> 16-Mar-2009 12:43:40.920 dnssec: info:   validating @0x8377e6000:
>>> FCHQ9FMNKR7B37322STB71CNCNRB6C02.gov TYPE50: no valid signature found
>>> 16-Mar-2009 12:43:40.946 dnssec: info:   validating @0x842f93000: gov
>>> SOA: no valid signature found
>>> 16-Mar-2009 12:43:40.946 dnssec: info:   validating @0x842f93000: gov
>>> SOA: no valid signature found
>>>
>>>
>>> michael
>>>
>>
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
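The check the thread arrives at by trial and error (does the running resolver support the trust anchor's algorithm?) can be done before the key is installed. The script below is an added example, not code from the thread or from ISC: it parses a DNSKEY RR, names its algorithm, computes the RFC 4034 key tag, and flags the anchor against a per-resolver support table; it also pulls the zone name out of the "algorithm is unsupported" line quoted above. The support table and the 4-byte sample key are constructed for the example; the table is an approximation based on the thread and the ISC 9.6 feature list, not an authoritative list.

```python
import base64
import re
import struct

# IANA DNS Security Algorithm Numbers (the subset relevant to this thread).
ALGORITHMS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1",
              6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256"}

# Algorithms each resolver can validate with. Constructed from the thread and
# the ISC 9.6 feature list (9.5.x lacks the NSEC3 algorithms 6 and 7, which
# 9.6.0 added); an approximation, not an authoritative table.
RESOLVER_SUPPORT = {"bind-9.5": {1, 3, 5}, "bind-9.6": {1, 3, 5, 6, 7}}

def parse_dnskey(rr):
    """Parse a DNSKEY RR in presentation format (TTL optional), e.g.
    'gov. 86400 IN DNSKEY 257 3 7 AwEAA...'."""
    f = rr.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    return {"owner": f[0], "flags": flags, "protocol": proto, "algorithm": alg,
            "key": base64.b64decode("".join(f[i + 4:]))}

def key_tag(flags, proto, alg, key):
    """Key tag per RFC 4034 Appendix B, computed over the RDATA wire form."""
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    if len(rdata) % 2:
        rdata += b"\x00"
    ac = sum(struct.unpack("!%dH" % (len(rdata) // 2), rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def check_trust_anchor(rr, resolver):
    """Say whether `resolver` could validate with this key before installing it."""
    k = parse_dnskey(rr)
    return {"owner": k["owner"],
            "role": "KSK" if k["flags"] & 1 else "ZSK",  # low bit = SEP flag
            "algorithm": k["algorithm"],
            "name": ALGORITHMS.get(k["algorithm"], "unknown"),
            "key_tag": key_tag(k["flags"], k["protocol"], k["algorithm"], k["key"]),
            "supported": k["algorithm"] in RESOLVER_SUPPORT[resolver]}

# Matches the named.log line quoted in the thread.
_UNSUPPORTED = re.compile(r"configuring trusted key for '([^']+)': algorithm is unsupported")

def unsupported_anchors_in_log(lines):
    """Zones whose configured trust anchor the running BIND refused to load."""
    return sorted({m.group(1) for m in map(_UNSUPPORTED.search, lines) if m})
```

Running `check_trust_anchor("gov. IN DNSKEY 257 3 7 AQIDBA==", "bind-9.5")` on the constructed key reports algorithm 7 (RSASHA1-NSEC3-SHA1), key tag 2062 and `supported: False`, which is exactly the situation the 9.5.1-P1 resolvers in the thread hit.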