[dns-operations] Problems resolving .gov using DLV

Edward Lewis Ed.Lewis at neustar.biz
Tue Mar 17 17:40:43 UTC 2009


Thanks for the list.

At 16:59 +0000 3/17/09, Lutz Donnerhacke wrote:
>The three other NSEC3 zones are:
>   6.1.f.f.0.e.1.4.1.0.0.2.ip6.arpa.
>   sicherheitsproblem.de.
>   satellite.dnslab.jp.

I set up a BIND 9.5.0-P1 recurser with DLV turned on.

First as a check (dig is 9.6, named is 9.5):

#  $ dig @127.0.0.1 -p 1053 version.bind. chaos txt
#
#  ;; ANSWER SECTION:
#  version.bind.		0	CH	TXT	"9.5.0-P1"
#

Looking at trusty ol' Sweden...

#  $ dig @127.0.0.1 -p 1053 +dnssec se soa
#
#  ; <<>> DiG 9.6.0 <<>> @127.0.0.1 -p 1053 +dnssec se soa
#  ; (1 server found)
#  ;; global options: +cmd
#  ;; Got answer:
#  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45939
#  ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 11, ADDITIONAL: 27

Got an ad bit set.

I presume "securityproblem" isn't in DLV:

#  $ dig @127.0.0.1 -p 1053 +dnssec sicherheitsproblem.de. soa
#
#  ; <<>> DiG 9.6.0 <<>> @127.0.0.1 -p 1053 +dnssec sicherheitsproblem.de. soa
#  ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
(no ad bit)
#  ;; ANSWER SECTION:
#  sicherheitsproblem.de.	85833	IN	SOA	nsig2....
#  sicherheitsproblem.de.	85833	IN	RRSIG	SOA ...

log says:

...client 127.0.0.1#52680: query: sicherheitsproblem.de IN SOA +ED

Trying the IPv6 rev map:

#  $ dig @127.0.0.1 -p 1053 +dnssec 6.1.f.f.0.e.1.4.1.0.0.2.ip6.arpa. soa
#
#  ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
(no ad bit)
#  ;; ANSWER SECTION:
#  6.1.f.f.0.e.1.4.1.0.0.2.ip6.arpa. 1800 IN SOA	ns1....
#  6.1.f.f.0.e.1.4.1.0.0.2.ip6.arpa. 1800 IN RRSIG	SOA ...

And the log says:

... client 127.0.0.1#52673: query: 6...ip6.arpa IN SOA +ED
... validating @0x87c400: 6...ip6.arpa SOA: no valid signature found


Finally, the satellite:

#  $ dig @127.0.0.1 -p 1053 +dnssec satellite.dnslab.jp. soa
#
#  ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63101

log says:

... client 127.0.0.1#52681: query: satellite.dnslab.jp IN SOA +ED
... validating @0x87c400: satellite.dnslab.jp SOA: no valid signature found
... no valid RRSIG resolving 'satellite.dnslab.jp/SOA/IN': 203.178.129.8#53

I looked deeper... I know there is no DS for the name in the parent.
And if you ask for +norec you get back this:

#  ;; QUESTION SECTION:
#  ;satellite.dnslab.jp.		IN	SOA
#
#  ;; AUTHORITY SECTION:
#  satellite.dnslab.jp.	76965	IN	NS	ns.satellite.dnslab.jp.
#  satellite.dnslab.jp.	91	IN	RRSIG	NS ...

I.e., it seems stuck on a referral.

From this I am not yet certain I see a BIND issue.  Perhaps the last 
case is, but I can't tell without knowing what NSEC3 anchors are in DLV 
and whether or not they are being given to me (as a BIND 9.5 
validator user).

>Current distribution of unchained KSK summarized by algorithm ID (without
>tests):
>   1 27
>   3 6
>   5 1284
>   7 3

Is that - in the ISC DLV?
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Getting everything you want is easy if you don't want much.
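The post reads validation state off dig's header line by eye: AD set means validated, NOERROR without AD means no chain of trust (no DS or DLV anchor), and SERVFAIL from a validating recurser means the validator rejected the data. The following is an added example, not code from the thread or from BIND, that decodes a raw DNS header the way dig prints it and applies that same classification; the sample headers are constructed here to mirror the three observations above (the IDs 45939 and 63101 are the ones in the post, 4242 is a placeholder).

```python
import struct

# Bit positions in the DNS header flags word (RFC 1035 s4.1.1; AD/CD from RFC 4035 s3.2.3)
QR, AA, TC, RD, RA, AD, CD = 1 << 15, 1 << 10, 1 << 9, 1 << 8, 1 << 7, 1 << 5, 1 << 4
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
FLAG_NAMES = (("qr", QR), ("aa", AA), ("tc", TC), ("rd", RD), ("ra", RA), ("ad", AD), ("cd", CD))


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header: id, flag names as dig prints them, rcode, counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    names = [name for name, bit in FLAG_NAMES if flags & bit]
    rcode = flags & 0xF
    return {"id": ident, "flags": names, "rcode": RCODE_NAMES.get(rcode, str(rcode)),
            "counts": (qd, an, ns, ar)}


def validation_state(hdr: dict) -> str:
    """Classify a validating recurser's answer from the header alone, as the post does."""
    if "cd" in hdr["flags"]:
        return "unknown (checking disabled, validator bypassed)"
    if hdr["rcode"] == "SERVFAIL":
        return "bogus or unreachable (SERVFAIL; check the validator log)"
    if "ad" in hdr["flags"]:
        return "secure (AD set: chain of trust verified)"
    return "insecure (no AD: no DS or DLV anchor covers the name)"


def build_header(ident, flags, qd=1, an=0, ns=0, ar=0) -> bytes:
    """Constructed sample header bytes for offline use; a real message would follow them."""
    return struct.pack("!6H", ident, flags, qd, an, ns, ar)


# Constructed headers matching the three observations in the post
SAMPLES = {
    "se": build_header(45939, QR | RD | RA | AD, 1, 2, 11, 27),
    "sicherheitsproblem.de": build_header(4242, QR | RD | RA, 1, 2, 3, 1),
    "satellite.dnslab.jp": build_header(63101, QR | RD | RA | 2, 1, 0, 0, 1),  # rcode 2
}


def classify_all(samples=SAMPLES) -> dict:
    """Map each sample name to its validation state string."""
    return {name: validation_state(parse_header(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        h = parse_header(raw)
        print(f"{name:24} id={h['id']} flags={' '.join(h['flags'])} {h['rcode']} -> {validation_state(h)}")
```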
