[dns-operations] .gov has been re-inserted into dlv.isc.org

Michael Sinatra michael at rancid.berkeley.edu
Fri May 1 16:07:59 UTC 2009


On 05/01/09 05:03, Michael Graff wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> .gov has just been re-inserted into dlv.isc.org.  Please report any
> problems to dlv-registry at isc.org.

I was getting SERVFAILs on most of my caching boxes after the key was 
added.  'rndc flushname gov' effectively fixed that problem.  The only 
box that didn't have the problem was the least-busy one, so I assume 
there were caching issues involved.  In some cases, gov was resolvable 
(although insecure) but subdomains in gov (e.g. nist.gov) were not.  (In 
the example below, gov itself was not resolvable.)  After 'rndc 
flushname gov', gov resolves with the ad bit set; nist.gov resolves but 
is still insecure (there doesn't appear to be a DS record in the parent).  dig 
output from one of the boxes is below.

dnssec.log on each box indicates problems resolving hosts in gov (mostly 
time.nist.gov which presumably some hosts were using for ntp) beginning 
around 0600 lt (1300 GMT), although one box started logging "no valid 
signature" as early as 0542.

I suspect this was a caching issue where cached parent data was insecure 
after the DLV key was inserted.  The TTL on time.nist.gov (and 
ns1.nist.gov, but not the other NS) is 1800, so when it expired from 
cache, presumably there would have been resolution problems trying to 
get authoritative delegation information from a parent zone (i.e. gov) 
that was insecure in cache but should now have been secure owing to the 
presence of a DLV record.

'rndc flush' is the recommended course of action when first enabling 
validation or when adding keys to the local trust anchor repository 
(usually done at the same time), so it may be the case that this is to 
be expected (although certainly not desired) when keys are added to the 
DLV for a zone that has a lot of delegations.  The question is whether a 
similar effect will occur in the presence of a signed root, when a DS 
record is added to the root zone for a TLD (say, com).

RFC 4035 (and 4033-4) are quiet about this kind of situation; RFC 4641, 
section 4.2 discusses cached data in the context of key rollovers, but I 
can't find reference to the specific example of when a trust anchor or 
some sort of delegation key (DS or DLV) is added for a particular zone 
and old (insecure) information about that zone is cached.

michael



drl2# dig +dnssec gov @drl2

; <<>> DiG 9.6.0-P1 <<>> +dnssec gov @drl2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61532
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;gov.                           IN      A

;; Query time: 529 msec
;; SERVER: 2607:f140:ffff:8000:0:8001:0:2#53(2607:f140:ffff:8000:0:8001:0:2)
;; WHEN: Fri May  1 08:16:55 2009
;; MSG SIZE  rcvd: 32

drl2# dig +dnssec nist.gov @drl2

; <<>> DiG 9.6.0-P1 <<>> +dnssec nist.gov @drl2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22273
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nist.gov.                      IN      A

;; Query time: 1375 msec
;; SERVER: 169.229.128.150#53(169.229.128.150)
;; WHEN: Fri May  1 08:17:20 2009
;; MSG SIZE  rcvd: 37

drl2# rndc flushname gov
drl2# dig +dnssec nist.gov @drl2

; <<>> DiG 9.6.0-P1 <<>> +dnssec nist.gov @drl2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16576
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nist.gov.                      IN      A

;; ANSWER SECTION:
nist.gov.               1800    IN      A       129.6.13.45
nist.gov.               1800    IN      RRSIG   A 5 2 1800 
20090530183420 20090430183420 63462 nist.gov. 
oTVsdWbx7gkhP9NgLLoRybgk3ejK98jnlwAn2NF5vSqGn5+Ey1cVvJip 
Btw1n3i2XtitBYR8LfqDfnCCg1Hz2K9ZCWsEz96eErzFaN21SV8gz7TT 
+DiBDlPe4N03lvkaYzQsPG+3cs5FfvlSM8x6ePQUneG42JfKVdQCAeqB hF8= 


;; AUTHORITY SECTION:
nist.gov.               65026   IN      NS      ns1.nist.gov.
nist.gov.               65026   IN      NS      dns-x.boulder.nist.gov.
nist.gov.               65026   IN      RRSIG   NS 5 2 86400 
20090530183420 20090430183420 63462 nist.gov. 
YDx7OPeuomVV2v0qQXUKSQGm9fpCsa/M5aRZ8ZDnLhlEqWi0kTb9RuuO 
VrLSbZ+deFL8dmfQnYrYb3WnP99DU4JALW2Rbb9oPAcUyMZehgQQEu5O 
9/jCOxcG15ysgdAaP5bhegEJOXSS37OCcvNrGOWA2pAGfnn3Ri6MRVJP 810= 


;; ADDITIONAL SECTION:
dns-x.boulder.nist.gov. 76136   IN      A       132.163.4.9
dns-x.boulder.nist.gov. 76136   IN      RRSIG   A 5 4 86400 
20090201120000 20080318211639 61107 boulder.nist.gov. 
pfp8EHFPL4B6QYTkZD8lqFjLnYR7G53B/tvYiMYCPhkVBwFbaKoCGXkL 
Xe7W7GW0lQ5kv6Sm35YFsWF88KvealGS9p4sr+kg+4hH+VyQuCKipGur 
LM7LER/8WVW2pCWBpwtW2Miw4G2noM/J0VPxzCO3KhJR2f6qddu074g+ wJE=

;; Query time: 120 msec
;; SERVER: 2607:f140:ffff:8000:0:8001:0:2#53(2607:f140:ffff:8000:0:8001:0:2)
;; WHEN: Fri May  1 08:17:29 2009
;; MSG SIZE  rcvd: 627

drl2# dig +dnssec gov @drl2

; <<>> DiG 9.6.0-P1 <<>> +dnssec gov @drl2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24298
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;gov.                           IN      A

;; AUTHORITY SECTION:
gov.                    10800   IN      SOA     A.GOV.ZONEEDIT.COM. 
govcontact.ZONEEDIT.COM. 1241186464 3600 900 1814400 86400
gov.                    10800   IN      RRSIG   SOA 7 1 259200 
20090506130105 20090501130105 31802 gov. 
kAYdnSLxmRAhGrET+7oSjxmPJlrq7qkcWaocQvFlM6bS/owahmdFFQuR 
PudqQWufP/hth0heCQy6a/IntxiNrzgAsGzszUfutzkxac8FseN+LMKO 
sCqAkRbjzpO7o2s3A3DXp1TgeHM01AAU3K3nFYOAAm+WFmrAjK+Q++G5 
CA38Wb7LoUrnkGVdAwqF9RWTt0MlswLTfzRQvnljTaCpMdX8ZnWCUS90 
ngWRqTvfUVcRJTWln5N44ce64b93s0vjorNVwaZ5Ws+7K+O7aGOSeJ0N 
SafNTc5COb9x2xXwmAyIULC37RnJ1+eoGG1ivyW4mMuR4KTdTQ+rElc4 SjHueQ==
VVSOMCNUB7A79EALVJEH4VN12192C715.gov. 10800 IN RRSIG NSEC3 7 2 86400 
20090506130105 20090501130105 31802 gov. 
c6PK6kDitsv9DvcFf4zC77WuXk7mo6dXax59MbakQqVk8EpbyP71WOMp 
ZlJL0wmtQEVorUbYXg+GPspIgGJcM/obvJ3OVZlV7EOtvlmZbvYALENt 
WXXc2FPXtcIYU7UGD2Qgz6OQOKKu4+SzCBEGVZ6NYxsU3nMO1mao0kWH 
7gpClnUNB0e3rPVnRA7F107sI6xH+7nSrJNeXf0kr5/6FuVBFVxGZ0R1 
Z/6T0wQGrDe2LFEt4l4oIL2KZlE6E/nNQY3Ar0GO9WRV+FLiu610drJv 
M9ojF9YkBgQWX9tkd7mtXv10H6v+E9UFN+bjipMrDaxCcef871CyTOIA ZHo6rg==
VVSOMCNUB7A79EALVJEH4VN12192C715.gov. 10800 IN NSEC3 1 0 10 ABAB 
0002H1U5Q5HGQCITMSB0QRETCK0N6FLT NS SOA RRSIG DNSKEY NSEC3PARAM

;; Query time: 86 msec
;; SERVER: 2607:f140:ffff:8000:0:8001:0:2#53(2607:f140:ffff:8000:0:8001:0:2)
;; WHEN: Fri May  1 08:17:34 2009
;; MSG SIZE  rcvd: 761
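Added example (my own, not code from the post): a small parser that sorts dig +dnssec header blocks into the three states the post distinguishes (SERVFAIL, answered but insecure, and answered with the ad bit set), run over a sample constructed from the four queries above. The same summarize() can be pointed at dig output collected from each cache to see which boxes still need a flush after a trust anchor change.

```python
import re
HEADER_RE = re.compile(r"->>HEADER<<- opcode: \w+, status: (\w+), id: \d+")
FLAGS_RE = re.compile(r";; flags: ([\w ]*); QUERY: \d+, ANSWER: (\d+)")
QUESTION_RE = re.compile(r"^;(\S+)\s+IN\s+(\w+)\s*$", re.M)

# Constructed sample: the header blocks of the post's four dig runs, in order.
SAMPLE = """\
; <<>> DiG 9.6.0-P1 <<>> +dnssec gov @drl2
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61532
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;gov.                           IN      A
; <<>> DiG 9.6.0-P1 <<>> +dnssec nist.gov @drl2
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22273
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;nist.gov.                      IN      A
; <<>> DiG 9.6.0-P1 <<>> +dnssec nist.gov @drl2
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16576
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3
;; QUESTION SECTION:
;nist.gov.                      IN      A
; <<>> DiG 9.6.0-P1 <<>> +dnssec gov @drl2
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24298
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; QUESTION SECTION:
;gov.                           IN      A
"""

def parse_dig(text):
    """One dict per dig run: queried name, rcode, flag set and answer count."""
    runs = []
    # every dig invocation starts its own output with the "; <<>> DiG" banner
    for chunk in re.split(r"(?m)^; <<>> DiG", text)[1:]:
        h, f, q = HEADER_RE.search(chunk), FLAGS_RE.search(chunk), QUESTION_RE.search(chunk)
        if h and f and q:
            runs.append({"name": q.group(1).rstrip("."), "status": h.group(1),
                         "flags": set(f.group(1).split()), "answers": int(f.group(2))})
    return runs

def classify(run):
    # servfail: could not resolve/validate; insecure: answered without a
    # validated chain (no ad bit); secure: answered with the ad bit set
    if run["status"] == "SERVFAIL":
        return "servfail"
    if run["status"] != "NOERROR":
        return run["status"].lower()
    return "secure" if "ad" in run["flags"] else "insecure"

def summarize(text):
    return [(r["name"], classify(r)) for r in parse_dig(text)]
```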



