[dns-operations] Problem resolving some uppercase .GOV domains
Gani, Paul *
Paul.Gani at fda.hhs.gov
Mon May 11 21:22:10 UTC 2009
Good idea. This is the log.
11-May-2009 17:16:23.997 dnssec: debug 3: validating @cce850: www.cashlink2.gov A: starting
11-May-2009 17:16:24.004 dnssec: debug 3: validating @cce850: www.cashlink2.gov A: attempting insecurity proof
11-May-2009 17:16:24.004 dnssec: debug 3: validating @cce850: www.cashlink2.gov A: checking existence of DS at 'cashlink2.gov'
11-May-2009 17:16:24.005 dnssec: debug 3: validating @cce850: www.cashlink2.gov A: marking as answer
11-May-2009 17:16:24.005 dnssec: debug 3: validator @cce850: dns_validator_destroy
11-May-2009 17:16:32.687 dnssec: debug 3: validating @cce850: WWW.CASHLINK2.GOV A: starting
11-May-2009 17:16:32.687 dnssec: debug 3: validating @cce850: WWW.CASHLINK2.GOV A: attempting insecurity proof
11-May-2009 17:16:32.687 dnssec: debug 3: validating @cce850: WWW.CASHLINK2.GOV A: checking existence of DS at 'CASHLINK2.GOV'
11-May-2009 17:16:32.687 dnssec: debug 3: validating @cce850: WWW.CASHLINK2.GOV A: checking existence of DS at 'WWW.CASHLINK2.GOV'
11-May-2009 17:16:32.804 dnssec: debug 3: validating @cce850: WWW.CASHLINK2.GOV A: in dsfetched2: SERVFAIL
11-May-2009 17:16:32.804 dnssec: debug 3: validator @cce850: dns_validator_destroy
However, I think I found the bug:
2554. [bug] Validation of uppercase queries from NSEC3 zones could
fail. [RT #19297]
Paul Gani
FDA | OIM | DOI - Network Security
-----Original Message-----
From: Jeremy C. Reed
Sent: Monday, May 11, 2009 5:04 PM
To: Gani, Paul *
Subject: Re: [dns-operations] Problem resolving some uppercase .GOV
domains
> [ns:/root]# dig WWW.CASHLINK2.GOV
>
> ; <<>> DiG 9.6.0-P1 <<>> WWW.CASHLINK2.GOV
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> [ns:/root]#
Do you have any "dnssec" logging enabled? Does it or your other named
logging tell you anything about this?
Maybe you can temporarily enable "dnssec" logging to test this.
logging {
    channel dnssec_log {
        # make directory or choose different file destination
        file "/var/log/bind/dnssec" versions 3 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug 3;
    };
    category dnssec { dnssec_log; };
};
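
Added example, not part of the original messages: a Python sketch that parses "dnssec" debug lines in the format shown in the log above and reports names whose validation outcome changes only with the case of the query name. The function names and outcome labels are assumptions made for illustration; the sample lines are a subset of the log above with wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Subset of the log lines posted above, with wrapped lines rejoined.
SAMPLE_LOG = """\
11-May-2009 17:16:23.997 dnssec: debug 3: validating @cce850: www.cashlink2.gov A: starting
11-May-2009 17:16:24.005 dnssec: debug 3: validating @cce850: www.cashlink2.gov A: marking as answer
11-May-2009 17:16:24.005 dnssec: debug 3: validator @cce850: dns_validator_destroy
11-May-2009 17:16:32.687 dnssec: debug 3: validating @cce850: WWW.CASHLINK2.GOV A: starting
11-May-2009 17:16:32.804 dnssec: debug 3: validating @cce850: WWW.CASHLINK2.GOV A: in dsfetched2: SERVFAIL
11-May-2009 17:16:32.804 dnssec: debug 3: validator @cce850: dns_validator_destroy
"""

# One "validating" line: timestamp, validator address, owner name, type, message.
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) dnssec: debug \d+: validating @(?P<ctx>[0-9a-f]+): "
    r"(?P<name>\S+) (?P<type>\S+): (?P<msg>.*)$")


def validation_outcomes(log_text):
    """Map (name as queried, type) to 'answer', 'servfail' or 'incomplete'."""
    outcomes = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # e.g. "validator @...: dns_validator_destroy"
        key = (m["name"], m["type"])
        if m["msg"] == "starting":
            outcomes[key] = "incomplete"   # overwritten if a result follows
        elif m["msg"] == "marking as answer":
            outcomes[key] = "answer"
        elif "SERVFAIL" in m["msg"]:
            outcomes[key] = "servfail"
    return outcomes


def case_dependent_results(outcomes):
    """Group spellings that differ only by case; keep groups whose outcomes disagree."""
    groups = defaultdict(dict)
    for (name, rrtype), result in outcomes.items():
        groups[(name.lower(), rrtype)][name] = result
    return {k: v for k, v in groups.items() if len(set(v.values())) > 1}


if __name__ == "__main__":
    for key, spellings in case_dependent_results(validation_outcomes(SAMPLE_LOG)).items():
        print(key, spellings)
```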