[dns-operations] DNSSEC, DLV, and delegation-only
Craig Leres
leres at ee.lbl.gov
Thu May 14 21:58:27 UTC 2009
I'm not using delegation-only or root-delegation-only in any of my
named configs and I'm also not currently able to look up anything
in the se TLD or even isc.org from any of my DLV enabled 9.6.0-P1
servers including:
nsx.lbl.gov
ns1.lbl.gov
ns2.lbl.gov
These might be different problems because I get two different failure
syslogs:
;; connection timed out; no servers could be reached
and
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2075
As before, neither flushing the cache nor stopping and restarting
named fixes any of this.
I built 9.5.1-P2 and 9.6.1b1 on a spare machine and found that
9.5.1-P2 and 9.6.0-P1 both cannot currently resolve se or isc.org:
May 14 14:48:37 fun.ee.lbl.gov named[47070]: not insecure resolving
'se/DNSKEY/IN': 194.146.106.22#53
May 14 14:48:40 fun.ee.lbl.gov named[47070]: not insecure resolving
'se/DNSKEY/IN': 81.228.10.57#53
May 14 14:48:44 fun.ee.lbl.gov named[47070]: not insecure resolving
'isc.org/DNSKEY/IN': 131.243.64.3#53
May 14 14:48:44 fun.ee.lbl.gov named[47070]: not insecure resolving
'isc.org/DNSKEY/IN': 128.3.34.186#53
However 9.6.1b1 is able to after a short delay and produces these
syslog entries:
May 14 14:50:39 fun.ee.lbl.gov named[47116]: not insecure resolving
'se/DNSKEY/IN': 131.243.64.3#53
May 14 14:50:45 fun.ee.lbl.gov named[47116]: not insecure resolving
'se/DNSKEY/IN': 131.243.64.2#53
May 14 14:50:47 fun.ee.lbl.gov inetd[970]: comsat from 131.243.2.202
May 14 14:50:48 fun.ee.lbl.gov named[47116]: success resolving
'se/DNSKEY' (in 'se'?) after reducing the advertised EDNS UDP packet
size to 512 octets
May 14 14:50:52 fun.ee.lbl.gov named[47116]: not insecure resolving
'isc.org/DNSKEY/IN': 131.243.64.3#53
May 14 14:50:52 fun.ee.lbl.gov named[47116]: not insecure resolving
'isc.org/DNSKEY/IN': 131.243.64.2#53
May 14 14:50:54 fun.ee.lbl.gov named[47116]: not insecure resolving
'isc.org/DNSKEY/IN': 128.3.34.186#53
May 14 14:50:57 fun.ee.lbl.gov named[47116]: success resolving
'isc.org/DNSKEY' (in 'isc.org'?) after reducing the advertised EDNS UDP
packet size to 512 octets
I've attached a file with the dnssec related parts of the config.
It seems as if DLV has degraded over the last few weeks and if I
can't come up with a working config I'm probably going to have to
turn it off. I hate to do it but I can't take many more service
hits (the se TLD has been down for more than 24 hours) and I don't
see a solution in sight.
Craig
-------------- next part --------------
// @(#) $Id: named.conf,v 1.19 2009/05/04 16:11:55 root Exp root $ (LBL)
//
[...]
// ISC DNSSEC Look-aside Validation
trusted-keys {
    dlv.isc.org. 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
};
[...]
options {
    directory "/etc/namedb";
    dump-file "/var/dump/named_dump.db";
    // fake-iquery yes;
    auth-nxdomain no;
    transfers-in 6;
    check-names master warn;
    check-names slave ignore;
    version "9.something";
    recursive-clients 2000;
    tcp-clients 200;
    max-ncache-ttl 900;
    notify no;
    allow-recursion {
        lbl_gov_clients;
    };
    allow-transfer {
        lbl_gov_servers;
    };
    // DNSSEC
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside . trust-anchor dlv.isc.org.;
};
[...]
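As an added example (not from Craig's post or from BIND itself), a small Python script that groups the named syslog messages quoted above by named instance and query name, and flags names that failed at every server without the "reducing the advertised EDNS UDP packet size to 512 octets" fallback ever succeeding, which is the pattern the 9.6.0-P1 instance shows and the 9.6.1b1 instance does not. The sample lines are constructed by unwrapping the entries quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the post's syslog entries, unwrapped to one line each
# as named actually writes them. Hosts, PIDs and addresses are from the post.
SAMPLE_LOG = """\
May 14 14:48:37 fun.ee.lbl.gov named[47070]: not insecure resolving 'se/DNSKEY/IN': 194.146.106.22#53
May 14 14:48:40 fun.ee.lbl.gov named[47070]: not insecure resolving 'se/DNSKEY/IN': 81.228.10.57#53
May 14 14:50:39 fun.ee.lbl.gov named[47116]: not insecure resolving 'se/DNSKEY/IN': 131.243.64.3#53
May 14 14:50:45 fun.ee.lbl.gov named[47116]: not insecure resolving 'se/DNSKEY/IN': 131.243.64.2#53
May 14 14:50:47 fun.ee.lbl.gov inetd[970]: comsat from 131.243.2.202
May 14 14:50:48 fun.ee.lbl.gov named[47116]: success resolving 'se/DNSKEY' (in 'se'?) after reducing the advertised EDNS UDP packet size to 512 octets
May 14 14:50:52 fun.ee.lbl.gov named[47116]: not insecure resolving 'isc.org/DNSKEY/IN': 131.243.64.3#53
May 14 14:50:57 fun.ee.lbl.gov named[47116]: success resolving 'isc.org/DNSKEY' (in 'isc.org'?) after reducing the advertised EDNS UDP packet size to 512 octets
"""

# "not insecure resolving": the validator could neither validate the answer
# nor prove the name insecure using what this upstream server returned.
NOT_INSECURE = re.compile(
    r"named\[(\d+)\]: not insecure resolving '([^/]+)/(\w+)/IN': (\S+)#\d+")
# "success resolving ... after reducing ... to N octets": the query only
# worked once the advertised EDNS buffer was shrunk (a fragmentation symptom).
EDNS_FALLBACK = re.compile(
    r"named\[(\d+)\]: success resolving '([^/]+)/(\w+)' .*EDNS UDP packet size to (\d+) octets")


def analyze(log_text):
    """Group validation failures per named PID and query.

    Returns {(pid, name, rrtype): {"failed": [server, ...],
                                   "edns_fallback": size_or_None}}.
    """
    report = defaultdict(lambda: {"failed": [], "edns_fallback": None})
    for line in log_text.splitlines():
        m = NOT_INSECURE.search(line)
        if m:
            pid, name, rrtype, server = m.groups()
            report[(int(pid), name, rrtype)]["failed"].append(server)
            continue
        m = EDNS_FALLBACK.search(line)
        if m:
            pid, name, rrtype, size = m.groups()
            report[(int(pid), name, rrtype)]["edns_fallback"] = int(size)
    return dict(report)


def unrecovered(report):
    """Queries that failed at every server and never recovered via fallback."""
    return sorted(k for k, v in report.items()
                  if v["failed"] and v["edns_fallback"] is None)
```

Run against a live syslog, `unrecovered()` lists the (PID, name, type) tuples worth chasing with a bufsize-limited DNSKEY query; an entry with `edns_fallback` set points at a path that drops large UDP responses rather than at the zone's DNSSEC data.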