[dns-operations] DNSSEC, DLV, and delegation-only

Mark Andrews Mark_Andrews at isc.org
Thu May 14 23:05:05 UTC 2009


In message <4A0C9403.3030504 at ee.lbl.gov>, Craig Leres writes:
> I'm not using delegation-only or root-delegation-only in any of my
> named configs and I'm also not currently able to look up anything
> in the se TLD or even isc.org from any of my DLV enabled 9.6.0-P1
> servers including:
> 
>      nsx.lbl.gov
>      ns1.lbl.gov
>      ns2.lbl.gov
> 
> These might be different problems because I get two different failure
> syslogs:
> 
>      ;; connection timed out; no servers could be reached
> 
> and
> 
>      ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2075
> 
> As before, neither flushing the cache nor stopping and restarting
> named fixes any of this.
> 
> I built 9.5.1-P2 and 9.6.1b1 on a spare machine and found that
> 9.5.1-P2 and 9.6.0-P1 both can not currently resolve se or isc.org:
> 
>      May 14 14:48:37 fun.ee.lbl.gov named[47070]: not insecure resolving 'se/DNSKEY/IN': 194.146.106.22#53
>      May 14 14:48:40 fun.ee.lbl.gov named[47070]: not insecure resolving 'se/DNSKEY/IN': 81.228.10.57#53
>      May 14 14:48:44 fun.ee.lbl.gov named[47070]: not insecure resolving 'isc.org/DNSKEY/IN': 131.243.64.3#53
>      May 14 14:48:44 fun.ee.lbl.gov named[47070]: not insecure resolving 'isc.org/DNSKEY/IN': 128.3.34.186#53
> 
> However 9.6.1b1 is able to after a short delay and produces these
> syslog entries:
> 
>      May 14 14:50:39 fun.ee.lbl.gov named[47116]: not insecure resolving 'se/DNSKEY/IN': 131.243.64.3#53
>      May 14 14:50:45 fun.ee.lbl.gov named[47116]: not insecure resolving 'se/DNSKEY/IN': 131.243.64.2#53
>      May 14 14:50:47 fun.ee.lbl.gov inetd[970]: comsat from 131.243.2.202
>      May 14 14:50:48 fun.ee.lbl.gov named[47116]: success resolving 'se/DNSKEY' (in 'se'?) after reducing the advertised EDNS UDP packet size to 512 octets
>      May 14 14:50:52 fun.ee.lbl.gov named[47116]: not insecure resolving 'isc.org/DNSKEY/IN': 131.243.64.3#53
>      May 14 14:50:52 fun.ee.lbl.gov named[47116]: not insecure resolving 'isc.org/DNSKEY/IN': 131.243.64.2#53
>      May 14 14:50:54 fun.ee.lbl.gov named[47116]: not insecure resolving 'isc.org/DNSKEY/IN': 128.3.34.186#53

	128.3.34.186 is not a server for isc.org.  Has the entire
	path been upgraded?  I suspect the forwarder is falling
	back to plain DNS too aggressively.  BIND 9.6.1b1 has this
	fix which stops named taking extra fallback steps.  In
	particular when it falls back to TCP.

2564.   [bug]           Only take EDNS fallback steps when processing timeouts.
                        [RT #19405]

	Note we keep thinking about not falling back from EDNS to plain
	DNS on timeout.  This however will cause some sites to go dead
	as the servers for those sites fail to respond to EDNS queries.
	I suspect the tipping point in that decision is coming soon.
	
	Mark
>      May 14 14:50:57 fun.ee.lbl.gov named[47116]: success resolving 'isc.org/DNSKEY' (in 'isc.org'?) after reducing the advertised EDNS UDP packet size to 512 octets
> 
> I've attached a file with the dnssec related parts of the config.
> 
> It seems as if DLV has degraded over the last few weeks and if I
> can't come up with a working config I'm probably going to have to
> turn it off. I hate to do it but I can't take many more service
> hits (the se TLD has been down for more than 24 hours) and I don't
> see a solution in sight.
> 
> 		Craig
> 
> // @(#) $Id: named.conf,v 1.19 2009/05/04 16:11:55 root Exp root $ (LBL)
> //
> 
> [...]
> 
> // ISC DNSSEC Look-aside Validation
> trusted-keys {
> 	dlv.isc.org. 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDC
> E1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO
> 2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucM
> TwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTg
> NboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
> };
> 
> 
> [...]
> 
> options {
> 	directory "/etc/namedb";
> 	dump-file "/var/dump/named_dump.db";
> 	// fake-iquery yes;
> 	auth-nxdomain no;
> 	transfers-in 6;
> 	check-names master warn;
> 	check-names slave ignore;
> 	version "9.something";
> 	recursive-clients 2000;
> 	tcp-clients 200;
> 	max-ncache-ttl 900;
> 	notify no;
> 	allow-recursion {
> 		lbl_gov_clients;
> 	};
> 	allow-transfer {
> 		lbl_gov_servers;
> 	};
> 
> 	// DNSSEC
> 	dnssec-enable yes;
> 	dnssec-validation yes;
> 	dnssec-lookaside . trust-anchor dlv.isc.org.;
> };
> 
> [...]
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
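
Added example, not part of the original message and not BIND code: a small Python parser for the two named syslog messages quoted above. For each name it collects the servers logged in "not insecure resolving" lines and records whether the lookup succeeded only after named reduced the advertised EDNS UDP size. The sample input is the 9.6.1b1 log from the message with the mail wrapping undone; `summarize` and `needs_path_check` are hypothetical names.

```python
import re
from collections import defaultdict

# Sample input: the 9.6.1b1 syslog lines quoted in the message, unwrapped.
SAMPLE_LOG = """\
May 14 14:50:39 fun.ee.lbl.gov named[47116]: not insecure resolving 'se/DNSKEY/IN': 131.243.64.3#53
May 14 14:50:45 fun.ee.lbl.gov named[47116]: not insecure resolving 'se/DNSKEY/IN': 131.243.64.2#53
May 14 14:50:47 fun.ee.lbl.gov inetd[970]: comsat from 131.243.2.202
May 14 14:50:48 fun.ee.lbl.gov named[47116]: success resolving 'se/DNSKEY' (in 'se'?) after reducing the advertised EDNS UDP packet size to 512 octets
May 14 14:50:52 fun.ee.lbl.gov named[47116]: not insecure resolving 'isc.org/DNSKEY/IN': 131.243.64.3#53
May 14 14:50:52 fun.ee.lbl.gov named[47116]: not insecure resolving 'isc.org/DNSKEY/IN': 131.243.64.2#53
May 14 14:50:54 fun.ee.lbl.gov named[47116]: not insecure resolving 'isc.org/DNSKEY/IN': 128.3.34.186#53
May 14 14:50:57 fun.ee.lbl.gov named[47116]: success resolving 'isc.org/DNSKEY' (in 'isc.org'?) after reducing the advertised EDNS UDP packet size to 512 octets
"""

FAIL = re.compile(r"named\[\d+\]: not insecure resolving "
                  r"'([^/']+)/([A-Z0-9]+)/IN': ([0-9a-fA-F.:]+)#\d+")
FALLBACK = re.compile(r"named\[\d+\]: success resolving '([^/']+)/([A-Z0-9]+)' .*"
                      r"after reducing the advertised EDNS UDP packet size to (\d+) octets")

def summarize(log_text):
    """Map (name, type) -> servers seen in failure lines and the EDNS size
    at which named finally logged success (None if it never did)."""
    report = defaultdict(lambda: {"failed_servers": [], "fallback_size": None})
    for line in log_text.splitlines():
        m = FAIL.search(line)
        if m:
            name, rtype, addr = m.groups()
            servers = report[(name, rtype)]["failed_servers"]
            if addr not in servers:          # keep first-seen order, no repeats
                servers.append(addr)
            continue
        m = FALLBACK.search(line)
        if m:
            name, rtype, size = m.groups()
            report[(name, rtype)]["fallback_size"] = int(size)
    return dict(report)

def needs_path_check(report, threshold=512):
    """Names that never resolved, or resolved only at <= threshold octets."""
    return sorted(name for (name, _rtype), r in report.items()
                  if r["fallback_size"] is None or r["fallback_size"] <= threshold)

if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for (name, rtype), r in rep.items():
        print(name, rtype, r["failed_servers"], r["fallback_size"])
    print("check EDNS handling on the path for:", needs_path_check(rep))
```

The per-name server list also makes it easy to spot an address that is not authoritative for the zone, such as the forwarder pointed out in the reply.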


