[dns-operations] Another possible .gov validation problem?

Cricket Liu cricket at nxdomain.com
Sat Feb 12 05:54:43 UTC 2011


I'm seeing what looks like another validation problem in .gov, but (I think) due to problems below nasa.gov.

When I try to resolve atmos.pds.nasa.gov, I get a validation failure.  BIND (9.7.2) logs the following:

Feb 11 21:33:42 bigmo named[67012]: lame-servers: info: error (no valid RRSIG) resolving 'atmos.pds.nasa.gov/DS/IN': 198.116.4.181#53
Feb 11 21:33:42 bigmo named[67012]: lame-servers: info: error (no valid RRSIG) resolving 'atmos.pds.nasa.gov/DS/IN': 198.116.4.189#53
Feb 11 21:33:42 bigmo named[67012]: lame-servers: info: error (no valid RRSIG) resolving 'atmos.pds.nasa.gov/DS/IN': 198.116.4.185#53
Feb 11 21:33:42 bigmo named[67012]: lame-servers: info: error (no valid DS) resolving 'atmos.pds.nasa.gov/A/IN': 198.116.4.181#53
Feb 11 21:33:42 bigmo named[67012]: dnssec: info: validating @0x8373000: atmos.pds.nasa.gov A: bad cache hit (atmos.pds.nasa.gov/DS)
Feb 11 21:33:42 bigmo named[67012]: lame-servers: info: error (broken trust chain) resolving 'atmos.pds.nasa.gov/A/IN': 198.116.4.185#53

Apparently BIND is expecting pds.nasa.gov to be secure, but it's not:

$ dig @ns1.nasa.gov. any pds.nasa.gov. +norec 

; <<>> DiG 9.7.2 <<>> @ns1.nasa.gov. any pds.nasa.gov. +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60070
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 3

;; QUESTION SECTION:
;pds.nasa.gov.			IN	ANY

;; ANSWER SECTION:
pds.nasa.gov.		3600	IN	A	128.149.132.22
pds.nasa.gov.		3600	IN	NS	ns3.nasa.gov.
pds.nasa.gov.		3600	IN	NS	ns1.nasa.gov.
pds.nasa.gov.		3600	IN	NS	ns2.nasa.gov.
pds.nasa.gov.		3600	IN	SOA	ns1.nasa.gov. dns.nasa.gov. 2008041906 10800 3600 604800 86400

Note the absence of a DS RR.

However, an explicit query for a DS RR returns something surprising:

$ dig @ns1.nasa.gov. ds pds.nasa.gov. +norec

; <<>> DiG 9.7.2 <<>> @ns1.nasa.gov. ds pds.nasa.gov. +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3502
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;pds.nasa.gov.			IN	DS

Note the NXDOMAIN RCODE.

The response to a DNSKEY query looks saner:

$ dig @ns1.nasa.gov. dnskey pds.nasa.gov. +norec

; <<>> DiG 9.7.2 <<>> @ns1.nasa.gov. dnskey pds.nasa.gov. +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30896
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;pds.nasa.gov.			IN	DNSKEY

Any chance the weird DS response is throwing the validator off?  Or is there something else wrong that I haven't spotted?

cricket

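The inconsistency Cricket is pointing at can be checked mechanically. The script below is an added example, not part of the post or of BIND; it parses dig's text output and applies two rules from the specs: RFC 2308 defines NXDOMAIN as "this owner name has no RRs of any type", so NXDOMAIN for pds.nasa.gov/DS contradicts the ANY answer that shows A, NS and SOA at the same name; and RFC 4035 section 3.1.4.1 requires a server authoritative for both parent and child to answer a DS query from the parent zone, so a delegation without DS gets a NODATA answer (NOERROR, empty answer section), never NXDOMAIN. The sample inputs are the three dig answers quoted above, trimmed to the lines the parser reads; the verdict strings and the RFC-derived decision rules are this example's own.

```python
"""Consistency check on the DS / DNSKEY answers seen at a delegation point.

Added example (not from the original post). Rules applied:
  * RFC 2308: NXDOMAIN asserts that the owner name has no RRs of any type,
    so NXDOMAIN for NAME/DS contradicts an answer showing A/NS/SOA at NAME.
  * RFC 4035 s.3.1.4.1: a server serving parent and child answers DS from
    the parent; a delegation without DS gets NODATA, never NXDOMAIN.
"""
import re
from dataclasses import dataclass, field


@dataclass
class DigResponse:
    qname: str = ""
    qtype: str = ""
    status: str = ""
    answers: list = field(default_factory=list)  # (owner, ttl, type, rdata)

    def types(self):
        return {rr[2] for rr in self.answers}


HEADER_RE = re.compile(r"->>HEADER<<- opcode: \w+, status: (\w+),")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_dig(text):
    """Pull RCODE, question and answer RRs out of dig's text output."""
    r, section = DigResponse(), None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            r.status = m.group(1)
        elif line.startswith(";; QUESTION SECTION"):
            section = "question"
        elif line.startswith(";; ANSWER SECTION"):
            section = "answer"
        elif line.startswith(";;"):
            section = None
        elif section == "question" and line.startswith(";"):
            r.qname, _cls, r.qtype = line[1:].split()
        elif section == "answer" and (m := RR_RE.match(line)):
            r.answers.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return r


def classify_delegation(any_resp, ds_resp, dnskey_resp):
    """Return (verdict, reason) for a name given its ANY, DS and DNSKEY answers."""
    name, child_types = any_resp.qname, any_resp.types()
    ds_present = "DS" in ds_resp.types()
    child_signed = "DNSKEY" in dnskey_resp.types()
    # RFC 2308: NXDOMAIN for one type contradicts other types at the same name.
    if ds_resp.status == "NXDOMAIN" and child_types:
        return "broken", (f"{name}/DS answered NXDOMAIN although {name} has "
                          f"{sorted(child_types)}; a validator that caches that "
                          f"NXDOMAIN cannot build a chain of trust through {name}")
    if ds_present and not child_signed:
        return "broken", f"parent publishes DS for {name} but child has no DNSKEY"
    if ds_present:
        return "secure", f"{name} has DS and DNSKEY; check a DS digest matches a KSK"
    if child_signed:
        return "insecure", f"{name} is signed but has no DS; validators treat it as insecure"
    return "insecure", (f"{name} has neither DS nor DNSKEY; validators need the "
                        f"parent's signed NSEC/NSEC3 proof that no DS exists")


# Sample input: the three answers quoted in the post, trimmed to parsed lines.
ANY_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60070

;; QUESTION SECTION:
;pds.nasa.gov.            IN    ANY

;; ANSWER SECTION:
pds.nasa.gov.        3600    IN    A    128.149.132.22
pds.nasa.gov.        3600    IN    NS    ns3.nasa.gov.
pds.nasa.gov.        3600    IN    NS    ns1.nasa.gov.
pds.nasa.gov.        3600    IN    NS    ns2.nasa.gov.
pds.nasa.gov.        3600    IN    SOA    ns1.nasa.gov. dns.nasa.gov. 2008041906 10800 3600 604800 86400
"""
DS_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3502

;; QUESTION SECTION:
;pds.nasa.gov.            IN    DS
"""
DNSKEY_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30896

;; QUESTION SECTION:
;pds.nasa.gov.            IN    DNSKEY
"""


def check_post_example():
    """Run the check over the three answers quoted in the post."""
    return classify_delegation(parse_dig(ANY_RESPONSE), parse_dig(DS_RESPONSE),
                               parse_dig(DNSKEY_RESPONSE))


if __name__ == "__main__":
    print(*check_post_example(), sep=": ")
```

Against the post's own answers the verdict is "broken", on the NXDOMAIN rule alone. Changing only the DS RCODE to NOERROR (the NODATA form RFC 4035 expects) drops it to "insecure", which is the state an unsigned pds.nasa.gov should be in, provided the parent also returns the signed NSEC/NSEC3 denial that the truncated dig output above does not show.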