[dns-operations] Another possible .gov validation problem?
Cricket Liu
cricket at nxdomain.com
Sat Feb 12 05:54:43 UTC 2011
I'm seeing what looks like another validation problem in .gov, but (I think) due to problems below nasa.gov.
When I try to resolve atmos.pds.nasa.gov, I get a validation failure. BIND (9.7.2) logs the following:
Feb 11 21:33:42 bigmo named[67012]: lame-servers: info: error (no valid RRSIG) resolving 'atmos.pds.nasa.gov/DS/IN': 198.116.4.181#53
Feb 11 21:33:42 bigmo named[67012]: lame-servers: info: error (no valid RRSIG) resolving 'atmos.pds.nasa.gov/DS/IN': 198.116.4.189#53
Feb 11 21:33:42 bigmo named[67012]: lame-servers: info: error (no valid RRSIG) resolving 'atmos.pds.nasa.gov/DS/IN': 198.116.4.185#53
Feb 11 21:33:42 bigmo named[67012]: lame-servers: info: error (no valid DS) resolving 'atmos.pds.nasa.gov/A/IN': 198.116.4.181#53
Feb 11 21:33:42 bigmo named[67012]: dnssec: info: validating @0x8373000: atmos.pds.nasa.gov A: bad cache hit (atmos.pds.nasa.gov/DS)
Feb 11 21:33:42 bigmo named[67012]: lame-servers: info: error (broken trust chain) resolving 'atmos.pds.nasa.gov/A/IN': 198.116.4.185#53
Apparently BIND is expecting pds.nasa.gov to be secure, but it's not:
$ dig @ns1.nasa.gov. any pds.nasa.gov. +norec
; <<>> DiG 9.7.2 <<>> @ns1.nasa.gov. any pds.nasa.gov. +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60070
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 3
;; QUESTION SECTION:
;pds.nasa.gov. IN ANY
;; ANSWER SECTION:
pds.nasa.gov. 3600 IN A 128.149.132.22
pds.nasa.gov. 3600 IN NS ns3.nasa.gov.
pds.nasa.gov. 3600 IN NS ns1.nasa.gov.
pds.nasa.gov. 3600 IN NS ns2.nasa.gov.
pds.nasa.gov. 3600 IN SOA ns1.nasa.gov. dns.nasa.gov. 2008041906 10800 3600 604800 86400
Note the absence of a DS RR.
However, an explicit query for a DS RR returns something surprising:
$ dig @ns1.nasa.gov. ds pds.nasa.gov. +norec
; <<>> DiG 9.7.2 <<>> @ns1.nasa.gov. ds pds.nasa.gov. +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3502
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;pds.nasa.gov. IN DS
Note the NXDOMAIN RCODE.
The response to a DNSKEY query looks saner:
$ dig @ns1.nasa.gov. dnskey pds.nasa.gov. +norec
; <<>> DiG 9.7.2 <<>> @ns1.nasa.gov. dnskey pds.nasa.gov. +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30896
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;pds.nasa.gov. IN DNSKEY
Any chance the weird DS response is throwing the validator off? Or is there something else wrong that I haven't spotted?
cricket
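Added example, not part of Cricket's post: a small Python checker for the two symptoms shown above. It parses dig response headers for several query types at one owner name and flags the contradiction the post describes (an authoritative server answering NXDOMAIN for DS but NOERROR for ANY/DNSKEY at the same name, which RFC 2308 forbids, since NXDOMAIN asserts that no records of any type exist at that name), and it summarises BIND "error (...) resolving" log lines by name, reason and server so a resolver operator can see the failure chain at a glance. The sample inputs are the dig headers and log lines quoted in the post; the function names and output format are my own.

```python
"""Consistency check for dig responses and a summary of BIND validation errors.

Example code added alongside the dns-operations post; not from BIND or the poster.
"""
import re
from collections import defaultdict

# dig output: response header, flag/count line, question line and answer RRs.
HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (?P<opcode>\w+), status: (?P<status>\w+), id: \d+")
FLAGS_RE = re.compile(
    r"^;; flags: (?P<flags>[a-z ]*); QUERY: \d+, ANSWER: (?P<an>\d+), "
    r"AUTHORITY: (?P<ns>\d+), ADDITIONAL: \d+")
QUESTION_RE = re.compile(r"^;(?P<name>\S+)\s+IN\s+(?P<qtype>[A-Z]+)\s*$")
RR_RE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+(?P<rtype>[A-Z]+)\s+(?P<rdata>.*)$")

# BIND "error (<reason>) resolving '<name>/<type>/IN': <server>#<port>" lines.
LOG_ERR_RE = re.compile(
    r"named\[\d+\]: (?P<category>[\w-]+): info: error \((?P<reason>[^)]+)\) "
    r"resolving '(?P<name>[^/]+)/(?P<rtype>[A-Z]+)/IN': (?P<server>[\d.:a-fA-F]+)#\d+")


def parse_dig(text):
    """Reduce one dig response to status, flags, section counts and answer RRs."""
    resp = {"records": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            resp["status"] = m["status"]
            continue
        m = FLAGS_RE.match(line)
        if m:
            resp["flags"] = m["flags"].split()
            resp["answer"], resp["authority"] = int(m["an"]), int(m["ns"])
            continue
        m = QUESTION_RE.match(line)
        if m:
            resp["name"], resp["qtype"] = m["name"], m["qtype"]
            continue
        if line.startswith(";"):      # other comment lines (banner, section headers)
            continue
        m = RR_RE.match(line)
        if m:
            resp["records"].append((m["name"], m["rtype"], m["rdata"]))
    return resp


def check_consistency(responses):
    """Flag names that got NXDOMAIN for one type but NOERROR for another.

    NXDOMAIN means "no RRs of any type at this name" (RFC 2308), so the mix is a
    server bug, and a validator cannot build a proof from it."""
    by_name = defaultdict(list)
    for r in responses:
        by_name[r["name"]].append(r)
    findings = []
    for name, rs in by_name.items():
        statuses = {r["qtype"]: r["status"] for r in rs}
        nx = [q for q, s in statuses.items() if s == "NXDOMAIN"]
        ok = [q for q, s in statuses.items() if s == "NOERROR"]
        if nx and ok:
            findings.append(f"{name}: NXDOMAIN for {','.join(nx)} but NOERROR for {','.join(ok)}")
    return findings


def parse_bind_log(lines):
    """Extract (category, reason, name, rtype, server) from BIND resolver error lines."""
    return [m.groupdict() for m in (LOG_ERR_RE.search(l) for l in lines) if m]


def summarize(records):
    """Map name -> reason -> sorted list of servers that produced that error."""
    s = defaultdict(lambda: defaultdict(set))
    for r in records:
        s[r["name"]][r["reason"]].add(r["server"])
    return {n: {reason: sorted(srv) for reason, srv in d.items()} for n, d in s.items()}


# Sample input: the headers and log lines quoted in the post (abbreviated).
DIG_ANY = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60070
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 3
;; QUESTION SECTION:
;pds.nasa.gov. IN ANY
;; ANSWER SECTION:
pds.nasa.gov. 3600 IN A 128.149.132.22
pds.nasa.gov. 3600 IN NS ns3.nasa.gov.
pds.nasa.gov. 3600 IN NS ns1.nasa.gov.
pds.nasa.gov. 3600 IN NS ns2.nasa.gov.
pds.nasa.gov. 3600 IN SOA ns1.nasa.gov. dns.nasa.gov. 2008041906 10800 3600 604800 86400
"""
DIG_DS = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3502
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;pds.nasa.gov. IN DS
"""
DIG_DNSKEY = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30896
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;pds.nasa.gov. IN DNSKEY
"""
BIND_LOG = """Feb 11 21:33:42 bigmo named[67012]: lame-servers: info: error (no valid RRSIG) resolving 'atmos.pds.nasa.gov/DS/IN': 198.116.4.181#53
Feb 11 21:33:42 bigmo named[67012]: lame-servers: info: error (no valid RRSIG) resolving 'atmos.pds.nasa.gov/DS/IN': 198.116.4.189#53
Feb 11 21:33:42 bigmo named[67012]: lame-servers: info: error (no valid RRSIG) resolving 'atmos.pds.nasa.gov/DS/IN': 198.116.4.185#53
Feb 11 21:33:42 bigmo named[67012]: lame-servers: info: error (no valid DS) resolving 'atmos.pds.nasa.gov/A/IN': 198.116.4.181#53
Feb 11 21:33:42 bigmo named[67012]: dnssec: info: validating @0x8373000: atmos.pds.nasa.gov A: bad cache hit (atmos.pds.nasa.gov/DS)
Feb 11 21:33:42 bigmo named[67012]: lame-servers: info: error (broken trust chain) resolving 'atmos.pds.nasa.gov/A/IN': 198.116.4.185#53
"""

if __name__ == "__main__":
    for f in check_consistency([parse_dig(DIG_ANY), parse_dig(DIG_DS), parse_dig(DIG_DNSKEY)]):
        print("INCONSISTENT:", f)
    for name, reasons in summarize(parse_bind_log(BIND_LOG.splitlines())).items():
        for reason, servers in reasons.items():
            print(f"{name}: {reason} from {', '.join(servers)}")
```

Running it reports the DS/ANY contradiction at pds.nasa.gov. and groups the five resolver errors for atmos.pds.nasa.gov by reason, which makes it clear the "broken trust chain" is a consequence of the DS lookups that could not be validated rather than a separate fault.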