[dns-operations] Research Project: Identifying DNSSEC Validators
Stephane Bortzmeyer
bortzmeyer at nic.fr
Wed Sep 5 08:40:43 UTC 2012
On Tue, Sep 04, 2012 at 01:57:20PM -0700,
Wessels, Duane <dwessels at verisign.com> wrote
a message of 36 lines which said:
> http://prefetch.validatorsearch.verisignlabs.com
On my machines, I can resolve the name with BIND but not with Unbound
(SERVFAIL, even with ). On OARC's ODVR both BIND and Unbound work.
With my Unbound, validation fails, but I can get data with +cd:
% dig +cd A prefetch.validatorsearch.verisignlabs.com
; <<>> DiG 9.8.1-P1 <<>> +cd A prefetch.validatorsearch.verisignlabs.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43366
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;prefetch.validatorsearch.verisignlabs.com. IN A
;; ANSWER SECTION:
prefetch.validatorsearch.verisignlabs.com. 604500 IN A 127.0.0.1
;; AUTHORITY SECTION:
validatorsearch.verisignlabs.com. 3296 IN NS vfns2.verisignlabs.com.
validatorsearch.verisignlabs.com. 3296 IN NS vfns1.verisignlabs.com.
validatorsearch.verisignlabs.com. 3296 IN RRSIG NS 5 3 3600 20120906203607 20120807203607 58962 validatorsearch.verisignlabs.com. rWe8hzHOfLmi/NwT7LC64sL2LqjtIgPS1bDL6o6/PYlkgBpBDzEprYlL kJM/d3KsJzpvSwfcK1KFoDk7mwKdNED5Z3QCSnRrt2qlYD1H1KgOAeFX CciD380ZV7Qsn+UbpygdmGja6wTHqNAyiRgX7DIuMNjxytkT5xI0UluS v1U=
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Sep 5 10:36:57 2012
;; MSG SIZE rcvd: 318
The log says:
Sep 5 10:31:53 batilda unbound: [1976:0] info: iterator operate: query validatorsearch.verisignlabs.com. AAAA IN
Sep 5 10:31:53 batilda unbound: [1976:0] info: processQueryTargets: validatorsearch.verisignlabs.com. AAAA IN
Sep 5 10:31:53 batilda unbound: [1976:0] debug: cache memory msg=4456279 rrset=4456090 infra=2550870 val=1090917
Sep 5 10:31:53 batilda unbound: [1976:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_reply
Sep 5 10:31:53 batilda unbound: [1976:0] info: iterator operate: query validatorsearch.verisignlabs.com. AAAA IN
Sep 5 10:31:53 batilda unbound: [1976:0] info: sanitize: removing overreaching NSEC RRset: validatorsearch.verisignlabs.com. NSEC IN
Sep 5 10:31:53 batilda unbound: [1976:0] info: response for validatorsearch.verisignlabs.com. AAAA IN
Sep 5 10:31:53 batilda unbound: [1976:0] info: reply from <validatorsearch.verisignlabs.com.> 72.13.58.101#53
Sep 5 10:31:53 batilda unbound: [1976:0] info: query response was DNSSEC LAME
My analysis: the NSEC is not signed. It is surprising that BIND accepts
that:
% dig +dnssec @vfns1.verisignlabs.com. AAAA prefetch.validatorsearch.verisignlabs.com
; <<>> DiG 9.7.3 <<>> @vfns1.verisignlabs.com. AAAA prefetch.validatorsearch.verisignlabs.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10966
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;prefetch.validatorsearch.verisignlabs.com. IN AAAA
;; AUTHORITY SECTION:
validatorsearch.verisignlabs.com. 3600 IN SOA vfns1.verisignlabs.com. root.packet-pushers.com. 2012080700 3600 300 604800 3600
prefetch.validatorsearch.verisignlabs.com. 3600 IN NSEC validatorsearch.verisignlabs.com. A RRSIG NSEC
;; Query time: 92 msec
;; SERVER: 72.13.58.100#53(72.13.58.100)
;; WHEN: Wed Sep 5 10:39:31 2012
;; MSG SIZE rcvd: 154
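The check behind the analysis above, as an added example that is not part of the post or of Unbound or BIND: a validating resolver can only accept a NODATA answer if the SOA and NSEC (or NSEC3) records in the AUTHORITY section are each covered by an RRSIG from the zone. The script below parses dig-style record lines and reports which denial-of-existence RRsets have no covering RRSIG. The first sample is the AUTHORITY section from the dig output above (SOA and NSEC, no RRSIG); the second is a constructed version of the same section with RRSIG records added, using placeholder signature fields, to show what a correctly signed negative answer looks like to this check. The function names and the placeholder signatures are assumptions of this example.

```python
"""Check whether a negative answer carries signed denial-of-existence.

A validating resolver needs the SOA and NSEC/NSEC3 records in the
AUTHORITY section to be covered by RRSIG records; without them it cannot
prove the negative answer and validation fails.
"""
import re

DENIAL_TYPES = {"SOA", "NSEC", "NSEC3"}

# dig prints one record per line: owner  TTL  class  TYPE  rdata...
_RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s*(.*)$")


def parse_dig_records(text):
    """Parse 'owner TTL IN TYPE rdata' lines as printed by dig.

    Comment lines (starting with ';') and blank lines are skipped.
    Returns a list of (owner, ttl, rtype, rdata) tuples; owner is
    lower-cased and rtype upper-cased so comparisons are exact.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _RR_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable RR line: {line!r}")
        owner, ttl, rtype, rdata = m.groups()
        records.append((owner.lower(), int(ttl), rtype.upper(), rdata))
    return records


def rrsig_type_covered(rdata):
    """The first field of RRSIG rdata is the type covered (e.g. 'NSEC')."""
    return rdata.split()[0].upper()


def unsigned_denial_rrsets(records):
    """Return (owner, type) pairs of SOA/NSEC/NSEC3 RRsets that have no
    RRSIG with the same owner covering that type.

    An empty list means every denial-of-existence RRset is signed.
    """
    signed = set()
    for owner, _ttl, rtype, rdata in records:
        if rtype == "RRSIG":
            signed.add((owner, rrsig_type_covered(rdata)))
    missing = []
    for owner, _ttl, rtype, _rdata in records:
        key = (owner, rtype)
        if rtype in DENIAL_TYPES and key not in signed and key not in missing:
            missing.append(key)
    return missing


def check_authority(text):
    """Parse a dig AUTHORITY section and report unsigned denial RRsets."""
    return unsigned_denial_rrsets(parse_dig_records(text))


# AUTHORITY section as shown in the post's dig output from
# vfns1.verisignlabs.com: SOA and NSEC present, no RRSIG at all.
AUTHORITY_FROM_POST = """
validatorsearch.verisignlabs.com. 3600 IN SOA vfns1.verisignlabs.com. root.packet-pushers.com. 2012080700 3600 300 604800 3600
prefetch.validatorsearch.verisignlabs.com. 3600 IN NSEC validatorsearch.verisignlabs.com. A RRSIG NSEC
"""

# Constructed counter-example (not from the post): the same two RRsets,
# each accompanied by an RRSIG. The signature data is a placeholder; this
# check only looks at which RRsets are covered, not at signature validity.
AUTHORITY_SIGNED_EXAMPLE = """
validatorsearch.verisignlabs.com. 3600 IN SOA vfns1.verisignlabs.com. root.packet-pushers.com. 2012080700 3600 300 604800 3600
validatorsearch.verisignlabs.com. 3600 IN RRSIG SOA 5 3 3600 20120906203607 20120807203607 58962 validatorsearch.verisignlabs.com. PLACEHOLDERSIGNATURE==
prefetch.validatorsearch.verisignlabs.com. 3600 IN NSEC validatorsearch.verisignlabs.com. A RRSIG NSEC
prefetch.validatorsearch.verisignlabs.com. 3600 IN RRSIG NSEC 5 4 3600 20120906203607 20120807203607 58962 validatorsearch.verisignlabs.com. PLACEHOLDERSIGNATURE==
"""


if __name__ == "__main__":
    for label, section in (("post", AUTHORITY_FROM_POST),
                           ("signed", AUTHORITY_SIGNED_EXAMPLE)):
        missing = check_authority(section)
        status = "denial is signed" if not missing else f"UNSIGNED: {missing}"
        print(f"{label}: {status}")
```

Run against the post's AUTHORITY section it reports both the SOA and the NSEC as unsigned, which is exactly the condition under which a validator has nothing to verify the NODATA answer against; the constructed signed section passes. The check deliberately stops at "is there a covering RRSIG", since verifying the signature itself requires the zone's DNSKEY and the chain of trust, which a resolver does as the next step.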