[dns-operations] DNSSEC problem at one.com

bert hubert bert.hubert at netherlabs.nl
Mon Apr 29 13:50:15 UTC 2013

On Mon, Apr 29, 2013 at 09:16:08AM -0400, WBrown at e1b.org wrote:
> "However, we have become aware of an error in a particular version of the 
> DNS-software BIND, which we know are being used by several ISP's in Sweden 
> like TeliaSonera, Telenor, Tele2, Bredbandsbolaget and Bredband2. "

It works like this. 

If BIND experiences a timeout on a query for a domain, it assumes this might
be because of EDNS0 compatibility issues, and retries without EDNS0.

BIND does this even for domains for which it wants to do validation.  Since
it does not get RRSIGs if it does not use EDNS0, it declares all future
answers bogus.  Unbound does not do EDNS0 fallback for domains for which it
has seen a trust anchor or DS.

So far for the BIND part. On the PowerDNS side, there are queries which we
don't send out correct answers for, which BIND interprets as a timeout
(since it can't match up our answer to its original question).  This is our
bug. Once BIND has seen a few timeouts, it stops doing EDNS0 with us at all.

The upshot of this is that PowerDNS and BIND together generate a bad
situation in which validation fails.

The solution is to either change BIND (no patches are available as yet, but
Unbound is nice) or to patch PowerDNS

One.com has now patched their PowerDNS, as have other large operators.

We also have snapshots, tarballs and packages available with this patch in


PowerDNS Website: http://www.powerdns.com/

More information about the dns-operations mailing list