[dns-operations] What's wrong with my domain?

Mark Andrews marka at isc.org
Wed Jul 2 11:07:08 UTC 2014


The DS record for gu.edu does not have a matching self signed DNSKEY
record.  The DS record is for keyid 3078.  There are no DNSKEY records
with that keyid nor signatures generated with that keyid for the DNSKEY
rrset.

I suspect a botched KSK key rollover.

Mark

; <<>> DiG 9.11.0pre-alpha <<>> ds gu.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1308
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;gu.edu.				IN	DS

;; ANSWER SECTION:
gu.edu.			86083	IN	DS	3078 7 1 B4C9FB14D6519C3ECE5CC43E80C463D5847D73ED

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jul 02 21:01:54 EST 2014
;; MSG SIZE  rcvd: 71


; <<>> DiG 9.11.0pre-alpha <<>> +dnssec +rrcomments dnskey gu.edu @141.161.200.28
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19143
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;gu.edu.				IN	DNSKEY

;; ANSWER SECTION:
gu.edu.			86400	IN	DNSKEY	257 3 7 AwEAAb6JcEZnTcIg2P2yv7uIBG8F8ZNOFh1EzJHp2OlYnNZL70KufziL Xye72PEeCoMKCArnw3vH/7zV9SvFfFsfaEEAPDwASUYs4kGlP0IJ297C hm9x1b+vQ+tMIbGhf8z9qGqFqT/N63EGcN5Wl6B9JhFrWWZIw/7hpX6Y GSNM9fHgE79O363FOQNnUk4tUkaPSKhBZRh4jYtGKCcFt0Sc0SiDjdz1 vPhzzq2p2XklLijHUAOHfuMFfDSUFu5/8JOz84CvtGhjpoSAJ7MffcTz M9Luzk9/DkvDoteK3VHtn90vZoOea/V8CbNWX2i7S0keZQ7f9SmMg3PE gRXue/kZVnE=  ; KSK; alg = NSEC3RSASHA1; key id = 39339
gu.edu.			86400	IN	DNSKEY	257 3 7 AwEAAa2FnxIFT7YpOPNV6VLfpzWCh5W5Fo9zsvA1zI4psLtj//c2Xrwy UFsCYktsIVnGD8mElKXq1w1zfxeo8xudMrS2v7QQmVnioF84rFHhh+CR RVPd+8DKD+hVSQVfUfticewC9DBLLrDSuprxFIZt8VHUn3vzTN9zYK45 /dGGSOXCN8Pj7kXvhLSOYy3WjKwLK84j+gr3jTytH9gsaRTl9FrOskB+ pyYqOOro4UolRa5aPYv2BVqENYgauuowfghSqObpWATIpLCujpm5SBRX IfW4veFKIfhBlNoHLG/iQKmcrj8DAtEe8ZTNJt2GNhn8dt+J7IJOSaYb QUGRzzZ9//0=  ; KSK; alg = NSEC3RSASHA1; key id = 35043
gu.edu.			86400	IN	DNSKEY	256 3 7 AwEAAb/7TwBkoZFMtAzV7MrojlnEM52p43LGGbm2XyaxrZYZ2dgO6aFv GZKUkzTDKn6a0Ko3qDL71uxAVdqInARg2DDv1mjC1ONS8axhu2T4clIb wUE9R0sWKW+AzlX048bC7yFfolhg8bocnrbBLe4ED8zJw4TGHEW1PoDH DMGgXmB4ZP/UP7FBOPOMbAk0/dGKjiiRBezF3i8GmQ2w9sZB5Y9ns+uE N3BqJE5rM21kNw/KB8GCfhiDqI4jsq8w3EQ3gM/slbdHFl3oUbaEho2B ZMpmQ+lRwEVG2XBGrxwMxU4gKhmS6anPAywBjMl/I+49FgqV2FtNcCIl sHJZQkqKrX8=  ; ZSK; alg = NSEC3RSASHA1; key id = 38702
gu.edu.			86400	IN	DNSKEY	256 3 7 AwEAAbk4F64sFJvk8JEtpOW2sa/8No8f5MNT4N1qQaXZHfhobBKw8Jb7 JxNQqGLhmCnzHXMXS28zMx00YsgTUV90rE0fAY6d6pA5khO4Fq+nTLyS jbLeGozYFsLRvr3WnAc1j3Htsuo7phZWb/rAxe0KvVT6oV0JnGptflGh GjFTlFAIQiO4RldyVEOSk9pu9vZAGc75318JREcdez9QI1GM6yxT9qgh H1WrRHSBA/Mn3CitLMgIgatZ7N4tkclH+P0lphWPrREumIC9Il5ZAi6e Ayh/BSMpcpugPX03dXHssVRJEKXC6h6JoP7W1ZL4i4K6coLF+6QmXxjn N+GILy70XzU=  ; ZSK; alg = NSEC3RSASHA1; key id = 25247
gu.edu.			86400	IN	RRSIG	DNSKEY 7 2 86400 20140705183107 20140628183107 39339 gu.edu. V90hsL73pY7thRDBFUICo5M/m46+nvR8nSkC7FCjSSCK6ZVuwIO2GoPV ytvmX9zVLcVZmgkP/a3nyV79ENN76j1RGhTrJLq8ekD6fl7P4djk66sB yrMiyijY8dr6CcuVVp1LnMzgDACSyPMoWnmsXEAX2zxgCJxN1FKm3INM AzEL8d/AThWG2fRTww6whQlISKYkvuN9zflK4qxUsucshccmimQj0799 7GjQh50yUYhjVOFdYdiyU3q/MtHOmjMOL7bnmquiBvXC39Qan2+e1Kys CT17b4zWUYy54qF6hEejafCsrsTy6jZIk5aXGhqA1LG/mqPI1gt74Bpu 2JI+WQ==
gu.edu.			86400	IN	RRSIG	DNSKEY 7 2 86400 20140705183107 20140628183107 35043 gu.edu. Im5/h/K08KpcnZIXKXjTBTshEYTjMdeZeCx1qgVzhRq5jQs9ERXG8wzn Plvs809SGTuvHbSBqoziCw7eWbGhlDthj1sc7AzAr22lGRRZB7KuKJx6 BbyGRSCcte2cbec03tzf4axFIjV/AWUKPVwZz+FyLjlE8M+1m+9wf1rd RAC/sHyeRIk+UgMzbxfu4NtP+obeh3QK00acFSWzGq/GOvijub8AiD40 tMAl8eszWhi6nvRgXgCIbrILJscL0dVZVgUxe4wdJPM9l0t97y8D8/jA 8RWFSETipEgN9x1SK9OBjCA0+e7Xb1GL5u2XvgZ+47I6t5fI9a2aCTuZ cdjRxA==
gu.edu.			86400	IN	RRSIG	DNSKEY 7 2 86400 20140705183107 20140628183107 38702 gu.edu. I0hR/eirR7oCcWXty592yeHa7ceOePt4h/ktKAMcptlYzxzyVsNZE00p JVO2RwTTyc4ROG7IjU4hrlXk47w8cRFh2HlawF/wDbqxrMAJnZl1cR/4 lNpdpdDCAvXE0YCNE9MDJJ2RlTdK0EKE1/Z6uxvdZwlLSNmdTRQZq3U6 Er8BrKydIpyaOATGTHEeDVdv6862cp/JnGbyfnPQH8zUqLwjeEwV++q7 EzdX8009sqoM0qKS+QSKD33rTwfBmgDYX4A4KePCK8VqLg3VFVuMzjLv +mlm4QJ7QVxpiKPoiCPDUCw5OPZICl3ZPgbB06FgHHAbqf1USG63Vazg SmTujQ==
gu.edu.			86400	IN	RRSIG	DNSKEY 7 2 86400 20140705183107 20140628183107 25247 gu.edu. E4HC0HzDzSwXhRHCJuPPuLeLAsOs7hjEHqnKxt9SRx4oKOt5g/A33mHZ tr7YbGtuf5+5MkPeXaIAAwaywBzkGCFbUVlD6tGEvpDLrm/Cw12w8rfs FY0OfvJrovr15ZeH57SswhiLtTuh1NA5WqALxmbENRg/ja9Due86Js6I G7ImoajhkD2oSS0QCpwuk+pKv0xpfllawE/pzszL7vcLZSCPmXvsAwr9 TqmvmP70B+YjnGeNlEFAx1YGgS4urnNIf7/aMSk+sqrFH+1su8Q6zO94 miiz18q2xbCebSQJoRkf61n84gdVyJ+My4UfQ9sP1um8w4yD+M0i84SZ r02fGg==

;; Query time: 436 msec
;; SERVER: 141.161.200.28#53(141.161.200.28)
;; WHEN: Wed Jul 02 21:02:26 EST 2014
;; MSG SIZE  rcvd: 2291

In message <CAEU_gmctGP0TcQvZt6ivjwBDOf8OxQZ=Q0SCU-Eu-MnxP=zBGg at mail.gmail.com>, Mohamed Lrhazi writes:
> I am sure I messed up something, but can't figure out what! Some DNS
> servers, notably Google's, return SERVFAIL, since a couple of days now.
> 
> This dns report says the NS records do not have A records... but they do in
> my zone data.
> 
> http://www.dnssy.com/report.php?q=gu.edu
> 
> ➜  ~  dig any gu.edu @8.8.8.8
> 
> ; <<>> DiG 9.9.5-3-Ubuntu <<>> any gu.edu @8.8.8.8
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24840
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;gu.edu. IN ANY
> 
> ;; Query time: 80 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Wed Jul 02 06:21:49 EDT 2014
> ;; MSG SIZE  rcvd: 35
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
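
The check described in the reply above (does every DS at the parent have a DNSKEY in the zone with the same key tag, algorithm and digest, and is there an RRSIG over the DNSKEY RRset made with that tag), as an added example that is not part of the original message. The function names and the toy 3-byte keys under "example." are assumptions made for illustration; signatures are matched by key tag only, not verified cryptographically.

```python
import base64
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(canonical owner name | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    labels = [l for l in owner.lower().split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(wire + rdata).hexdigest().upper()

def make_ds(owner, key, digest_type=1):
    """Build the (key tag, algorithm, digest type, digest) tuple a parent would publish."""
    rdata = dnskey_rdata(*key)
    return (key_tag(rdata), key[2], digest_type, ds_digest(owner, rdata, digest_type))

def orphaned_ds(owner, ds_set, dnskeys, dnskey_rrsig_tags):
    """Key tags of DS records with no matching DNSKEY that also signs the DNSKEY RRset."""
    orphans = []
    for tag, alg, dtype, digest in ds_set:
        matched = False
        for key in dnskeys:
            rdata = dnskey_rdata(*key)
            # Zone Key flag (0x0100) set, same algorithm, tag and digest, and a signature by that tag
            if (key[0] & 0x0100 and key[2] == alg and key_tag(rdata) == tag
                    and ds_digest(owner, rdata, dtype) == digest.upper()
                    and tag in dnskey_rrsig_tags):
                matched = True
        if not matched:
            orphans.append(tag)
    return orphans

# Constructed sample data: toy 3-byte "keys", not real RSA keys and not gu.edu's records.
OLD_KSK = (257, 3, 7, "AQIF")   # withdrawn from the zone
NEW_KSK = (257, 3, 7, "AQID")   # published and signing
ZSK = (256, 3, 7, "AQIE")
ZONE_KEYS = [NEW_KSK, ZSK]
RRSIG_TAGS = {key_tag(dnskey_rdata(*k)) for k in ZONE_KEYS}
STALE_PARENT = [make_ds("example.", OLD_KSK)]   # parent still points at the old KSK
FIXED_PARENT = [make_ds("example.", NEW_KSK)]

if __name__ == "__main__":
    print("orphaned DS key tags:", orphaned_ds("example.", STALE_PARENT, ZONE_KEYS, RRSIG_TAGS))
    print("after DS update:     ", orphaned_ds("example.", FIXED_PARENT, ZONE_KEYS, RRSIG_TAGS))
```

A non-empty result for every DS at the parent is the state a validating resolver answers with SERVFAIL.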


