[dns-operations] Question on DNSSEC Failures

Anthony Eden anthony.eden at dnsimple.com
Fri Jun 15 11:21:52 UTC 2018


I have a zone where keys are currently in rotation[1], with the old keys
(both KSK and ZSK) at 1024 bits and the new keys (both KSK and ZSK) at 2048
bits [2]. DNSSEC validating resolvers such as Google's public resolvers are
currently returning SERVFAIL. [3]

I am trying to determine why the lookups are failing at resolvers. Is this
due to the truncation and requirement to switch to TCP? Do I need to reduce
the bit size to something between 1024 and 2048?

Thanks!

-Anthony

[1] DS lookup

; <<>> DiG 9.12.1 <<>> avisi.net ds
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54679
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;avisi.net. IN DS

;; ANSWER SECTION:
avisi.net. 86399 IN DS 43144 8 2
FCED288098D07789ECF678130AB7067A0B4BC6A32AEB3CF6CBEDA915 BB17FAEF
avisi.net. 86399 IN DS 814 8 2
55C0CDFA96D35060D4A16E747D4C82550BDF773684DEE151E798F7A8 D60BDF15

;; Query time: 48 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jun 15 13:19:23 CEST 2018
;; MSG SIZE  rcvd: 134

[2] DNSKEY lookup at authoritative

; <<>> DiG 9.12.1 <<>> @ns1.dnsimple.com avisi.net dnskey
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53736
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65535
;; QUESTION SECTION:
;avisi.net. IN DNSKEY

;; ANSWER SECTION:
avisi.net. 3600 IN DNSKEY 256 3 8
AwEAAdGV37X55G9mrcdE5aGnGD8TN+3nL0Bh1tUor0Y2m/dzi+fw9mnc
yxPEm+YXfq2fk0m0UCq/pUCKGJ3h+YJPiRayJnNGaqdrf5+N/sD3FkBV
K/XbyxAJo6x+WmEIqLAG86X3CS/aLaMcJggABHbQvANgaCn0hRadSDnF pRwAKGJN
avisi.net. 3600 IN DNSKEY 256 3 8
AwEAAe28LyXeKkCAPssNxjizQV7tltdf7PbE/N9Cz+znIWq+cIqKS1th
mOzCLSmvOfTCL3NuACotz5lmtshGrCrKTtUX6c29UZyqDGi+5CuioL81
is9SRdBZWCQMxHV7CmvXz/8CI5jfdNMKoIh1x3sq5YLe3P41HZL7PZAV DSWrNmEf
avisi.net. 3600 IN DNSKEY 257 3 8
AwEAAcdQiEoApNVhI9tnxpvwZOsVuskjGprvOm5l/eFaMGT8MEnf8iNd
Qn8GPpmMMPyiLtby8u/NGKwMquqN+GC8vNxtL6X1aH56qk6CQ8hw0gzj
tq7U7upD2aatzUyGM1pQg8mLyZmDxDOV7Go8+O7PeAzkd1MZk3O+OWft
DqEQ8daATqT+nFep7C5RB+UGch3oIKP/kgHQcOSkcYY5t/h07XmqjpcC
PbR9ckhd7KnYgoigM4Pxy1gNbdffdlYqMCrv3j8k8BxdFkoYJAYwdwl8
s/mKFtH1wMInSSWrC3S57SbB5duvmutnhj6lfi+gpZpz9PLSNDl3WW+S hR/RXSMd8DM=
avisi.net. 3600 IN DNSKEY 257 3 8
AwEAAckqvGwehFdAuYYb+b8IgXEtgcsfeVRMfk2jde7WfXOMFwIwT8pH
HOY0QXUNx0OFU5L9f2sMxWTUvp8EyW+F/lLgENBjDUzeUzMWMPp+EQUM
TJKAwE3rnUTx8Zow6uZTy7FO6KvAI2wVi5KN0b7jXZZ97Z8S5uZ7S8Go
wt4t+fthOgQ/mPW7vVbvZSo5v3H7dqBFgIQGXgjsggCQeoSxS528pge/
4ii4nx7TsbntAYBqfovIu3g46l2/nnOuUoNE7aOKYvC7SKPmrpAfnUUL
j5E7704shGOM38XPOTvAkSl9NyqGM4ln0LgiFYLxO/m2tN0ySQVS4A5A SHFdR0Ai64E=

;; Query time: 50 msec
;; SERVER: 162.159.24.4#53(162.159.24.4)
;; WHEN: Fri Jun 15 13:17:21 CEST 2018
;; MSG SIZE  rcvd: 886

[3] DNSKEY lookup at resolver

; <<>> DiG 9.12.1 <<>> @8.8.8.8 avisi.net DNSKEY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63216
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;avisi.net. IN DNSKEY

;; Query time: 3708 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jun 15 13:18:46 CEST 2018
;; MSG SIZE  rcvd: 38


-- 
DNSimple.com
http://dnsimple.com/
Twitter: @dnsimple
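Added example, not part of the message above or of DNSimple's code: a small Python 3 (stdlib only) check that pairs the DS records published at the parent with the DNSKEYs the child serves, which is the first thing to verify when a validator returns SERVFAIL during a KSK rollover. It implements the RFC 4034 Appendix B key tag and the RFC 4509 SHA-256 DS digest (digest type 2), and reads the RSA modulus size out of the RFC 3110 key encoding. The DS and KSK records embedded under `__main__` are copied from the dig output in the message; the names `DNSKEY`, `DS` and `match_ds_to_dnskeys` are this example's own.

```python
"""Cross-check parent-side DS records against the child's DNSKEY RRset."""
import base64
import hashlib
from dataclasses import dataclass


def owner_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name such as 'avisi.net.'."""
    labels = [lbl for lbl in name.lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @classmethod
    def from_presentation(cls, owner, flags, protocol, algorithm, key_b64):
        # dig wraps the base64 blob over several lines; strip all whitespace first.
        return cls(owner, flags, protocol, algorithm, base64.b64decode("".join(key_b64.split())))

    @property
    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
        ac = 0
        for i, b in enumerate(self.rdata):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def ds_digest(self) -> bytes:
        """RFC 4509 digest type 2: SHA-256 over owner wire form followed by DNSKEY RDATA."""
        return hashlib.sha256(owner_to_wire(self.owner) + self.rdata).digest()

    def modulus_bits(self) -> int:
        """RSA modulus size from the RFC 3110 layout: exponent length, exponent, modulus."""
        k = self.public_key
        exp_len, off = (k[0], 1) if k[0] else (int.from_bytes(k[1:3], "big"), 3)
        return (len(k) - off - exp_len) * 8


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

    def matches(self, key: DNSKEY) -> bool:
        # Only digest type 2 (SHA-256) is implemented here; other types never match.
        return (self.digest_type == 2 and self.algorithm == key.algorithm
                and self.key_tag == key.key_tag() and self.digest == key.ds_digest())


def match_ds_to_dnskeys(ds_set, dnskeys):
    """Pair each DS with the DNSKEY it was derived from (None when no key matches)."""
    return [(ds, next((k for k in dnskeys if ds.matches(k)), None)) for ds in ds_set]


if __name__ == "__main__":
    # Records as printed in the message: the two DS seen via 8.8.8.8 and the two KSKs at ns1.
    zone = "avisi.net."
    ds_set = [
        DS(43144, 8, 2, bytes.fromhex("FCED288098D07789ECF678130AB7067A0B4BC6A32AEB3CF6CBEDA915BB17FAEF")),
        DS(814, 8, 2, bytes.fromhex("55C0CDFA96D35060D4A16E747D4C82550BDF773684DEE151E798F7A8D60BDF15")),
    ]
    ksks = [
        DNSKEY.from_presentation(zone, 257, 3, 8, """
            AwEAAcdQiEoApNVhI9tnxpvwZOsVuskjGprvOm5l/eFaMGT8MEnf8iNd
            Qn8GPpmMMPyiLtby8u/NGKwMquqN+GC8vNxtL6X1aH56qk6CQ8hw0gzj
            tq7U7upD2aatzUyGM1pQg8mLyZmDxDOV7Go8+O7PeAzkd1MZk3O+OWft
            DqEQ8daATqT+nFep7C5RB+UGch3oIKP/kgHQcOSkcYY5t/h07XmqjpcC
            PbR9ckhd7KnYgoigM4Pxy1gNbdffdlYqMCrv3j8k8BxdFkoYJAYwdwl8
            s/mKFtH1wMInSSWrC3S57SbB5duvmutnhj6lfi+gpZpz9PLSNDl3WW+S hR/RXSMd8DM="""),
        DNSKEY.from_presentation(zone, 257, 3, 8, """
            AwEAAckqvGwehFdAuYYb+b8IgXEtgcsfeVRMfk2jde7WfXOMFwIwT8pH
            HOY0QXUNx0OFU5L9f2sMxWTUvp8EyW+F/lLgENBjDUzeUzMWMPp+EQUM
            TJKAwE3rnUTx8Zow6uZTy7FO6KvAI2wVi5KN0b7jXZZ97Z8S5uZ7S8Go
            wt4t+fthOgQ/mPW7vVbvZSo5v3H7dqBFgIQGXgjsggCQeoSxS528pge/
            4ii4nx7TsbntAYBqfovIu3g46l2/nnOuUoNE7aOKYvC7SKPmrpAfnUUL
            j5E7704shGOM38XPOTvAkSl9NyqGM4ln0LgiFYLxO/m2tN0ySQVS4A5A SHFdR0Ai64E="""),
    ]
    for ds, key in match_ds_to_dnskeys(ds_set, ksks):
        if key is None:
            print(f"DS {ds.key_tag}: no DNSKEY in the RRset matches; validators cannot chain through it")
        else:
            print(f"DS {ds.key_tag}: matches KSK {key.key_tag()} ({key.modulus_bits()}-bit RSA)")
```

A DS that matches no published DNSKEY is the classic cause of SERVFAIL mid-rollover, and it is independent of the UDP buffer question: the authoritative answer above is 886 bytes, so a resolver that advertises a 512-byte EDNS buffer will see a truncated reply and retry over TCP, which also has to succeed before validation can even start. Running both checks (DS-to-DNSKEY matching and a TCP DNSKEY query) separates the two failure modes.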