[dns-operations] Question on DNSSEC Failures
Mats Dufberg
mats.dufberg at iis.se
Fri Jun 15 12:08:38 UTC 2018
I can query for SOA, but when querying for DNSKEY I get SERVFAIL.
Mats
###############
; <<>> DiG 9.10.6 <<>> avisi.net soa @162.159.26.4 +dns +norec +mult
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20580
;; flags: qr aa ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;avisi.net. IN SOA
;; ANSWER SECTION:
avisi.net. 3600 IN SOA ns1.dnsimple.com. admin.dnsimple.com. (
1494881373 ; serial
86400 ; refresh (1 day)
7200 ; retry (2 hours)
604800 ; expire (1 week)
300 ; minimum (5 minutes)
)
avisi.net. 300 IN RRSIG SOA 8 2 3600 (
20180616180003 20180318180003 48360 avisi.net.
mWibMCt4gcKHZfRVJejPNmAGjmm5AmpWEKXQh32nkeTt
+EYwULu2QH5hQJkEVvdCLnfupeVFOjh6Y+iEzwvYi1eM
h+997fZRSB5zJkGimU3+gPrlJRh10mbfrOjKPFlb0Mqh
qfs5e7L1KoJH8cNvxs7CtObKkGYcxhZJ41JaD1U= )
avisi.net. 300 IN RRSIG SOA 8 2 3600 (
20180911190001 20180613190001 61413 avisi.net.
EAgrmduDlkA8dZdskSLwTBd5croc6gZXCXdlMOyCfr48
3Sd8L/rI0oFM7MGZ5KIQjwHhART7QCjIwPm9Ck4HAwFW
iZhoD6y8IUm6vX1JXxHd1ISX6gKy1vL7NxoAO5gQh3Ci
1w/hgi1jgM3qGZ9bU4+JgrBojvQHmywxdsaggKI= )
;; Query time: 283 msec
;; SERVER: 162.159.26.4#53(162.159.26.4)
;; WHEN: Fri Jun 15 14:06:11 CEST 2018
;; MSG SIZE rcvd: 434
###############
; <<>> DiG 9.10.6 <<>> avisi.net dnskey @162.159.26.4 +dns +norec +mult
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55158
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;avisi.net. IN DNSKEY
;; Query time: 1700 msec
;; SERVER: 162.159.26.4#53(162.159.26.4)
;; WHEN: Fri Jun 15 14:07:22 CEST 2018
;; MSG SIZE rcvd: 38
---
Mats Dufberg
DNS Specialist, IIS
Mobile: +46 73 065 3899
https://www.iis.se/en/
From: dns-operations <dns-operations-bounces at dns-oarc.net> on behalf of Anthony Eden <anthony.eden at dnsimple.com>
Date: Friday, 15 June 2018 at 13:54
To: "dns-operations at lists.dns-oarc.net" <dns-operations at dns-oarc.net>
Subject: [dns-operations] Question on DNSSEC Failures
I have a zone where keys are currently in rotation[1], with the old keys (both KSK and ZSK) at 1024 bits and the new keys (both KSK and ZSK) at 2048 bits [2]. DNSSEC validating resolvers such as Google's public resolvers are currently returning SERVFAIL. [3]
I am trying to determine why the lookups are failing at resolvers. Is this due to the truncation and requirement to switch to TCP? Do I need to reduce the bit size to something between 1024 and 2048?
Thanks!
-Anthony
[1] DS lookup
; <<>> DiG 9.12.1 <<>> avisi.net ds
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54679
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;avisi.net. IN DS
;; ANSWER SECTION:
avisi.net. 86399 IN DS 43144 8 2 FCED288098D07789ECF678130AB7067A0B4BC6A32AEB3CF6CBEDA915 BB17FAEF
avisi.net. 86399 IN DS 814 8 2 55C0CDFA96D35060D4A16E747D4C82550BDF773684DEE151E798F7A8 D60BDF15
;; Query time: 48 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jun 15 13:19:23 CEST 2018
;; MSG SIZE rcvd: 134
[2] DNSKEY lookup at authoritative
; <<>> DiG 9.12.1 <<>> @ns1.dnsimple.com avisi.net dnskey
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53736
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65535
;; QUESTION SECTION:
;avisi.net. IN DNSKEY
;; ANSWER SECTION:
avisi.net. 3600 IN DNSKEY 256 3 8 AwEAAdGV37X55G9mrcdE5aGnGD8TN+3nL0Bh1tUor0Y2m/dzi+fw9mnc yxPEm+YXfq2fk0m0UCq/pUCKGJ3h+YJPiRayJnNGaqdrf5+N/sD3FkBV K/XbyxAJo6x+WmEIqLAG86X3CS/aLaMcJggABHbQvANgaCn0hRadSDnF pRwAKGJN
avisi.net. 3600 IN DNSKEY 256 3 8 AwEAAe28LyXeKkCAPssNxjizQV7tltdf7PbE/N9Cz+znIWq+cIqKS1th mOzCLSmvOfTCL3NuACotz5lmtshGrCrKTtUX6c29UZyqDGi+5CuioL81 is9SRdBZWCQMxHV7CmvXz/8CI5jfdNMKoIh1x3sq5YLe3P41HZL7PZAV DSWrNmEf
avisi.net. 3600 IN DNSKEY 257 3 8 AwEAAcdQiEoApNVhI9tnxpvwZOsVuskjGprvOm5l/eFaMGT8MEnf8iNd Qn8GPpmMMPyiLtby8u/NGKwMquqN+GC8vNxtL6X1aH56qk6CQ8hw0gzj tq7U7upD2aatzUyGM1pQg8mLyZmDxDOV7Go8+O7PeAzkd1MZk3O+OWft DqEQ8daATqT+nFep7C5RB+UGch3oIKP/kgHQcOSkcYY5t/h07XmqjpcC PbR9ckhd7KnYgoigM4Pxy1gNbdffdlYqMCrv3j8k8BxdFkoYJAYwdwl8 s/mKFtH1wMInSSWrC3S57SbB5duvmutnhj6lfi+gpZpz9PLSNDl3WW+S hR/RXSMd8DM=
avisi.net. 3600 IN DNSKEY 257 3 8 AwEAAckqvGwehFdAuYYb+b8IgXEtgcsfeVRMfk2jde7WfXOMFwIwT8pH HOY0QXUNx0OFU5L9f2sMxWTUvp8EyW+F/lLgENBjDUzeUzMWMPp+EQUM TJKAwE3rnUTx8Zow6uZTy7FO6KvAI2wVi5KN0b7jXZZ97Z8S5uZ7S8Go wt4t+fthOgQ/mPW7vVbvZSo5v3H7dqBFgIQGXgjsggCQeoSxS528pge/ 4ii4nx7TsbntAYBqfovIu3g46l2/nnOuUoNE7aOKYvC7SKPmrpAfnUUL j5E7704shGOM38XPOTvAkSl9NyqGM4ln0LgiFYLxO/m2tN0ySQVS4A5A SHFdR0Ai64E=
;; Query time: 50 msec
;; SERVER: 162.159.24.4#53(162.159.24.4)
;; WHEN: Fri Jun 15 13:17:21 CEST 2018
;; MSG SIZE rcvd: 886
[3] DNSKEY lookup at resolver
; <<>> DiG 9.12.1 <<>> @8.8.8.8 avisi.net DNSKEY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63216
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;avisi.net. IN DNSKEY
;; Query time: 3708 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jun 15 13:18:46 CEST 2018
;; MSG SIZE rcvd: 38
--
DNSimple.com
http://dnsimple.com/
Twitter: @dnsimple
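Added diagnostic for the thread above (editor's example; not code from the thread, from IIS or from DNSimple). It takes the DNSKEY and DS records exactly as posted and answers two questions a practitioner would check first: whether each DS published at the parent actually corresponds to a KSK in the child's DNSKEY RRset (RFC 4034 key tag and DS digest computed from scratch, stdlib only), and roughly how large the DNSKEY answer becomes once RRSIGs are attached, compared with the 512-byte EDNS buffer visible in the dig output. The size model assumes owner and signer names are sent as 2-byte compression pointers and that the DNSKEY RRset is signed by the two KSKs only; both are assumptions, not facts from the thread.

```python
"""Offline DNSSEC sanity checks for the avisi.net data posted in the thread.
RFC 4034 Appendix B (key tag) and section 5.1.4 (DS digest), stdlib only."""
import base64
import hashlib
import struct

ZONE = "avisi.net."
# (flags, protocol, algorithm, base64 key) copied from the DNSKEY dig output above
DNSKEYS = [
    (256, 3, 8, "AwEAAdGV37X55G9mrcdE5aGnGD8TN+3nL0Bh1tUor0Y2m/dzi+fw9mnc yxPEm+YXfq2fk0m0UCq/pUCKGJ3h+YJPiRayJnNGaqdrf5+N/sD3FkBV K/XbyxAJo6x+WmEIqLAG86X3CS/aLaMcJggABHbQvANgaCn0hRadSDnF pRwAKGJN"),
    (256, 3, 8, "AwEAAe28LyXeKkCAPssNxjizQV7tltdf7PbE/N9Cz+znIWq+cIqKS1th mOzCLSmvOfTCL3NuACotz5lmtshGrCrKTtUX6c29UZyqDGi+5CuioL81 is9SRdBZWCQMxHV7CmvXz/8CI5jfdNMKoIh1x3sq5YLe3P41HZL7PZAV DSWrNmEf"),
    (257, 3, 8, "AwEAAcdQiEoApNVhI9tnxpvwZOsVuskjGprvOm5l/eFaMGT8MEnf8iNd Qn8GPpmMMPyiLtby8u/NGKwMquqN+GC8vNxtL6X1aH56qk6CQ8hw0gzj tq7U7upD2aatzUyGM1pQg8mLyZmDxDOV7Go8+O7PeAzkd1MZk3O+OWft DqEQ8daATqT+nFep7C5RB+UGch3oIKP/kgHQcOSkcYY5t/h07XmqjpcC PbR9ckhd7KnYgoigM4Pxy1gNbdffdlYqMCrv3j8k8BxdFkoYJAYwdwl8 s/mKFtH1wMInSSWrC3S57SbB5duvmutnhj6lfi+gpZpz9PLSNDl3WW+S hR/RXSMd8DM="),
    (257, 3, 8, "AwEAAckqvGwehFdAuYYb+b8IgXEtgcsfeVRMfk2jde7WfXOMFwIwT8pH HOY0QXUNx0OFU5L9f2sMxWTUvp8EyW+F/lLgENBjDUzeUzMWMPp+EQUM TJKAwE3rnUTx8Zow6uZTy7FO6KvAI2wVi5KN0b7jXZZ97Z8S5uZ7S8Go wt4t+fthOgQ/mPW7vVbvZSo5v3H7dqBFgIQGXgjsggCQeoSxS528pge/ 4ii4nx7TsbntAYBqfovIu3g46l2/nnOuUoNE7aOKYvC7SKPmrpAfnUUL j5E7704shGOM38XPOTvAkSl9NyqGM4ln0LgiFYLxO/m2tN0ySQVS4A5A SHFdR0Ai64E="),
]
# (key tag, algorithm, digest type, digest) copied from the DS dig output above
DS_RECORDS = [
    (43144, 8, 2, "FCED288098D07789ECF678130AB7067A0B4BC6A32AEB3CF6CBEDA915 BB17FAEF"),
    (814, 8, 2, "55C0CDFA96D35060D4A16E747D4C82550BDF773684DEE151E798F7A8 D60BDF15"),
]
EDNS_BUFSIZE = 512  # "udp: 512" in the dig output above


def name_to_wire(name):
    """Uncompressed wire form of a domain name (RFC 1035 length-prefixed labels)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw public key.
    b64decode() drops the whitespace that dig inserts when wrapping the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit ones-complement-style sum over the RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(zone, rdata, digest_type):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), as upper-case hex."""
    h = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return h(name_to_wire(zone) + rdata).hexdigest().upper()


def rsa_modulus_bits(key_b64):
    """Modulus size of an RFC 3110 RSA key: 1-byte exponent length, or 0 + 2-byte length."""
    raw = base64.b64decode(key_b64)
    if raw[0] == 0:
        exp_len, off = struct.unpack("!H", raw[1:3])[0], 3
    else:
        exp_len, off = raw[0], 1
    return (len(raw) - off - exp_len) * 8


def match_ds(zone, dnskeys, ds_records):
    """For each DS, (key tag, matched?) telling whether some key in the set reproduces it."""
    out = []
    for tag, alg, dtype, digest in ds_records:
        want = digest.replace(" ", "").upper()
        hit = False
        for flags, proto, kalg, key in dnskeys:
            rdata = dnskey_rdata(flags, proto, kalg, key)
            if kalg == alg and key_tag(rdata) == tag and ds_digest(zone, rdata, dtype) == want:
                hit = True
        out.append((tag, hit))
    return out


def estimate_answer_size(zone, dnskeys, signer_bits=()):
    """Approximate wire size of a DNSKEY answer: header, question, one RR per key,
    one RRSIG per signer (18 fixed RDATA bytes + compressed signer name + RSA signature),
    plus the OPT pseudo-RR. Assumes 2-byte compression pointers for owner/signer names."""
    size = 12 + len(name_to_wire(zone)) + 4            # header + QNAME + QTYPE/QCLASS
    for flags, proto, alg, key in dnskeys:
        size += 2 + 10 + len(dnskey_rdata(flags, proto, alg, key))
    for bits in signer_bits:
        size += 2 + 10 + 18 + 2 + bits // 8
    return size + 11                                   # OPT RR with empty RDATA


if __name__ == "__main__":
    for flags, proto, alg, key in DNSKEYS:
        kind = "KSK" if flags & 1 else "ZSK"          # SEP bit marks the KSK
        print(kind, rsa_modulus_bits(key), "bits, tag", key_tag(dnskey_rdata(flags, proto, alg, key)))
    for tag, ok in match_ds(ZONE, DNSKEYS, DS_RECORDS):
        print("DS", tag, "matches a published KSK" if ok else "has NO matching DNSKEY")
    plain = estimate_answer_size(ZONE, DNSKEYS)
    signed = estimate_answer_size(ZONE, DNSKEYS, signer_bits=[2048, 2048])  # KSK-only signing assumed
    print(f"DNSKEY answer: ~{plain} bytes unsigned, ~{signed} bytes with two KSK RRSIGs, buffer {EDNS_BUFSIZE}")
```

The unsigned estimate reproduces the 886-byte MSG SIZE of the authoritative DNSKEY query above, which gives some confidence in the model; with two 2048-bit RRSIGs the same answer is well over 512 bytes, so a DO-bit query with a 512-byte buffer can only be served truncated (and retried over TCP) or with a larger advertised buffer. Note that this only quantifies the size question raised in the message; in Mats's output the authoritative server answered the DO-bit DNSKEY query with a 38-byte SERVFAIL rather than a truncated reply, which the estimate does not by itself explain.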