stub zone and dnssec processing fails?

Mark Andrews marka at isc.org
Fri Oct 2 00:53:36 UTC 2009


In message <alpine.LFD.1.10.0910011047530.21986 at newtla.xelerance.com>, Paul Wou
ters writes:
> 
> Hi,
> 
> I've been trying to configure bind to use a stub zone, for which I
> have keys configured. When I do this, I see a ServFail, with the
> logs pointing to:
> 
> 01-Oct-2009 11:00:03.053 lame-servers: info: not insecure resolving 'xeleranc
> e.ca/DNSKEY/IN': 193.110.157.135#53
> 
> 
> When I disable the trusted-keys {} for this zone, the resolving
> works, but then it seems to ignore the stub and go out via the
> regular path
> 
> Enabling/disabling DLV did not make a difference. The relevant parts of
> the named.conf:
> 
> options {
>          dnssec-enable yes;
>          dnssec-validation yes;
>          // dnssec-lookaside . trust-anchor dlv.isc.org.;
>  	recursion yes;
> };
> 
> zone "ca." IN {
>          type stub;
>          masters { 192.228.22.190; 192.228.22.189; };
> };
> 
> trusted-keys {
> "ca." 257  3  7 "AwEAAbTcBX0/Z6uh4gUFmPhNMExALpP8eVy+KyHQ3IY8z/XlDoRVoe2Cv0IX
> BWp
> MFme3sQpAEGg9Ps1+lYXpn2zO0BfpcED2nVlZ9KFBwh1MuEHvaAAkYKZtT/aqOIDJftRdmU8ClFZg
> aeJ
> c8Scvf5boGczVvG/ZdbDpHVM73x6a4rQqjTDlgwSaNU+/vimOWii5d4lWBxUDQKsqkQ27UGqyGtYQ
> xNY
> giRGx80phZkmhxOnSwfXIG/RJa0Hl6CtlsG3klywJ+7NAZM/n8Y0TQqjOHudC0SedXSCmQ0C/Ds0Q
> X5M
> 7c/S7alVBYsOdHhJF05MaIA5ij0thAmuvJUW7ofqO5ec=" ; // key id = 46215
> };
> 
> Paul
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

To make the test signed ca work you need to replace the NS RRet
with the names of the nameservers that serve the signed CA zone.
At the moment you end up with those that server unsigned content
which is correctly rejected.  Stubs pre-populate the delegation,
they do not override the delegation.

The alternative is to override the addresses for ?.ca-servers.ca
with those of servers that serve the signed version of ca.  You
will also need to ensure that these servers serve the zones that
are othewise delgated to them using these names. You will still get
the odd failure due to talking to ns-ext.isc.org.

You could just override these if you can't get the content of
ca-servers.ca as ca-servers.ca is delegated to [a-f].ca-servers.ca.
You will get more failures however.

ca.                     86400   IN      NS      j.ca-servers.ca.
ca.                     86400   IN      NS      k.ca-servers.ca.
ca.                     86400   IN      NS      l.ca-servers.ca.
ca.                     86400   IN      NS      m.ca-servers.ca.

I use a similar technique to test IPv6 connectivity for the root
servers.

Mark

; <<>> DiG 9.3.6-P1 <<>> ca ns +norec @192.228.22.190
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56860
;; flags: qr aa; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ca.				IN	NS

;; ANSWER SECTION:
ca.			86400	IN	NS	e.ca-servers.ca.
ca.			86400	IN	NS	d.ca-servers.ca.
ca.			86400	IN	NS	l.ca-servers.ca.
ca.			86400	IN	NS	c.ca-servers.ca.
ca.			86400	IN	NS	a.ca-servers.ca.
ca.			86400	IN	NS	b.ca-servers.ca.
ca.			86400	IN	NS	k.ca-servers.ca.
ca.			86400	IN	NS	f.ca-servers.ca.
ca.			86400	IN	NS	ns-ext.isc.org.
ca.			86400	IN	NS	m.ca-servers.ca.
ca.			86400	IN	NS	j.ca-servers.ca.

;; Query time: 251 msec
;; SERVER: 192.228.22.190#53(192.228.22.190)
;; WHEN: Fri Oct  2 10:36:50 2009
;; MSG SIZE  rcvd: 219


; <<>> DiG 9.3.6-P1 <<>> +dnssec ca @ns-ext.isc.org.
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36584
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ca.				IN	A

;; AUTHORITY SECTION:
ca.			3600	IN	SOA	jbq01.tor.cira.ca. admin-dns.cira.ca. 2009100120 1800 900 604800 3600

;; Query time: 168 msec
;; SERVER: 2001:4f8:0:2::13#53(2001:4f8:0:2::13)
;; WHEN: Fri Oct  2 10:43:20 2009
;; MSG SIZE  rcvd: 92

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org



More information about the bind-users mailing list