Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled

Matthew Pounsett matt at conundrum.com
Mon Mar 29 08:28:20 UTC 2010


On 2010/03/28, at 18:48, Roy Badami wrote:

> configured).  The queries are resulting in SERVFAIL, and I'm pretty
> sure the failures are DNSSEC-related, as when I've seen problems as
> they occur (dig failing from the command line) then repeating the
> query with the CD bit allowed it to succeed.

It looks to me like your example, freebsd.org, is insecure.  

There are no DS records for freebsd.org in the org zone, so BIND can't follow the trust chain from the org.dlv.isc.org DLV record.

; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec +dnssec IN DS freebsd.org @a0.org.afilias-nst.info
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52863
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
[...]

There also appears to be no DLV record for freebsd.org:

; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec +dnssec IN DLV freebsd.org.dlv.isc.org @ns.isc.afilias-nst.info
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23858
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;freebsd.org.dlv.isc.org.	IN	DLV

;; AUTHORITY SECTION:
dlv.isc.org.		3600	IN	SOA	ns-int.isc.org. hostmaster.isc.org. 2010032802 7200 3600 2419200 3600
dlv.isc.org.		3600	IN	RRSIG	SOA 5 3 3600 20100427130003 20100328130003 64263 dlv.isc.org. IbRdfwxFInY6FuHtsfVatqrNvMIoifQTrohzEZF1UsTx9XAowU1Zz57L YcHPu3ReAdYOL+IwkG8syNQ/LSLnpZY3K3Av/HSmPV524KWbm39J+k+G BMmIIsnvC4I40UUr7f/AXF14JgdAu9eokvvLvqR0CcAY0dq9HGHjdXC1 HbI=
flame.org.dlv.isc.org.	3600	IN	NSEC	863.freenum.org.dlv.isc.org. RRSIG NSEC DLV
flame.org.dlv.isc.org.	3600	IN	RRSIG	NSEC 5 5 3600 20100427130003 20100328130003 64263 dlv.isc.org. KZRZadIqTS8p6V3fRz7bsOrP3A/gTqJzeVtWTOqhrRbChLt0jVbhY4fR 1pBogkhc84xcv7i0odHMzWCIpmQdv4Q/ODnophPdgrfPcxB93s3dMQ/D j0o2KTYsx1qJo0O1RWqhicUdwGoVYm5rZFLxy/uBV0dJe0KGrSmY21Gw U/c=
org.dlv.isc.org.	3600	IN	NSEC	1mg.org.dlv.isc.org. RRSIG NSEC DLV
org.dlv.isc.org.	3600	IN	RRSIG	NSEC 5 4 3600 20100427130003 20100328130003 64263 dlv.isc.org. YCe9L3iuJ5YD5hj7s1Z9wGsDkhLhqchNki+bSffHGxoYZVaQnMZXgWpS fYJZsFyJA3h1uEs5FvuLeLv1Poej2EhDyXucMHAgTJy4fbDjaw3Q8/MP et17Ki0TSNvMFdusCJl93aSZBnKponKR67ofvb8wwt5SDCYrR41EgvzE WZs=

;; Query time: 58 msec
;; SERVER: 199.254.63.254#53(199.254.63.254)
;; WHEN: Mon Mar 29 04:22:48 2010
;; MSG SIZE  rcvd: 721

Note both the NXDOMAIN status and the NSEC record covering flame.org.dlv.isc.org through 863.freenum.org.dlv.isc.org.  The NSEC record is used to prove that no domains which sort between those two names exist in the dlv.isc.org zone.

Just to make sure, I looked for RRSIGs in the freebsd.org zone, wondering if maybe the DLV record has simply disappeared from the dlv.isc.org zone somehow, but it doesn't look like freebsd.org has been signed at all:

; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec +dnssec IN AAAA mx2.freebsd.org @ns2.isc-sns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17599
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 11

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mx2.freebsd.org.		IN	AAAA

;; ANSWER SECTION:
mx2.freebsd.org.	3600	IN	AAAA	2001:4f8:fff6::35

Note the absence of an RRSIG in the ANSWER section.  If freebsd.org were signed, you'd expect to see an answer similar to this:

; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec +dnssec IN AAAA ns1.isc-sns.net @ns1.isc-sns.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52801
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ns1.isc-sns.net.		IN	AAAA

;; ANSWER SECTION:
ns1.isc-sns.net.	3600	IN	AAAA	2001:470:1a::1
ns1.isc-sns.net.	3600	IN	RRSIG	AAAA 5 3 3600 20100426233330 20100327233330 10377 isc-sns.net. qk8txlEYx6d8Mor155Rz0Te2vdQSPDoaJZM5FaXLfyNpruv7z3gdwtAI BrmDCKhzmyYni4GQmqZPYmceVjp1rcD17B5O+2/NET+obm3pcHKuzRZs e0PyP1LITahboUZzBoIyd7/jqs2+EwFKJgUs7v41UNp5oIz2vs0YuBo6 1Hc=


Have you checked the other domains you're having problems with to see that they're actually secured?
If you supply some info from your resolver configuration, someone here might be able to help debug the problem.

Matt
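Added example, not part of Matt's mail: the NSEC "covers" check a validating resolver performs on the NXDOMAIN answer shown above, using the canonical name ordering of RFC 4034 section 6.1 and the two NSEC records from the dlv.isc.org response. The owner/next pairs in `DLV_NSECS` are copied from the dig output above; function names are the example's own.

```python
# Canonical ordering (RFC 4034 s6.1): compare label by label starting at the
# root, each label as case-folded octets; an ancestor sorts before its children.

def canonical_labels(name):
    """Labels of a name ordered from the root downwards, lowercased bytes."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return [l.lower().encode("ascii") for l in reversed(labels)]

def canonical_cmp(a, b):
    """-1, 0 or 1 according to the canonical ordering of names a and b."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))  # shorter (ancestor) first

def nsec_covers(owner, next_name, qname):
    """True if NSEC owner->next proves qname does not exist.

    qname must sort strictly between owner and next. The last NSEC in a zone
    points back at the apex, so its span wraps and covers everything after
    the owner (nothing in the zone sorts before the apex)."""
    after_owner = canonical_cmp(qname, owner) > 0
    before_next = canonical_cmp(qname, next_name) < 0
    if canonical_cmp(next_name, owner) <= 0:      # wrap-around span
        return after_owner or before_next
    return after_owner and before_next

def common_ancestor(a, b):
    """Longest name that is an ancestor of (or equal to) both a and b."""
    la, lb = canonical_labels(a), canonical_labels(b)
    n = 0
    while n < min(len(la), len(lb)) and la[n] == lb[n]:
        n += 1
    return ".".join(l.decode() for l in reversed(la[:n])) + "."

def closest_encloser(qname, owner, next_name):
    """Closest encloser of qname derived from the covering NSEC (RFC 4035 s5.4)."""
    return max(common_ancestor(qname, owner), common_ancestor(qname, next_name),
               key=lambda s: s.count("."))

def nxdomain_proven(nsecs, qname):
    """True if the (owner, next) NSEC pairs prove qname does not exist AND
    that no wildcard at its closest encloser could have synthesised it."""
    for owner, nxt in nsecs:
        if nsec_covers(owner, nxt, qname):
            wildcard = "*." + closest_encloser(qname, owner, nxt)
            return any(nsec_covers(o, n, wildcard) for o, n in nsecs)
    return False

# Constructed from the two NSEC records in the dlv.isc.org NXDOMAIN answer above.
DLV_NSECS = [("flame.org.dlv.isc.org.", "863.freenum.org.dlv.isc.org."),
             ("org.dlv.isc.org.", "1mg.org.dlv.isc.org.")]
```

The second NSEC is there to deny the wildcard `*.org.dlv.isc.org`; without it the first NSEC alone does not complete the NXDOMAIN proof.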

