Trouble with host and DNSSEC

Timothy Holtzen tah at NebrWesleyan.edu
Wed Sep 15 14:34:29 UTC 2010


I am having trouble resolving the host name cod.ed.gov, which I believe
may be DNSSEC related. If I run dig with the +cdflag option I get what
appears to be a proper response:

; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2 <<>> +cdflag cod.ed.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43205
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;cod.ed.gov.                    IN      A

;; ANSWER SECTION:
cod.ed.gov.             30      IN      A       12.198.185.50

;; AUTHORITY SECTION:
cod.ed.gov.             2948    IN      NS      ns2.dotsconnecthosting.com.
cod.ed.gov.             2948    IN      NS      ns1.dotsconnecthosting.com.

but a normal query returns a SERVFAIL response:

; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2 <<>> cod.ed.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61516
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cod.ed.gov.                    IN      A

In my logs I am getting the messages:

validating @0x2ab727eb5810: cod.ed.gov A: got insecure response; parent
indicates it should be secure
dnssec: info: validating @0x2ab727eb5810: cod.ed.gov A: got insecure
response; parent indicates it should be secure
error (insecurity proof failed) resolving 'cod.ed.gov/A/IN': 63.150.74.34#53

Which would seem to indicate that the chain of trust has been broken.
My server is running BIND 9.7.1-P2 on RHEL 5.5 and is configured with
both the signed root key and the DLV key. We have been running DNSSEC
validation for some time and this problem didn't appear until Monday
afternoon. Is anyone else able to get a DNSSEC validated response for
this site? I admit I'm a bit of a novice when it comes to DNSSEC. I'm
having some trouble figuring out exactly where along the chain things
are broken, if that is indeed the problem. Then, if it is the problem, how
do I resolve it?

-- 
Timothy A. Holtzen
Campus Network Administrator
Nebraska Wesleyan University
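The log line "got insecure response; parent indicates it should be secure" is the validator finding a DS record for the zone at the parent (ed.gov) but no DNSKEY that matches it in the child's answer. The following script is an added example (not part of the post and not BIND's validator code) that models just that DS-to-DNSKEY link: it builds a DS the way a parent would (RFC 4034 key tag plus SHA-256 over the canonical owner name and DNSKEY RDATA) and then classifies a delegation as secure, insecure or bogus from what the parent and child return. All key bytes are constructed and cryptographically meaningless; the RRSIG checks a real validator also performs are not modelled.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Simplified model of the DS -> DNSKEY link in the DNSSEC chain of trust.
# Added example, not BIND's validator. Keys below are constructed and
# meaningless as cryptography; only the DS/DNSKEY bookkeeping is real.


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 257 = zone key + SEP (typical KSK), 256 = ZSK
    protocol: int     # always 3 (RFC 4034)
    algorithm: int    # e.g. 8 = RSASHA256
    public_key: bytes

    def rdata(self) -> bytes:
        # DNSKEY RDATA wire format: flags(2) | protocol(1) | algorithm(1) | key
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256
    digest: str       # hex


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(zone: str, key: DNSKEY) -> DS:
    """What the parent publishes: SHA-256 over owner name + DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(zone) + key.rdata()).hexdigest()
    return DS(key_tag(key.rdata()), key.algorithm, 2, digest)


def validate_delegation(zone: str, parent_ds: List[DS], child_keys: List[DNSKEY]) -> Tuple[str, str]:
    """Classify a delegation from the parent's DS set and the child's DNSKEY set.

    This is the step behind the log line on this page. A real validator also
    verifies the RRSIG over the DNSKEY RRset and over the final answer.
    """
    if not parent_ds:
        return "insecure", "no DS at parent: unsigned delegation, answer accepted without validation"
    if not child_keys:
        return "bogus", "got insecure response; parent indicates it should be secure (DS present, child returned no DNSKEY)"
    for ds in parent_ds:
        for key in child_keys:
            if ds.digest_type != 2:
                continue  # only SHA-256 is modelled here
            if (ds.key_tag, ds.algorithm) != (key_tag(key.rdata()), key.algorithm):
                continue
            if make_ds(zone, key).digest == ds.digest:
                return "secure", "DS %d/%d matches a child DNSKEY" % (ds.key_tag, ds.algorithm)
    return "bogus", "DS present but no child DNSKEY matches it: chain broken at the delegation"


def demo() -> dict:
    """Four constructed scenarios, including the one reported in the post."""
    zone = "cod.ed.gov."
    # Constructed key material (not real keys).
    ksk_old = DNSKEY(257, 3, 8, bytes.fromhex("03010001") + bytes(range(1, 65)))
    ksk_new = DNSKEY(257, 3, 8, bytes.fromhex("03010001") + bytes(range(65, 129)))
    ds_at_parent = [make_ds(zone, ksk_old)]
    return {
        "healthy": validate_delegation(zone, ds_at_parent, [ksk_old])[0],
        "page_symptom": validate_delegation(zone, ds_at_parent, [])[0],     # child unsigned, DS still at parent
        "stale_ds": validate_delegation(zone, ds_at_parent, [ksk_new])[0],  # key changed, DS not updated
        "unsigned": validate_delegation(zone, [], [])[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```

To feed it real data rather than the constructed keys, compare the DS set the parent returns (`dig +dnssec DS cod.ed.gov`) with the DNSKEY set the child's listed name servers return (`dig +dnssec DNSKEY cod.ed.gov @ns1.dotsconnecthosting.com`): a DS present at the parent with an empty or non-matching DNSKEY answer from the child is exactly the "bogus" case, and it is the zone owner (or whoever manages the delegation in the parent) who has to either re-sign the child with the published key or withdraw the DS; a validating resolver cannot fix it locally except by temporarily disabling validation for that name.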
