Why DNSSEC errors for bund.de?
Chris Thompson
cet1 at cam.ac.uk
Tue May 24 15:08:21 UTC 2011
On May 24 2011, I wrote:
>We are getting DNSSEC-related SERVFAILs on names in bund.de (e.g.
>mx1.bund.de). This happens with all of BIND 9.7.3-P1, 9.7.4b1 and
>9.8.0-P1 configured with the root and dlv.isc.org trust anchors.
>
>However, I can't see what is actually wrong with it, using dig +cd as
>necessary. All the signatures appear to have valid start/stop times, and
>http://dnsviz.net/d/mx1.bund.de/dnssec/ seems pretty happy with it. There
>are a lot of false trails (e.g. the DS records for it in "de") but that
>shouldn't stop BIND finding the one that works (DLV in dlv.isc.org ->
>KSK with tag 10923 -> ZSK with tag 4814), should it?
>
>It may be significant that this problem was reported to us on the same
>day that obscured DNSKEY records were introduced into the "de" zone...
That seems almost certain to be the precipitating event, in fact.
I can produce the same effect for all 31 zones that are both registered
in dlv.isc.org *and* have a DS record in dlv.isc.org:
adns1.de.
brj-berlin.de.
btw-kinderdorf.de.
buergerhaushalt-marzahn.de.
bund.de.
com.de.
exanames.de.
gun.de.
idkom-networks.de.
ifw-dresden.de.
iks-jena.de.
ipse-online.de.
judo-dresden.de.
ombudschaft.de.
ombudschaft-jugendhilfe.de.
ralf-pulz.de.
reichel-jens.de.
schrimpe.de.
sgfun.de.
sgmail.de.
stadtteilzeitung-nordwest.de.
stefan-gransow.de.
stegranet.de.
steinmuss.de.
unixbuero.de.
verein-kiekin.de.
wartenbergerhof.de.
wikileaks.de.
zrb-kiekin.de.
Among other oddities:
dig +dnssec dnskey [zone] gives the right answer *without* the ad bit
dig +dnssec soa [zone] gives SERVFAIL, unless +cd is used as well.
--
Chris Thompson
Email: cet1 at cam.ac.uk
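The message above traces the chain of trust by hand (DLV record -> KSK with tag 10923 -> ZSK with tag 4814). The following added example, which is not part of the original post, shows how a validator decides which DNSKEY a DS or DLV record actually points to: the RFC 4034 key tag narrows the candidates, and the digest over owner name plus DNSKEY RDATA settles it. DLV records share the DS RDATA format (RFC 4431). The key material and owner name are constructed for illustration, not bund.de's real keys.

```python
"""Match DS/DLV records to DNSKEY records by key tag and digest (RFC 4034, RFC 4431)."""
import hashlib
import struct

def owner_to_wire(name):
    """Canonical (lower-case) wire-format owner name, e.g. 'bund.de.' -> b'\\x04bund\\x02de\\x00'."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Assemble DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

def make_ds(owner, rdata, digest_type=2):
    """Build the (key tag, algorithm, digest type, digest) tuple a DS or DLV record carries."""
    digest = DIGESTS[digest_type](owner_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def find_matching_key(ds, owner, dnskeys):
    """Return the DNSKEY RDATA that ds points to, or None if no key in the set matches.

    A matching key tag alone is not sufficient: tags can collide, so the digest over the
    owner name and the DNSKEY RDATA must match too. A DS published under the wrong owner
    name therefore never matches, which is one way a chain can silently fail.
    """
    tag, alg, dtype, digest = ds
    for rdata in dnskeys:
        if key_tag(rdata) != tag or rdata[3] != alg:
            continue
        if DIGESTS[dtype](owner_to_wire(owner) + rdata).digest() == digest:
            return rdata
    return None

# Constructed sample keys: a KSK (flags 257) and a ZSK (flags 256), algorithm 8 (RSA/SHA-256),
# with toy public-key bytes rather than real RSA material.
KSK = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
ZSK = dnskey_rdata(256, 3, 8, b"\x0a\x0b\x0c\x0d")

if __name__ == "__main__":
    ds = make_ds("bund.de.", KSK)
    print("KSK tag", key_tag(KSK), "ZSK tag", key_tag(ZSK))
    print("DS points at KSK:", find_matching_key(ds, "bund.de.", [ZSK, KSK]) == KSK)
```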