DNSSEC SERVFAIL when parent zone has no DS record

Sergio Charpinel Jr. sergiocharpinel at gmail.com
Wed Oct 5 12:21:55 UTC 2011


After suplying DS and the respective NS record for subdomain in the
parent zone (domain.com), it works. If I disable dnssec in my
recursive server, it also works.
So, if a zone is not signed properly (or doesnt have DS records) the
query will fail? Isn't it better to query  those misconfigured servers
without DNSSEC, just like it does when the zone is not signed?

And what about the second case, when I query www.subdomain.domain.com
. If I run two queries, the first fail with the same error, but the
second works (I think the second comes from cache).

How can I provide more data for diagnose??


2011/10/5 Marc Lampo <marc.lampo at eurid.eu>:
> Hello,
> You do not provide sufficient data for diagnose !
> But it seems to me that bind is not complaining about the DS of
> subdomain.domain.com.
> but rather about a
> "missing RRSIG for a NSEC when fetching DS of domain.com."
> Admittingly, logmessages could be somewhat more userfriendly,
> but I'd check if domain.com. itself is properly signed.
> Kind regards,
> Marc Lampo
> -----Original Message-----
> From: Sergio Charpinel Jr. [mailto:sergiocharpinel at gmail.com]
> Sent: 05 October 2011 01:57 PM
> To: bind-users at lists.isc.org
> Subject: DNSSEC SERVFAIL when parent zone has no DS record
> Hi,
> Dig  returns SERVFAIL while trying to resolve a dnssec enabled zone
> without DS record in parent zone. For example, I have these two DNSSEC
> enabled zones:
> domain.com
> subdomain.domain.com
> domain.com zone has NO DS record for subdomain.domain.com zone, and
> subdomain.domain.com has an A record for the zone, and an A record for
> www .
> If I query subdomain.domain.com , I get SERVFAIL from dig and these
> log messages:
> 03-Oct-2011 11:03:07.893   validating @0x7f9ea305b2d0: domain.com SOA:
> no valid signature found
> 03-Oct-2011 11:03:07.894 createfetch: domain.com DS
> 03-Oct-2011 11:03:07.894   validating @0x7f9ea305df70: domain.com
> NSEC: no valid signature found
> 03-Oct-2011 11:03:07.895 createfetch: domain.com DS
> 03-Oct-2011 11:03:07.896 error (broken trust chain) resolving
> 'subdomain.domain.com/DNSKEY/IN': x.x.x.x#53
> 03-Oct-2011 11:03:07.896 error (broken trust chain) resolving
> 'subdomain.domain.com/A/IN': x.x.x.x#53
> If I run the query again, I get NXDOMAIN (from cache). So I can't
> query subdomain.domain.com zone.
> Now, if I query www.subdomain.domain.com I get the same, but when I
> run the query again I get a valid answer (from cache).
> I know the DS is not configured properly and so DNSSEC shouldn't work,
> but bind shouldn't behave like this. If the zone is not configured
> properly, bind should query it anyway, the same way it does when the
> zone isn't signed.
> I didn't find any related bugs. Is this a known bug?
> Btw, I'm using bind 9.7.3 from debian 6.0.2.
> Thanks.
> --
> Sergio Roberto Charpinel Jr.

Sergio Roberto Charpinel Jr.

More information about the bind-users mailing list