Casey Deccio casey at deccio.net
Thu Apr 19 14:35:39 UTC 2012

On Thu, Apr 19, 2012 at 5:59 AM, Chris Thompson <cet1 at cam.ac.uk> wrote:

> On Apr 19 2012, Richard Laager wrote:
>> Are others timing out trying to resolve www.glb.hud.gov? This seems
>> (though I haven't done extensive testing) to only happen to me with
>> BIND.
>> http://dnsviz.net/d/www.glb.hud.gov/dnssec/ shows a couple of DNSKEY
>> warnings, so maybe that's it. I always suspect DNSSEC when I have
>> problems with .gov domains, but I commented out "dnssec-enable yes" in
>> my named.conf and it didn't help.
> There is no DS record in the parent zone, so the zone contents could
> not be validated anyway.
Yes, but there's a difference between "could not be validated", meaning
there is no chain of trust extending to glb.hud.gov (the hud.gov zone
securely proves that the trust does not extend to glb.hud.gov) and "could
not be validated", meaning there should be a chain, but the necessary
DNSKEYs and RRSIGs are not available to validate it.  The first should
yield an insecure (i.e., unauthenticated) response, the second SERVFAIL.
BIND gets hung up on the fact that the DNSKEY RRset for glb.hud.gov cannot
be retrieved to validate the RRSIGs covering glb.hud.gov names and returns
SERVFAIL, even though technically it should simply return an insecure
response.  Note that unbound responds appropriately:

$ dig +dnssec @localhost www.glb.hud.gov

; <<>> DiG 9.7.3 <<>> +dnssec @localhost www.glb.hud.gov
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61547
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags: do; udp: 4096
;www.glb.hud.gov. IN A

www.glb.hud.gov. 30 IN A
www.glb.hud.gov. 30 IN RRSIG A 7 4 30 20120425192819 20120418192819 18872
glb.hud.gov. qeuaykqCRmDoJ/b7+MayUC4LB5GCoJ00931CS8w+Ta6tuT/qv3dGsR1i
nPr3D+JGre46lvsi62ibhCfS82gfuNLg+028D6EasnWiQgcG70ONI2yU a+w=
www.glb.hud.gov. 30 IN RRSIG A 7 4 30 20120424171101 20120417171101 27647
glb.hud.gov. kVWQcOoRa2BPK+K4mMQQ+SsFKk2F6F2euVS2xrzlKyYMmOHytouRq6LK
Y/hDCcbfO5DsVEmJ/HuEg9vlQ65inWB2xpLul0FOXC7xLn7ch/h8A8Jv UfQ=

;; Query time: 85 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Apr 19 07:34:06 2012
;; MSG SIZE  rcvd: 402
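The distinction drawn above (an authenticated proof that no DS exists ends the chain of trust and yields an insecure answer, whereas a missing DNSKEY under an existing DS is bogus) can be modelled as a small decision function. This is an added, constructed model of the two resolver behaviours described in the message, not BIND's or Unbound's actual code; the Observation fields and the GLB_HUD_GOV sample are assumptions built from the thread.

```python
from dataclasses import dataclass

# Constructed model of the validator decision discussed in the thread
# (RFC 4033/4035 security states); not BIND's or Unbound's real code.

@dataclass(frozen=True)
class Observation:
    ds_in_parent: bool          # parent returned a DS RRset for the child
    ds_denial_validated: bool   # absence of DS proven by a signed NSEC/NSEC3
    dnskey_retrieved: bool      # child's DNSKEY RRset could be fetched
    rrsigs_present: bool        # answer carried RRSIG records
    rrsigs_verify: bool         # those RRSIGs verified against a trusted DNSKEY

def ds_first_state(o: Observation) -> str:
    """Walk the chain from the parent downward (the behaviour the post
    credits to Unbound): a validated proof that no DS exists ends the
    chain, so the child's own signatures are never required."""
    if not o.ds_in_parent:
        return "insecure" if o.ds_denial_validated else "bogus"
    if not o.dnskey_retrieved:
        return "bogus"
    return "secure" if o.rrsigs_verify else "bogus"

def signature_first_state(o: Observation) -> str:
    """Model of the failure the post attributes to BIND: once RRSIGs are
    seen in the answer it insists on fetching the signing DNSKEY and
    treats an unreachable DNSKEY as a validation failure."""
    if o.rrsigs_present and not o.dnskey_retrieved:
        return "bogus"
    return ds_first_state(o)

def response_for(state: str) -> dict:
    """Map a security state to what the stub sees: RCODE and the AD bit."""
    if state == "bogus":
        return {"rcode": "SERVFAIL", "ad": False}
    return {"rcode": "NOERROR", "ad": state == "secure"}

# Constructed observation matching the thread: hud.gov has no DS for
# glb.hud.gov (denial validated), yet glb.hud.gov answers with RRSIGs
# whose DNSKEY cannot be retrieved.
GLB_HUD_GOV = Observation(ds_in_parent=False, ds_denial_validated=True,
                          dnskey_retrieved=False, rrsigs_present=True,
                          rrsigs_verify=False)

if __name__ == "__main__":
    for name, fn in (("ds-first", ds_first_state),
                     ("signature-first", signature_first_state)):
        state = fn(GLB_HUD_GOV)
        print(f"{name:16} -> {state:8} {response_for(state)}")
```

The ds-first path reproduces the dig output above: NOERROR with no AD flag, which is exactly an insecure (unauthenticated) answer.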
