www.glb.hud.gov

Casey Deccio casey at deccio.net
Thu Apr 19 14:35:39 UTC 2012


On Thu, Apr 19, 2012 at 5:59 AM, Chris Thompson <cet1 at cam.ac.uk> wrote:

> On Apr 19 2012, Richard Laager wrote:
>
>> Are others timing out trying to resolve www.glb.hud.gov? This seems
>> (though I haven't done extensive testing) to only happen to me with
>> BIND.
>>
>> http://dnsviz.net/d/www.glb.hud.gov/dnssec/ shows a couple of DNSKEY
>> warnings, so maybe that's it. I always suspect DNSSEC when I have
>> problems with .gov domains, but I commented out "dnssec-enable yes" in
>> my named.conf and it didn't help.
>
> There is no DS record in the parent zone, so the zone contents could
> not be validated anyway.

Yes, but there's a difference between "could not be validated", meaning
there is no chain of trust extending to glb.hud.gov (the hud.gov zone
securely proves that the trust does not extend to glb.hud.gov) and "could
not be validated", meaning there should be a chain, but the necessary
DNSKEYs and RRSIGs are not available to validate it.  The first should
yield an insecure (i.e., unauthenticated) response, the second SERVFAIL.
BIND gets hung up on the fact that the DNSKEY RRset for glb.hud.gov cannot
be retrieved to validate the RRSIGs covering glb.hud.gov names and returns
SERVFAIL, even though technically it should simply return an insecure
response.  Note that unbound responds appropriately:

$ dig +dnssec @localhost www.glb.hud.gov

; <<>> DiG 9.7.3 <<>> +dnssec @localhost www.glb.hud.gov
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61547
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.glb.hud.gov. IN A

;; ANSWER SECTION:
www.glb.hud.gov. 30 IN A 170.97.67.13
www.glb.hud.gov. 30 IN RRSIG A 7 4 30 20120425192819 20120418192819 18872
glb.hud.gov. qeuaykqCRmDoJ/b7+MayUC4LB5GCoJ00931CS8w+Ta6tuT/qv3dGsR1i
NVP5Xh5x/kJVyM6M3red1b2e4zrw930xe5gegPxGyWZqT8CVF7clouOJ
nPr3D+JGre46lvsi62ibhCfS82gfuNLg+028D6EasnWiQgcG70ONI2yU a+w=
www.glb.hud.gov. 30 IN RRSIG A 7 4 30 20120424171101 20120417171101 27647
glb.hud.gov. kVWQcOoRa2BPK+K4mMQQ+SsFKk2F6F2euVS2xrzlKyYMmOHytouRq6LK
En8edmPbm5iYDGnW/Hc7jPLQgqpRYVxkdjKTvjYNf+yjqBK1aBblVZ4b
Y/hDCcbfO5DsVEmJ/HuEg9vlQ65inWB2xpLul0FOXC7xLn7ch/h8A8Jv UfQ=

;; Query time: 85 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Apr 19 07:34:06 2012
;; MSG SIZE  rcvd: 402

Casey
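The decision Casey describes, written out as an added example (this is not code from the thread, from BIND or from unbound): a small model of the RFC 4035 section 5 choice a validator makes at a delegation, together with the RFC 4034 key-tag and DS-digest helpers one uses to match the key tags carried in RRSIGs (18872 and 27647 above) against a DNSKEY RRset once it can be fetched. The ParentDSResponse class, the function names and the DNSKEY bytes are assumptions made for the example; the key bytes are constructed and are not glb.hud.gov's real key. The model assumes any DS present uses an algorithm the validator supports.

```python
"""Added example (not from the thread, BIND, or unbound): a model of the
RFC 4035 section 5 decision a validator makes at a delegation, plus the
RFC 4034 key-tag and DS-digest helpers used to match RRSIGs to DNSKEYs."""
import hashlib
from dataclasses import dataclass


@dataclass
class ParentDSResponse:
    """What the validator learned from the parent (here hud.gov) about DS.

    ds_records:    DS RRs that validated under the parent's DNSKEY.
    denial_proven: True if a validated NSEC/NSEC3 proves no DS exists.
    parent_valid:  False if the parent's own RRSIGs failed to validate.
    """
    ds_records: tuple = ()
    denial_proven: bool = False
    parent_valid: bool = True


def delegation_status(parent: ParentDSResponse) -> str:
    """Classify the delegation as 'secure', 'insecure', or 'bogus'."""
    if not parent.parent_valid:
        return "bogus"
    if parent.ds_records:
        return "secure"      # chain of trust continues into the child
    if parent.denial_proven:
        return "insecure"    # parent securely proves the chain stops here
    return "bogus"           # no DS and no proof of its absence


def resolve_outcome(parent: ParentDSResponse,
                    child_dnskey_reachable: bool,
                    child_rrsig_valid: bool) -> tuple:
    """Return the (security state, rcode) a validator should hand back.

    Once the parent proves there is no DS, the child's RRSIGs and DNSKEYs
    are irrelevant: an unreachable DNSKEY RRset must not turn an insecure
    answer into SERVFAIL."""
    status = delegation_status(parent)
    if status == "insecure":
        return ("insecure", "NOERROR")   # answer returned without AD
    if status == "bogus":
        return ("bogus", "SERVFAIL")
    # Secure delegation: the DNSKEY RRset is now required to check RRSIGs.
    if not child_dnskey_reachable or not child_rrsig_valid:
        return ("bogus", "SERVFAIL")
    return ("secure", "NOERROR")         # AD bit set


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, RFC 4034 s.6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire form (RFC 4034 s.2.1)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag; this is the number an RRSIG carries."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2: SHA-256 over owner name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()


def rrsig_tags_covered(rrsig_key_tags, dnskey_rdatas) -> dict:
    """Map each RRSIG key tag to whether some DNSKEY in the set carries it."""
    tags = {key_tag(r) for r in dnskey_rdatas}
    return {t: (t in tags) for t in rrsig_key_tags}


# Constructed DNSKEY: KSK flags 257, protocol 3, algorithm 7 (as in the
# thread's RRSIGs); the public-key bytes are made up, not glb.hud.gov's key.
EXAMPLE_KEY = dnskey_rdata(257, 3, 7, bytes([1, 2, 3, 4]))

if __name__ == "__main__":
    # The thread's situation: hud.gov proves no DS for glb.hud.gov and the
    # glb.hud.gov DNSKEY RRset cannot be fetched.
    print(resolve_outcome(ParentDSResponse(denial_proven=True), False, False))
    print(key_tag(EXAMPLE_KEY), ds_digest_sha256("glb.hud.gov.", EXAMPLE_KEY).hex())
    print(rrsig_tags_covered([18872, 27647], [EXAMPLE_KEY]))
```

With the parent's proof of no DS, resolve_outcome returns the insecure NOERROR that unbound gave above regardless of whether the child's DNSKEY RRset is reachable; only a secure delegation (DS present) makes the DNSKEY fetch mandatory and an unreachable RRset a SERVFAIL.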