DNSSEC troubles (no valid NSEC) ?

Frantisek Hanzlik franta at hanzlici.cz
Wed Jul 25 17:07:15 UTC 2012

I solve problem with delivering mail to address  "XY at br.ds.mfcr.cz".
MTA obviously isn't able resolve MX records for this domain.
"dig @localhost -t MX br.ds.mfcr.cz" ends with SERVFAIL error:

; <<>> DiG 9.7.4-P1-RedHat-9.7.4-2.P1.fc14 <<>> @localhost -t MX br.ds.mfcr.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 43325
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;br.ds.mfcr.cz.			IN	MX

;; Query time: 4219 msec
;; WHEN: Wed Jul 25 15:51:56 2012
;; MSG SIZE  rcvd: 31

and in BIND (v9.7.4 i686) log are after this query three records:

error (no valid NSEC) resolving 'br.ds.mfcr.cz/MX/IN':
error (no valid NSEC) resolving 'br.ds.mfcr.cz/MX/IN':
error (no valid NSEC) resolving 'br.ds.mfcr.cz/MX/IN':

I tried find some info about this error message, but without luck.
Problem will be perhaps something with DNSSEC. What is interesting,
BIND v9.9.1, essentially with the same configuration (relevant
"options" paragraph part of named.conf is in both:

        allow-query { localhost; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
queried MX records solve without problems.
It is older version BIND problem?
Or it is fault at DNS server (ns1.mfcr.cz) site?
Is possible solve this issue with some BIND configuration changes
(but keeping DNSSEC validation)?
Is there some tool for a DNSSEC domain records validation?

Thanks in advance, Franta

More information about the bind-users mailing list