DNSSEC troubleshooting on a recursive server.

Ryan Pavely paradox at nac.net
Wed Aug 7 00:27:16 UTC 2013 

I haven't had a chance to sit down an fully investigate however a few 
weeks ago I was forced to disable dnssec on the nac.net zone.  We use 
inline signing and for whatever reason our secondary (ns2) machine was 
giving out stale copies of the zone.  Nuking the zone and related files, 
restarting named, nothing.  It was getting it's answers from god knows 
where.

I've been meaning to tear it apart and post here.

So not much help, but I just recently had a similar issue.


   Ryan Pavely
    Net Access Corporation
    http://www.nac.net/

On 8/6/2013 7:09 PM, Grant Keller wrote:
> Hello,
>
> We have 7 recursive DNS servers running Bind 9.9.2, and we are seeing
> some strange behavoir validating DNSSEC. We have seen this happen a few
> times, and in the past the problem has gone away when the server is
> rebooted, so my first guess is that some record is stuck in the cache.
> An example from one of the servers in question:
>
> # dig a zygo.com @pdns02.domaincontrol.com +nocomments
>
> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> a zygo.com
> @pdns02.domaincontrol.com +nocomments
> ;; global options: +cmd
> ;zygo.com.            IN    A
> zygo.com.        86400    IN    A    50.28.48.60
> zygo.com.        3600    IN    NS    pdns01.domaincontrol.com.
> zygo.com.        3600    IN    NS    pdns02.domaincontrol.com.
> ;; Query time: 83 msec
> ;; SERVER: 208.109.255.50#53(208.109.255.50)
> ;; WHEN: Tue Aug  6 16:04:26 2013
> ;; MSG SIZE  rcvd: 98
>
> # dig rrsig zygo.com @pdns02.domaincontrol.com +nocomments
>
> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> rrsig zygo.com
> @pdns02.domaincontrol.com +nocomments
> ;; global options: +cmd
> ;zygo.com.            IN    RRSIG
> zygo.com.        86400    IN    RRSIG    A 7 2 86400 20130812183056
> 20130728183056 19712 zygo.com.
> FbuZDfcptJtbOCxsCV+U3uQA+ETkrvhKAJrpVhlVMAGrYhgFBHWTvsgK
> 8ZY9DP7Chr8rXF8BXjr0zh06Fi62RJQiRuytFLN117kqJjXe4g/5q4l3
> O9XsuF2WeDj3TudMeqcb6hxGstly34gfec/RZdktlogmJTSu5+t3BdwP myU=
> zygo.com.        3600    IN    RRSIG    NS 7 2 3600 20130812183056
> 20130728183056 19712 zygo.com.
> YTqpH1q+wSZCUGhjw0qKWRBGSARInipMqUEOg0IaM49rgSSynYPDDt01
> 7XOCpOnlZXSuiGv42yac/b3Se4gGHOfdyOHRncjiSmwL5vYlVhCBqUS3
> qgPSnqYonqC7uxaVg7tQm0ErZpWFJiMMdHfs/HpLTKq5tnZfHflCkhWj si4=
> zygo.com.        3600    IN    RRSIG    SOA 7 2 3600 20130812183056
> 20130728183056 19712 zygo.com.
> XDFuwBva0CzYYyXJIWI7HWWrFgK2GrhhOqb/fxtvDA7623WEb5DkROHg
> nx1cfI7w585MU3R0P2ZmrAXKULMFaZ0i24WvWa+hZf/GpBaO9wYGm1oS
> jWnUXpxNT15G/XXB91rVS0kCU4vEdLkVCXgh3k63QB+Drs0gfrPHjeSj Co8=
> zygo.com.        86400    IN    RRSIG    MX 7 2 86400 20130812183056
> 20130728183056 19712 zygo.com.
> dsRwujkNkm2P/lgBf9CfF5d1qzgaFYrQob5RDEXLYQkA2BkYd26yakQF
> xb8doXp1q3AxxlQ8yZpyUUGZmT13Aw/IBm8hFMdy+PmSxDGqoveUeah9
> dh3abPVrWlP+jbcLXVX9r5Lg5yVxXFAqplfmPj8fuupFJSkOEfMMB6P0 iMw=
> zygo.com.        86400    IN    RRSIG    TXT 7 2 86400 20130812183056
> 20130728183056 19712 zygo.com.
> LV05eG+KKxv1dLUvKL3xddiEtKuQ+gOM5dPFfAn6Qpzt+xg13E0rLvwR
> wV3w9Ol10r2cbGZr5leQciXHNoJtRKo8gNuMdxOFu/F+vu3zZZDYvR2I
> CrWrO5Acm7oVORllTs0gEIvYzXkmJErFEnwlc6uXENZlVEt08drmq0Lq 8nc=
> zygo.com.        3600    IN    RRSIG    DNSKEY 7 2 3600 20130812183056
> 20130728183056 54396 zygo.com.
> iZ5qg7HIuCb7N/0SCPPj0JRiNWBYLc8DupV2VSfjhv12fiqMvaLimDb+
> xYaxFGaHzNySM6rgDfZf1sod5iCwaTUVXDwru/zgDoDv2PV5xYUZ0U9v
> ubgiACKmJAE+uPe2CI5ECaLX6fzuKP5hrBIurk33jt0znauogIPyzpOP
> y9woc4tSxlmllFWJcO6PUU0ZBrHESepxll+v7St9aMVCiGe8g22O8NPn
> 3JKazq8OHQPptGAY0TnqU0oZoDIiYY1oEscTGr2hOWdAh9Kz95rMRtfq
> 4L6aP63MnEIbYPUzzTbMiQqfZJkJshwfttnRTxlcZ+7/WDYl2YJVIR+S RtYsYA==
> zygo.com.        3600    IN    RRSIG    NSEC3PARAM 7 2 3600
> 20130812183056 20130728183056 19712 zygo.com.
> Zt+Bak9VK/apMNCXmPxUdYtIdKJtVo5IwMtnuYv8SgZMOPZIvl2ROD1y
> Ra48JWEeQ3vMErRt0BsJPwl4Y3a6auM6tZMxhG+Ja6ZWoL2IaMcgGpct
> CW9Pl8hUIykRcL4QfzyPlQM6o8ZwSuhAAPw2+7N9dvhSWzPT6IKq9B2T DQQ=
> zygo.com.        3600    IN    NS    pdns01.domaincontrol.com.
> zygo.com.        3600    IN    NS    pdns02.domaincontrol.com.
> ;; Query time: 83 msec
> ;; SERVER: 208.109.255.50#53(208.109.255.50)
> ;; WHEN: Tue Aug  6 16:05:13 2013
> ;; MSG SIZE  rcvd: 1386
>
> That is the correct answer from the auth name server. When I query the
> local server, I get this:
>
> # dig a zygo.com @127.0.0.1 +nocomments
>
> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> a zygo.com
> @127.0.0.1 +nocomments
> ;; global options: +cmd
> ;zygo.com.            IN    A
> ;; Query time: 162 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Aug  6 16:06:10 2013
> ;; MSG SIZE  rcvd: 26
>
> # dig rrsig zygo.com @127.0.0.1 +nocomments
>
> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> rrsig zygo.com
> @127.0.0.1 +nocomments
> ;; global options: +cmd
> ;zygo.com.            IN    RRSIG
> zygo.com.        5    IN    RRSIG    DS 8 2 86400 20130811043747
> 20130804032747 8795 com.
> cKYDb9z9EcoVHk4AWohaECz7LwphvX+LGqinfh2H6ZeWz6oWWFMGs8Pc
> ZAYwh63e7+czbwhfy1LALwBKVRh9ijyg43NW0Ag7ZamQ56yc5k27UiuR
> x9skNeOLe+CDpfYM9LwbEnPKG2bJhAXAZ9lZEPT/seB5ID23HBwy9jfy wig=
> zygo.com.        153315    IN    NS    pdns02.domaincontrol.com.
> zygo.com.        153315    IN    NS    pdns01.domaincontrol.com.
> pdns01.domaincontrol.com. 4258    IN    A    216.69.185.50
> pdns01.domaincontrol.com. 6156    IN    AAAA    2607:f208:207::32
> pdns02.domaincontrol.com. 43034    IN    A    208.109.255.50
> pdns02.domaincontrol.com. 3041    IN    AAAA    2607:f208:303::32
> ;; Query time: 80 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Aug  6 16:06:41 2013
> ;; MSG SIZE  rcvd: 333
>
> The thing that really confuses me is that the ttl on the RRSIG DS record
> has been stuck at 5 for about a day now. I tried doing a rndc flushname
> zygo.com, which did not help. What else can I do to troubleshoot this,
> and if it is a cache problem, what can I do to clear the records? Thanks.
>
>
>

More information about the bind-users mailing list