DNSSEC troubleshooting on a recursive server.

Mark Andrews marka at isc.org
Thu Aug 8 01:17:39 UTC 2013


> > In any event, as Mark has suggested, you don't want to dig the RRSIG
> > yourself. Rather, use:
> >
> > dig +dnssec zygo.com a
> >
> > ...and if you get a SERVFAIL:
> >
> > dig +dnssec +cd zygo.com a
> dig +dnssec +cd zygo.com a resolved the domain.

"RESOLVED THE DOMAIN" is not !@#$#!$!@#!$@#$%@#! enough for anyone
to help you.  WE NEED TO SEE WHAT YOU ARE SEEING.

Mark


> I have started to get other reports of domains with the same problem.
> The same nameservers are having validation issues with these, and all
> the domains use pdns01.domaincontrol.com and pdns02.domaincontrol.com.
> as auth name servers. I guess this points to a problem somewhere in the
> trust chain, but I can't figure out where.
> 
> # dig a zygo.com  +sigchase +trusted-key=root.keys +multiline +qr
> 
> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> a zygo.com +sigchase
> +trusted-key=root.keys +multiline +qr
> ;; global options: +cmd
> ;; Sending:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21316
> ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;zygo.com.        IN A
> 
> ;; NO ANSWERS: no more
> We want to prove the non-existence of a type of rdata 1 or of the zone:
> ;; nothing in authority section : impossible to validate the
> non-existence : FAILED
> 
> ;; Impossible to verify the Non-existence, the NSEC RRset can't be
> validated: FAILED
> 
> 
> If I add +topdown then it succeeds.
> 
> -- 
> Grant Keller
> Sonic.net System Operations
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
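
The two-step check quoted above (query with +dnssec, then repeat with +cd on SERVFAIL), as an added example that is not part of the original thread: a POSIX shell script that reads the status and flags from both dig outputs and reports whether the failure is a validation failure. The function names, result labels and sample header lines are constructed for illustration; given a domain argument it runs dig and prints both complete outputs.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies the pair of dig runs quoted above.

# RCODE from dig's ";; ->>HEADER<<-" line (first header only).
dig_status() {
    printf '%s\n' "$1" |
        sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z0-9]*\),.*/\1/p' | head -n 1
}

# True if the first ";; flags:" header line carries flag $2 (ad, cd, ...).
dig_has_flag() {
    printf '%s\n' "$1" |
        sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1 | grep -qw "$2"
}

# $1: output of "dig +dnssec NAME a"   $2: output of "dig +dnssec +cd NAME a"
classify() {
    plain=$(dig_status "$1")
    with_cd=$(dig_status "$2")
    if [ "$plain" = "SERVFAIL" ] &&
        { [ "$with_cd" = "NOERROR" ] || [ "$with_cd" = "NXDOMAIN" ]; }; then
        echo "validation-failure"     # data is reachable; validation rejects it
    elif [ "$plain" = "SERVFAIL" ]; then
        echo "resolution-failure"     # still failing with checking disabled
    elif [ "$plain" = "NOERROR" ] && dig_has_flag "$1" ad; then
        echo "validated"              # resolver set the AD flag
    elif [ "$plain" = "NOERROR" ]; then
        echo "answered-unvalidated"   # no AD: insecure zone or no validation
    else
        echo "other:$plain"
    fi
}

# Constructed header lines (not captured from the servers in the thread).
SAMPLE_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

if [ -n "${1:-}" ]; then
    # Live mode: print both complete outputs so they can be posted unedited.
    plain_out=$(dig +dnssec "$1" a)
    cd_out=$(dig +dnssec +cd "$1" a)
    printf '%s\n\n%s\n\n' "$plain_out" "$cd_out"
    echo "result: $(classify "$plain_out" "$cd_out")"
else
    echo "constructed sample: $(classify "$SAMPLE_PLAIN" "$SAMPLE_CD")"
fi
```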

