DNSSEC troubleshooting on a recursive server.
Mark Andrews
marka at isc.org
Thu Aug 8 01:17:39 UTC 2013
> > In any event, as Mark has suggested, you don't want to dig the RRSIG
> > yourself. Rather, use:
> >
> > dig +dnssec zygo.com a
> >
> > ...and if you get a SERVFAIL:
> >
> > dig +dnssec +cd zygo.com a
> dig +dnssec +cd zygo.com a resolved the domain.
"RESOLVED THE DOMAIN" is not !@#$#!$!@#!$@#$%@#! enough for anyone
to help you. WE NEED TO SEE WHAT YOU ARE SEEING.
Mark
> I have started to get other reports of domains with the same problem.
> The same nameservers are having validation issues with these, and all
> the domains use pdns01.domaincontrol.com and pdns02.domaincontrol.com.
> as auth name servers. I guess this points to a problem somewhere in the
> trust chain, but I can't figure out where.
>
> # dig a zygo.com +sigchase +trusted-key=root.keys +multiline +qr
>
> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> a zygo.com +sigchase
> +trusted-key=root.keys +multiline +qr
> ;; global options: +cmd
> ;; Sending:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21316
> ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;zygo.com. IN A
>
> ;; NO ANSWERS: no more
> We want to prove the non-existence of a type of rdata 1 or of the zone:
> ;; nothing in authority section : impossible to validate the
> non-existence : FAILED
>
> ;; Impossible to verify the Non-existence, the NSEC RRset can't be
> validated: FAILED
>
>
> If I add +topdown then it succeeds.
>
> --
> Grant Keller
> Sonic.net System Operations
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
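The two-step check quoted at the top of the thread (query with +dnssec, then again with +dnssec +cd and compare) as an added shell example that is not part of the original thread; it assumes dig is on PATH and that the system's default resolver is the recursive server being tested (only live_check touches the network).

```shell
#!/bin/sh
# Added example, not code from the thread: turn the "+dnssec, then +dnssec +cd"
# procedure into a repeatable check. Assumes dig is on PATH and that the default
# resolver is the recursive server under test (live_check only).

# Status (NOERROR, SERVFAIL, ...) from the ->>HEADER<<- line of dig output.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# "yes" if the flags line carries the ad (authenticated data) bit, else "no".
dig_ad() {
    if printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | tr ' ' '\n' | grep -qx ad; then
        echo yes
    else
        echo no
    fi
}

# classify STATUS_PLAIN STATUS_CD AD_PLAIN
#   ok-validated        answer with ad set: the resolver validated the chain
#   ok-unvalidated      answer without ad: zone unsigned or resolver not validating
#   validation-failure  SERVFAIL until checking is disabled: the resolver's own
#                       validation fails, so the chain of trust is where to look
#   upstream-failure    SERVFAIL even with +cd: authoritative or network problem
classify() {
    case "$1/$2/$3" in
        NOERROR/*/yes)       echo ok-validated ;;
        NOERROR/*/no)        echo ok-unvalidated ;;
        SERVFAIL/NOERROR/*)  echo validation-failure ;;
        SERVFAIL/SERVFAIL/*) echo upstream-failure ;;
        *)                   echo "other:$1/$2" ;;
    esac
}

# Run both queries against the default resolver and classify the outcome.
live_check() {
    plain=$(dig +dnssec "$1" a)
    with_cd=$(dig +dnssec +cd "$1" a)
    classify "$(dig_status "$plain")" "$(dig_status "$with_cd")" "$(dig_ad "$plain")"
}

# Constructed sample headers (not captured from the thread's server) so the
# parsing helpers can be exercised without network access.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
```

A "validation-failure" result is the case the thread is about: the data resolves once checking is disabled, so the full dig output of both queries (not just the status) is what the list needs to see.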