DNSSEC troubleshooting on a recursive server.

Mark Andrews marka at isc.org
Thu Aug 8 21:20:28 UTC 2013


In message <5203CA6C.9000406 at corp.sonic.net>, Grant Keller writes:
> On 08/08/2013 09:34 AM, Phil Mayers wrote:
> > On 08/08/13 17:22, Grant Keller wrote:
> >
> >> It's strange, I get the records when querying one of my other DNS
> >> servers:
> >
> > As per my original email - firewall? middlebox? crazy ISP transparent
> > caching DNS server?
> >
> > I would break out tcpdump; clear the cache on the affected server,
> > re-do the dig, then trawl through the tcpdump looking for the relevant
> > queries and replies. Prove to yourself whether the RRSIGs are arriving
> > at the "broken" DNS server. If so, go on from there. If not, harass
> > your network/security team or upstream ;o)
> >
> 
> I don't think it is anything upstream. As a test, I flushed the cache on
> one of the affected servers, and now it is validating successfully:

Upgrade: BIND 9.9.2 -> BIND 9.9.3-P2.  There is a bug in another
vendor's DNSSEC implementation that tickles this bug.  The other
vendor has shipped a fix for that bug.

3376.  [bug]           Lack of EDNS support was being recorded without a
                       successful response. [RT #30811]

> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> +dnssec zygo.com a
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58342
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;zygo.com.            IN    A
> 
> ;; ANSWER SECTION:
> zygo.com.        86400    IN    A    50.28.48.60
> zygo.com.        86400    IN    RRSIG    A 7 2 86400 20130812183056
> 20130728183056 19712 zygo.com.
> FbuZDfcptJtbOCxsCV+U3uQA+ETkrvhKAJrpVhlVMAGrYhgFBHWTvsgK
> 8ZY9DP7Chr8rXF8BXjr0zh06Fi62RJQiRuytFLN117kqJjXe4g/5q4l3
> O9XsuF2WeDj3TudMeqcb6hxGstly34gfec/RZdktlogmJTSu5+t3BdwP myU=
> 
> ;; AUTHORITY SECTION:
> zygo.com.        3600    IN    NS    pdns02.domaincontrol.com.
> zygo.com.        3600    IN    NS    pdns01.domaincontrol.com.
> zygo.com.        3600    IN    RRSIG    NS 7 2 3600 20130812183056
> 20130728183056 19712 zygo.com.
> YTqpH1q+wSZCUGhjw0qKWRBGSARInipMqUEOg0IaM49rgSSynYPDDt01
> 7XOCpOnlZXSuiGv42yac/b3Se4gGHOfdyOHRncjiSmwL5vYlVhCBqUS3
> qgPSnqYonqC7uxaVg7tQm0ErZpWFJiMMdHfs/HpLTKq5tnZfHflCkhWj si4=
> 
> ;; ADDITIONAL SECTION:
> pdns01.domaincontrol.com. 172786 IN    A    216.69.185.50
> pdns02.domaincontrol.com. 172786 IN    A    208.109.255.50
> 
> ;; Query time: 23 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu Aug  8 09:38:24 2013
> ;; MSG SIZE  rcvd: 477
> 
> 
> I still have a few more servers that are affected, and I would prefer to
> not flush the cache on all of them.
> 
> -- 
> Grant Keller
> Sonic.net System Operations
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
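Added example, not code from the thread or from ISC: a small Python checker that scans a `dig +dnssec` transcript for the symptom Grant describes (no `ad` flag, or an ANSWER RRset with no covering RRSIG), coping with the wrapped RRSIG lines dig prints. The two transcripts are constructed, modelled on the one quoted above with the signature data shortened.

```python
"""Added example (not from the thread): scan a `dig +dnssec` transcript for
the symptom discussed here, an answer lacking the `ad` flag or RRSIGs."""
import re

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s*(.*)$")  # owner ttl IN type rdata

# Constructed samples modelled on Grant's transcript; signature data shortened.
VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58342
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;zygo.com.            IN    A

;; ANSWER SECTION:
zygo.com.        86400    IN    A    50.28.48.60
zygo.com.        86400    IN    RRSIG    A 7 2 86400 20130812183056
20130728183056 19712 zygo.com.
FbuZDfcptJtbOCxsCV+U3uQA+ETkrvhKAJrpVhlVMAGrYhgFBHWTvsgK myU=

;; AUTHORITY SECTION:
zygo.com.        3600    IN    NS    pdns01.domaincontrol.com.
"""
UNVALIDATED = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; ANSWER SECTION:
zygo.com.        86400    IN    A    50.28.48.60
"""

def check_dnssec(transcript):
    """Return {'ad': bool, 'unsigned': [(owner, type), ...]} for the ANSWER section."""
    ad, section, rrsets, sigs = False, None, set(), set()
    for line in transcript.splitlines():
        if line.startswith(";; flags:"):        # header flags, not the EDNS 'flags: do' line
            ad = "ad" in re.search(r"flags:([^;]*)", line).group(1).split()
            continue
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
            continue
        r = RR_LINE.match(line) if section == "ANSWER" else None
        if not r:                               # blank line or wrapped RRSIG continuation
            continue
        owner, _ttl, rtype, rdata = r.groups()
        if rtype == "RRSIG":
            sigs.add((owner, rdata.split()[0]))  # first rdata field is the type covered
        else:
            rrsets.add((owner, rtype))
    return {"ad": ad, "unsigned": sorted(rrsets - sigs)}
```

Run it over `dig +dnssec <name> @<server>` output from each affected resolver to see which ones still return unsigned, non-`ad` answers from cache.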