Troubleshooting DNSSEC issue w/

Ray Van Dolson rvandolson at
Wed Jul 17 16:49:18 UTC 2013


Running BIND 9.8.2 in RHEL6 (at the latest vendor-provided version --
bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue resolving that
seems to be DNSSEC-related.

Am fairly certain of this because if I set dnssec-enable and
dnssec-validation to no (have them at 'yes' normally), resolution

If I run a dig @nameserver from a client machine, dig just
hangs for a bit then eventually times out.  dig @nameserver
works fine....

On my BIND server, I see the following in a packet capture:

  0.000000 -> DNS Standard query A
  0.026504 -> DNS Standard query response
  0.026927 -> DNS Standard query DS
  0.042998 -> DNS Standard query response, No such name
  0.043485 -> DNS Standard query DS
  0.048186 -> DNS Standard query response, No such name
  0.048595 -> DNS Standard query DS
  0.053765 -> DNS Standard query response, No such name
 30.043683 -> DNS Standard query DS
 30.061169 -> DNS Standard query response, No such name

So it seems like the issue is related to the DS records queried not
existing, but I've checked a few DNSSEC validation tools out there by
plugging in and things appear to check out.  This could be
firewall related on my side (we have Checkpoint firewalls), but other
DNSSEC queries appear to be working OK.

A dig @ +dnssec works OK as well, also making me think
the issue is somehow on my side....

Am reading up on additional troubleshooting steps for DNSSEC, but still
wrapping my head around concepts.

Anyone have any tips as to where to start "digging" next based on what
I'm seeing above?
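
The pattern in the capture above (DS queries answered "No such name", then retried) can be pulled out of a longer capture automatically. The following is an added example, not part of the original post: it assumes summary lines that still carry the source and destination addresses, query type and query name, which are stripped from the archived capture, and the function names are hypothetical.

```python
import re
from collections import defaultdict, deque

# Summary-line shape assumed: "<time> <src> -> <dst> DNS Standard query ..."
LINE = re.compile(r"^\s*(\d+\.\d+)\s+(\S+)\s+->\s+(\S+)\s+DNS\s+Standard query\s*(.*)$")

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    rec = {"t": float(m[1]), "src": m[2], "dst": m[3]}
    rest = m[4].strip()
    if rest.startswith("response"):
        return dict(rec, resp=True, nxdomain="No such name" in rest)
    parts = rest.split()
    if len(parts) < 2:          # qtype or name missing from the line
        return None
    return dict(rec, resp=False, qtype=parts[0], name=parts[1].lower())

def repeated_ds_nxdomain(lines, min_repeats=2):
    """Names whose DS queries drew NXDOMAIN at least min_repeats times."""
    pending = defaultdict(deque)   # (client, server) -> unanswered queries
    hits = defaultdict(list)       # name -> times of DS queries answered NXDOMAIN
    for rec in filter(None, map(parse, lines)):
        if not rec["resp"]:
            pending[(rec["src"], rec["dst"])].append(rec)
            continue
        queue = pending[(rec["dst"], rec["src"])]
        # Summary lines carry no transaction ID, so pair FIFO per address pair.
        query = queue.popleft() if queue else None
        if query and rec["nxdomain"] and query["qtype"] == "DS":
            hits[query["name"]].append(query["t"])
    return {n: {"count": len(ts), "span_s": round(ts[-1] - ts[0], 3)}
            for n, ts in hits.items() if len(ts) >= min_repeats}

# Constructed sample: timings follow the capture above; addresses and names are
# documentation placeholders, not values from the original post.
SAMPLE = """\
  0.000000 192.0.2.10 -> 198.51.100.1 DNS Standard query A www.example.com
  0.026504 198.51.100.1 -> 192.0.2.10 DNS Standard query response A 203.0.113.5
  0.026927 192.0.2.10 -> 198.51.100.2 DNS Standard query DS example.com
  0.042998 198.51.100.2 -> 192.0.2.10 DNS Standard query response, No such name
  0.043485 192.0.2.10 -> 198.51.100.3 DNS Standard query DS example.com
  0.048186 198.51.100.3 -> 192.0.2.10 DNS Standard query response, No such name
  0.048595 192.0.2.10 -> 198.51.100.2 DNS Standard query DS example.com
  0.053765 198.51.100.2 -> 192.0.2.10 DNS Standard query response, No such name
 30.043683 192.0.2.10 -> 198.51.100.2 DNS Standard query DS example.com
 30.061169 198.51.100.2 -> 192.0.2.10 DNS Standard query response, No such name
""".splitlines()
```

Calling repeated_ds_nxdomain(SAMPLE) reports each affected name with the number of NXDOMAIN-answered DS queries and the time span they cover, which makes a retry after a long gap stand out.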


More information about the bind-users mailing list