Troubleshooting DNSSEC issue w/

Bill Owens owens at
Wed Jul 17 17:58:25 UTC 2013

On Wed, Jul 17, 2013 at 09:49:18AM -0700, Ray Van Dolson wrote:
> Hello;
> Running BIND 9.8.2 in RHEL6 (at the latest vendor provided version --
> bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue resolving
> that seems to be DNSSEC related.
> Am fairly certain of this because if I set dnssec-enable and
> dnssec-validation to no (have them at 'yes' normally), resolution
> succeeds.
> If I run a dig @nameserver from a client machine, dig just
> hangs for a bit then eventually times out.  dig @nameserver
> works fine....

This is one of the weirder ones I've seen. . . there are TXT and MX records for, both correctly signed:

;; ANSWER SECTION:
    261 IN  RRSIG   MX 7 3 600 20131014154120 20130716154120 32497 kuorwabpVJ5QJqPhInJXhAQZgCSbB/xT6A7lkvoqJck5EBzn62UANtMk mYVcNNXXJUWPZATKbldsCbluos8NJyE33vdRft/I7+YRCgUsJ/ZFSmdR OknrSTQbc8M4YzvclEKVRuDBu5P8wuufmWWqNtXl+vrUgTo97CE9EYQ7 CJw=
    261 IN  MX  10
    261 IN  RRSIG   TXT 7 3 600 20131014154120 20130716154120 32497 iWlwUHl1KrUopGu6ixdCoNyquco3UNaip8cFONOpHNo8p/KjEYmiDyhL z2DWslNwbUuvh/nConYy86clgPZB3Q9MaxuhMNbiZCpsRPds98Yh+Fbg 4U3WDRy+ww8DFLpozZc+3gBLYtcnS9UDtZOmNEjxEzDf6Zw5eyUfggpX nxY=
    261 IN  TXT "v=spf1 a mx ip4: ?all"

There's also an NSEC3 record for, asserting that there are only MX, TXT and RRSIG records for it: 370 IN NSEC3 1 0 10 BBAB 7PPJ5IC2PQQ5HTFGU7I2908P3DRN5FUO MX TXT RRSIG

However, that NSEC3 record is not signed. If you ask for with checking disabled but also request DNSSEC records, you'll get it. If you ask with checking enabled, you won't, because it can't be validated. This seems to be true for the whole zone, at least the records I checked. So any query to that returns a record will be okay, anything that doesn't will end up with a SERVFAIL.
