Troubleshooting DNSSEC issue w/

Brad Bendily Brad.Bendily at LA.GOV
Mon Jul 29 15:25:21 UTC 2013

Hi Ray,
Did you ever get a resolution on this?
We have had intermittent trouble getting to: sites and the fix has been a full restart
of the named service. I wasn't really sure how or where to 
start troubleshooting but when I saw this email I was hopeful
there would be a fix.

As someone indicated, it appears to be a problem with all .gov sites.
Has anyone confirmed if this has been fixed?


-----Original Message-----
From: at [ at] On Behalf Of Ray Van Dolson
Sent: Wednesday, July 17, 2013 11:49 AM
To: bind-users at
Subject: Troubleshooting DNSSEC issue w/


Running BIND 9.8.2 in RHEL6 (at the latest vendor provided version --
bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue resolving that seems to be DNSSEC related.

Am fairly certain of this because if I set dnssec-enable and dnssec-validation to no (have them at 'yes' normally), resolution succeeds.

If I run a dig @nameserver from a client machine, dig just hangs for a bit then eventually times out.  dig @nameserver works fine....

On my BIND server, I see the following in a packet capture:

  0.000000 -> DNS Standard query A
  0.026504 -> DNS Standard query response
  0.026927 -> DNS Standard query DS
  0.042998 -> DNS Standard query response, No such name
  0.043485 -> DNS Standard query DS
  0.048186 -> DNS Standard query response, No such name
  0.048595 -> DNS Standard query DS
  0.053765 -> DNS Standard query response, No such name
 30.043683 -> DNS Standard query DS
 30.061169 -> DNS Standard query response, No such name

So it seems like the issue is related to the DS records queried not existing, but I've checked a few DNSSEC validation tools out there by plugging in and things appear to check out.  This could be firewall related on my side (we have Checkpoint firewalls), but other DNSSEC queries appear to be working OK.

A dig @ +dnssec works OK as well, also making me think the issue is somehow on my side....

Am reading up on additional troubleshooting steps for DNSSEC, but still wrapping my head around concepts.

Anyone have any tips as to where to start "digging" next based on what I'm seeing above?
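
An added example (not from either message in this thread, and not BIND's own code) that turns the capture above into a repeatable check: it queries DS at each ancestor of the failing name from the TLD down, asks for DNSKEY wherever a DS exists, and classifies each answer, treating NXDOMAIN for a DS query as inconsistent because the name is already known to exist (its A query was answered). The `lookup` callable is an assumed interface; the answers and names in `CONSTRUCTED_ANSWERS` are constructed placeholders, since the real domain is not on the page.

```python
from typing import Callable, Dict, List, Tuple
# lookup(qname, qtype) -> (rcode, rdata strings); an assumed interface, not BIND's API.
Lookup = Callable[[str, str], Tuple[str, List[str]]]

def zone_cuts(name: str) -> List[str]:
    """Ancestors of name from the TLD down; the root is skipped (it is the trust anchor)."""
    labels = name.strip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]

def classify_ds(rcode: str, rdata: List[str]) -> str:
    """Interpret a DS answer for a name that is known to exist (its A query was answered)."""
    if rcode == "NOERROR" and rdata:
        return "secure"        # signed delegation: the child's DNSKEY must match this DS
    if rcode == "NOERROR":
        return "no_ds"         # unsigned delegation or not a zone cut; parent must prove it with NSEC/NSEC3
    if rcode == "NXDOMAIN":
        return "inconsistent"  # an existing name cannot be NXDOMAIN for DS: suspect the path or the parent
    return "unreachable"       # SERVFAIL/timeout: the validator cannot build the chain

def walk_chain(name: str, lookup: Lookup) -> List[Tuple[str, str, str]]:
    """Query DS at every ancestor (plus DNSKEY where a DS exists); stop at the first broken cut."""
    steps = []
    for cut in zone_cuts(name):
        rcode, rdata = lookup(cut, "DS")
        state = classify_ds(rcode, rdata)
        if state == "secure":
            krc, keys = lookup(cut, "DNSKEY")
            if krc != "NOERROR" or not keys:
                state = "secure_but_no_dnskey"
        steps.append((cut, rcode, state))
        if state not in ("secure", "no_ds"):
            break
    return steps

def first_problem(steps: List[Tuple[str, str, str]]):
    """Return (cut, state) where the chain first breaks, or None if it looks intact."""
    bad = ("inconsistent", "unreachable", "secure_but_no_dnskey")
    return next(((c, s) for c, _, s in steps if s in bad), None)

# Constructed answers mirroring the capture in the thread: the TLD delegation is signed, but
# the DS query one label down comes back "No such name". Placeholder names, not the real domain.
CONSTRUCTED_ANSWERS: Dict[Tuple[str, str], Tuple[str, List[str]]] = {
    ("gov.", "DS"): ("NOERROR", ["7698 8 2 (constructed digest)"]),
    ("gov.", "DNSKEY"): ("NOERROR", ["257 3 8 (constructed key)"]),
    ("example.gov.", "DS"): ("NXDOMAIN", []),
}

def constructed_lookup(qname: str, qtype: str) -> Tuple[str, List[str]]:
    return CONSTRUCTED_ANSWERS.get((qname, qtype), ("NOERROR", []))
```

To use it against the real name, supply a live `lookup` (for instance a thin wrapper around `dig +dnssec` or a resolver library) and compare the cut where `first_problem` stops with the DS queries in the capture; an "inconsistent" step from inside the network but not from outside it points at the path rather than at the zone.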
