Bind/PowerDNS interoperability issue

Aki Tuomi cmouse at cmouse.fi
Wed Feb 19 10:16:19 UTC 2014


Hi!

We are investigating an interoperability issue with bind and powerdns.

Scenario:

We have a DNSSEC-secured domain using NSEC, pasilehto.fi.

This domain has two insecure delegations
 0.0.0.0.pasilehto.fi
and
 1.0.0.0.pasilehto.fi

We have A records
 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi
and
 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.0.0.0.pasilehto.fi


Now, if I ask a DNSSEC-validating BIND version 9.9.3-P2 or 9.9.4-P2 to
resolve either of those A records, I get errors, while Google's
8.8.8.8 and unbound accept these as valid.

You can go ahead and test this live; these domains are publicly available for
now.

There is also an open issue on GitHub for PowerDNS.

https://github.com/PowerDNS/pdns/issues/1289

The errors are here:

Feb 19 10:45:52 cmouse-virtual-machine named[15177]: client 80.64.8.203#57968 (5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi): query: 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi IN A +E (80.64.8.203)
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 194.100.90.53#53
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 80.64.12.65#53
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 2001:6e8:0:1::4:2#53
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 2001:6e8:0:1::3:2#53
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 2001:6e8:0:1::5:2#53
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 62.236.49.41#53
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: error (no valid DS) resolving '5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi/A/IN': 62.236.49.41#53
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: validating @0x7fa3406146e0: 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi A: bad cache hit (0.pasilehto.fi/DS)
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: error (broken trust chain) resolving '5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi/A/IN': 194.100.90.53#53

Kind regards,
Aki Tuomi
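
Added example, not part of the original message and not code from BIND or PowerDNS: a small Python triage script that reads named resolver errors like the ones quoted above and, for each "broken trust chain" result, lists the earlier failures logged for ancestor names. The function names are illustrative, and the sample lines are a subset of the log above with the syslog prefix trimmed.

```python
import re
from collections import defaultdict

# Subset of the log lines from the message above (timestamp/host prefix trimmed).
QNAME = "5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi"
SAMPLE = f"""\
named[15177]: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 194.100.90.53#53
named[15177]: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 80.64.12.65#53
named[15177]: error (no valid DS) resolving '{QNAME}/A/IN': 62.236.49.41#53
named[15177]: validating @0x7fa3406146e0: {QNAME} A: bad cache hit (0.pasilehto.fi/DS)
named[15177]: error (broken trust chain) resolving '{QNAME}/A/IN': 194.100.90.53#53
"""

# Matches: error (<reason>) resolving '<name>/<type>/IN': <server>#<port>
ERROR_RE = re.compile(
    r"error \((?P<reason>[^)]+)\) resolving '(?P<name>[^/']+)/(?P<type>[A-Z0-9]+)/IN': "
    r"(?P<server>\S+)#\d+")

def parse_errors(text):
    """Return resolver errors in log order as dicts (reason, name, type, server)."""
    return [m.groupdict() for m in map(ERROR_RE.search, text.splitlines()) if m]

def is_ancestor(ancestor, name):
    """True if `ancestor` is a proper parent of `name`, compared label by label."""
    a = ancestor.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    return len(a) < len(n) and n[-len(a):] == a

def root_causes(text):
    """Map each 'broken trust chain' name to earlier failures at its ancestor names."""
    errors = parse_errors(text)
    result = {}
    for i, err in enumerate(errors):
        if err["reason"] != "broken trust chain":
            continue
        seen = defaultdict(set)
        for prev in errors[:i]:
            if is_ancestor(prev["name"], err["name"]):
                seen[(prev["name"], prev["type"], prev["reason"])].add(prev["server"])
        result[(err["name"], err["type"])] = {k: sorted(v) for k, v in seen.items()}
    return result

if __name__ == "__main__":
    for (name, rtype), causes in root_causes(SAMPLE).items():
        print(f"{name}/{rtype}: broken trust chain")
        for (anc, atype, reason), servers in causes.items():
            print(f"  {anc}/{atype}: {reason} from {len(servers)} server(s)")
```

On the sample lines this reports the DS lookup for 0.pasilehto.fi as the earlier failure behind the broken trust chain on the A record.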