DNSSEC validation on 9.7.4 not working

Mark Andrews marka at isc.org
Wed Jun 24 03:30:55 UTC 2015


Should have asked for +dnssec on those queries.  Also "date -u".


In message <005601d0ae2c$b698b6c0$23ca2440$@iname.com>, "Frank Bulk" writes:
> Mark,
> 
> Sorry for top-posting -- my email client makes it difficult to do otherwise.
> 
> Yes, I'm absolutely sure there's no software or physical firewall (we're an
> ISP), and there's also no load-balancer in front of this box.  I've also
> used the EDNS tests and I can get a 4000+ byte response.  There's also no
> forwarder configured.
> 
> Here's the requested output:
> 
> 
> root at nagios:/etc/bind# dig @127.0.0.1 +cd ds com; dig @127.0.0.1 +cd dnskey .
> 
> ; <<>> DiG 9.7.3 <<>> @127.0.0.1 +cd ds com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55498
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;com.                           IN      DS
> 
> ;; ANSWER SECTION:
> com.                    86400   IN      DS      30909 8 2
> E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
> 
> ;; Query time: 17 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jun 23 22:17:58 2015
> ;; MSG SIZE  rcvd: 69
> 
> ;; Truncated, retrying in TCP mode.
> 
> ; <<>> DiG 9.7.3 <<>> @127.0.0.1 +cd dnskey .
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25167
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;.                              IN      DNSKEY
> 
> ;; ANSWER SECTION:
> .                       32115   IN      DNSKEY  256 3 8
> AwEAAa67bQck1JjopOOFc+iMISFcp/osWrEst2wbKbuQSUWu77QC9UHL
> ipiHgWN7JlqVAEjKITZz49hhkLmOpmLK55pTq+RD2kwoyNWk9cvpc+tS
> nIxT7i93O+3oVeLYjMWrkDAz7K45rObbHDuSBwYZKrcSIUCZnCpNMUtn PFl/04cb
> .                       32115   IN      DNSKEY  257 3 8
> AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
> FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
> bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
> X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
> W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
> Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
> .                       32115   IN      DNSKEY  256 3 8
> AwEAAZyIkCwEYeG29NV+4cOdKE4DPng/4BqJeoOhKqzJbl+LR33TPWsr
> wBRfmAi9wvR/Qc6IV4MFMXjmkclXns+atIQZ9uQV3YAvKv/cVuO7Mneu
> MssIQixaMw+jp73R7zIUNMbLBgJRQXI57Rl+pvXBAkgHndVwv+aJkf7y GEuE9Dtj
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jun 23 22:17:59 2015
> ;; MSG SIZE  rcvd: 586
> 
> 
> Frank
> 
> 
> -----Original Message-----
> From: Mark Andrews [mailto:marka at isc.org] 
> Sent: Tuesday, June 23, 2015 10:11 PM
> To: Frank Bulk <frnkblk at iname.com>
> Cc: bind-users at isc.org
> Subject: Re: DNSSEC validation on 9.7.4 not working
> 
> 
> In message <003d01d0ae24$682fc080$388f4180$@iname.com>, "Frank Bulk" writes:
> > I'm running BIND 9.7.3 on Debian and having trouble configuring DNSSEC
> > validation.  
> > 
> > I'm using the excellent guides at
> > http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html#easy-start-guide-for-recursive-servers and
> > https://www.surf.nl/binaries/content/assets/surf/en/knowledgebase/2012/rapport_Deploying_DNSSEC_v20.pdf
> > and http://dnssec.vs.uni-due.de/ which provide 9.7.x configuration instructions
> > and so I'm feeling a bit slow that I can't make this work.
> > 
> > I have a copy of bind.keys from
> > https://www.isc.org/downloads/bind/bind-keys/ in /etc/bind/
> > 
> > This statement in /etc/bind/bind.conf:
> > 
> > managed-keys {
> >       "." initial-key 257 3 8
> > "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
> > FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
> > bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
> > X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
> > W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
> > Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";
> > };
> > 
> > and the following in /etc/bind/bind.conf.options:
> > 
> > options {
> >        <snip>
> >        dnssec-enable yes;
> >        dnssec-validation yes;
> >        <snip>
> > };
> > 
> > But when I issue "rndc reconfig" I immediately get repeated log lines about
> > the following and then similar statements for each domain:
> > 
> > 23-Jun-2015 20:43:47.402 dnssec: info:   validating @0x7fcec948ce40: com DS: no valid signature found
> > 23-Jun-2015 20:43:47.402 dnssec: info:   validating @0x7fcec8c41bf0: com DS: no valid signature found
> > 23-Jun-2015 20:43:47.438 dnssec: info: validating @0x7fcec8c39b80: . NS: no valid signature found
> > <snip>
> > 23-Jun-2015 20:43:48.750 dnssec: info: validating @0x7fced04fd9e0: . NS: no valid signature found
> > 23-Jun-2015 20:43:48.754 dnssec: info: validating @0x7fcee55996a0: a1075.dscg.akamai.net AAAA: bad cache hit (net/DS)
> > 23-Jun-2015 20:43:48.757 dnssec: info: validating @0x7fceca621970: wwwp.wip.rackspace.com AAAA: bad cache hit (com/DS)
> > 23-Jun-2015 20:43:48.759 dnssec: info: validating @0x7fceca621970: a1526.dscg.akamai.net AAAA: bad cache hit (net/DS)
> > 23-Jun-2015 20:43:48.759 dnssec: info: validating @0x7fced04fd9e0: a1784.dscg.akamai.net AAAA: bad cache hit (net/DS)
> > 23-Jun-2015 20:43:48.761 dnssec: info: validating @0x7fced04fd9e0: e1181.dscb.akamaiedge.net AAAA: bad cache hit (net/DS)
> > 
> > Of course, once the TLDs aren't considered valid everything goes south.  
> > 
> > What am I doing wrong?
> > 
> > Regards,
> > 
> > Frank Bulk
> 
> Are you sure that there isn't a firewall that is blocking RRSIGs getting
> through, or that you aren't using a forwarder that isn't also
> validating?  These sorts of messages come when named is forced back
> to plain DNS to get a response.
> 
> What do "dig +cd ds com" and "dig +cd dnskey ." return?
> 
> Mark
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
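An added triage helper (my own example, not code from the thread or from ISC) that implements the two checks Mark asks for: whether the `dig +dnssec` answers actually carry RRSIGs, and whether the resolver's UTC clock (`date -u`) falls inside the RRSIG validity window. The dig output embedded below is constructed, with a placeholder signature; the RRSIG rdata field order is the standard presentation format dig prints.

```python
import re
from datetime import datetime, timezone
# Constructed sample of `dig @127.0.0.1 +cd +dnssec ds com` (hypothetical, signature is a placeholder).
SAMPLE_SIGNED = """
;; ANSWER SECTION:
com.\t86400\tIN\tDS\t30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
com.\t86400\tIN\tRRSIG\tDS 8 1 86400 20150703050000 20150623040000 48613 . PLACEHOLDERSIG==
"""
# Same query when named fell back to plain DNS or a middlebox stripped the signature.
SAMPLE_UNSIGNED = """
;; ANSWER SECTION:
com.\t86400\tIN\tDS\t30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
"""
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")
TS = "%Y%m%d%H%M%S"  # RRSIG timestamp format as dig prints it

def answer_records(dig_output):
    """Yield (owner, rtype, rdata) for every record in dig's ANSWER SECTION."""
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif line.startswith(";;"):
            in_answer = False
        elif in_answer and (m := RR_RE.match(line.strip())):
            yield m.groups()

def check_rrsig(dig_output, rtype, now_utc):
    """Return (signed, in_window): an RRSIG covering `rtype` is present, and now_utc
    (YYYYMMDDHHMMSS, as from `date -u`) lies inside its inception..expiration window."""
    signed = in_window = False
    now = datetime.strptime(now_utc, TS).replace(tzinfo=timezone.utc)
    for _owner, rt, rdata in answer_records(dig_output):
        f = rdata.split()  # type alg labels origttl expiration inception keytag signer sig
        if rt != "RRSIG" or f[0] != rtype:
            continue
        signed = True
        exp = datetime.strptime(f[4], TS).replace(tzinfo=timezone.utc)
        inc = datetime.strptime(f[5], TS).replace(tzinfo=timezone.utc)
        in_window = inc <= now <= exp
    return signed, in_window

def diagnose(dig_output, rtype, now_utc):
    # Map the two checks onto the failure modes Mark raises in the thread.
    signed, in_window = check_rrsig(dig_output, rtype, now_utc)
    if not signed:
        return "no RRSIG: stripped in transit, non-validating forwarder, or plain-DNS fallback"
    if not in_window:
        return "RRSIG outside its validity window: check the resolver clock with date -u"
    return "RRSIG present and within its validity window"
```

Run it against real output by piping `dig @127.0.0.1 +cd +dnssec ds com` into the parser and passing `date -u +%Y%m%d%H%M%S` as now_utc.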
