DNSSEC validation on 9.7.4 not working

Alan Clegg alan at clegg.com
Wed Jun 24 13:03:36 UTC 2015


I've always recommended either a cache flush or a complete restart of
named after turning on DNSSEC.

I thought I opened a ticket about this, but probably not.

AlanC

On 6/24/15 3:46 AM, frnkblk at iname.com wrote:
> Ding-ding-ding -- issuing "rndc flushname ." did the trick, Mark.
> 
> I'd encourage this troubleshooting tip to be documented in one of those
> how-to guides.  I don't think waiting for a TTL is a good idea if most
> queries are failing with "bad cache hit".
> 
> Frank
> 
> -----Original Message-----
> From: Mark Andrews [mailto:marka at isc.org] 
> Sent: Tuesday, June 23, 2015 11:03 PM
> To: Frank Bulk
> Cc: bind-users at isc.org
> Subject: Re: DNSSEC validation on 9.7.4 not working
> 
> 
> I suspect that the DNSKEY record for the root will be marked as an
> 'answer' rather than 'secure' (rndc dumpdb) and flushing the cache
> will fix the issue as will waiting ~30703 seconds.  'rndc flushname .'
> should also work though I forget where we added flushname.
> 
> Mark
> 
> In message <005701d0ae2f$ef2798f0$cd76cad0$@iname.com>, "Frank Bulk" writes:
>> Here you go:
>>
>> root at nagios:/etc/bind# dig @127.0.0.1 +dnssec +cd ds com; dig @127.0.0.1
>> +dnssec +cd dnskey .
>>
>> ; <<>> DiG 9.7.3 <<>> @127.0.0.1 +dnssec +cd ds com
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38536
>> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;com.                           IN      DS
>>
>> ;; ANSWER SECTION:
>> com.                    86400   IN      DS      30909 8 2
>> E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
>> com.                    86400   IN      RRSIG   DS 8 1 86400 20150703170000 20150623160000 48613 .
>> ioJ6KyZ9ig0PsFBdo5jfM/9hLEX9qn06QaitkJubhcH3m/DPBi2o9xTu
>> Cs9Aabwm/tSlGc+JVc3oBVSwv6LakHUY9v7aJn77pD244tnnlgNeR+z4
>> kkZSn1Kp5tHmhKx8sNYe8Fe9rTA/9hC+3IokE949ppf+3CEyjJ4uhJhm lN0=
>>
>> ;; Query time: 54 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Tue Jun 23 22:41:31 2015
>> ;; MSG SIZE  rcvd: 239
>>
>>
>> ; <<>> DiG 9.7.3 <<>> @127.0.0.1 +dnssec +cd dnskey .
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11727
>> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;.                              IN      DNSKEY
>>
>> ;; ANSWER SECTION:
>> .                       30703   IN      DNSKEY  256 3 8
>> AwEAAZyIkCwEYeG29NV+4cOdKE4DPng/4BqJeoOhKqzJbl+LR33TPWsr
>> wBRfmAi9wvR/Qc6IV4MFMXjmkclXns+atIQZ9uQV3YAvKv/cVuO7Mneu
>> MssIQixaMw+jp73R7zIUNMbLBgJRQXI57Rl+pvXBAkgHndVwv+aJkf7y GEuE9Dtj
>> .                       30703   IN      DNSKEY  256 3 8
>> AwEAAa67bQck1JjopOOFc+iMISFcp/osWrEst2wbKbuQSUWu77QC9UHL
>> ipiHgWN7JlqVAEjKITZz49hhkLmOpmLK55pTq+RD2kwoyNWk9cvpc+tS
>> nIxT7i93O+3oVeLYjMWrkDAz7K45rObbHDuSBwYZKrcSIUCZnCpNMUtn PFl/04cb
>> .                       30703   IN      DNSKEY  257 3 8
>> AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
>> FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
>> bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
>> X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
>> W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
>> Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
>> .                       30703   IN      RRSIG   DNSKEY 8 0 172800
>> 20150705235959 20150620000000 19036 .
>> W6ZIOh5tJ1ph3C0c9Fqot+55jCewbk/cWRquGOeRnWkag7rx/XgsEfvd
>> HLr1HsSIlag+lt1OvTlsLgvVk/yUcOAZA/NvMRPbFfbyrEi82YpZ70Z2
>> B995qkT7dCf/3uBynAzubAPshUfEi7LuBy9bzyYPMvtRZptEnBz3xsAf
>> 4gmrRTX0BW66ve2xqvitZrPVH2WaYR70iJbJWbKKDCPl9rwEcit95gyi
>> CNQLOIPFq2XgHDmo01Pr4evPbSowny6kNXzuDHgKQn1+BWX5zhbr74OE
>> 3FZXo2DUXm8BA5OhMY0bMg32kjzQLu+lxBWpaXabjFoALNFG4WRRdx1s 4+Wuhg==
>>
>> ;; Query time: 0 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Tue Jun 23 22:41:31 2015
>> ;; MSG SIZE  rcvd: 883
>>
>> root at nagios:/etc/bind# date -u
>> Wed Jun 24 03:41:52 UTC 2015
>> root at nagios:/etc/bind#
>>
>> Frank
>>
>> -----Original Message-----
>> From: Mark Andrews [mailto:marka at isc.org] 
>> Sent: Tuesday, June 23, 2015 10:31 PM
>> To: Frank Bulk <frnkblk at iname.com>
>> Cc: bind-users at isc.org
>> Subject: Re: DNSSEC validation on 9.7.4 not working
>>
>>
>> Should have asked for +dnssec on those queries.  Also "date -u".
>>
>>
>> In message <005601d0ae2c$b698b6c0$23ca2440$@iname.com>, "Frank Bulk" writes:
>>> Mark,
>>>
>>> Sorry for top-posting -- my email client makes it difficult to do otherwise.
>>>
>>> Yes, I'm absolutely sure there's no software or physical firewall (we're an
>>> ISP), and there's also no load-balancer in front of this box.  I've also
>>> used the EDNS tests and I can get a 4000+ byte response.  There's also no
>>> forwarder configured.
>>>
>>> Here's the requested output:
>>>
>>>
>>> root at nagios:/etc/bind# dig @127.0.0.1 +cd ds com; dig @127.0.0.1 +cd dnskey .
>>>
>>> ; <<>> DiG 9.7.3 <<>> @127.0.0.1 +cd ds com
>>> ; (1 server found)
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55498
>>> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>>
>>> ;; QUESTION SECTION:
>>> ;com.                           IN      DS
>>>
>>> ;; ANSWER SECTION:
>>> com.                    86400   IN      DS      30909 8 2
>>> E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
>>>
>>> ;; Query time: 17 msec
>>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>>> ;; WHEN: Tue Jun 23 22:17:58 2015
>>> ;; MSG SIZE  rcvd: 69
>>>
>>> ;; Truncated, retrying in TCP mode.
>>>
>>> ; <<>> DiG 9.7.3 <<>> @127.0.0.1 +cd dnskey .
>>> ; (1 server found)
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25167
>>> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
>>>
>>> ;; QUESTION SECTION:
>>> ;.                              IN      DNSKEY
>>>
>>> ;; ANSWER SECTION:
>>> .                       32115   IN      DNSKEY  256 3 8
>>> AwEAAa67bQck1JjopOOFc+iMISFcp/osWrEst2wbKbuQSUWu77QC9UHL
>>> ipiHgWN7JlqVAEjKITZz49hhkLmOpmLK55pTq+RD2kwoyNWk9cvpc+tS
>>> nIxT7i93O+3oVeLYjMWrkDAz7K45rObbHDuSBwYZKrcSIUCZnCpNMUtn PFl/04cb
>>> .                       32115   IN      DNSKEY  257 3 8
>>> AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
>>> FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
>>> bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
>>> X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
>>> W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
>>> Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
>>> .                       32115   IN      DNSKEY  256 3 8
>>> AwEAAZyIkCwEYeG29NV+4cOdKE4DPng/4BqJeoOhKqzJbl+LR33TPWsr
>>> wBRfmAi9wvR/Qc6IV4MFMXjmkclXns+atIQZ9uQV3YAvKv/cVuO7Mneu
>>> MssIQixaMw+jp73R7zIUNMbLBgJRQXI57Rl+pvXBAkgHndVwv+aJkf7y GEuE9Dtj
>>>
>>> ;; Query time: 0 msec
>>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>>> ;; WHEN: Tue Jun 23 22:17:59 2015
>>> ;; MSG SIZE  rcvd: 586
>>>
>>>
>>> Frank
>>>
>>>
>>> -----Original Message-----
>>> From: Mark Andrews [mailto:marka at isc.org] 
>>> Sent: Tuesday, June 23, 2015 10:11 PM
>>> To: Frank Bulk <frnkblk at iname.com>
>>> Cc: bind-users at isc.org
>>> Subject: Re: DNSSEC validation on 9.7.4 not working
>>>
>>>
>>> In message <003d01d0ae24$682fc080$388f4180$@iname.com>, "Frank Bulk" writes:
>>>> I'm running BIND 9.7.3 on Debian and having trouble configuring DNSSEC
>>>> validation.  
>>>>
>>>> I'm using the excellent guides at
>>>> http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html#easy-start-guide-for-recursive-servers and
>>>> https://www.surf.nl/binaries/content/assets/surf/en/knowledgebase/2012/rapport_Deploying_DNSSEC_v20.pdf and http://dnssec.vs.uni-due.de/ which provide
>>>> 9.7.x configuration instructions and so I'm feeling a bit slow that I can't
>>>> make this work.
>>>>
>>>> I have a copy of bind.keys from
>>>> https://www.isc.org/downloads/bind/bind-keys/ in /etc/bind/
>>>>
>>>> This statement in /etc/bind/bind.conf:
>>>>
>>>> managed-keys {
>>>>       "." initial-key 257 3 8
>>>> "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
>>>> FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
>>>> bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
>>>> X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
>>>> W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
>>>> Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
>>>> QxA+Uk1ihz0=";
>>>> };
>>>>
>>>> and the following in /etc/bind/bind.conf.options:
>>>>
>>>> options {
>>>>        <snip>
>>>>        dnssec-enable yes;
>>>>        dnssec-validation yes;
>>>>        <snip>
>>>> }
>>>>
>>>> But when I issue "rndc reconfig" I immediately get repeated log lines about
>>>> the following and then similar statements for each domain:
>>>>
>>>> 23-Jun-2015 20:43:47.402 dnssec: info:   validating @0x7fcec948ce40: com DS: no valid signature found
>>>> 23-Jun-2015 20:43:47.402 dnssec: info:   validating @0x7fcec8c41bf0: com DS: no valid signature found
>>>> 23-Jun-2015 20:43:47.438 dnssec: info: validating @0x7fcec8c39b80: . NS: no valid signature found
>>>> <snip>
>>>> 23-Jun-2015 20:43:48.750 dnssec: info: validating @0x7fced04fd9e0: . NS: no valid signature found
>>>> 23-Jun-2015 20:43:48.754 dnssec: info: validating @0x7fcee55996a0:
>>>> a1075.dscg.akamai.net AAAA: bad cache hit (net/DS)
>>>> 23-Jun-2015 20:43:48.757 dnssec: info: validating @0x7fceca621970:
>>>> wwwp.wip.rackspace.com AAAA: bad cache hit (com/DS)
>>>> 23-Jun-2015 20:43:48.759 dnssec: info: validating @0x7fceca621970:
>>>> a1526.dscg.akamai.net AAAA: bad cache hit (net/DS)
>>>> 23-Jun-2015 20:43:48.759 dnssec: info: validating @0x7fced04fd9e0:
>>>> a1784.dscg.akamai.net AAAA: bad cache hit (net/DS)
>>>> 23-Jun-2015 20:43:48.761 dnssec: info: validating @0x7fced04fd9e0:
>>>> e1181.dscb.akamaiedge.net AAAA: bad cache hit (net/DS)
>>>>
>>>> Of course, once the TLDs aren't considered valid everything goes south.
>>>>
>>>> What am I doing wrong?
>>>>
>>>> Regards,
>>>>
>>>> Frank Bulk
>>>
>>> Are you sure that there isn't a firewall that is blocking RRSIGs getting
>>> through or that you aren't using a forwarder that isn't also
>>> validating?  These sorts of messages come when named is forced back
>>> to plain DNS to get a response.
>>>
>>> What do "dig +cd ds com" and "dig +cd dnskey ." return?
>>>
>>> Mark
>>>
>>> -- 
>>> Mark Andrews, ISC
>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>>> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>>>
>>>
>>
>>
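As an added example (not code from the thread or from ISC), a small Python triage script for the validator log lines Frank posted: it counts "bad cache hit" failures by the cached RRset the validator blames and "no valid signature found" failures by name, then lists the names worth inspecting in `rndc dumpdb` and flushing, with "." first since that is the record Mark suspected. The sample log lines are constructed from the excerpt above.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the named log lines quoted in the thread.
SAMPLE_LOG = """\
23-Jun-2015 20:43:47.402 dnssec: info:   validating @0x7fcec948ce40: com DS: no valid signature found
23-Jun-2015 20:43:47.438 dnssec: info: validating @0x7fcec8c39b80: . NS: no valid signature found
23-Jun-2015 20:43:48.754 dnssec: info: validating @0x7fcee55996a0: a1075.dscg.akamai.net AAAA: bad cache hit (net/DS)
23-Jun-2015 20:43:48.757 dnssec: info: validating @0x7fceca621970: wwwp.wip.rackspace.com AAAA: bad cache hit (com/DS)
23-Jun-2015 20:43:48.759 dnssec: info: validating @0x7fceca621970: a1526.dscg.akamai.net AAAA: bad cache hit (net/DS)
23-Jun-2015 20:43:48.761 dnssec: info: validating @0x7fced04fd9e0: e1181.dscb.akamaiedge.net AAAA: bad cache hit (net/DS)
23-Jun-2015 20:43:49.001 general: info: zone example.com/IN: loaded serial 2015062301
"""

# One validator line: timestamp, validator address, queried name/type, message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) dnssec: info:\s+validating @0x[0-9a-f]+: "
    r"(?P<name>\S+) (?P<rtype>[A-Z0-9]+): (?P<msg>.*)$"
)
# "bad cache hit (net/DS)" names the already-cached RRset the validator tripped over.
BAD_HIT_RE = re.compile(r"bad cache hit \((?P<zone>[^/]+)/(?P<rtype>[A-Z0-9]+)\)")


def parse_line(line):
    """Return a dict for a validator line, or None for unrelated log lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    b = BAD_HIT_RE.search(rec["msg"])
    rec["cached"] = (b.group("zone"), b.group("rtype")) if b else None
    return rec


def triage(log_text):
    """Count failures: by blamed cached RRset, and by name for unsigned answers."""
    by_cached, unsigned = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["cached"]:
            by_cached[rec["cached"]] += 1
        elif rec["msg"] == "no valid signature found":
            unsigned[(rec["name"], rec["rtype"])] += 1
    return by_cached, unsigned


def flush_candidates(by_cached, unsigned):
    """Names to check in 'rndc dumpdb' output and pass to 'rndc flushname'; root first."""
    names = {z for z, _ in by_cached} | {n for n, _ in unsigned}
    return sorted(names, key=lambda n: (n != ".", n))


if __name__ == "__main__":
    cached, unsigned = triage(SAMPLE_LOG)
    print("bad cache hits by cached RRset:", dict(cached))
    print("unsigned answers by name:", dict(unsigned))
    print("flush candidates:", flush_candidates(cached, unsigned))
```

After flushing, re-run Frank's `dig @127.0.0.1 +dnssec dnskey .` without `+cd` and look for the `ad` flag to confirm the root DNSKEY now validates.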
