DNSSEC validation failures for www.hrsa.gov

Jay Ford jay-ford at uiowa.edu
Fri Jun 24 23:59:16 UTC 2016

I'm getting DNSSEC validation failures by BIND 9.10.4-P1 for www.hrsa.gov.

The pertinent log messages are things like:

    lame-servers: info: no valid RRSIG resolving 'webfarm.dr.hrsa.gov/DS/IN':
    lame-servers: info: no valid RRSIG resolving 'webfarm.dr.hrsa.gov/DS/IN':
    lame-servers: info: no valid DS resolving 'webfarm.dr.hrsa.gov/A/IN':
    lame-servers: info: broken trust chain resolving 'webfarm.dr.hrsa.gov/A/IN':
    lame-servers: info: insecurity proof failed resolving 'dr.hrsa.gov/SOA/IN':
    lame-servers: info: insecurity proof failed resolving 'dr.hrsa.gov/SOA/IN':

The dig output is:

    $ dig www.hrsa.gov @dns-spare.uiowa.edu

    ; <<>> DiG 9.10.3-P4-Debian <<>> www.hrsa.gov @dns-spare.uiowa.edu
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42947
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

    ; EDNS: version: 0, flags:; udp: 4096
    ;www.hrsa.gov.                  IN      A

    ;; Query time: 103 msec
    ;; SERVER: fd9a:2c75:7d0c:5::2#53(fd9a:2c75:7d0c:5::2)
    ;; WHEN: Fri Jun 24 18:49:06 CDT 2016
    ;; MSG SIZE  rcvd: 41

It doesn't fail with a similar config on 9.10.3-P4, but there are admittedly
config differences.

Other DNSSEC-signed things validate fine at both versions, so things are
mostly OK.

My guess is that BIND 9.10.4-P1 is checking something more stringently than
previous versions did, & that something is broken with the DNS for
www.hrsa.gov, but I can't spot what it is.  There are some very short TTLs (5
seconds) in the data tree in question, including for SOAs, which seems like a
really bad idea but I'm not sure it definitely breaks things.  There are also
some answers with both "AA" & "AD" set, which seems odd, but again, not
definitely broken.

dnsviz.net reports a couple of warnings, including a non-AA answer from
authoritative servers, but it doesn't say it's bogus.

If anybody can spot something broken for www.hrsa.gov, I'd be very glad to
hear about it.

Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-ford at uiowa.edu, phone: 319-335-5555
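A small triage helper for log lines like the ones above, added here as an example and not part of the original post or of BIND. It parses the resolver's "lame-servers" messages and groups them by the zone whose data a defender should inspect first; the parent-zone lookup is an assumption that strips one label, which only approximates the real zone cuts.

```python
import re
from collections import Counter
# Constructed sample, modelled on the BIND "lame-servers" lines quoted in the post.
SAMPLE_LOG = """\
lame-servers: info: no valid RRSIG resolving 'webfarm.dr.hrsa.gov/DS/IN':
lame-servers: info: no valid RRSIG resolving 'webfarm.dr.hrsa.gov/DS/IN':
lame-servers: info: no valid DS resolving 'webfarm.dr.hrsa.gov/A/IN':
lame-servers: info: broken trust chain resolving 'webfarm.dr.hrsa.gov/A/IN':
lame-servers: info: insecurity proof failed resolving 'dr.hrsa.gov/SOA/IN':
"""

LINE_RE = re.compile(
    r"^(?P<cat>[\w-]+): (?P<level>\w+): (?P<reason>.+?) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[^/']+)/(?P<rclass>[^']+)':"
)
# Failures whose evidence (DS RRset or NSEC/NSEC3 denial of DS) is served by the parent zone.
PARENT_SIDE = {"no valid DS", "insecurity proof failed"}
REASON_HINT = {
    "no valid RRSIG": "RRset present but its RRSIG did not validate (expired, wrong key, or absent)",
    "no valid DS": "no DS for the zone cut could be validated from the parent",
    "broken trust chain": "some link between the trust anchor and this name failed to validate",
    "insecurity proof failed": "parent could not prove the child is unsigned (NSEC/NSEC3 denial of DS invalid)",
}

def parent_zone(name):
    """Strip one label to approximate the parent zone ('.' above a TLD); assumes each label is a zone cut."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) or "."

def parse_line(line):
    """Parse one BIND validation-failure line; DS lookups and denial-of-DS proofs point at the parent."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parent_side = rec["rtype"] == "DS" or rec["reason"] in PARENT_SIDE
    rec["suspect_zone"] = parent_zone(rec["name"]) if parent_side else rec["name"]
    rec["hint"] = REASON_HINT.get(rec["reason"], "unrecognised validation failure")
    return rec

def triage(log_text):
    """Group failures by the zone to check first: {zone: Counter('reason (qname/qtype)')}."""
    out = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            key = "%s (%s/%s)" % (rec["reason"], rec["name"], rec["rtype"])
            out.setdefault(rec["suspect_zone"], Counter())[key] += 1
    return out
```

Running `triage(SAMPLE_LOG)` attributes the DS signature failures to dr.hrsa.gov and the insecurity-proof failure to hrsa.gov, which matches where the post's dig and dnsviz checks would need to look.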
