dnssec validation issue

dhungyel grdhungyel at gmail.com
Thu Aug 31 04:21:18 UTC 2017


Hi Mukund

> Are you able to reproduce the bug with the latest stock version of BIND 
> 9.9?  9.9.4 is very old and that branch has had numerous bugfixes since. 

> I'm not able to reproduce such a validation failure with 9.9.11: 

At the moment the latest patched version of bind available for CentOS 7 is
9.9.4-50. The policy has been to stick with the patches / versions
distributed by the Distro rather than getting the latest. So, I will have to
try the new version and see if the problem persists.

I have looked around a bit more and this is where it starts getting
interesting. For hosts that are not mapped to a CNAME, this works perfectly
fine. See below for host ns.icann.org:

# dig @localhost ns.icann.org A +dnssec

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> @localhost ns.icann.org A +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31866
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ns.icann.org.			IN	A

;; ANSWER SECTION:
ns.icann.org.		3600	IN	A	199.4.138.53
ns.icann.org.		3600	IN	RRSIG	A 7 3 3600 20170914022301 20170824010741 56445
icann.org. DFfGY0h65bDzMHNSkf9cmM8vHbIeOyupdw5HeagBiWzQMAbzvtc4w5et
N+1P2zeOPvCvYiBcUsHi+JGqyB0q6gpyZMcXFbMGRPnp931B+F6MUnZL
H2+2PDhkBrZ1EtyVaS8s8IyZ9XOuzJKNwOQBt4mNdFhpvrpWmXMc1zTQ OYX1Kqg=

;; AUTHORITY SECTION:
icann.org.		86393	IN	NS	a.iana-servers.net.
icann.org.		86393	IN	NS	ns.icann.org.
icann.org.		86393	IN	NS	c.iana-servers.net.
icann.org.		86393	IN	NS	b.iana-servers.net.
icann.org.		86393	IN	RRSIG	NS 7 2 86400 20170915091737 20170825024031 56445
icann.org. P7offNJTV/zX8mZVC7x6uwvhZrdLzLNM/r1tsp4g7yaprD6LY//TLbNc
tIdbFjZdml7CYYZxZSecmb5Uzo8O7sHS+1xdandh6KxPfo47mO+Ge6JI
JmspnEaOxOlK7Vp3RGCqdeUasxIpwjHlNa+4rZ30ImmKxsAGC9oq01ey d/JE8j8=

;; ADDITIONAL SECTION:
a.iana-servers.net.	172793	IN	A	199.43.135.53
a.iana-servers.net.	172793	IN	AAAA	2001:500:8f::53
b.iana-servers.net.	172793	IN	A	199.43.133.53
b.iana-servers.net.	172793	IN	AAAA	2001:500:8d::53
c.iana-servers.net.	172793	IN	A	199.43.134.53
c.iana-servers.net.	172793	IN	AAAA	2001:500:8e::53
ns.icann.org.		86393	IN	AAAA	2001:500:89::53
ns.icann.org.		3600	IN	RRSIG	AAAA 7 3 3600 20170913162548 20170824010741
56445 icann.org. cSpl1KEIPeFTzXBhjn9CMA+Y4iVG92++kdzxoTzRhgEMsH2Xud/s8Mg1
DBEc07xMgou5OqyGvlbOxP1F2c/dOFrQBMBuojBmG4ltIj663GYshyFy
3sxqNJGATHDDJ7Sk8eiYFazct09Z2wQ73UdwKGXuzM4bD9LrXUYP0rnJ l0xEen8=

However, when I try the same thing for www.icann.org, I get SERVFAIL like
below:

# dig @localhost www.icann.org A +dnssec

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> @localhost www.icann.org A +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30814
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.icann.org.			IN	A

;; Query time: 4237 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Aug 31 10:06:23 +06 2017
;; MSG SIZE  rcvd: 42

So, I am beginning to wonder if there is an issue between DNSSEC and CNAME in
the 9.9.4-50 version of bind. With checking disabled (as suggested by Tony), it
resolves correctly:

# dig @localhost www.icann.org A +cd

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> @localhost www.icann.org A +cd
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53618
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.icann.org.			IN	A

;; ANSWER SECTION:
www.icann.org.		3386	IN	CNAME	www.vip.icann.org.
www.vip.icann.org.	30	IN	A	192.0.32.7

;; AUTHORITY SECTION:
vip.icann.org.		3382	IN	NS	gtm1.dc.icann.org.
vip.icann.org.		3382	IN	NS	gtm1.mdr.icann.org.
vip.icann.org.		3382	IN	NS	gtm1.lax.icann.org.

With +cd and +sigchase, the resolver is able to find the RRSIG data fine, but
once checking is enabled, it just fails:


# dig @localhost www.icann.org A +cd +sigchase
;; RRset to chase:
www.icann.org.		3039	IN	CNAME	www.vip.icann.org.


;; RRSIG of the RRset to chase:
www.icann.org.		3039	IN	RRSIG	CNAME 7 3 3600 20170914195717 20170824110741
56445 icann.org. GoSDthX9s2BsyaT/AYyfNKixR8UMVF/fx3zz5U9XPIVJUkpp3g9xyuZy
wxO7aTVgiPaESUOttGGn4xs9KMzZ4BcI6bmOAehYubS6AaAb6YdbweR4
S6O3qiNMT5Sai4BrfmvITGjigyNXSb3vc8fsSeUPJVdR8gmObfzbJbdn VW+NoRo=



Launch a query to find a RRset of type DNSKEY for zone: icann.org.

;; DNSKEYset that signs the RRset to chase:
icann.org.		2900	IN	DNSKEY	256 3 7
AwEAAebfIXOw6kz9YDpBWe6s9xjc8F6ZDo+/LdyOfel/9ghIhnsxDU3W
fmmevVXWHQm5J+SMFhRk8nidYuR9dT0D7NgloPb3LJmu8Anm1cDIokN2
+1gknvY2eAuK9t/cadh+rZpZRzTKr2DnvQoarQOzvTFurpkZhsXvl8NM UsTIIdUWP0hP
 ....
....

--
Ganga
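The comparison Ganga makes above (a +dnssec query that returns SERVFAIL beside a +cd query that returns the CNAME chain) is a reusable triage step. The following script is an added example, not code from the post or from BIND: it parses the header, flags, EDNS and record sections of dig output, classifies the pair of runs as a validation failure versus a plain resolution failure, and, for every CNAME target in the checking-disabled answer, reports which delegated zone from the AUTHORITY section contains that target, since that is the zone whose chain of trust should be checked next. The sample inputs are abbreviated copies of the three outputs in the post (RRSIG continuation lines and the ADDITIONAL sections dropped); the "zones to check" heuristic is this example's own assumption, a pointer for where to look rather than a proof of the cause.

```python
import re
from dataclasses import dataclass

# Added example, not from the original post: triage a DNSSEC SERVFAIL from
# dig output by comparing the +dnssec run against the +cd run of one question.

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


@dataclass
class DigSummary:
    status: str      # rcode from the ->>HEADER<<- line
    flags: set       # header flags, e.g. {"qr", "rd", "ra", "ad"}
    do_bit: bool     # DO flag from the EDNS pseudosection
    answers: list    # (owner, ttl, type, rdata) tuples from ANSWER
    authority: list  # same tuples from AUTHORITY


def parse_dig(text):
    """Extract status, flags, DO bit and the ANSWER/AUTHORITY RRs from dig text.
    Wrapped RRSIG continuation lines do not match RR_RE and are skipped."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = set(re.search(r"^;; flags: ([^;]*);", text, re.M).group(1).split())
    edns = re.search(r"^; EDNS: .*flags:\s*([^;]*);", text, re.M)
    do_bit = bool(edns and "do" in edns.group(1).split())
    sections = {"ANSWER": [], "AUTHORITY": []}
    current = None
    for line in text.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            name = line[3:].split()[0]          # OPT/QUESTION sections map to None
            current = name if name in sections else None
        elif current and not line.startswith(";"):
            m = RR_RE.match(line)
            if m:
                owner, ttl, rtype, rdata = m.groups()
                sections[current].append((owner, int(ttl), rtype, rdata))
    return DigSummary(status, flags, do_bit, sections["ANSWER"], sections["AUTHORITY"])


def classify(do_run, cd_run):
    """Verdict from the +dnssec run and the +cd run of the same question."""
    if do_run.status == "NOERROR" and "ad" in do_run.flags:
        return "validated"
    if do_run.status == "SERVFAIL" and cd_run.status == "NOERROR":
        return "validation-failure"   # data resolves, chain of trust does not verify
    if do_run.status == "SERVFAIL":
        return "resolution-failure"   # fails even with checking disabled
    return "insecure-or-unknown"


def zones_to_check(cd_run):
    """Map each CNAME target in the +cd answer to the delegated zone (NS records
    in AUTHORITY) that contains it. Assumption of this example: a CNAME-only
    validation failure is usually rooted in the target's zone, so that is the
    DS/DNSKEY chain to verify next."""
    delegated = {owner for owner, _, rtype, _ in cd_run.authority if rtype == "NS"}
    found = {}
    for _, _, rtype, target in cd_run.answers:
        if rtype != "CNAME":
            continue
        for zone in sorted(delegated, key=len, reverse=True):   # longest match wins
            if target == zone or target.endswith("." + zone):
                found[target] = zone
                break
    return found


# Sample inputs: abbreviated copies of the dig outputs quoted in the post.
OK_RUN = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31866
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 9
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ns.icann.org.\t\t\tIN\tA
;; ANSWER SECTION:
ns.icann.org.\t\t3600\tIN\tA\t199.4.138.53
ns.icann.org.\t\t3600\tIN\tRRSIG\tA 7 3 3600 20170914022301 20170824010741 56445
icann.org. DFfGY0h65bDzMHNSkf9cmM8vHbIeOyupdw5HeagBiWzQMAbzvtc4w5et
"""
DO_RUN = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30814
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.icann.org.\t\t\tIN\tA
"""
CD_RUN = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53618
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 7
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.icann.org.\t\t\tIN\tA
;; ANSWER SECTION:
www.icann.org.\t\t3386\tIN\tCNAME\twww.vip.icann.org.
www.vip.icann.org.\t30\tIN\tA\t192.0.32.7
;; AUTHORITY SECTION:
vip.icann.org.\t\t3382\tIN\tNS\tgtm1.dc.icann.org.
vip.icann.org.\t\t3382\tIN\tNS\tgtm1.mdr.icann.org.
vip.icann.org.\t\t3382\tIN\tNS\tgtm1.lax.icann.org.
"""

if __name__ == "__main__":
    do_run, cd_run = parse_dig(DO_RUN), parse_dig(CD_RUN)
    print("www.icann.org:", classify(do_run, cd_run), zones_to_check(cd_run))
    ok = parse_dig(OK_RUN)
    print("ns.icann.org:", classify(ok, ok))
```

Run against the post's outputs, the www.icann.org pair is reported as a validation failure with www.vip.icann.org. pointing at the delegated zone vip.icann.org., while the ns.icann.org run (NOERROR with the ad flag) is reported as validated. To use it on a live resolver, capture `dig @resolver name A +dnssec` and `dig @resolver name A +cd` into two files and feed their contents to parse_dig.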