Issue with DNSSEC (BIND 9.10.3-P4-Raspbian <id:ebd72b3>)

Dirk Gottschalk dirk.gottschalk1980 at googlemail.com
Sat Sep 30 00:08:05 UTC 2017


Hello,

I'm trying to turn my local DNS server into a DNSSEC validating name server.

The bind.keys file is available and I set dnssec-validation and dnssec-lookaside to auto.

But every time I try to resolve a name (denic.de for example) I get a
SERVFAIL with dig. Turning the above options off and using dig with the
+dnssec option, I can see RRSIG for the domain and for the root server.

The log tells me the following: (snipped)
30-Sep-2017 01:26:50.508 dnssec: validating www.denic.de/A: starting
30-Sep-2017 01:26:50.508 dnssec: validating www.denic.de/A: attempting
positive response validation
30-Sep-2017 01:26:50.508 dnssec: validating www.denic.de/A: get_key:
creating fetch for denic.de DNSKEY
30-Sep-2017 01:26:50.530 dnssec: validating denic.de/DNSKEY: starting
30-Sep-2017 01:26:50.530 dnssec: validating denic.de/DNSKEY: attempting
positive response validation
30-Sep-2017 01:26:50.531 dnssec: validating denic.de/DNSKEY:
validatezonekey: creating fetch for denic.de DS
30-Sep-2017 01:26:50.534 dnssec: validating ./NS: starting
30-Sep-2017 01:26:50.534 dnssec: validating ./NS: attempting insecurity
proof
30-Sep-2017 01:26:50.534 dnssec: validating ./NS: insecurity proof
failed
30-Sep-2017 01:26:50.534 dnssec: validating ./NS: got insecure
response; parent indicates it should be secure
30-Sep-2017 01:26:50.534 dnssec: validator @0x7164ea70:
dns_validator_destroy
30-Sep-2017 01:26:50.552 dnssec: validating denic.de/DS: starting
30-Sep-2017 01:26:50.552 dnssec: validating denic.de/DS: attempting
positive response validation
30-Sep-2017 01:26:50.552 dnssec: validating denic.de/DS: get_key:
creating fetch for de DNSKEY
30-Sep-2017 01:26:50.577 dnssec: validating ./NS: starting
30-Sep-2017 01:26:50.577 dnssec: validating ./NS: attempting insecurity
proof
30-Sep-2017 01:26:50.578 dnssec: validating ./NS: insecurity proof
failed
30-Sep-2017 01:26:50.578 dnssec: validating ./NS: got insecure
response; parent indicates it should be secure
30-Sep-2017 01:26:50.578 dnssec: validator @0x70623a00:
dns_validator_destroy
30-Sep-2017 01:26:50.595 dnssec: validating de/DNSKEY: starting
30-Sep-2017 01:26:50.595 dnssec: validating de/DNSKEY: attempting
insecurity proof
30-Sep-2017 01:26:50.595 dnssec: validating de/DNSKEY: checking
existence of DS at 'de'
30-Sep-2017 01:26:50.595 dnssec: validating de/DNSKEY: proveunsecure:
creating fetch for de DS
30-Sep-2017 01:26:50.614 dnssec: validating de/DS: starting
30-Sep-2017 01:26:50.614 dnssec: validating de/DS: attempting positive
response validation
30-Sep-2017 01:26:50.614 dnssec: validating de/DS: keyset with trust
secure
30-Sep-2017 01:26:50.615 dnssec: validating de/DS: verify rdataset
(keyid=15768): success
30-Sep-2017 01:26:50.615 dnssec: validating de/DS: marking as secure,
noqname proof not needed
30-Sep-2017 01:26:50.615 dnssec: validator @0x70623a00:
dns_validator_destroy
30-Sep-2017 01:26:50.615 dnssec: validating de/DNSKEY: in dsfetched2:
success
30-Sep-2017 01:26:50.616 dnssec: validating de/DNSKEY: resuming
proveunsecure
30-Sep-2017 01:26:50.616 dnssec: validating de/DNSKEY: insecurity proof
failed
30-Sep-2017 01:26:50.616 dnssec: validator @0x70410b18:
dns_validator_destroy
30-Sep-2017 01:26:50.654 dnssec: validating de/DNSKEY: starting
30-Sep-2017 01:26:50.654 dnssec: validating de/DNSKEY: attempting
insecurity proof
30-Sep-2017 01:26:50.654 dnssec: validating de/DNSKEY: checking
existence of DS at 'de'
30-Sep-2017 01:26:50.654 dnssec: validating de/DNSKEY: insecurity proof
failed
30-Sep-2017 01:26:50.654 dnssec: validating de/DNSKEY: got insecure
response; parent indicates it should be secure
30-Sep-2017 01:26:50.654 dnssec: validator @0x70505c00:
dns_validator_destroy
30-Sep-2017 01:26:50.751 dnssec: validating denic.de/DS: in
fetch_callback_validator
30-Sep-2017 01:26:50.751 dnssec: validating denic.de/DS:
fetch_callback_validator: got SERVFAIL
30-Sep-2017 01:26:50.751 dnssec: validator @0x706280c8:
dns_validator_destroy
30-Sep-2017 01:26:50.751 dnssec: validating denic.de/DNSKEY: in
dsfetched
30-Sep-2017 01:26:50.751 dnssec: validating denic.de/DNSKEY: dsfetched:
got broken trust chain
30-Sep-2017 01:26:50.751 dnssec: validator @0x7164da58:
dns_validator_destroy
30-Sep-2017 01:26:50.752 dnssec: validating www.denic.de/A: in
fetch_callback_validator
30-Sep-2017 01:26:50.752 dnssec: validating www.denic.de/A:
fetch_callback_validator: got broken trust chain
30-Sep-2017 01:26:50.752 dnssec: validator @0x70504180:
dns_validator_destroy

The bind.keys file is correct.

Does somebody have a clue?

Thanks,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350
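As an added diagnostic (not part of Dirk's message or of BIND itself), here is a small Python parser for the dnssec-category log lines of the kind shown above: it records the first terminal verdict per name/type and the key id that verified each RRset, and reports the earliest owner that did not end up secure. The embedded sample log is a constructed subset of the lines in the post.

```python
import re

# Constructed sample: a subset of the BIND "dnssec" log lines from the post.
SAMPLE_LOG = """\
30-Sep-2017 01:26:50.508 dnssec: validating www.denic.de/A: starting
30-Sep-2017 01:26:50.534 dnssec: validating ./NS: starting
30-Sep-2017 01:26:50.534 dnssec: validating ./NS: got insecure response; parent indicates it should be secure
30-Sep-2017 01:26:50.615 dnssec: validating de/DS: verify rdataset (keyid=15768): success
30-Sep-2017 01:26:50.615 dnssec: validating de/DS: marking as secure, noqname proof not needed
30-Sep-2017 01:26:50.654 dnssec: validating de/DNSKEY: got insecure response; parent indicates it should be secure
30-Sep-2017 01:26:50.751 dnssec: validating denic.de/DS: fetch_callback_validator: got SERVFAIL
30-Sep-2017 01:26:50.751 dnssec: validating denic.de/DNSKEY: dsfetched: got broken trust chain
30-Sep-2017 01:26:50.752 dnssec: validating www.denic.de/A: fetch_callback_validator: got broken trust chain
"""

# "<date> <time> dnssec: validating <name>/<type>: <event>"; other dnssec lines
# (e.g. "validator @0x...: dns_validator_destroy") are ignored.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) dnssec: validating (?P<name>\S+)/(?P<rtype>[A-Z0-9]+): (?P<event>.*)$")

# Terminal validator messages seen in the post, mapped to a short verdict.
VERDICTS = [
    ("marking as secure", "secure"),
    ("parent indicates it should be secure", "insecure-but-parent-has-DS"),
    ("got broken trust chain", "broken-trust-chain"),
    ("got SERVFAIL", "servfail"),
]

def parse_lines(text):
    """Yield (timestamp, 'name/type', event) for each validator line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m["ts"], f"{m['name']}/{m['rtype']}", m["event"]

def summarize(text):
    """Return ({'name/type': verdict}, {'name/type': keyid}) using the first
    terminal event per owner; verdicts keep the order in which they occurred."""
    verdicts, keys = {}, {}
    for _ts, owner, event in parse_lines(text):
        km = re.search(r"verify rdataset \(keyid=(\d+)\): success", event)
        if km:
            keys[owner] = int(km.group(1))
        if owner in verdicts:
            continue
        for needle, verdict in VERDICTS:
            if needle in event:
                verdicts[owner] = verdict
                break
    return verdicts, keys

def root_cause(text):
    """Earliest owner whose validation did not end secure (./NS in the post),
    i.e. where to start looking before the downstream 'broken trust chain'."""
    verdicts, _keys = summarize(text)
    return next(((o, v) for o, v in verdicts.items() if v != "secure"), None)
```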