unresolvable pms.psc.gov, but google/cloudflare/unbound work

Matthew Richardson matthew-l at itconsult.co.uk
Sun Aug 22 17:57:44 UTC 2021

It looks slightly more subtle than a straight failure.  There is a DS
record in psc.gov pointing to key 180 in ha.psc.gov:-

>ha.psc.gov.             56      IN      DS      180 7 1 8A631C83457F4BDB3C450A725DFDB267C4BAC1CC

This points correctly to the key.  However, digest algorithm 1 is now either
prohibited or discouraged.  Worse, there is also a DS:-

>ha.psc.gov.             56      IN      DS      39093 7 2 DD956C9568726B6EEED24D9814F0EC0D2BD119CF4B8A6352A4BF6968 0880E8E7

where key 39093 does not exist in ha.psc.gov.

Buried in the mass of errors & warnings, dnsviz says:-

>ha.psc.gov/DS (alg 7, id 180): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset.

With both Bind & Unbound, I get SERVFAIL.  However, other resolvers may be
more tolerant of algorithm 1 DS records, in which case they may decide that
the answer is "valid".

In any event, it needs fixing.

However, to answer the OP's question, the solution is to use a "negative
trust anchor":-

># rndc nta -lifetime 1d ha.psc.gov
>Negative trust anchor added: ha.psc.gov/_default, expires 23-Aug-2021 18:55:13.000

which then allowed my Bind to resolve it.

Best wishes,

>From: "John W. Blue via bind-users" <bind-users at lists.isc.org>
>To: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
>Date: Sun, 22 Aug 2021 16:24:41 +0000
>Subject: Re: unresolvable pms.psc.gov, but google/cloudflare/unbound work

>You're using the wrong tools to troubleshoot or investigate this error.
>Instead of relying upon resolvers to provide situational awareness you need to inspect DNSSEC itself using dnsviz.net:
>psc.gov is giving the world ID 5089 when they need to be handing out ID 180.
>Recommend the pms.psc.gov admins give the psc.gov admins the correct hash.
>From: Roger Hammerstein <cheeky.m at gmx.com>
>Sent: Sunday, August 22, 2021 9:45 AM
>To: bind-users at lists.isc.org
>Subject: unresolvable pms.psc.gov, but google/cloudflare/unbound work
>pms.psc.gov appears to be unresolvable against bind9.16.19
>and 9.11.34 because of dnssec issues.
>But it resolves against Cloudflare's, Google's, and an Unbound
>resolver that does dnssec-validation.
>There's a ticket open with nih.gov to look into it, but is there anything that can
>be changed with Bind to make this domain resolve in the meantime?
> (pms.psc.gov): query failed (SERVFAIL) for pms.psc.gov/IN/A at query.c:8678
> dig a pms.psc.gov @
>pms.psc.gov.            2852    IN      CNAME   pms.ha.psc.gov.
>pms.ha.psc.gov.         29      IN      A
>dig a pms.psc.gov @ +dnssec
>pms.psc.gov.            2835    IN      CNAME   pms.ha.psc.gov.
>pms.psc.gov.            2835    IN      RRSIG   CNAME 8 3 3600 20210827000144 20210821230144 5089 psc.gov. kpclRfRyBqaSGW6VrpkE4gP/QPfggKZTVb68npiosnt+4lIUglUxino5 jQAqd9a1p8HbdHG63HPnfYYBq1bX9q/f11CVUmxXXJUbRBGTZBnDyATP LLI2GWSZ1at364O+C+iZozi8NpJNU4oTCfd3PLScFbOfSGbPyRfUzfvB AJc=
>pms.ha.psc.gov.         29      IN      A
>pms.ha.psc.gov.         29      IN      RRSIG   A 7 4 30 20210827185442 20210820185442 21380 ha.psc.gov. w2XUqBVoBMtLv0qfc5xmccrpv+w2ukwGfaGJvthIKHXr2SdlAk3oQxve xyolEaj2zWn8Uj7lOsaZD8mewBMQ3iEEp8U96aFBslWV/ffEKL+H9oMM sUNU5KwNi7/Nk3KZuNc8R3xxuYTsSVdbu6ai1lQ6fmw2uWAoDP9YIqek jyo/0WFSXM+hxw/5WguijhilSRIywNgG3/6MY3ZmunPPafGTCTXigyex IBACJQJ+meD6vMi0YoRM17mwdD+7Buq2cb6LJyVYaQImh7M2gF8My75n lDns4PWEIx4bSW2uQQEPpB7MA9VI9y5CuVCmqC3wMZ2ow6G8pkaf18wv r/ucSQ==
>I can sometimes get a servfail out of with an any query
>dig any pms.psc.gov @ +dnssec
>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36332
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>; EDNS: version: 0, flags: do; udp: 512
>;pms.psc.gov.                   IN      ANY
>;; Query time: 5001 msec
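The digest-type rule quoted from dnsviz above, worked through as an added Python example (this is not BIND's, Unbound's or dnsviz's code): it computes RFC 4034 key tags and DS digests, applies the RFC 4509 rule that SHA-1 DS records are ignored when a SHA-256 DS is present, and runs a validator-style DS/DNSKEY match over a constructed RRset shaped like the ha.psc.gov one. The DNSKEY bytes, the all-zero orphan digest and every function name are assumptions; only the zone name, the "key id 39093 with no matching DNSKEY" pattern and the algorithm number 7 come from the thread.

```python
"""Reproduce, on constructed data, why a DS RRset with a matching SHA-1 DS
and a non-matching SHA-256 DS validates as bogus (RFC 4034 key tags and DS
digests, RFC 4509 SHA-1 demotion). Hypothetical helper code, not BIND's."""
import hashlib
import struct

DIGEST_SHA1 = 1     # DS digest type 1
DIGEST_SHA256 = 2   # DS digest type 2
DIGEST_ALGOS = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root label."""
    wire = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").lower().split(".") if label)
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = H(canonical owner name || DNSKEY RDATA), uppercase hex as dig prints it."""
    return DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner, rdata, digest_type):
    """Build the DS record a parent would publish for this DNSKEY."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def usable_ds(ds_rrset):
    """RFC 4509 section 3: SHA-1 DS records are ignored when any SHA-256 DS is present."""
    has_sha256 = any(ds["digest_type"] == DIGEST_SHA256 for ds in ds_rrset)
    return [ds for ds in ds_rrset
            if not (has_sha256 and ds["digest_type"] == DIGEST_SHA1)]


def check_delegation(owner, ds_rrset, dnskey_rrset):
    """Return (secure, notes). secure is True when at least one usable DS matches a
    child DNSKEY on key tag, algorithm and digest; otherwise the chain is bogus."""
    notes, matched = [], False
    usable = usable_ds(ds_rrset)
    for ds in ds_rrset:
        if ds not in usable:
            notes.append(f"DS id {ds['key_tag']} digest type 1 ignored (SHA-256 DS present)")
    for ds in usable:
        tag, dtype = ds["key_tag"], ds["digest_type"]
        candidates = [k for k in dnskey_rrset
                      if key_tag(k) == tag and k[3] == ds["algorithm"]]
        if not candidates:
            notes.append(f"DS id {tag} digest type {dtype}: no such DNSKEY in child zone")
        elif any(ds_digest(owner, k, dtype) == ds["digest"] for k in candidates):
            notes.append(f"DS id {tag} digest type {dtype}: matches DNSKEY")
            matched = True
        else:
            notes.append(f"DS id {tag} digest type {dtype}: digest mismatch")
    return matched, notes


ZONE = "ha.psc.gov."
# Constructed stand-in for the zone's KSK (algorithm 7); not the real key material.
REAL_KSK = dnskey_rdata(257, 3, 7, b"\x03\x01\x00\x01" + bytes(range(64)))
DNSKEYS = [REAL_KSK]


def broken_ds_rrset():
    """Shape of the RRset in the thread: a SHA-1 DS for the real key plus a SHA-256 DS
    for a key id that does not exist (its digest is constructed, all zeros)."""
    orphan = {"key_tag": 39093, "algorithm": 7, "digest_type": DIGEST_SHA256,
              "digest": "00" * 32}
    return [make_ds(ZONE, REAL_KSK, DIGEST_SHA1), orphan]


def fixed_ds_rrset():
    """Remediation: the parent also publishes a SHA-256 DS for the key that exists."""
    return broken_ds_rrset() + [make_ds(ZONE, REAL_KSK, DIGEST_SHA256)]


if __name__ == "__main__":
    for label, rrset in (("broken", broken_ds_rrset()), ("fixed", fixed_ds_rrset())):
        secure, notes = check_delegation(ZONE, rrset, DNSKEYS)
        print(f"{label}: {'secure' if secure else 'bogus'}")
        for note in notes:
            print("  " + note)
```

Run stand-alone it prints the broken RRset as bogus (the SHA-1 DS is discarded, the SHA-256 DS matches no key) and the fixed RRset as secure, which is the same outcome a strict validator reaches; a resolver that does not demote SHA-1 would accept the first set, which is why the thread sees different answers from different resolvers.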

