unresolvable pms.psc.gov, but google/cloudflare/unbound work
Matthew Richardson
matthew-l at itconsult.co.uk
Sun Aug 22 17:57:44 UTC 2021
It looks slightly more subtle than a straight failure. There is a DS
record in psc.gov pointing to key 180 in ha.psc.gov:-
>ha.psc.gov. 56 IN DS 180 7 1 8A631C83457F4BDB3C450A725DFDB267C4BAC1CC
This points correctly to the key. However digest algorith 1 is now either
prohibited or discouraged. Worse there is also a DS:-
>ha.psc.gov. 56 IN DS 39093 7 2 DD956C9568726B6EEED24D9814F0EC0D2BD119CF4B8A6352A4BF6968 0880E8E7
where key 39093 does not exist in ha.psc.gov.
Buried in the mass of errors & warnings, dnsvis says:-
>ha.psc.gov/DS (alg 7, id 180): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset.
With both Bind & Unbound, I get SERVFAIL. However, other resolvers may be
more tolerant of algorithm 1 DS records, in which case they may decide that
the answer is "valid".
In any event, it needs fixing.
However, to answer the OP's question, the solution is to use a "negative
trust anchor":-
># rndc nta -lifetime 1d ha.psc.gov
>Negative trust anchor added: ha.psc.gov/_default, expires 23-Aug-2021 18:55:13.000
which then allowed my Bind to resolve it.
Best wishes,
Matthew
------
>From: "John W. Blue via bind-users" <bind-users at lists.isc.org>
>To: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
>Cc:
>Date: Sun, 22 Aug 2021 16:24:41 +0000
>Subject: Re: unresolvable pms.psc.gov, but google/cloudflare/unbound work
>Your using the wrong tools to troubleshoot or investigate this error.
>
>Instead of relying upon resolvers to provide situational awareness you need to inspect DNSSEC itself using dnsviz.net:
>
>https://dnsviz.net/d/pms.psc.gov/dnssec/
>
>psc.gov is giving the world ID 5089 when they need to handing out ID 180.
>
>Recommend the pms.psc.gov admins give the psc.gov admins the correct hash.
>
>Sent from Nine<http://www.9folders.com/>
>________________________________
>From: Roger Hammerstein <cheeky.m at gmx.com>
>Sent: Sunday, August 22, 2021 9:45 AM
>To: bind-users at lists.isc.org
>Subject: unresolvable pms.psc.gov, but google/cloudflare/unbound work
>
>
>pms.psc.gov appears to be unresolvable against bind9.16.19
>and 9.11.34 because of dnssec issues.
>But it resolves against Cloudflare's 1.1.1.1, Google's 8.8.8.8, and an Unbound
>resolver that does dnssec-validation.
>
>There's a ticket open with nih.gov to look into it, but is there anything that can
>be changed with Bind to make this domain resolve in the meantime?
>
> (pms.psc.gov): query failed (SERVFAIL) for pms.psc.gov/IN/A at query.c:8678
>
>https://dnsviz.net/d/pms.psc.gov/dnssec/
>https://dnssec-analyzer.verisignlabs.com/pms.psc.gov
>
> dig a pms.psc.gov @8.8.8.8
>pms.psc.gov. 2852 IN CNAME pms.ha.psc.gov.
>pms.ha.psc.gov. 29 IN A 156.40.178.24
>
>
>
>dig a pms.psc.gov @8.8.8.8 +dnssec
>
>;; ANSWER SECTION:
>pms.psc.gov. 2835 IN CNAME pms.ha.psc.gov.
>pms.psc.gov. 2835 IN RRSIG CNAME 8 3 3600 20210827000144 20210821230144 5089 psc.gov. kpclRfRyBqaSGW6VrpkE4gP/QPfggKZTVb68npiosnt+4lIUglUxino5 jQAqd9a1p8HbdHG63HPnfYYBq1bX9q/f11CVUmxXXJUbRBGTZBnDyATP LLI2GWSZ1at364O+C+iZozi8NpJNU4oTCfd3PLScFbOfSGbPyRfUzfvB AJc=
>pms.ha.psc.gov. 29 IN A 156.40.178.24
>pms.ha.psc.gov. 29 IN RRSIG A 7 4 30 20210827185442 20210820185442 21380 ha.psc.gov. w2XUqBVoBMtLv0qfc5xmccrpv+w2ukwGfaGJvthIKHXr2SdlAk3oQxve xyolEaj2zWn8Uj7lOsaZD8mewBMQ3iEEp8U96aFBslWV/ffEKL+H9oMM sUNU5KwNi7/Nk3KZuNc8R3xxuYTsSVdbu6ai1lQ6fmw2uWAoDP9YIqek jyo/0WFSXM+hxw/5WguijhilSRIywNgG3/6MY3ZmunPPafGTCTXigyex IBACJQJ+meD6vMi0YoRM17mwdD+7Buq2cb6LJyVYaQImh7M2gF8My75n lDns4PWEIx4bSW2uQQEPpB7MA9VI9y5CuVCmqC3wMZ2ow6G8pkaf18wv r/ucSQ==
>
>
>
>
>I can sometimes get a servfail out of 8.8.8.8 with an any query
>dig any pms.psc.gov @8.8.8.8 +dnssec
>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36332
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>;; OPT PSEUDOSECTION:
>; EDNS: version: 0, flags: do; udp: 512
>;; QUESTION SECTION:
>;pms.psc.gov. IN ANY
>;; Query time: 5001 msec
More information about the bind-users
mailing list