<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 7/12/2023 1:53 am, Bhangui, Sandeep
- BLS CTR via bind-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:BY3PR09MB8658F32610DCC4043308651DEF84A@BY3PR09MB8658.namprd09.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal">Hi</p>
<p class="MsoNormal">It seems the DNSSEC delegation is broken
from “.gov” to the <span style="background:yellow;mso-highlight:yellow">bls.gov</span>
domain, because of which the records for bls.gov are considered bogus
and we are having issues at our site.</p>
<p class="MsoNormal">It looks like we were in the process of a KSK
rollover and that may have caused the issue, as things were fine till
yesterday.</p>
<p class="MsoNormal">As we troubleshoot this issue, I was wondering
whether, from our master DNS server, we can use some option in
named.conf so that DNSSEC verification is NOT done for any bls.gov DNS
lookups from outside, to get a quick fix to this problem.</p>
<p class="MsoNormal">Currently DNS lookups from outside are flaky, and
I believe the reason behind that is that the DNSSEC delegation is
broken.</p>
<p class="MsoNormal">From the output at dnsviz.net analyzing bls.gov,
it seems that the KSK rollover for bls.gov is the issue.</p>
<p class="MsoNormal">Basically, I am trying to see if I can get a quick
interim fix till we resolve the issue correctly.</p>
<p class="MsoNormal">Please advise.</p>
<p class="MsoNormal">Thanks</p>
<p class="MsoNormal">Sandeep</p>
</div>
</blockquote>
<p>Hi Sandeep.</p>
<p>Probably the simplest workaround for a broken chain of trust would
be to remove your zone's DS records from the parent zone.</p>
<blockquote>
<pre>$ dig -t ds bls.gov
; &lt;&lt;&gt;&gt; DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu &lt;&lt;&gt;&gt; -t ds bls.gov
;; global options: +cmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 27975
;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;bls.gov. IN DS
;; ANSWER SECTION:
bls.gov. 0 IN DS 50951 8 2 E6B0A294066904F20A2B8EBA3FA9920F9A1822802977F59D706B30A1 77F7DC0C
;; Query time: 0 msec
;; SERVER: 172.20.192.1#53(172.20.192.1) (UDP)
;; WHEN: Thu Dec 07 09:01:33 NZDT 2023
;; MSG SIZE rcvd: 80
</pre>
</blockquote>
<p>I could be wrong, but based on the output above it looks like the
current TTL is 0, which means that doing this should provide
immediate relief.</p>
<p>Add a new DS record once you've fixed your KSK issues.<br>
</p>
<p>Nick.<br>
</p>
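<p>The failure Nick is working around is a parent-side DS record that no longer matches any KSK the child publishes in its DNSKEY RRset, which is what a validator reports as "bogus" during a mis-sequenced KSK rollover. The following is an added example, not code from this thread or from BIND: it computes the DS a parent would have to publish for a given DNSKEY (RFC 4034, key tag and digest over owner name plus RDATA) and checks whether any published DS matches any child key. The DS line is the one from the dig output above; the DNSKEY is a constructed placeholder key (flags 257, algorithm 8, four bytes of key material), not bls.gov's real key.</p>

```python
"""Check parent-side DS records against child-side DNSKEYs (RFC 4034).

Added example for the bind-users exchange above; not code from the thread
or from BIND. The DNSKEY used below is a constructed placeholder, not the
real bls.gov key.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# The DS record as shown by dig in the thread (digest split by whitespace).
PARENT_DS_LINE = ("bls.gov. 0 IN DS 50951 8 2 "
                  "E6B0A294066904F20A2B8EBA3FA9920F9A1822802977F59D706B30A1 77F7DC0C")

# Constructed placeholder KSK in presentation format; key bytes 01 02 03 04.
CONSTRUCTED_KSK_LINE = "bls.gov. 3600 IN DNSKEY 257 3 8 AQIDBA=="


def name_to_wire(owner):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    owner = owner.rstrip(".").lower()
    if owner == "":
        return b"\x00"
    wire = b""
    for label in owner.split("."):
        raw = label.encode("ascii")
        wire += struct.pack("B", len(raw)) + raw
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (every algorithm except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i % 2 else byte * 256
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_to_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """DS tuple (key_tag, algorithm, digest_type, DIGEST_HEX) the parent must
    publish for this DNSKEY: digest over owner-name wire form plus RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, digest_type, digest.upper())


def parse_ds_line(line):
    """Parse a DS record in dig presentation format; the digest may be split
    across several whitespace-separated chunks, as in the output above."""
    fields = line.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return (tag, alg, dtype, "".join(fields[i + 4:]).upper())


def parse_dnskey_line(line):
    """Parse a DNSKEY record in presentation format to (flags, proto, alg, key)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    return (flags, proto, alg, base64.b64decode("".join(fields[i + 4:])))


def delegation_intact(parent_ds_lines, child_dnskeys, owner):
    """True when at least one parent DS matches a child DNSKEY. A rollover that
    publishes a new KSK before the parent's DS is updated, or drops the old KSK
    while its DS is still published, yields False: the 'bogus' state."""
    published = {parse_ds_line(line) for line in parent_ds_lines}
    for flags, proto, alg, pubkey in child_dnskeys:
        for dtype in DIGEST_ALGS:
            if dnskey_to_ds(owner, flags, proto, alg, pubkey, dtype) in published:
                return True
    return False


if __name__ == "__main__":
    ksk = parse_dnskey_line(CONSTRUCTED_KSK_LINE)
    print("DS needed for placeholder key:", dnskey_to_ds("bls.gov.", *ksk))
    print("chain intact:", delegation_intact([PARENT_DS_LINE], [ksk], "bls.gov."))
```

<p>Run against real data, feed <code>parent_ds_lines</code> from <code>dig -t ds bls.gov</code> at the parent and <code>child_dnskeys</code> from <code>dig -t dnskey bls.gov</code> at the child's authoritative servers; a <code>False</code> result is exactly the mismatch dnsviz flags, and once the DS is withdrawn (Nick's suggestion) the check is moot because the zone becomes insecure rather than bogus.</p>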
</body>
</html>