I get a SERVFAIL when trying to resolve ".gov":

% dig +dnssec @127.0.0.1 SOA gov.

; <<>> DiG 9.5.1-P1 <<>> +dnssec @127.0.0.1 SOA gov.
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54920
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;gov.                           IN      SOA

;; Query time: 784 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May  5 20:31:54 2009
;; MSG SIZE  rcvd: 32

This is a BIND 9.5.1-P1, Debian package. It is configured to use ISC's
DLV:

        dnssec-enable yes;
        dnssec-lookaside . trust-anchor dlv.isc.org.; 

Other signed TLDs such as ".cz" or ".pr" create no problems.

With Unbound, which also uses the same DLV, things seem to work so I
suspect a BIND bug. Restarting the name server does not seem to help.

Here is the log:

05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: starting
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: looking for DLV
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: plain DNSSEC returns unsecure (.): looking for DLV
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: looking for DLV gov.dlv.isc.org
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: DLV gov found
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: dlv_validator_start
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: restarting using DLV
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: attempting positive response validation
05-May-2009 20:29:50.425 dnssec: info: validating @0x7ff090d763d0: gov SOA: no valid signature found
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: falling back to insecurity proof
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: insecurity proof failed
05-May-2009 20:29:50.425 dnssec: debug 3: validator @0x7ff090d763d0: dns_validator_destroy
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
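
For triaging logs like the one in this message, the following added example (not part of the original post and not ISC code) groups BIND `dnssec` category lines by validator address and reports whether the validator went through DLV and where it failed. The function name `summarize` and the result keys are assumptions made for this sketch; the sample log is reconstructed from the lines quoted above.

```python
import re

# Constructed sample: the validator messages from the post, one per line.
SAMPLE_LOG = """\
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: starting
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: looking for DLV
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: plain DNSSEC returns unsecure (.): looking for DLV
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: looking for DLV gov.dlv.isc.org
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: DLV gov found
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: dlv_validator_start
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: restarting using DLV
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: attempting positive response validation
05-May-2009 20:29:50.425 dnssec: info: validating @0x7ff090d763d0: gov SOA: no valid signature found
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: falling back to insecurity proof
05-May-2009 20:29:50.425 dnssec: debug 3: validating @0x7ff090d763d0: gov SOA: insecurity proof failed
05-May-2009 20:29:50.425 dnssec: debug 3: validator @0x7ff090d763d0: dns_validator_destroy
"""

# timestamp, category, level, validator address, optional "name type:", message
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) dnssec: (?P<level>debug \d+|info): "
    r"validat(?:ing|or) @(?P<addr>0x[0-9a-f]+): "
    r"(?:(?P<name>\S+) (?P<rtype>\S+): )?(?P<msg>.+)$"
)

def summarize(log_text):
    """Return {validator address: summary of its validation attempt}."""
    validators = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a validator line
        v = validators.setdefault(
            m["addr"], {"query": None, "dlv_name": None, "steps": []})
        if m["name"]:
            v["query"] = f'{m["name"]} {m["rtype"]}'
        if m["msg"].startswith("looking for DLV "):
            v["dlv_name"] = m["msg"].split()[-1]  # name queried in the DLV zone
        v["steps"].append(m["msg"])
    for v in validators.values():
        v["via_dlv"] = "restarting using DLV" in v["steps"]
        v["signature_rejected"] = "no valid signature found" in v["steps"]
        v["failed"] = "insecurity proof failed" in v["steps"]
    return validators
```
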
