Re: Tracking down validation failures

Mark Andrews Sun, 14 Jun 2009 16:34:36 -0700

In message <prayer.1.3.1.0906132001200.29...@hermes-2.csi.cam.ac.uk>, Chris Tho
mpson writes:
> On Jun 12 20009, I wrote:
> 
> [...]
> >The debug level 2 messages, which correspond to SERVFAILs, are all
> >associated with "8.84.in-addr.arpa", and it does seem that something
> >is wrong with the (signed) delegation of that from "84.in-addr.arpa".
> >I can reproduce the SERVFAIL effect on other validating nameservers.
> 
> Just to expand on that a bit: the DS record in the parent zone correctly
> describes the KSK in the child zone, and the RRSIGs in 8.84.in-addr.arpa
> appear to be correct ... except that they all expired over 15 months ago!
> 
> -- 
> Chris Thompson
> Email: c...@cam.ac.uk


Which you can see if you add "+cd" to the query.

; <<>> DiG 9.3.6-P1 <<>> +dnssec 8.84.in-addr.arpa soa +cd
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22303
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;8.84.in-addr.arpa.             IN      SOA

;; ANSWER SECTION:
8.84.in-addr.arpa.      10750   IN      SOA     aons2.alwaysonvpn.net. 
techsupport.alwaysongroup.com. 2008020803 86400 7200 3600000 172800
8.84.in-addr.arpa.      10750   IN      RRSIG   SOA 5 4 10800 20080309140727 
20080208140727 5526 8.84.in-addr.arpa. 
Lto5pkqGRLMB02ROqhR1gtxJa2MT6DD94S0umcFg7NqI/o1XuX9bSvtj 
9XrG2Xoaz1bn3cLhWElj3QzfqUgZ2Fr/sD9r6STr5nf0BA6z7i3PKyZ/ 
I5oQX7pagEs6FF0fnx+vOD3TTjki2zwEPCylvH4Ije3u3w/+HT69WxvH HDE=

;; AUTHORITY SECTION:
8.84.in-addr.arpa.      172735  IN      NS      aons1.alwaysonvpn.net.
8.84.in-addr.arpa.      172735  IN      NS      aons2.alwaysonvpn.net.
8.84.in-addr.arpa.      172735  IN      NS      ns.ripe.net.
8.84.in-addr.arpa.      10750   IN      RRSIG   NS 5 4 10800 20080309140727 
20080208140727 5526 8.84.in-addr.arpa. 
KWR7lDQ6RhdzapN92rRBTxTS+sgV79s6d4eedDs3qzT7bzIitNVW/9hq 
cfaGPtOj4u6+nl5RWFCV+pbsGivljikyt4mkCWsDI1m6V9sdLZY8Zwrb 
hfa9c2/bm2kjl5HnMMS9dqYlv0xYgoAuV50MJCc8J88TSEgegszF/V7B qM8=

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jun 15 09:25:44 2009
;; MSG SIZE  rcvd: 542

Or run "dig +trace +dnssec 130.40.8.84.in-addr.arpa ptr" as it talks to the
authoritative servers directly.

; <<>> DiG 9.3.6-P1 <<>> +trace +dnssec 130.40.8.84.in-addr.arpa ptr
;; global options:  printcmd
.                       174475  IN      NS      b.root-servers.net.
.                       174475  IN      NS      i.root-servers.net.
.                       174475  IN      NS      e.root-servers.net.
.                       174475  IN      NS      l.root-servers.net.
.                       174475  IN      NS      h.root-servers.net.
.                       174475  IN      NS      f.root-servers.net.
.                       174475  IN      NS      k.root-servers.net.
.                       174475  IN      NS      d.root-servers.net.
.                       174475  IN      NS      g.root-servers.net.
.                       174475  IN      NS      a.root-servers.net.
.                       174475  IN      NS      j.root-servers.net.
.                       174475  IN      NS      c.root-servers.net.
.                       174475  IN      NS      m.root-servers.net.
;; Received 599 bytes from 127.0.0.1#53(127.0.0.1) in 3 ms

84.in-addr.arpa.        86400   IN      NS      SEC1.APNIC.NET.
84.in-addr.arpa.        86400   IN      NS      SEC3.APNIC.NET.
84.in-addr.arpa.        86400   IN      NS      SUNIC.SUNET.SE.
84.in-addr.arpa.        86400   IN      NS      NS-PRI.RIPE.NET.
84.in-addr.arpa.        86400   IN      NS      TINNIE.ARIN.NET.
84.in-addr.arpa.        86400   IN      NS      NS3.NIC.FR.
;; Received 204 bytes from 192.228.79.201#53(b.root-servers.net) in 166 ms

8.84.in-addr.arpa.      172800  IN      NS      ns.ripe.net.
8.84.in-addr.arpa.      172800  IN      NS      aons1.alwaysonvpn.net.
8.84.in-addr.arpa.      172800  IN      NS      aons2.alwaysonvpn.net.
8.84.in-addr.arpa.      172800  IN      DS      38131 5 1 
CD1F73DC774814A06F96F8483524BFF696EC3573
8.84.in-addr.arpa.      172800  IN      RRSIG   DS 5 4 172800 20090714213622 
20090614213622 14538 84.in-addr.arpa. 
g0Qt2S26GxtLbGW8XmtpxrGcZZg4uIyE/re0vVg6A5oa1fDb7xH8uI5t 
nL/u9YMtzDmk9bC8lQOKSlzAF5j9TsSDw9fzLXiKzXRKZRHVW977SLXm 
udHmFjsEu3qujc3I2BLxM/+o/EZtZkzRCkUq2mpxKA0nfPIt9SFMPi5w 
OW3cz6doNvFR7nxrkVcnN/54sREaKRNG
;; Received 363 bytes from 2001:dc0:2001:a:4608::59#53(SEC1.APNIC.NET) in 363 ms

40.8.84.in-addr.arpa.   10800   IN      NS      aons2.alwaysonvpn.net.
40.8.84.in-addr.arpa.   10800   IN      NS      aons1.alwaysonvpn.net.
40.8.84.in-addr.arpa.   172800  IN      NSEC    8.8.84.in-addr.arpa. NS RRSIG 
NSEC
40.8.84.in-addr.arpa.   172800  IN      RRSIG   NSEC 5 5 172800 20080309140727 
20080208140727 5526 8.84.in-addr.arpa. 
HiktSvg8yLJfEhRSGIKSuFwU2GdjDbcOBobwXGv+3UPMsYj1YgLxg89t 
aUDtdGgH3TrV1yXun6HQSApirTQ4Fa7XY+yBQI14jQokW34+IjqDj2Tf 
fCJt0q3K/AjIeDMJfLoXh0r9pjJJWbx+eTwPOmb1bVnprNM3K/fIotdE Ivk=
;; Received 326 bytes from 2001:610:240:0:53::193#53(ns.ripe.net) in 325 ms

130.40.8.84.in-addr.arpa. 10800 IN      PTR     realinsurance.net.
40.8.84.in-addr.arpa.   10800   IN      NS      aons1.alwaysonvpn.net.
40.8.84.in-addr.arpa.   10800   IN      NS      aons2.alwaysonvpn.net.
;; Received 168 bytes from 84.8.2.11#53(aons2.alwaysonvpn.net) in 309 ms

> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Tracking down validation failures

Reply via email to