When diagnosing DNSSEC problems you need to chase the trust chain from DS record to the DNSKEY RRset to the answer RRset.
; <<>> DiG 9.10.0pre-alpha <<>> ds zygo.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65065
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;zygo.com.                      IN      DS

;; ANSWER SECTION:
zygo.com.               76075   IN      DS      53991 7 1 21F6C5AD943229BA42DC9CB383F106EFBA8C36C3
zygo.com.               76075   IN      DS      54396 7 1 812D183E96200482170DD07989E90FA2DABBE12A
zygo.com.               76075   IN      RRSIG   DS 8 2 86400 20130811043747 20130804032747 8795 com. cKYDb9z9EcoVHk4AWohaECz7LwphvX+LGqinfh2H6ZeWz6oWWFMGs8Pc ZAYwh63e7+czbwhfy1LALwBKVRh9ijyg43NW0Ag7ZamQ56yc5k27UiuR x9skNeOLe+CDpfYM9LwbEnPKG2bJhAXAZ9lZEPT/seB5ID23HBwy9jfy wig=

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Aug 07 13:32:49 EST 2013
;; MSG SIZE  rcvd: 272

This tells me that there are two possible DNSKEY records with keyids 53991 and 54396 that self sign the DNSKEY RRset. You need to find at least one of them to have a working secure delegation.

; <<>> DiG 9.10.0pre-alpha <<>> dnskey zygo.com +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16142
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;zygo.com.              IN DNSKEY

;; ANSWER SECTION:
zygo.com.               3048 IN DNSKEY 257 3 7 (
                                AwEAAeGPcXpffVBiKimUNzlzh3V/I9Fz7gDxpPCMAmG8
                                Ka9E4FDniad0iYiUV1fHSJsqxT8+4ShRWHhB/CR0UH6y
                                evD8KZ+o8ymD2HjH0P3MWP+KBQ1a26mOt3jo4JfHd20M
                                nQo1P02s5QtrA1QsouMp1JLm3Iy4rP6dCJT3FFyEpZin
                                bU7cbHQjm1ST9hOq1cDwXExhHQPyx2MQs1z7xjiay9L6
                                hDu58PBId0yvRr0WLbrOVlefkyTO4y7AEY3eFGzlZYXq
                                F4M7W050UG7qqxdgiDWAxtomA0yuR4ZhVO/hUxa6FC9D
                                xgrwBycqt7fD//QTUI88ZJLtEu0s/NnPN+2sl3E=
                                ) ; KSK; alg = NSEC3RSASHA1; key id = 54396
zygo.com.               3048 IN DNSKEY 256 3 7 (
                                AwEAAawqGDezEvzgYS1tUtk6fK5Sd/AOocV0MCkYDg77
                                tmZj8AEArs/STSD0uxKmLP7OFirTCoPrquJDzjDJmFFk
                                vbdU8FCbG1BxD2B+Rg13+VArhQcxqQNTldnEaeKA813W
                                zjmVgHpU6X4h7HDLVQM/WgzLVBDKJZqdosQ1DqJuNR0R
                                ) ; ZSK; alg = NSEC3RSASHA1; key id = 19712
zygo.com.               3048 IN DNSKEY 257 3 7 (
                                AwEAAaDyADHYXBgAY+3dIBrZoa9Yw9ZEh28gJhNbRDtJ
                                DvDhsgfoHA4bgtfwjxZ6rHymKuXMIsa3GztQ79sMGZpf
                                lZNBt+KPTYqAlop2C7Ov7jkJ2UjXgdmovQuarPYllhHg
                                iSUKRvNv/i6MK1kUwbSNrV6o86XjwIdpwgLASs7KJMiA
                                caeV69ZEx7EmXsajN5l6sEgNVvcccUO+5BS0tC9+RQy1
                                Zcp9+2WkNsYmJQ5HSptTB2CLIlyhgfTO0ulR3eU3bQrD
                                vOArGOwIn8gqQyWGz2aN4tbxSKT6v5g1tMqSxLw3SW8b
                                iEYJBWdezvh9fEpCFbz8ZS9yyzA02BS/QcF8H1E=
                                ) ; KSK; alg = NSEC3RSASHA1; key id = 53991
zygo.com.               3048 IN DNSKEY 256 3 7 (
                                AwEAAcfweFDqyNSnQqwnWnw4+/hZR4DcuNnL0q9ilUu3
                                JueJwV7nzoE98TqQSMGjFzxiNQxjiFATxchMS0+gW6ax
                                LWg6rmje73W8I4f6w4/TylFu6XQjs0to6MNeRAuOBJXi
                                AysLjl5zvUjmmVysBtCnGWpsO0zKB5829VOk21cuXnxf
                                ) ; ZSK; alg = NSEC3RSASHA1; key id = 2864
zygo.com.               3048 IN RRSIG DNSKEY 7 2 3600 (
                                20130812183056 20130728183056 54396 zygo.com.
                                iZ5qg7HIuCb7N/0SCPPj0JRiNWBYLc8DupV2VSfjhv12
                                fiqMvaLimDb+xYaxFGaHzNySM6rgDfZf1sod5iCwaTUV
                                XDwru/zgDoDv2PV5xYUZ0U9vubgiACKmJAE+uPe2CI5E
                                CaLX6fzuKP5hrBIurk33jt0znauogIPyzpOPy9woc4tS
                                xlmllFWJcO6PUU0ZBrHESepxll+v7St9aMVCiGe8g22O
                                8NPn3JKazq8OHQPptGAY0TnqU0oZoDIiYY1oEscTGr2h
                                OWdAh9Kz95rMRtfq4L6aP63MnEIbYPUzzTbMiQqfZJkJ
                                shwfttnRTxlcZ+7/WDYl2YJVIR+SRtYsYA== )

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Aug 07 13:35:18 EST 2013
;; MSG SIZE  rcvd: 1181

The DNSKEY with keyid 54396 self signs the DNSKEY RRset and it has the same algorithm as that listed in the DS record. The expire and inception fields (20130812183056 20130728183056) are sane.

; <<>> DiG 9.10.0pre-alpha <<>> a zygo.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50389
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;zygo.com.                      IN      A

;; ANSWER SECTION:
zygo.com.               76237   IN      A       50.28.48.60
zygo.com.               76237   IN      RRSIG   A 7 2 86400 20130812183056 20130728183056 19712 zygo.com. FbuZDfcptJtbOCxsCV+U3uQA+ETkrvhKAJrpVhlVMAGrYhgFBHWTvsgK 8ZY9DP7Chr8rXF8BXjr0zh06Fi62RJQiRuytFLN117kqJjXe4g/5q4l3 O9XsuF2WeDj3TudMeqcb6hxGstly34gfec/RZdktlogmJTSu5+t3BdwP myU=

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Aug 07 13:37:11 EST 2013
;; MSG SIZE  rcvd: 221

The A record is signed with keyid 19712 alg 7 which exists in the DNSKEY RRset. The expire and inception fields are sane (20130812183056 20130728183056).

Now if you can't get a particular answer do the query again with +cd and look to see what doesn't match up.

To diagnose DNSSEC problems you almost never need to check the actual crypto. 99.99% of problems are failing to sign/re-sign or mismatches between DS and DNSKEY records, which are usually visible by looking at the keyid and key algorithm fields. You also never need to make explicit RRSIG queries.

Mark

In message <52018214.9080...@corp.sonic.net>, Grant Keller writes:
> Hello,
>
> We have 7 recursive DNS servers running Bind 9.9.2, and we are seeing
> some strange behavior validating DNSSEC. We have seen this happen a few
> times, and in the past the problem has gone away when the server is
> rebooted, so my first guess is that some record is stuck in the cache.
> An example from one of the servers in question:
>
> # dig a zygo.com @pdns02.domaincontrol.com +nocomments
>
> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> a zygo.com @pdns02.domaincontrol.com +nocomments
> ;; global options: +cmd
> ;zygo.com.                     IN      A
> zygo.com.              86400   IN      A       50.28.48.60
> zygo.com.              3600    IN      NS      pdns01.domaincontrol.com.
> zygo.com.              3600    IN      NS      pdns02.domaincontrol.com.
> ;; Query time: 83 msec
> ;; SERVER: 208.109.255.50#53(208.109.255.50)
> ;; WHEN: Tue Aug  6 16:04:26 2013
> ;; MSG SIZE  rcvd: 98
>
> # dig rrsig zygo.com @pdns02.domaincontrol.com +nocomments
>
> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> rrsig zygo.com @pdns02.domaincontrol.com +nocomments
> ;; global options: +cmd
> ;zygo.com.                     IN      RRSIG
> zygo.com.              86400   IN      RRSIG   A 7 2 86400 20130812183056 20130728183056 19712 zygo.com.
>                        FbuZDfcptJtbOCxsCV+U3uQA+ETkrvhKAJrpVhlVMAGrYhgFBHWTvsgK
>                        8ZY9DP7Chr8rXF8BXjr0zh06Fi62RJQiRuytFLN117kqJjXe4g/5q4l3
>                        O9XsuF2WeDj3TudMeqcb6hxGstly34gfec/RZdktlogmJTSu5+t3BdwP myU=
> zygo.com.              3600    IN      RRSIG   NS 7 2 3600 20130812183056 20130728183056 19712 zygo.com.
>                        YTqpH1q+wSZCUGhjw0qKWRBGSARInipMqUEOg0IaM49rgSSynYPDDt01
>                        7XOCpOnlZXSuiGv42yac/b3Se4gGHOfdyOHRncjiSmwL5vYlVhCBqUS3
>                        qgPSnqYonqC7uxaVg7tQm0ErZpWFJiMMdHfs/HpLTKq5tnZfHflCkhWj si4=
> zygo.com.              3600    IN      RRSIG   SOA 7 2 3600 20130812183056 20130728183056 19712 zygo.com.
>                        XDFuwBva0CzYYyXJIWI7HWWrFgK2GrhhOqb/fxtvDA7623WEb5DkROHg
>                        nx1cfI7w585MU3R0P2ZmrAXKULMFaZ0i24WvWa+hZf/GpBaO9wYGm1oS
>                        jWnUXpxNT15G/XXB91rVS0kCU4vEdLkVCXgh3k63QB+Drs0gfrPHjeSj Co8=
> zygo.com.              86400   IN      RRSIG   MX 7 2 86400 20130812183056 20130728183056 19712 zygo.com.
>                        dsRwujkNkm2P/lgBf9CfF5d1qzgaFYrQob5RDEXLYQkA2BkYd26yakQF
>                        xb8doXp1q3AxxlQ8yZpyUUGZmT13Aw/IBm8hFMdy+PmSxDGqoveUeah9
>                        dh3abPVrWlP+jbcLXVX9r5Lg5yVxXFAqplfmPj8fuupFJSkOEfMMB6P0 iMw=
> zygo.com.              86400   IN      RRSIG   TXT 7 2 86400 20130812183056 20130728183056 19712 zygo.com.
>                        LV05eG+KKxv1dLUvKL3xddiEtKuQ+gOM5dPFfAn6Qpzt+xg13E0rLvwR
>                        wV3w9Ol10r2cbGZr5leQciXHNoJtRKo8gNuMdxOFu/F+vu3zZZDYvR2I
>                        CrWrO5Acm7oVORllTs0gEIvYzXkmJErFEnwlc6uXENZlVEt08drmq0Lq 8nc=
> zygo.com.              3600    IN      RRSIG   DNSKEY 7 2 3600 20130812183056 20130728183056 54396 zygo.com.
>                        iZ5qg7HIuCb7N/0SCPPj0JRiNWBYLc8DupV2VSfjhv12fiqMvaLimDb+
>                        xYaxFGaHzNySM6rgDfZf1sod5iCwaTUVXDwru/zgDoDv2PV5xYUZ0U9v
>                        ubgiACKmJAE+uPe2CI5ECaLX6fzuKP5hrBIurk33jt0znauogIPyzpOP
>                        y9woc4tSxlmllFWJcO6PUU0ZBrHESepxll+v7St9aMVCiGe8g22O8NPn
>                        3JKazq8OHQPptGAY0TnqU0oZoDIiYY1oEscTGr2hOWdAh9Kz95rMRtfq
>                        4L6aP63MnEIbYPUzzTbMiQqfZJkJshwfttnRTxlcZ+7/WDYl2YJVIR+S RtYsYA==
> zygo.com.              3600    IN      RRSIG   NSEC3PARAM 7 2 3600 20130812183056 20130728183056 19712 zygo.com.
>                        Zt+Bak9VK/apMNCXmPxUdYtIdKJtVo5IwMtnuYv8SgZMOPZIvl2ROD1y
>                        Ra48JWEeQ3vMErRt0BsJPwl4Y3a6auM6tZMxhG+Ja6ZWoL2IaMcgGpct
>                        CW9Pl8hUIykRcL4QfzyPlQM6o8ZwSuhAAPw2+7N9dvhSWzPT6IKq9B2T DQQ=
> zygo.com.              3600    IN      NS      pdns01.domaincontrol.com.
> zygo.com.              3600    IN      NS      pdns02.domaincontrol.com.
> ;; Query time: 83 msec
> ;; SERVER: 208.109.255.50#53(208.109.255.50)
> ;; WHEN: Tue Aug  6 16:05:13 2013
> ;; MSG SIZE  rcvd: 1386
>
> That is the correct answer from the auth name server. When I query the
> local server, I get this:
>
> # dig a zygo.com @127.0.0.1 +nocomments
>
> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> a zygo.com @127.0.0.1 +nocomments
> ;; global options: +cmd
> ;zygo.com.                     IN      A
> ;; Query time: 162 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Aug  6 16:06:10 2013
> ;; MSG SIZE  rcvd: 26
>
> # dig rrsig zygo.com @127.0.0.1 +nocomments
>
> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> rrsig zygo.com @127.0.0.1 +nocomments
> ;; global options: +cmd
> ;zygo.com.                     IN      RRSIG
> zygo.com.              5       IN      RRSIG   DS 8 2 86400 20130811043747 20130804032747 8795 com.
>                        cKYDb9z9EcoVHk4AWohaECz7LwphvX+LGqinfh2H6ZeWz6oWWFMGs8Pc
>                        ZAYwh63e7+czbwhfy1LALwBKVRh9ijyg43NW0Ag7ZamQ56yc5k27UiuR
>                        x9skNeOLe+CDpfYM9LwbEnPKG2bJhAXAZ9lZEPT/seB5ID23HBwy9jfy wig=
> zygo.com.              153315  IN      NS      pdns02.domaincontrol.com.
> zygo.com.              153315  IN      NS      pdns01.domaincontrol.com.
> pdns01.domaincontrol.com. 4258 IN      A       216.69.185.50
> pdns01.domaincontrol.com. 6156 IN      AAAA    2607:f208:207::32
> pdns02.domaincontrol.com. 43034 IN     A       208.109.255.50
> pdns02.domaincontrol.com. 3041 IN      AAAA    2607:f208:303::32
> ;; Query time: 80 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Aug  6 16:06:41 2013
> ;; MSG SIZE  rcvd: 333
>
> The thing that really confuses me is that the ttl on the RRSIG DS record
> has been stuck at 5 for about a day now. I tried doing a rndc flushname
> zygo.com, which did not help. What else can I do to troubleshoot this,
> and if it is a cache problem, what can I do to clear the records? Thanks.
>
> --
> Grant Keller
> Sonic.net System Operations
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
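As an added example (not part of the message above or of BIND), the walk Mark describes expressed as code: a small Python checker that follows DS -> DNSKEY -> answer RRSIG by key tag and algorithm and checks the validity windows, fed with the tags and timestamps from the dig output in the thread. The record tuples are constructed from that output; the key-tag function implements the RFC 4034 Appendix B arithmetic and is only exercised on a tiny constructed RDATA.

```python
# Records constructed from the dig output quoted in the thread (zygo.com, Aug 2013).
DS = [(53991, 7), (54396, 7)]                       # (key tag, algorithm)
DNSKEYS = [(257, 7, 54396), (256, 7, 19712),        # (flags, algorithm, key tag)
           (257, 7, 53991), (256, 7, 2864)]
RRSIGS = {                                          # type -> (alg, key tag, expiration, inception)
    "DNSKEY": (7, 54396, "20130812183056", "20130728183056"),
    "A":      (7, 19712, "20130812183056", "20130728183056"),
}
NOW = "20130807133518"  # roughly when the queries in the message were made (UTC assumed)


def keytag(flags: int, proto: int, alg: int, key: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for algorithm 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def window_ok(sig, now: str = NOW) -> bool:
    """Usable if inception <= now <= expiration; fixed-width YYYYMMDDHHMMSS compares as text."""
    _alg, _tag, exp, inc = sig
    return inc <= now <= exp


def check_chain(ds, dnskeys, rrsigs, now: str = NOW) -> list:
    """Walk DS -> DNSKEY -> answer by (key tag, algorithm) only; no crypto is verified."""
    problems = []
    keys = {(tag, alg) for _flags, alg, tag in dnskeys}
    anchors = [d for d in ds if d in keys]           # DS entries that name a published DNSKEY
    if not anchors:
        problems.append("no DS (keytag, alg) matches any published DNSKEY")
    alg, tag, exp, inc = rrsigs["DNSKEY"]
    if (tag, alg) not in anchors:                    # the self-signature must come from a DS-covered key
        problems.append(f"DNSKEY RRset signed by {tag}/{alg}, which no DS record covers")
    if not window_ok(rrsigs["DNSKEY"], now):
        problems.append(f"RRSIG DNSKEY validity {inc}-{exp} does not contain {now}")
    for rtype, sig in rrsigs.items():
        if rtype == "DNSKEY":
            continue
        alg, tag, exp, inc = sig
        if (tag, alg) not in keys:                   # answer signer must exist in the DNSKEY RRset
            problems.append(f"RRSIG {rtype} signer {tag}/{alg} is not in the DNSKEY RRset")
        if not window_ok(sig, now):
            problems.append(f"RRSIG {rtype} validity {inc}-{exp} does not contain {now}")
    return problems


if __name__ == "__main__":
    print(check_chain(DS, DNSKEYS, RRSIGS) or "chain consistent")
```

Run the same checks against a +cd answer to see which link disagrees; an expired window or a signer tag missing from the DNSKEY RRset shows up here without touching the signatures themselves.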