On 08/08/2013 09:34 AM, Phil Mayers wrote:
> On 08/08/13 17:22, Grant Keller wrote:
>
>> It's strange, I get the records when querying one of my other DNS
>> servers:
>
> As per my original email - firewall? middlebox? crazy ISP transparent
> caching DNS server?
>
> I would break out tcpdump; clear the cache on the affected server,
> re-do the dig, then trawl through the tcpdump looking for the relevant
> queries and replies. Prove to yourself whether the RRSIGs are arriving
> at the "broken" DNS server. If so, go on from there. If not, harass
> your network/security team or upstream ;o)
>
I don't think it is anything upstream. As a test, I flushed the cache on one of the affected servers, and now it is validating successfully:

; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> +dnssec zygo.com a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58342
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;zygo.com.                      IN      A

;; ANSWER SECTION:
zygo.com.               86400   IN      A       50.28.48.60
zygo.com.               86400   IN      RRSIG   A 7 2 86400 20130812183056 20130728183056 19712 zygo.com. FbuZDfcptJtbOCxsCV+U3uQA+ETkrvhKAJrpVhlVMAGrYhgFBHWTvsgK 8ZY9DP7Chr8rXF8BXjr0zh06Fi62RJQiRuytFLN117kqJjXe4g/5q4l3 O9XsuF2WeDj3TudMeqcb6hxGstly34gfec/RZdktlogmJTSu5+t3BdwP myU=

;; AUTHORITY SECTION:
zygo.com.               3600    IN      NS      pdns02.domaincontrol.com.
zygo.com.               3600    IN      NS      pdns01.domaincontrol.com.
zygo.com.               3600    IN      RRSIG   NS 7 2 3600 20130812183056 20130728183056 19712 zygo.com. YTqpH1q+wSZCUGhjw0qKWRBGSARInipMqUEOg0IaM49rgSSynYPDDt01 7XOCpOnlZXSuiGv42yac/b3Se4gGHOfdyOHRncjiSmwL5vYlVhCBqUS3 qgPSnqYonqC7uxaVg7tQm0ErZpWFJiMMdHfs/HpLTKq5tnZfHflCkhWj si4=

;; ADDITIONAL SECTION:
pdns01.domaincontrol.com. 172786 IN     A       216.69.185.50
pdns02.domaincontrol.com. 172786 IN     A       208.109.255.50

;; Query time: 23 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 8 09:38:24 2013
;; MSG SIZE rcvd: 477

I still have a few more servers that are affected, and I would prefer to not flush the cache on all of them.

--
Grant Keller
Sonic.net System Operations
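A small diagnostic for the symptom in this thread (a resolver answering without the AD bit or without RRSIGs until its cache is flushed), added here as an example and not code from any of the participants: it parses dig +dnssec output and reports whether AD and DO are set, which RRsets in ANSWER/AUTHORITY lack a covering RRSIG, and which RRSIGs are outside their inception/expiration window at a caller-supplied time. The sample answer is constructed in the shape of the one above (signature bytes shortened), and the time is passed as a YYYYMMDDHHMMSS string so it compares directly against the RRSIG fields.

```python
import re

# Constructed sample in the shape of the thread's dig +dnssec answer (signature bytes shortened).
SAMPLE = """;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3
; EDNS: version: 0, flags: do; udp: 4096

;; ANSWER SECTION:
zygo.com. 86400 IN A 50.28.48.60
zygo.com. 86400 IN RRSIG A 7 2 86400 20130812183056 20130728183056 19712 zygo.com. FbuZ...myU=

;; AUTHORITY SECTION:
zygo.com. 3600 IN NS pdns02.domaincontrol.com.
zygo.com. 3600 IN NS pdns01.domaincontrol.com.
zygo.com. 3600 IN RRSIG NS 7 2 3600 20130812183056 20130728183056 19712 zygo.com. YTqp...si4=
"""

def parse_dig(text):
    """Return (header flags, EDNS flags, {section: [(name, ttl, type, rdata), ...]})."""
    flags, edns, sections, cur = set(), set(), {}, None
    for line in text.splitlines():
        if m := re.match(r";; flags: ([^;]*);", line):
            flags = set(m.group(1).split())
        elif m := re.match(r"; EDNS: .*flags: ([^;]*);", line):
            edns = set(m.group(1).split())
        elif m := re.match(r";; (\w+) SECTION:", line):
            cur = sections.setdefault(m.group(1), [])
        elif cur is not None and line and not line.startswith(";"):
            name, ttl, _cls, rtype, rdata = line.split(None, 4)
            cur.append((name, int(ttl), rtype, rdata))
    return flags, edns, sections

def check_dnssec(text, now):
    """Report AD/DO bits, RRsets lacking a covering RRSIG, and RRSIGs outside their window at `now`."""
    flags, edns, sections = parse_dig(text)
    missing, stale = set(), set()
    for sec in ("ANSWER", "AUTHORITY"):
        rrs = sections.get(sec, [])
        covered = set()
        for name, _ttl, rtype, rdata in rrs:
            if rtype == "RRSIG":
                f = rdata.split()  # type covered, alg, labels, orig TTL, expiration, inception, ...
                covered.add((name, f[0]))
                if not f[5] <= now <= f[4]:  # inception <= now <= expiration, all YYYYMMDDHHMMSS
                    stale.add((sec, name, f[0]))
        missing |= {(sec, n, t) for n, _, t, _ in rrs if t != "RRSIG" and (n, t) not in covered}
    return {"ad": "ad" in flags, "do": "do" in edns,
            "missing_rrsig": sorted(missing), "stale_rrsig": sorted(stale)}
```

Run it against the output of `dig +dnssec` on each suspect server: an answer with DO set but RRSIGs missing points at the resolver (or something in front of it) rather than at signature validity.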