Ding-ding-ding -- issuing "rndc flushname ." did the trick, Mark.
I'd encourage this troubleshooting tip to be documented in one of those how-to guides. I don't think waiting for a TTL is a good idea if most queries are failing with "bad cache hit".

Frank

-----Original Message-----
From: Mark Andrews [mailto:ma...@isc.org]
Sent: Tuesday, June 23, 2015 11:03 PM
To: Frank Bulk
Cc: bind-us...@isc.org
Subject: Re: DNSSEC validation on 9.7.4 not working

I suspect that the DNSKEY record for the root will be marked as 'answer' rather than 'secure' (rndc dumpdb), and flushing the cache will fix the issue, as will waiting ~30703 seconds. 'rndc flushname .' should also work, though I forget where we added flushname.

Mark

In message <005701d0ae2f$ef2798f0$cd76cad0$@iname.com>, "Frank Bulk" writes:
> Here you go:
>
> root@nagios:/etc/bind# dig @127.0.0.1 +dnssec +cd ds com; dig @127.0.0.1 +dnssec +cd dnskey .
>
> ; <<>> DiG 9.7.3 <<>> @127.0.0.1 +dnssec +cd ds com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38536
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;com.                           IN      DS
>
> ;; ANSWER SECTION:
> com.                    86400   IN      DS      30909 8 2
>                                 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
> com.                    86400   IN      RRSIG   DS 8 1 86400 20150703170000 20150623160000 48613 .
>                                 ioJ6KyZ9ig0PsFBdo5jfM/9hLEX9qn06QaitkJubhcH3m/DPBi2o9xTu
>                                 Cs9Aabwm/tSlGc+JVc3oBVSwv6LakHUY9v7aJn77pD244tnnlgNeR+z4
>                                 kkZSn1Kp5tHmhKx8sNYe8Fe9rTA/9hC+3IokE949ppf+3CEyjJ4uhJhm lN0=
>
> ;; Query time: 54 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jun 23 22:41:31 2015
> ;; MSG SIZE rcvd: 239
>
>
> ; <<>> DiG 9.7.3 <<>> @127.0.0.1 +dnssec +cd dnskey .
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11727
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;.                              IN      DNSKEY
>
> ;; ANSWER SECTION:
> .                       30703   IN      DNSKEY  256 3 8
>                                 AwEAAZyIkCwEYeG29NV+4cOdKE4DPng/4BqJeoOhKqzJbl+LR33TPWsr
>                                 wBRfmAi9wvR/Qc6IV4MFMXjmkclXns+atIQZ9uQV3YAvKv/cVuO7Mneu
>                                 MssIQixaMw+jp73R7zIUNMbLBgJRQXI57Rl+pvXBAkgHndVwv+aJkf7y GEuE9Dtj
> .                       30703   IN      DNSKEY  256 3 8
>                                 AwEAAa67bQck1JjopOOFc+iMISFcp/osWrEst2wbKbuQSUWu77QC9UHL
>                                 ipiHgWN7JlqVAEjKITZz49hhkLmOpmLK55pTq+RD2kwoyNWk9cvpc+tS
>                                 nIxT7i93O+3oVeLYjMWrkDAz7K45rObbHDuSBwYZKrcSIUCZnCpNMUtn PFl/04cb
> .                       30703   IN      DNSKEY  257 3 8
>                                 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
>                                 FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
>                                 bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
>                                 X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
>                                 W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
>                                 Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
> .                       30703   IN      RRSIG   DNSKEY 8 0 172800 20150705235959 20150620000000 19036 .
>                                 W6ZIOh5tJ1ph3C0c9Fqot+55jCewbk/cWRquGOeRnWkag7rx/XgsEfvd
>                                 HLr1HsSIlag+lt1OvTlsLgvVk/yUcOAZA/NvMRPbFfbyrEi82YpZ70Z2
>                                 B995qkT7dCf/3uBynAzubAPshUfEi7LuBy9bzyYPMvtRZptEnBz3xsAf
>                                 4gmrRTX0BW66ve2xqvitZrPVH2WaYR70iJbJWbKKDCPl9rwEcit95gyi
>                                 CNQLOIPFq2XgHDmo01Pr4evPbSowny6kNXzuDHgKQn1+BWX5zhbr74OE
>                                 3FZXo2DUXm8BA5OhMY0bMg32kjzQLu+lxBWpaXabjFoALNFG4WRRdx1s 4+Wuhg==
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jun 23 22:41:31 2015
> ;; MSG SIZE rcvd: 883
>
> root@nagios:/etc/bind# date -u
> Wed Jun 24 03:41:52 UTC 2015
> root@nagios:/etc/bind#
>
> Frank
>
> -----Original Message-----
> From: Mark Andrews [mailto:ma...@isc.org]
> Sent: Tuesday, June 23, 2015 10:31 PM
> To: Frank Bulk <frnk...@iname.com>
> Cc: bind-us...@isc.org
> Subject: Re: DNSSEC validation on 9.7.4 not working
>
> Should have asked for +dnssec on those queries. Also "date -u".
>
> In message <005601d0ae2c$b698b6c0$23ca2440$@iname.com>, "Frank Bulk" writes:
> > Mark,
> >
> > Sorry for top-posting -- my email client makes it difficult to do otherwise.
> >
> > Yes, I'm absolutely sure there's no software or physical firewall (we're an ISP), and there's also no load-balancer in front of this box. I've also used the EDNS tests and I can get a 4000+ byte response. There's also no forwarder configured.
> >
> > Here's the requested output:
> >
> > root@nagios:/etc/bind# dig @127.0.0.1 +cd ds com; dig @127.0.0.1 +cd dnskey .
> >
> > ; <<>> DiG 9.7.3 <<>> @127.0.0.1 +cd ds com
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55498
> > ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;com.                           IN      DS
> >
> > ;; ANSWER SECTION:
> > com.                    86400   IN      DS      30909 8 2
> >                                 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
> >
> > ;; Query time: 17 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > ;; WHEN: Tue Jun 23 22:17:58 2015
> > ;; MSG SIZE rcvd: 69
> >
> > ;; Truncated, retrying in TCP mode.
> >
> > ; <<>> DiG 9.7.3 <<>> @127.0.0.1 +cd dnskey .
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25167
> > ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;.                              IN      DNSKEY
> >
> > ;; ANSWER SECTION:
> > .                       32115   IN      DNSKEY  256 3 8
> >                                 AwEAAa67bQck1JjopOOFc+iMISFcp/osWrEst2wbKbuQSUWu77QC9UHL
> >                                 ipiHgWN7JlqVAEjKITZz49hhkLmOpmLK55pTq+RD2kwoyNWk9cvpc+tS
> >                                 nIxT7i93O+3oVeLYjMWrkDAz7K45rObbHDuSBwYZKrcSIUCZnCpNMUtn PFl/04cb
> > .                       32115   IN      DNSKEY  257 3 8
> >                                 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
> >                                 FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
> >                                 bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
> >                                 X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
> >                                 W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
> >                                 Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
> > .                       32115   IN      DNSKEY  256 3 8
> >                                 AwEAAZyIkCwEYeG29NV+4cOdKE4DPng/4BqJeoOhKqzJbl+LR33TPWsr
> >                                 wBRfmAi9wvR/Qc6IV4MFMXjmkclXns+atIQZ9uQV3YAvKv/cVuO7Mneu
> >                                 MssIQixaMw+jp73R7zIUNMbLBgJRQXI57Rl+pvXBAkgHndVwv+aJkf7y GEuE9Dtj
> >
> > ;; Query time: 0 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > ;; WHEN: Tue Jun 23 22:17:59 2015
> > ;; MSG SIZE rcvd: 586
> >
> >
> > Frank
> >
> >
> > -----Original Message-----
> > From: Mark Andrews [mailto:ma...@isc.org]
> > Sent: Tuesday, June 23, 2015 10:11 PM
> > To: Frank Bulk <frnk...@iname.com>
> > Cc: bind-us...@isc.org
> > Subject: Re: DNSSEC validation on 9.7.4 not working
> >
> >
> > In message <003d01d0ae24$682fc080$388f4180$@iname.com>, "Frank Bulk" writes:
> > > I'm running BIND 9.7.3 on Debian and having trouble configuring DNSSEC validation.
> > >
> > > I'm using the excellent guides at http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html#easy-start-guide-for-recursive-servers and https://www.surf.nl/binaries/content/assets/surf/en/knowledgebase/2012/rapport_Deploying_DNSSEC_v20.pdf and http://dnssec.vs.uni-due.de/ which provide 9.7.x configuration instructions, and so I'm feeling a bit slow that I can't make this work.
> > >
> > > I have a copy of bind.keys from https://www.isc.org/downloads/bind/bind-keys/ in /etc/bind/
> > >
> > > This statement in /etc/bind/bind.conf:
> > >
> > > managed-keys {
> > >     "." initial-key 257 3 8
> > >         "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
> > >         FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
> > >         bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
> > >         X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
> > >         W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
> > >         Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";
> > > };
> > >
> > > and the following in /etc/bind/bind.conf.options:
> > >
> > > options {
> > > <snip>
> > >     dnssec-enable yes;
> > >     dnssec-validation yes;
> > > <snip>
> > > }
> > >
> > > But when I issue "rndc reconfig" I immediately get repeated log lines about the following, and then similar statements for each domain:
> > >
> > > 23-Jun-2015 20:43:47.402 dnssec: info: validating @0x7fcec948ce40: com DS: no valid signature found
> > > 23-Jun-2015 20:43:47.402 dnssec: info: validating @0x7fcec8c41bf0: com DS: no valid signature found
> > > 23-Jun-2015 20:43:47.438 dnssec: info: validating @0x7fcec8c39b80: . NS: no valid signature found
> > > <snip>
> > > 23-Jun-2015 20:43:48.750 dnssec: info: validating @0x7fced04fd9e0: . NS: no valid signature found
> > > 23-Jun-2015 20:43:48.754 dnssec: info: validating @0x7fcee55996a0: a1075.dscg.akamai.net AAAA: bad cache hit (net/DS)
> > > 23-Jun-2015 20:43:48.757 dnssec: info: validating @0x7fceca621970: wwwp.wip.rackspace.com AAAA: bad cache hit (com/DS)
> > > 23-Jun-2015 20:43:48.759 dnssec: info: validating @0x7fceca621970: a1526.dscg.akamai.net AAAA: bad cache hit (net/DS)
> > > 23-Jun-2015 20:43:48.759 dnssec: info: validating @0x7fced04fd9e0: a1784.dscg.akamai.net AAAA: bad cache hit (net/DS)
> > > 23-Jun-2015 20:43:48.761 dnssec: info: validating @0x7fced04fd9e0: e1181.dscb.akamaiedge.net AAAA: bad cache hit (net/DS)
> > >
> > > Of course, once the TLDs aren't considered valid everything goes south.
> > >
> > > What am I doing wrong?
> > >
> > > Regards,
> > >
> > > Frank Bulk
> >
> > Are you sure that there isn't a firewall that is blocking RRSIGs getting through, or that you aren't using a forwarder that isn't also validating? These sorts of messages come when named is forced back to plain DNS to get a response.
> >
> > What do "dig +cd ds com" and "dig +cd dnskey ." return?
> >
> > Mark
> >
> > > _______________________________________________
> > > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> > >
> > > bind-users mailing list
> > > bind-users@lists.isc.org
> > > https://lists.isc.org/mailman/listinfo/bind-users
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
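The diagnosis in this thread comes down to reading the validator log lines, working out which zone's cached DS/DNSKEY can no longer be validated (here the root DNSKEY, cached with trust 'answer' before validation was switched on), and flushing that name. The script below is an added example, not code from the thread or from ISC: it parses the "dnssec: info: validating ..." lines Frank posted (re-joined onto single lines), counts failures per zone, emits the `rndc flushname` commands root-first, and extracts the header flags from a dig response so you can confirm the `ad` flag appears once the cache has been flushed and a query without `+cd` is repeated. It assumes only the BIND 9.7-era log and dig formats shown above; the embedded log lines and dig header are copied from the thread, not new data.

```python
"""Triage BIND validator log lines and dig headers (added example).

Not code from the bind-users thread or from ISC. The sample log lines and
the dig header are taken from the thread above; the message format they
show ("dnssec: info: validating @0x...: <name> <type>: <msg>") is assumed
to hold for whatever logs you feed in.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"dnssec: info: validating @0x[0-9a-f]+: "
    r"(?P<name>\S+) (?P<type>[A-Z0-9]+): (?P<msg>.*)$"
)
# "bad cache hit (net/DS)": the cached net/DS RRset could not be validated
BAD_CACHE_RE = re.compile(r"^bad cache hit \((?P<zone>[^/]+)/(?P<rtype>[A-Z0-9]+)\)$")

# Log lines from the thread, re-joined onto single lines
SAMPLE_LOG = """\
23-Jun-2015 20:43:47.402 dnssec: info: validating @0x7fcec948ce40: com DS: no valid signature found
23-Jun-2015 20:43:47.438 dnssec: info: validating @0x7fcec8c39b80: . NS: no valid signature found
23-Jun-2015 20:43:48.754 dnssec: info: validating @0x7fcee55996a0: a1075.dscg.akamai.net AAAA: bad cache hit (net/DS)
23-Jun-2015 20:43:48.757 dnssec: info: validating @0x7fceca621970: wwwp.wip.rackspace.com AAAA: bad cache hit (com/DS)
23-Jun-2015 20:43:48.759 dnssec: info: validating @0x7fceca621970: a1526.dscg.akamai.net AAAA: bad cache hit (net/DS)
"""

# Header of the "dig @127.0.0.1 +dnssec +cd dnskey ." run from the thread
SAMPLE_DIG_HEADER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11727
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
"""


def triage(log_text):
    """Count validation failures per zone.

    Returns {zone: {"bad_cache_hit": n, "no_valid_signature": n}}. A
    "bad cache hit (zone/DS)" is charged to that zone; "no valid
    signature found" is charged to the name that was being validated.
    """
    counts = defaultdict(lambda: {"bad_cache_hit": 0, "no_valid_signature": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a validator line; ignore
        bad = BAD_CACHE_RE.match(m.group("msg"))
        if bad:
            counts[bad.group("zone")]["bad_cache_hit"] += 1
        elif m.group("msg") == "no valid signature found":
            counts[m.group("name")]["no_valid_signature"] += 1
    return dict(counts)


def depth(zone):
    """Label count: 0 for the root, 1 for a TLD, and so on."""
    return 0 if zone == "." else len(zone.rstrip(".").split("."))


def flush_plan(counts):
    """rndc commands to run, root first, one per implicated zone.

    'rndc flushname' removes only the exact name given, not the subtree,
    so each zone whose DS/DNSKEY failed gets its own command. The root
    goes first because, as in the thread, an insecurely cached root
    DNSKEY is what makes everything below it fail.
    """
    zones = sorted(counts, key=lambda z: (depth(z), z))
    return ["rndc flushname %s" % z for z in zones]


def dig_flags(dig_output):
    """Header flags of a dig response, e.g. {"qr", "rd", "ra", "cd"}.

    'ad' means the resolver validated the answer. A +cd query never sets
    it, so confirm validation with a query that omits +cd.
    """
    for line in dig_output.splitlines():
        if line.startswith(";; flags:"):
            return set(line[len(";; flags:"):].split(";", 1)[0].split())
    return set()


if __name__ == "__main__":
    counts = triage(SAMPLE_LOG)
    for zone, c in sorted(counts.items(), key=lambda kv: depth(kv[0])):
        print("%-5s bad cache hits=%d  no valid signature=%d"
              % (zone, c["bad_cache_hit"], c["no_valid_signature"]))
    print("flags:", " ".join(sorted(dig_flags(SAMPLE_DIG_HEADER))))
    print("\n".join(flush_plan(counts)))
```

Feed it `grep 'dnssec: info: validating' /var/log/syslog` (path assumed) and run the printed commands; then repeat `dig @127.0.0.1 +dnssec dnskey .` without `+cd` and check that `dig_flags` reports `ad`.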