I've run into an odd problem. On the same host, with nearly identical configurations, Bind 9.10.6 can resolve and DNSSEC validate sss.gov but Bind 9.11.2 cannot. If I turn off DNSSEC validation, 9.11.2 resolves it just fine. According to http://dnsviz.net/d/sss.gov/dnssec/ it looks like the domain is properly signed and valid. I get the following in the log when validation fails.
Jan 19 09:26:20 stout named[11872]: dnssec: debug 3: validating sss.gov/A: starting
Jan 19 09:26:20 stout named[11872]: dnssec: debug 3: validating sss.gov/A: attempting insecurity proof
Jan 19 09:26:20 stout named[11872]: dnssec: debug 3: validating sss.gov/A: checking existence of DS at 'gov'
Jan 19 09:26:20 stout named[11872]: dnssec: debug 3: validating sss.gov/A: checking existence of DS at 'sss.gov'
Jan 19 09:26:20 stout named[11872]: dnssec: debug 3: validating sss.gov/A: insecurity proof failed
Jan 19 09:26:20 stout named[11872]: validating sss.gov/A: got insecure response; parent indicates it should be secure
Jan 19 09:26:20 stout named[11872]: dnssec: info: validating sss.gov/A: got insecure response; parent indicates it should be secure
Jan 19 09:26:20 stout named[11872]: insecurity proof failed resolving 'sss.gov/A/IN': 2001:428::7#53
Jan 19 09:26:20 stout named[11872]: client @0x7fa6ec5ef6d0 10.9.2.18#39295 (sss.gov): view internal: query: sss.gov IN A +E(0) (10.1.1.5)
Jan 19 09:26:21 stout named[11872]: dnssec: debug 3: validating sss.gov/A: starting
Jan 19 09:26:21 stout named[11872]: dnssec: debug 3: validating sss.gov/A: attempting insecurity proof
Jan 19 09:26:21 stout named[11872]: dnssec: debug 3: validating sss.gov/A: checking existence of DS at 'gov'
Jan 19 09:26:21 stout named[11872]: dnssec: debug 3: validating sss.gov/A: checking existence of DS at 'sss.gov'
Jan 19 09:26:21 stout named[11872]: dnssec: debug 3: validating sss.gov/A: insecurity proof failed
Jan 19 09:26:21 stout named[11872]: validating sss.gov/A: got insecure response; parent indicates it should be secure
Jan 19 09:26:21 stout named[11872]: dnssec: info: validating sss.gov/A: got insecure response; parent indicates it should be secure
Jan 19 09:26:21 stout named[11872]: insecurity proof failed resolving 'sss.gov/A/IN': 63.150.72.5#53
Jan 19 09:26:23 stout named[11872]: client @0x7fa725012090 2606:1c00:2802:9::6#40869 (sss.gov): view internal: query failed (SERVFAIL) for sss.gov/IN/A at query.c:8302
Jan 19 09:26:23 stout named[11872]: client @0x7fa728a30e50 10.9.2.18#39295 (sss.gov): view internal: query failed (SERVFAIL) for sss.gov/IN/A at query.c:8302

Oddly enough, other signed domains seem to validate correctly. What might have changed between 9.10 and 9.11? I'm guessing that 9.11 is probably more closely requiring some kind of standard conformance and sss.gov is maybe not conforming completely. Any thoughts? It is kind of important for us. As a university we are required to verify that our students are properly registered with the Selective Service (sss.gov).

--
Timothy A. Holtzen
Campus Network Administrator
Nebraska Wesleyan University
Public PGP key CFB4 3AE8 B726 DEBF 00D9 CCFC 426E 76AF DABC B3D7
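The validator's "parent indicates it should be secure" means that gov publishes a DS for sss.gov, so the insecurity proof cannot succeed and the child's answers must validate. The first thing to check in that situation is whether the DS at the parent actually covers a DNSKEY the child serves. The following is an added example, not code from this thread or from BIND: it computes, from a DNSKEY's presentation fields, the DS the parent should publish (RFC 4034 section 5.1.4, key tag per Appendix B) and compares it with DS text seen at the parent. The key in the sample is a constructed, deliberately short value, not sss.gov's real KSK.

```python
import base64
import hashlib
import struct

# DS digest types from the IANA registry (RFC 4034, RFC 4509, RFC 6605).
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased, uncompressed) wire form of an owner name, RFC 4034 s6.2."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA as sent on the wire: flags, protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the number shown in DS records and in dig output)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, key_b64: str,
            digest_type: int = 2) -> dict:
    """DS the parent should publish for this DNSKEY: digest over owner name || RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def format_ds(ds: dict) -> str:
    return f"{ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"


def ds_matches(parent_ds: str, owner: str, flags: int, protocol: int, algorithm: int,
               key_b64: str) -> bool:
    """True if the DS text published by the parent covers this child DNSKEY."""
    tag, alg, dtype, digest = parent_ds.split()
    if int(dtype) not in DS_DIGESTS:
        return False  # unsupported digest type: a validator ignores such a DS
    ours = make_ds(owner, flags, protocol, algorithm, key_b64, int(dtype))
    return (int(tag), int(alg), digest.lower()) == (ours["key_tag"], ours["algorithm"], ours["digest"])


if __name__ == "__main__":
    KSK = (257, 3, 8, "AwEAAavN")  # constructed sample, not sss.gov's real key
    ds = make_ds("sss.gov.", *KSK)
    print("expected DS at gov:", format_ds(ds))
    print("parent DS matches child key:", ds_matches(format_ds(ds), "sss.gov.", *KSK))
```

With a real zone, feed it the DNSKEY fields from the child's DNSKEY RRset and the DS text from the parent; a key tag or digest that does not line up means the chain is broken at the delegation rather than in the child's signatures.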