<slightly-pointless-comment-in-defence-of-us-zone>

If you look closer, you’ll see that ‘us.’ is RSASHA256. ‘state.ma.us.’ however, 
is delegated to the state officials of the Commonwealth of Massachusetts and is 
indeed RSASHA1NSEC3.

Stuart
... one of the guys that does the DNSSEC for the US TLD.

From: bind-users <bind-users-boun...@lists.isc.org> on behalf of "John W. Blue 
via bind-users" <bind-users@lists.isc.org>
Reply to: "John W. Blue" <john.b...@rrcic.com>
Date: Thursday, 11 February 2021 at 9:21 am
To: bind-users <bind-users@lists.isc.org>
Subject: RE: Bind 9.11 serving up false answers for a single domain.

Three words:  tcpdump and wireshark
 
It is like peanut and jelly .. hall and oates .. salt and pepper .. ebb and 
flow .. pen and paper .. I could go on but … 
 
Know them.  Love them.  They are your newest best friends.
 
<grin>
 
Using tcpdump IMHO should be the first tool anyone uses when troubleshooting 
seemingly unexplainable DNS weirdness.
 
Knowing what is being put on the wire (or lack thereof) is critical since it 
provides key factual data points that decisions can be made on.  When running 
tcpdump on the DNS server I personally prefer this command:
 
tcpdump -n -i <interface eg eth0> -s 65535 -w <filename.pcap>
 
dash n is telling tcpdump that you do not want it to resolve hostnames.  This 
is an important option when doing DNS troubleshooting because you do not want 
extra resolutions taking place.
dash s is saying gimme the full packet.
dash w is the name of the file you want the output saved in.
 
After starting the command, run several queries from a host and ctrl+c to exit.
 
Once you get your file into Wireshark, you can start slicing and dicing the 
data!
 
Here is a handy Wireshark filter:  dns.qry.name == internet-dns1.state.ma.us
 
By using a filter of dns.flags.rcode == (number here) you can drive off into 
the weeds and get super granular with sorting the data.  For example 
“dns.flags.rcode == 2” will show you all of the server failures for queries.
 
It is hard to provide further guidance on what to do since what you find in the 
pcap is only a starting point.
 
Good hunting!
 
As an aside I would like to mention that you do not need to travel home to get 
situational awareness when the diggui.com website can be used instead.
 
Also.  For the people running .us tld .. SHA1 for DNSSEC .. really?
 
https://dnsviz.net/d/state.ma.us/dnssec/
 
John
 
 
 
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of sami's 
strat
Sent: Wednesday, February 10, 2021 11:54 AM
To: Mark Andrews
Cc: bind-users
Subject: Re: Bind 9.11 serving up false answers for a single domain.
 
Thank you all for responding.  One final query about this. I'm seeing this 
issue on my production servers at work.  Yet, when I run the same queries at 
home, I don't see those failed queries.  I actually flushed DNS cache, cleared 
Linux O/S cache, and even bounced my personal DNS server trying to reproduce 
the issue.  But I could not.
 
TIA
 
On Wed, Feb 10, 2021 at 12:09 AM Mark Andrews <ma...@isc.org> wrote:
Run ‘dig +trace +all internet-dns1.state.ma.us’ which will show you the glue 
records, then try ‘dig +dnssec +norec internet-dns1.state.ma.us @<address>’ for 
all the addresses in the glue records.

e.g.
        dig +dnssec +norec internet-dns1.state.ma.us @146.243.122.17

Mark

> On 10 Feb 2021, at 14:50, sami's strat <sami.st...@gmail.com> wrote:
> 
> Thanks Mark.
> 
> However, the traceroute to the hostname failed for the same reason.  Please 
> note:
> 
> [root@myhost data]# dig internet-dns1.state.ma.us
>  
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> internet-dns1.state.ma.us
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61641
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>  
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;internet-dns1.state.ma.us.     IN      A
>  
> ;; Query time: 1263 msec
> ;; SERVER: 192.168.33.12#53(192.168.33.12)
> ;; WHEN: Tue Feb 09 22:34:15 EST 2021
> ;; MSG SIZE  rcvd: 54
>  
> [root@myhost data]# dig internet-dns1.state.ma.us +trace
>  
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> internet-dns1.state.ma.us +trace
> ;; global options: +cmd
> .                       516485  IN      NS      c.root-servers.net.
> .                       516485  IN      NS      e.root-servers.net.
> .                       516485  IN      NS      f.root-servers.net.
> .                       516485  IN      NS      l.root-servers.net.
> .                       516485  IN      NS      m.root-servers.net.
> .                       516485  IN      NS      d.root-servers.net.
> .                       516485  IN      NS      g.root-servers.net.
> .                       516485  IN      NS      k.root-servers.net.
> .                       516485  IN      NS      b.root-servers.net.
> .                       516485  IN      NS      h.root-servers.net.
> .                       516485  IN      NS      a.root-servers.net.
> .                       516485  IN      NS      i.root-servers.net.
> .                       516485  IN      NS      j.root-servers.net.
> .                       516485  IN      RRSIG   NS 8 0 518400 20210222230000 20210209220000 42351 . 
>                                 QCzDH8eHlHVbx4SxIIwk8xnk6ky/q+zRh8KAUfI98lqHcIP4NLxzCe6f 
>                                 mC2sNX1VcthEy6Lwnobm8OyJCRpNEHedYrS01aMhAVzUfM+/PJ9MWn0w 
>                                 SkmXxyZMJZXF/kl4GDNX0x/GW3+DkeTeZI9+B540Yvj47qJv2bD9nIQG 
>                                 NtE7bDze7bgMJkIuBlEzPfwp7YW5ud8qdC6HdUoEMqygwZcWAiQu8gpb 
>                                 q21z8W5hcdci1OouDFytNWrXAvfSsuR635+GzSj+RZjYo+447uP7lKsK 
>                                 N5aeVQ/BPh5jM32xVO+zwyp7v9Nky1vSP/BchMQ/3cqg3Ee7zobl8OQd CSd/SA==
> ;; Received 1097 bytes from 192.168.33.12#53(192.168.33.12) in 0 ms
>  
> us.                     172800  IN      NS      a.cctld.us.
> us.                     172800  IN      NS      b.cctld.us.
> us.                     172800  IN      NS      c.cctld.us.
> us.                     172800  IN      NS      e.cctld.us.
> us.                     172800  IN      NS      f.cctld.us.
> us.                     172800  IN      NS      k.cctld.us.
> us.                     86400   IN      DS      21364 8 1 260D0461242BCF8F05473A08B05ED01E6FA59B9C
> us.                     86400   IN      DS      21364 8 2 B499CFA7B54D25FDE1E6FE93076FB013DAA664DA1F26585324740A1E 6EBDAB26
> us.                     86400   IN      RRSIG   DS 8 1 86400 20210222230000 20210209220000 42351 . 
>                                 rujvGB0s2bsqzBuzRliH6QK9vH84ETZV7gZMEhJyzMFofWhj9ZZaNWE/ 
>                                 VvdA9rC16IOEocvARv2rOqk7G3KTzdkHHZcwcZSQyVqsOIaIywGFuEgd 
>                                 viSXF6+M5MocUgEMp5dtt6SBLHG+lE/FV/3HylKSHsxdO/F6PeWKgcBZ 
>                                 D4lZQ6w5asmlbdKJKMhlWPp6UaxBE7ACaxndBQixoNqXQuPrXpXi1Fnj 
>                                 ntFtTfn57hMyrdTojIJ8X7/HKjCrbm3CL/WJ+VZR051OGCdZVjpUaDXR 
>                                 x7G9lDhu3K5clar9PGYyUJM7+RBKzrQJep7HrjL2nZdoTyfY4i33S+EZ sTlTOA==
> ;; Received 707 bytes from 199.7.91.13#53(d.root-servers.net) in 4 ms
>  
> state.ma.us.            7200    IN      NS      internet-dns3.state.ma.us.
> state.ma.us.            7200    IN      NS      internet-dns1.state.ma.us.
> state.ma.us.            7200    IN      NS      internet-dns2.state.ma.us.
> state.ma.us.            3600    IN      DS      47628 7 2 5379F9F747214E5A63416775396BCFF98FA4867AE66E09BCBEBE0DCC 1682C369
> state.ma.us.            3600    IN      DS      41388 7 1 36D899932AF794EADD671161515E48FE829BB7FE
> state.ma.us.            3600    IN      DS      41388 7 2 BBAB433D3853571F42516E70659AF1F85FA4FBA0FDFCEAD4D092592A 00C78769
> state.ma.us.            3600    IN      DS      47628 7 1 485E0EE2F7C08FCE51D1E284321242930274833A
> state.ma.us.            3600    IN      RRSIG   DS 8 3 3600 20210307200856 20210205191212 53985 us. 
>                                 O8KqBHzlZsDqrZi0NQO4JEiN0b8j04/Lb8W2uVz5PyrAat1VgZKQ3Ws6 
>                                 6PNtbZDMv6YX6QA8fWFLxNmeJ1/4L3wLu8EKYXaThA9Zxll7mKFj1iPf 
>                                 nqiVq5hOo8Ul3inmfM/tjCQ21IHc/v0JZygZNd/h0SxXWlQXi+W3G9LN 
>                                 +4z/qxtl9dGD1ka54Ln3MAVxB1Tp4pt0ri4qPLmfGKf/HA==
> couldn't get address for 'internet-dns3.state.ma.us': not found
> couldn't get address for 'internet-dns1.state.ma.us': not found
> couldn't get address for 'internet-dns2.state.ma.us': not found
> dig: couldn't get address for 'internet-dns3.state.ma.us': no more
> [root@myhost data]#
> 
> On Tue, Feb 9, 2021 at 10:10 PM Mark Andrews <ma...@isc.org> wrote:
> Well you could try tracing the addresses of the nameservers for which
> there were errors reported.  It could be as simple as a routing issue
> between you and these servers.
> 
> > On 10 Feb 2021, at 13:25, sami's strat <sami.st...@gmail.com> wrote:
> > 
> > couldn't get address for 'internet-dns1.state.ma.us': not found
> > couldn't get address for 'internet-dns3.state.ma.us': not found
> > couldn't get address for 'internet-dns2.state.ma.us': not found
> > dig: couldn't get address for 'internet-dns1.state.ma.us': no more
> 
> Yet, I do this on my personal computer at home, and it works without an issue.
> 
> Any other thoughts?  TIA 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: mailto:ma...@isc.org
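Added example, not code from anyone in this thread: it puts together the two procedures above, John's "capture it and filter on dns.flags.rcode == 2 / dns.qry.name" and Mark's "send dig +dnssec +norec to every glue address". build_query() produces the same wire message dig sends with +dnssec +norec (RD bit clear, EDNS0 OPT record with the DO bit set and a 4096-byte UDP size), parse_response() pulls the header flags, rcode (including the EDNS extended rcode), query name and EDNS UDP size out of a raw reply, and servfails() applies the rcode == 2 selection to a list of raw DNS payloads, which is what Wireshark is doing behind that filter. The only data it ships is SAMPLE_SERVFAIL, a constructed message rebuilt from the dig output sami posted (id 61641, flags qr rd ra, one question, one OPT with udp 4096; 54 bytes, matching the MSG SIZE dig printed). The probe() function and the script name in the comment are my additions; probe() needs network access, everything else runs offline.

```python
"""Added example (not code from the bind-users thread): builds the query that
`dig +dnssec +norec NAME @ADDRESS` puts on the wire and parses raw DNS replies
far enough to apply the thread's Wireshark filters (dns.flags.rcode == 2,
dns.qry.name) to payloads taken from a pcap or from a live probe."""
import socket
import struct

OPT = 41  # EDNS0 OPT pseudo-RR type
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a domain name (uncompressed labels, terminating zero)."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset past it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left off
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def build_query(name, qid, qtype=1, dnssec=True, recurse=False, udp_size=4096):
    """Equivalent of `dig +dnssec +norec`: RD bit clear, OPT RR with the DO bit set."""
    flags = 0x0100 if recurse else 0x0000
    msg = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if dnssec else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if dnssec:
        # OPT RR: root name, type 41, class = UDP payload size, the "TTL" field is
        # ext-rcode(8) | version(8) | flags(16) with 0x8000 = DO, rdlength 0.
        msg += b"\x00" + struct.pack("!HHBBHH", OPT, udp_size, 0, 0, 0x8000, 0)
    return msg


def parse_response(msg):
    """Header flags, rcode (with EDNS extended rcode folded in), qname, EDNS UDP size."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "ancount": an, "qname": None, "edns_udp": None}
    off = 12
    if qd:
        info["qname"], off = decode_name(msg, off)
        off += 4  # qtype, qclass
    for _ in range(an + ns + ar):  # walk the remaining RRs looking for OPT
        _, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            info["edns_udp"] = rclass
            info["rcode"] |= (ttl >> 24) << 4  # upper 8 bits of the 12-bit rcode
    info["status"] = RCODES.get(info["rcode"], str(info["rcode"]))
    return info


def servfails(payloads):
    """Same selection as the Wireshark filter dns.flags.rcode == 2 on responses."""
    parsed = map(parse_response, payloads)
    return [p["qname"] for p in parsed if p["qr"] and p["rcode"] == 2]


def probe(name, address, timeout=3.0):
    """Send the +dnssec +norec query to one authoritative address over UDP and
    return the parsed reply, or 'timeout'. Needs network; not exercised offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, 0x1234), (address, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return parse_response(data)


# Constructed sample: the SERVFAIL the poster's resolver returned, rebuilt from the
# dig output in the thread (id 61641, flags qr rd ra, 1 question, 1 OPT, udp 4096).
# It comes out at 54 bytes, the MSG SIZE dig reported.
SAMPLE_SERVFAIL = (struct.pack("!HHHHHH", 61641, 0x8182, 1, 0, 0, 1)
                   + encode_name("internet-dns1.state.ma.us") + struct.pack("!HH", 1, 1)
                   + b"\x00" + struct.pack("!HHBBHH", OPT, 4096, 0, 0, 0, 0))

if __name__ == "__main__":
    import sys
    print(parse_response(SAMPLE_SERVFAIL))
    # e.g.  python3 dnsprobe.py internet-dns1.state.ma.us 146.243.122.17 ...
    for addr in sys.argv[2:]:
        print(addr, probe(sys.argv[1], addr))
```

Run it on the production resolver and on the home machine with the same glue addresses: a "timeout" from some addresses on one box and a parsed answer on the other points at the routing/filtering problem Mark suggested, while a SERVFAIL from the recursive server with NOERROR answers from every authoritative address points at validation or the resolver itself. For captured traffic, feed servfails() the UDP payloads from the pcap; it is the rcode == 2 filter without the GUI.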
