> On 15 Mar 2023, at 15:42, Tim Maestas <tmaesta...@gmail.com> wrote:
> 
> Named should be sending queries with DO=1 and it should be getting back 
> signed responses.  I suspect that you will need to run packet captures of the 
> traffic to and from 162.140.15.100 and 162.140.254.200 port 53 from the 
> nameserver.  Either signed responses will cease or DNSSEC requests will 
> cease.  In either case having the traffic around the transition should help 
> to determine what is happening.
> 
> I've found that, after a fresh restart of named, if I query for 
> "federalregister.gov A" I get a good AD response, and then subsequent queries 
> for "www.federalregister.gov" are successful as well.  If however after a 
> restart of named I begin with a query for www.federalregister.gov A then I 
> get servfail, and subsequent queries for federalregister.gov servfail as 
> well.  Here is the tcpdump from the 2nd (failed) case of an initial query for 
> www.federalregister.gov:
> 
> 
> reading from file dns.cap, link-type EN10MB (Ethernet), snapshot length 262144
> 04:30:01.114458 IP (tos 0x0, ttl 64, id 35832, offset 0, flags [none], proto 
> UDP (17), length 92)
>     10.0.0.159.43263 > 162.140.254.200.53: [udp sum ok] 15013 [1au] A? 
> www.federalregister.gov. ar: . OPT UDPsize=512 DO [COOKIE 352538a87bde87a5] 
> (64)
> 04:30:01.204863 IP (tos 0x0, ttl 229, id 4936, offset 0, flags [DF], proto 
> UDP (17), length 80)
>     162.140.254.200.53 > 10.0.0.159.43263: [udp sum ok] 15013*-| q: A? 
> www.federalregister.gov. 3/0/1 . OPT UDPsize=4096 DO [|domain]

This is a malformed DNS response.  It looks like the server tried to send a 
truncated response with an OPT record but failed to correctly update the answer 
count field to zero.  

% dig www.federalregister.gov @162.140.15.100 +dnssec +bufsize=512 +ignore +qr 
+norec

; <<>> DiG 9.19.11-dev <<>> www. @162.140.15.100 +dnssec +bufsize=512 +ignore 
+qr +norec
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57919
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
; COOKIE: 4a67cc813cfe03eb
;; QUESTION SECTION:
;www.federalregister.gov. IN A

;; QUERY SIZE: 64

;; Warning: Message parser reports malformed message packet.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57919
;; flags: qr aa tc; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;www.federalregister.gov. IN A

;; ANSWER SECTION:
. 32768 CLASS4096 OPT 
;; Query time: 271 msec
;; SERVER: 162.140.15.100#53(162.140.15.100) (UDP)
;; WHEN: Wed Mar 15 16:30:22 AEDT 2023
;; MSG SIZE  rcvd: 52

 -- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
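To make the diagnosis above concrete, here is a small wire-format checker (added here as an illustration; it is not code from Mark, from Tim, or from BIND). It rebuilds the 52-byte reply that dig reported: TC set, QDCOUNT 1, ANCOUNT 3, ARCOUNT 1, but with nothing after the question except a single OPT pseudo-RR (class 4096 = UDP payload size, TTL 32768 = DO bit). Walking the sections by their advertised counts shows exactly what the "malformed message packet" warning is about: the OPT record is consumed as the first "answer", then the message ends two records early. The same builder with ANCOUNT 0 produces the correctly formed truncated reply, which parses cleanly. Message contents are constructed from the values in the thread, not captured.

```python
"""Check a DNS response's section counts against the records actually present.

Constructed example modelling the bind-users thread: a TC=1 reply that keeps
ANCOUNT=3 but carries only the question plus one OPT record.
"""
import struct

TYPE_A = 1
TYPE_OPT = 41
FLAG_QR, FLAG_AA, FLAG_TC = 0x8000, 0x0400, 0x0200


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, ancount, arcount=1, msgid=15013, tc=True):
    """Build a reply holding only the question and one OPT pseudo-RR.

    The caller picks the ANCOUNT to advertise, so the same function yields the
    broken reply from the thread (ancount=3) and the correct one (ancount=0).
    """
    flags = FLAG_QR | FLAG_AA | (FLAG_TC if tc else 0)
    header = struct.pack("!HHHHHH", msgid, flags, 1, ancount, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    # OPT: owner ".", type 41, class = UDP size 4096, TTL = DO bit (0x8000), RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return header + question + opt


def read_name(msg, off):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = end if end is not None else off + 2
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_rr(msg, off):
    """Parse one resource record's fixed fields; skip its RDATA."""
    name, off = read_name(msg, off)
    if off + 10 > len(msg):
        raise ValueError("RR fixed fields run past end of message")
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if off + rdlen > len(msg):
        raise ValueError("RDATA runs past end of message")
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdlen": rdlen}, off + rdlen


def check_response(msg):
    """Walk every section by its header count and report mismatches.

    Returns header counts, the records actually found per section, and a list
    of problems (empty when the counts and the bytes agree).
    """
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    msgid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    report = {"id": msgid, "tc": bool(flags & FLAG_TC), "counts": (qd, an, ns, ar),
              "found": {"answer": [], "authority": [], "additional": []}, "problems": []}
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("question runs past end of message")
        off += 4
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            try:
                rr, off = parse_rr(msg, off)
            except ValueError as err:
                got = len(report["found"][section])
                report["problems"].append(
                    f"{section}: header promises {count} record(s) but message ends after {got}: {err}")
                return report
            report["found"][section].append(rr)
            if rr["type"] == TYPE_OPT and section != "additional":
                report["problems"].append(f"{section}: OPT pseudo-RR found outside the additional section")
    if off != len(msg):
        report["problems"].append(f"{len(msg) - off} trailing byte(s) after the last section")
    return report


if __name__ == "__main__":
    for label, ancount in (("broken", 3), ("correct", 0)):
        rep = check_response(build_response("www.federalregister.gov", ancount))
        print(label, len(build_response("www.federalregister.gov", ancount)), "bytes:",
              rep["problems"] or "well-formed")
```

Running it prints the two problems for the ANCOUNT=3 case (OPT in the answer section, then the message ending after one record) and "well-formed" for the ANCOUNT=0 reply. The same walk is what a resolver does before it can validate anything, which is why the client sees SERVFAIL rather than a DNSSEC failure: the reply never gets far enough to be checked.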
