I know this is an old thread but we are having issues resolving pms.psc.gov as well. Disabling DNSSEC validation on a test server doesn't solve the problem. I can add a forwarding zone for ha.psc.gov pointed to their NS servers and things work. I would love to know what is broken here.
> dig pms.psc.gov

; <<>> DiG 9.16.43 <<>> pms.psc.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60669
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 20b2eb2c9840bfbd0100000065084978288fdde1e6f7c2a6 (good)
;; QUESTION SECTION:
;pms.psc.gov.                   IN      A

;; Query time: 2993 msec
;; SERVER: 128.138.240.1#53(128.138.240.1)
;; WHEN: Mon Sep 18 06:58:32 MDT 2023
;; MSG SIZE  rcvd: 68

_________________________________________________________
Nicholas Miller, OIT, University of Colorado at Boulder

> On Aug 22, 2021, at 11:57 AM, Matthew Richardson <matthe...@itconsult.co.uk> wrote:
> 
> It looks slightly more subtle than a straight failure. There is a DS
> record in psc.gov pointing to key 180 in ha.psc.gov:-
> 
>> ha.psc.gov. 56 IN DS 180 7 1
>> 8A631C83457F4BDB3C450A725DFDB267C4BAC1CC
> 
> This points correctly to the key. However digest algorithm 1 is now either
> prohibited or discouraged. Worse there is also a DS:-
> 
>> ha.psc.gov. 56 IN DS 39093 7 2
>> DD956C9568726B6EEED24D9814F0EC0D2BD119CF4B8A6352A4BF6968 0880E8E7
> 
> where key 39093 does not exist in ha.psc.gov.
> 
> Buried in the mass of errors & warnings, dnsviz says:-
> 
>> ha.psc.gov/DS (alg 7, id 180): DS records with digest type 1 (SHA-1) are
>> ignored when DS records with digest type 2 (SHA-256) exist in the same RRset.
> 
> With both Bind & Unbound, I get SERVFAIL. However, other resolvers may be
> more tolerant of algorithm 1 DS records, in which case they may decide that
> the answer is "valid".
> 
> In any event, it needs fixing.
> 
> However, to answer the OP's question, the solution is to use a "negative
> trust anchor":-
> 
>> # rndc nta -lifetime 1d ha.psc.gov
>> Negative trust anchor added: ha.psc.gov/_default, expires 23-Aug-2021
>> 18:55:13.000
> 
> which then allowed my Bind to resolve it.
> 
> Best wishes,
> Matthew
> 
> ------
>> From: "John W. Blue via bind-users" <bind-users@lists.isc.org>
>> To: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
>> Cc:
>> Date: Sun, 22 Aug 2021 16:24:41 +0000
>> Subject: Re: unresolvable pms.psc.gov, but google/cloudflare/unbound work
> 
>> You're using the wrong tools to troubleshoot or investigate this error.
>> 
>> Instead of relying upon resolvers to provide situational awareness you need
>> to inspect DNSSEC itself using dnsviz.net:
>> 
>> https://dnsviz.net/d/pms.psc.gov/dnssec/
>> 
>> psc.gov is giving the world ID 5089 when they need to be handing out ID 180.
>> 
>> Recommend the pms.psc.gov admins give the psc.gov admins the correct hash.
>> 
>> Sent from Nine<http://www.9folders.com/>
>> ________________________________
>> From: Roger Hammerstein <cheek...@gmx.com>
>> Sent: Sunday, August 22, 2021 9:45 AM
>> To: bind-users@lists.isc.org
>> Subject: unresolvable pms.psc.gov, but google/cloudflare/unbound work
>> 
>> 
>> pms.psc.gov appears to be unresolvable against bind9.16.19
>> and 9.11.34 because of dnssec issues.
>> But it resolves against Cloudflare's 1.1.1.1, Google's 8.8.8.8, and an
>> Unbound resolver that does dnssec-validation.
>> 
>> There's a ticket open with nih.gov to look into it, but is there anything
>> that can be changed with Bind to make this domain resolve in the meantime?
>> 
>> (pms.psc.gov): query failed (SERVFAIL) for pms.psc.gov/IN/A at query.c:8678
>> 
>> https://dnsviz.net/d/pms.psc.gov/dnssec/
>> https://dnssec-analyzer.verisignlabs.com/pms.psc.gov
>> 
>> dig a pms.psc.gov @8.8.8.8
>> pms.psc.gov. 2852 IN CNAME pms.ha.psc.gov.
>> pms.ha.psc.gov. 29 IN A 156.40.178.24
>> 
>> 
>> dig a pms.psc.gov @8.8.8.8 +dnssec
>> 
>> ;; ANSWER SECTION:
>> pms.psc.gov. 2835 IN CNAME pms.ha.psc.gov.
>> pms.psc.gov. 2835 IN RRSIG CNAME 8 3 3600
>> 20210827000144 20210821230144 5089 psc.gov.
>> kpclRfRyBqaSGW6VrpkE4gP/QPfggKZTVb68npiosnt+4lIUglUxino5
>> jQAqd9a1p8HbdHG63HPnfYYBq1bX9q/f11CVUmxXXJUbRBGTZBnDyATP
>> LLI2GWSZ1at364O+C+iZozi8NpJNU4oTCfd3PLScFbOfSGbPyRfUzfvB AJc=
>> pms.ha.psc.gov. 29 IN A 156.40.178.24
>> pms.ha.psc.gov. 29 IN RRSIG A 7 4 30 20210827185442
>> 20210820185442 21380 ha.psc.gov.
>> w2XUqBVoBMtLv0qfc5xmccrpv+w2ukwGfaGJvthIKHXr2SdlAk3oQxve
>> xyolEaj2zWn8Uj7lOsaZD8mewBMQ3iEEp8U96aFBslWV/ffEKL+H9oMM
>> sUNU5KwNi7/Nk3KZuNc8R3xxuYTsSVdbu6ai1lQ6fmw2uWAoDP9YIqek
>> jyo/0WFSXM+hxw/5WguijhilSRIywNgG3/6MY3ZmunPPafGTCTXigyex
>> IBACJQJ+meD6vMi0YoRM17mwdD+7Buq2cb6LJyVYaQImh7M2gF8My75n
>> lDns4PWEIx4bSW2uQQEPpB7MA9VI9y5CuVCmqC3wMZ2ow6G8pkaf18wv r/ucSQ==
>> 
>> 
>> 
>> 
>> I can sometimes get a servfail out of 8.8.8.8 with an any query
>> dig any pms.psc.gov @8.8.8.8 +dnssec
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36332
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 512
>> ;; QUESTION SECTION:
>> ;pms.psc.gov. IN ANY
>> ;; Query time: 5001 msec
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
> 
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
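The rule Matthew quotes from dnsviz (SHA-1 DS records are ignored when a SHA-256 DS is present in the same RRset, RFC 4509 section 3) is what turns a DS that still matches key 180 into a bogus delegation once a second DS for a non-existent key is published beside it. The following is an added example and is not code from this thread, from BIND, Unbound or ISC: it models a validator's DS-to-DNSKEY matching with that rule switchable on and off, on a constructed ha.psc.gov DNSKEY set whose shape copies the thread (one SHA-1 DS for a published KSK, one SHA-256 DS for a key the child no longer publishes). All key material, key tags and digests below are constructed; the real zone's tags 180, 39093 and 21380 do not appear, and the key-tag and DS-digest routines are straight transcriptions of RFC 4034 Appendix B and section 5.1.4.

```python
"""DS/DNSKEY matching with the RFC 4509 digest-preference rule.

Added example, not from the bind-users thread or from BIND. Keys are
constructed; only the shape of the psc.gov / ha.psc.gov situation is copied.
"""
import hashlib
from dataclasses import dataclass

SHA1, SHA256 = 1, 2  # DS digest type numbers (RFC 4034 / RFC 4509)


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int       # always 3
    algorithm: int      # 7 = RSASHA1-NSEC3-SHA1, as in the thread
    public_key: bytes   # constructed, not a real RSA key

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # upper-case hex, as in presentation format


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag (the variant for every algorithm but RSA/MD5)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def make_ds(owner: str, key: DNSKEY, digest_type: int) -> DS:
    """The DS record a parent publishes for `key` (RFC 4034 s5.1.4 / RFC 4509)."""
    hasher = {SHA1: hashlib.sha1, SHA256: hashlib.sha256}[digest_type]
    digest = hasher(wire_name(owner) + key.rdata()).hexdigest().upper()
    return DS(key_tag(key), key.algorithm, digest_type, digest)


def usable_ds(ds_set, strict=True):
    """RFC 4509 s3: drop SHA-1 DS records when any SHA-256 DS is in the RRset.
    strict=False models a resolver that keeps using the SHA-1 DS anyway."""
    if strict and any(ds.digest_type == SHA256 for ds in ds_set):
        return [ds for ds in ds_set if ds.digest_type != SHA1]
    return list(ds_set)


def secure_entry_keys(owner, ds_set, keys, strict=True):
    """Return the child DNSKEYs authenticated by the parent's DS RRset.
    An empty list means no secure entry point: the delegation is bogus and a
    validating resolver answers SERVFAIL."""
    found = []
    for ds in usable_ds(ds_set, strict):
        for key in keys:
            if key.algorithm != ds.algorithm or key_tag(key) != ds.key_tag:
                continue
            if make_ds(owner, key, ds.digest_type).digest == ds.digest:
                found.append(key)
    return found


# Constructed child zone: a published KSK and ZSK, plus a KSK the parent still
# references with a SHA-256 DS although the child has removed it.
ZONE = "ha.psc.gov."
KSK = DNSKEY(257, 3, 7, bytes(range(1, 33)))
ZSK = DNSKEY(256, 3, 7, bytes(range(100, 132)))
REMOVED = DNSKEY(257, 3, 7, bytes(range(200, 232)))
PUBLISHED = [KSK, ZSK]
PARENT_DS = [make_ds(ZONE, KSK, SHA1), make_ds(ZONE, REMOVED, SHA256)]

if __name__ == "__main__":
    for strict in (True, False):
        keys = secure_entry_keys(ZONE, PARENT_DS, PUBLISHED, strict)
        label = "RFC 4509 strict" if strict else "SHA-1 tolerated"
        print(label, [key_tag(k) for k in keys] or "no entry point -> bogus (SERVFAIL)")
```

With `strict=True`, the behaviour the thread attributes to BIND and Unbound, the only DS left after filtering points at a key the child does not publish, so no secure entry point exists and the answer is bogus even though the SHA-1 DS would have matched; with `strict=False` the SHA-1 DS still authenticates the KSK, which is the tolerant behaviour Matthew suspects of other resolvers. The `rndc nta` workaround quoted above sidesteps the question entirely by treating ha.psc.gov as insecure for the lifetime of the anchor; it does not repair the DS set, which only the psc.gov operator can do.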