On 7/12/2023 1:53 am, Bhangui, Sandeep - BLS CTR via bind-users wrote:
Hi
It seems the DNSSEC delegation from ".gov" to the bls.gov domain is
broken, because of which the records for bls.gov are considered bogus
and we are having issues at our site.
It looks like we were in the process of KSK rollover and that may have
caused the issue as things were fine till yesterday.
As we troubleshoot this issue, I was wondering whether there is some
option we can use in named.conf on our master DNS server so that DNSSEC
verification is NOT done for any bls.gov DNS lookups from outside, to
get a quick fix to this problem.
Currently DNS lookups from outside are flaky and I believe the reason
behind that being that the DNSSEC delegation is broken.
From the output at dnsviz.net when analyzing bls.gov, it seems that the
KSK rollover for bls.gov is the issue.
Basically, trying to see if I can get a quick interim fix till we
resolve the issue correctly.
Please advise.
Thanks
Sandeep
Hi Sandeep.
Probably the simplest workaround for a broken chain of trust would be to
remove your zone's DS records from the parent zone.
$ dig -t ds bls.gov
; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> -t ds bls.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27975
;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;bls.gov. IN DS
;; ANSWER SECTION:
bls.gov. 0 IN DS 50951 8 2 E6B0A294066904F20A2B8EBA3FA9920F9A1822802977F59D706B30A1 77F7DC0C
;; Query time: 0 msec
;; SERVER: 172.20.192.1#53(172.20.192.1) (UDP)
;; WHEN: Thu Dec 07 09:01:33 NZDT 2023
;; MSG SIZE rcvd: 80
I could be wrong, but based on the output above it looks like the
current TTL is 0, which means that doing this should provide immediate
relief.
Add a new DS record once you've fixed your KSK issues.
Nick.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
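The advice above rests on one question: does any DS record the parent (.gov) publishes still match a KSK the child (bls.gov) actually serves? If none does, validators treat the zone as bogus; if the parent publishes no DS at all, the zone is merely insecure, which is the "relief" Nick describes. The following script is an added example for this thread, not code posted by Sandeep, Nick, or ISC. It re-implements the RFC 4034 key-tag calculation and the digest-type-2 (SHA-256) DS digest so that the parent/child linkage can be checked offline, and it classifies a delegation as secure, insecure, or bogus from that linkage alone (RRSIG validation is out of scope). The DS record is the one quoted in the dig output above; the child DNSKEY is a constructed placeholder, not a real RSA key, so against the real DS it necessarily comes out bogus, which is the failure state described in the thread.

```python
"""Check whether a parent zone's DS records match the child zone's DNSKEYs.

Added example for this thread (not code posted by Sandeep, Nick, or ISC).
Implements RFC 4034 key tags and digest-type-2 (SHA-256) DS digests so the
DS <-> DNSKEY link can be checked offline. RRSIG validation is not done.
"""
import hashlib

DS_DIGEST_SHA256 = 2


def owner_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name such as 'bls.gov.'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """Digest type 2: SHA-256(owner name wire form | DNSKEY RDATA), upper hex."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()


def parse_ds(line: str) -> dict:
    """Parse a presentation-format DS record as dig prints it.

    The digest may be split across whitespace (dig wraps long digests),
    so everything after the digest type is joined back together.
    """
    fields = line.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return {"key_tag": tag, "algorithm": alg, "digest_type": dtype,
            "digest": "".join(fields[i + 4:]).upper()}


def make_ds(owner: str, key: tuple) -> str:
    """Presentation-format DS record to publish at the parent for a given KSK."""
    flags, proto, alg, pubkey = key
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    return f"{owner} IN DS {key_tag(rdata)} {alg} {DS_DIGEST_SHA256} {ds_digest(owner, rdata)}"


def delegation_status(parent_ds: list, child_keys: list, owner: str) -> str:
    """'insecure' when the parent publishes no DS, 'secure' when some DS
    matches a child DNSKEY (algorithm, key tag and digest), else 'bogus'."""
    if not parent_ds:
        return "insecure"
    for ds in parent_ds:
        if ds["digest_type"] != DS_DIGEST_SHA256:
            continue  # only SHA-256 digests are implemented here
        for flags, proto, alg, pubkey in child_keys:
            rdata = dnskey_rdata(flags, proto, alg, pubkey)
            if (alg == ds["algorithm"] and key_tag(rdata) == ds["key_tag"]
                    and ds_digest(owner, rdata) == ds["digest"]):
                return "secure"
    return "bogus"


# DS record exactly as quoted in the thread's dig output (digest wrapped by dig).
PARENT_DS_BLS = parse_ds(
    "bls.gov. 0 IN DS 50951 8 2 "
    "E6B0A294066904F20A2B8EBA3FA9920F9A1822802977F59D706B30A1 77F7DC0C")

# Constructed KSK for illustration only: flags 257 (KSK), protocol 3,
# algorithm 8. A real algorithm-8 key carries an RSA public key here;
# these four bytes are a placeholder and cannot sign anything.
FAKE_KSK = (257, 3, 8, b"\x01\x02\x03\x04")

if __name__ == "__main__":
    owner = "bls.gov."
    # Parent DS does not match the child's (constructed) KSK: bogus.
    print("current:", delegation_status([PARENT_DS_BLS], [FAKE_KSK], owner))
    # DS removed from the parent: insecure, but no longer bogus.
    print("DS removed:", delegation_status([], [FAKE_KSK], owner))
    # DS regenerated from the new KSK and republished: secure again.
    new_ds = parse_ds(make_ds(owner, FAKE_KSK))
    print("new DS:", make_ds(owner, FAKE_KSK))
    print("after republish:", delegation_status([new_ds], [FAKE_KSK], owner))
```

To use it against live data, feed `parse_ds` the lines from `dig -t ds bls.gov` and `child_keys` the DNSKEY records from `dig -t dnskey bls.gov` (base64-decode the public key field). Note that the TTL 0 in the dig output only tells you how long a cache may hold the DS; the parent's own negative-caching and the ".gov" zone publication schedule still govern how quickly a removal propagates.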