Re: DNSSEC troubleshooting on a recursive server.
On 08/07/2013 06:17 PM, Mark Andrews wrote:
>>> In any event, as Mark has suggested, you don't want to dig the RRSIG
>>> yourself. Rather, use:
>>>
>>> dig +dnssec zygo.com a
>>>
>>> ...and if you get a SERVFAIL:
>>>
>>> dig +dnssec +cd zygo.com a
>> dig +dnssec +cd zygo.com a resolved the domain.
> "RESOLVED THE DOMAIN" is not !@#$#!$!@#!$@#$%@#! enough for anyone
> to help you. WE NEED TO SEE WHAT YOU ARE SEEING.
>
> Mark

# dig +dnssec +cd zygo.com a

; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> +dnssec +cd zygo.com a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45711
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;zygo.com.                      IN      A

;; ANSWER SECTION:
zygo.com.               86400   IN      A       50.28.48.60

;; AUTHORITY SECTION:
zygo.com.               93100   IN      NS      pdns02.domaincontrol.com.
zygo.com.               93100   IN      NS      pdns01.domaincontrol.com.

;; ADDITIONAL SECTION:
pdns01.domaincontrol.com. 33591 IN      A       216.69.185.50
pdns01.domaincontrol.com. 57182 IN      AAAA    2607:f208:207::32
pdns02.domaincontrol.com. 80032 IN      A       208.109.255.50
pdns02.domaincontrol.com. 28807 IN      AAAA    2607:f208:303::32

;; Query time: 23 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 8 08:57:51 2013
;; MSG SIZE rcvd: 197

>
>> I have started to get other reports of domains with the same problem.
>> The same nameservers are having validation issues with these, and all
>> the domains use pdns01.domaincontrol.com and pdns02.domaincontrol.com.
>> as auth name servers. I guess this points to a problem somewhere in the
>> trust chain, but I can't figure out where.
>>
>> # dig a zygo.com +sigchase +trusted-key=root.keys +multiline +qr
>>
>> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> a zygo.com +sigchase
>> +trusted-key=root.keys +multiline +qr
>> ;; global options: +cmd
>> ;; Sending:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21316
>> ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;zygo.com.                     IN A
>>
>> ;; NO ANSWERS: no more
>> We want to prove the non-existence of a type of rdata 1 or of the zone:
>> ;; nothing in authority section : impossible to validate the
>> non-existence : FAILED
>>
>> ;; Impossible to verify the Non-existence, the NSEC RRset can't be
>> validated: FAILED
>>
>>
>> If I add +topdown then it succeeds.
>>
>> --
>> Grant Keller
>> Sonic.net System Operations

--
Grant Keller
Sonic.net System Operations

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC troubleshooting on a recursive server.
On Aug 8, 2013, at 11:58 AM, Grant Keller wrote:

> # dig +dnssec +cd zygo.com a
>
> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> +dnssec +cd zygo.com a
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45711
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;zygo.com.                      IN      A
>
> ;; ANSWER SECTION:
> zygo.com.               86400   IN      A       50.28.48.60
>
> ;; AUTHORITY SECTION:
> zygo.com.               93100   IN      NS      pdns02.domaincontrol.com.
> zygo.com.               93100   IN      NS      pdns01.domaincontrol.com.

Somebody is stripping off DNSSEC records...

aclegg@redwood:~/Src/bind-9.9.3-P2$ dig zygo.com +dnssec

; <<>> DiG 9.9.3-P2 <<>> zygo.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38336
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;zygo.com.                      IN      A

;; ANSWER SECTION:
zygo.com.               85958   IN      A       50.28.48.60
zygo.com.               85958   IN      RRSIG   A 7 2 86400 20130812183056 20130728183056 19712 zygo.com. FbuZDfcptJtbOCxsCV+U3uQA+ETkrvhKAJrpVhlVMAGrYhgFBHWTvsgK 8ZY9DP7Chr8rXF8BXjr0zh06Fi62RJQiRuytFLN117kqJjXe4g/5q4l3 O9XsuF2WeDj3TudMeqcb6hxGstly34gfec/RZdktlogmJTSu5+t3BdwP myU=

;; AUTHORITY SECTION:
zygo.com.               3158    IN      NS      pdns01.domaincontrol.com.
zygo.com.               3158    IN      NS      pdns02.domaincontrol.com.
zygo.com.               3158    IN      RRSIG   NS 7 2 3600 20130812183056 20130728183056 19712 zygo.com. YTqpH1q+wSZCUGhjw0qKWRBGSARInipMqUEOg0IaM49rgSSynYPDDt01 7XOCpOnlZXSuiGv42yac/b3Se4gGHOfdyOHRncjiSmwL5vYlVhCBqUS3 qgPSnqYonqC7uxaVg7tQm0ErZpWFJiMMdHfs/HpLTKq5tnZfHflCkhWj si4=

--
Alan Clegg | +1-919-355-8851 | a...@clegg.com
Re: DNSSEC troubleshooting on a recursive server.
On 08/08/2013 09:09 AM, Alan Clegg wrote:
> On Aug 8, 2013, at 11:58 AM, Grant Keller wrote:
>
>> # dig +dnssec +cd zygo.com a
>>
>> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> +dnssec +cd zygo.com a
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45711
>> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;zygo.com.                      IN      A
>>
>> ;; ANSWER SECTION:
>> zygo.com.               86400   IN      A       50.28.48.60
>>
>> ;; AUTHORITY SECTION:
>> zygo.com.               93100   IN      NS      pdns02.domaincontrol.com.
>> zygo.com.               93100   IN      NS      pdns01.domaincontrol.com.
> Somebody is stripping off DNSSEC records...
>
> aclegg@redwood:~/Src/bind-9.9.3-P2$ dig zygo.com +dnssec
>
> ; <<>> DiG 9.9.3-P2 <<>> zygo.com +dnssec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38336
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;zygo.com.                      IN      A
>
> ;; ANSWER SECTION:
> zygo.com.               85958   IN      A       50.28.48.60
> zygo.com.               85958   IN      RRSIG   A 7 2 86400 20130812183056
> 20130728183056 19712 zygo.com.
> FbuZDfcptJtbOCxsCV+U3uQA+ETkrvhKAJrpVhlVMAGrYhgFBHWTvsgK
> 8ZY9DP7Chr8rXF8BXjr0zh06Fi62RJQiRuytFLN117kqJjXe4g/5q4l3
> O9XsuF2WeDj3TudMeqcb6hxGstly34gfec/RZdktlogmJTSu5+t3BdwP myU=
>
> ;; AUTHORITY SECTION:
> zygo.com.               3158    IN      NS      pdns01.domaincontrol.com.
> zygo.com.               3158    IN      NS      pdns02.domaincontrol.com.
> zygo.com.               3158    IN      RRSIG   NS 7 2 3600 20130812183056
> 20130728183056 19712 zygo.com.
> YTqpH1q+wSZCUGhjw0qKWRBGSARInipMqUEOg0IaM49rgSSynYPDDt01
> 7XOCpOnlZXSuiGv42yac/b3Se4gGHOfdyOHRncjiSmwL5vYlVhCBqUS3
> qgPSnqYonqC7uxaVg7tQm0ErZpWFJiMMdHfs/HpLTKq5tnZfHflCkhWj si4=
>

It's strange, I get the records when querying one of my other DNS servers:

; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> +dnssec +cd zygo.com a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8807
;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;zygo.com.                      IN      A

;; ANSWER SECTION:
zygo.com.               85276   IN      A       50.28.48.60
zygo.com.               85276   IN      RRSIG   A 7 2 86400 20130812183056 20130728183056 19712 zygo.com. FbuZDfcptJtbOCxsCV+U3uQA+ETkrvhKAJrpVhlVMAGrYhgFBHWTvsgK 8ZY9DP7Chr8rXF8BXjr0zh06Fi62RJQiRuytFLN117kqJjXe4g/5q4l3 O9XsuF2WeDj3TudMeqcb6hxGstly34gfec/RZdktlogmJTSu5+t3BdwP myU=

;; AUTHORITY SECTION:
zygo.com.               2476    IN      NS      pdns02.domaincontrol.com.
zygo.com.               2476    IN      NS      pdns01.domaincontrol.com.
zygo.com.               2476    IN      RRSIG   NS 7 2 3600 20130812183056 20130728183056 19712 zygo.com. YTqpH1q+wSZCUGhjw0qKWRBGSARInipMqUEOg0IaM49rgSSynYPDDt01 7XOCpOnlZXSuiGv42yac/b3Se4gGHOfdyOHRncjiSmwL5vYlVhCBqUS3 qgPSnqYonqC7uxaVg7tQm0ErZpWFJiMMdHfs/HpLTKq5tnZfHflCkhWj si4=

;; ADDITIONAL SECTION:
pdns01.domaincontrol.com. 19183 IN      A       216.69.185.50
pdns02.domaincontrol.com. 113756 IN     A       208.109.255.50
pdns02.domaincontrol.com. 25440 IN      AAAA    2607:f208:303::32

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 8 09:17:01 2013
;; MSG SIZE rcvd: 505

--
Grant Keller
Sonic.net System Operations
Re: DNSSEC troubleshooting on a recursive server.
On 08/08/13 17:22, Grant Keller wrote:
> It's strange, I get the records when querying one of my other DNS servers:

As per my original email - firewall? middlebox? crazy ISP transparent caching DNS server?

I would break out tcpdump; clear the cache on the affected server, re-do the dig, then trawl through the tcpdump looking for the relevant queries and replies. Prove to yourself whether the RRSIGs are arriving at the "broken" DNS server. If so, go on from there. If not, harass your network/security team or upstream ;o)
Re: DNSSEC troubleshooting on a recursive server.
On 08/08/2013 09:34 AM, Phil Mayers wrote:
> On 08/08/13 17:22, Grant Keller wrote:
>
>> It's strange, I get the records when querying one of my other DNS
>> servers:
>
> As per my original email - firewall? middlebox? crazy ISP transparent
> caching DNS server?
>
> I would break out tcpdump; clear the cache on the affected server,
> re-do the dig, then trawl through the tcpdump looking for the relevant
> queries and replies. Prove to yourself whether the RRSIGs are arriving
> at the "broken" DNS server. If so, go on from there. If not, harass
> your network/security team or upstream ;o)
>

I don't think it is anything upstream. As a test, I flushed the cache on one of the affected servers, and now it is validating successfully:

; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> +dnssec zygo.com a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58342
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;zygo.com.                      IN      A

;; ANSWER SECTION:
zygo.com.               86400   IN      A       50.28.48.60
zygo.com.               86400   IN      RRSIG   A 7 2 86400 20130812183056 20130728183056 19712 zygo.com. FbuZDfcptJtbOCxsCV+U3uQA+ETkrvhKAJrpVhlVMAGrYhgFBHWTvsgK 8ZY9DP7Chr8rXF8BXjr0zh06Fi62RJQiRuytFLN117kqJjXe4g/5q4l3 O9XsuF2WeDj3TudMeqcb6hxGstly34gfec/RZdktlogmJTSu5+t3BdwP myU=

;; AUTHORITY SECTION:
zygo.com.               3600    IN      NS      pdns02.domaincontrol.com.
zygo.com.               3600    IN      NS      pdns01.domaincontrol.com.
zygo.com.               3600    IN      RRSIG   NS 7 2 3600 20130812183056 20130728183056 19712 zygo.com. YTqpH1q+wSZCUGhjw0qKWRBGSARInipMqUEOg0IaM49rgSSynYPDDt01 7XOCpOnlZXSuiGv42yac/b3Se4gGHOfdyOHRncjiSmwL5vYlVhCBqUS3 qgPSnqYonqC7uxaVg7tQm0ErZpWFJiMMdHfs/HpLTKq5tnZfHflCkhWj si4=

;; ADDITIONAL SECTION:
pdns01.domaincontrol.com. 172786 IN     A       216.69.185.50
pdns02.domaincontrol.com. 172786 IN     A       208.109.255.50

;; Query time: 23 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 8 09:38:24 2013
;; MSG SIZE rcvd: 477

I still have a few more servers that are affected, and I would prefer to not flush the cache on all of them.

--
Grant Keller
Sonic.net System Operations
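The two responses in this thread differ in exactly the ways a resolver operator should check for mechanically: the DO bit was set but the ANSWER came back without an RRSIG, the cd flag masked the validation failure, and after the flush the ad flag appeared alongside an RRSIG whose inception/expiration window brackets the query time. The helper below is an added example for this thread, not code from the posts or from BIND: it parses dig output (whitespace restored), reports those conditions, and embeds two constructed samples mirroring the before-flush and after-flush answers, with SIGDATA= standing in for the real signature.

```python
import re
from datetime import datetime

# Constructed samples (not verbatim from the thread), whitespace restored: the cached
# signature-less answer seen with +cd, and the validated answer seen after the cache flush.
BROKEN = """;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
zygo.com.   86400   IN  A   50.28.48.60
"""
GOOD = """;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
zygo.com.   86400   IN  A   50.28.48.60
zygo.com.   86400   IN  RRSIG   A 7 2 86400 20130812183056 20130728183056 19712 zygo.com. SIGDATA=
;; WHEN: Thu Aug 8 09:38:24 2013
"""

def parse_dig(text):  # header flags, EDNS flags, query time and records per section
    r, section = {"flags": set(), "edns": set(), "when": None, "records": {}}, None
    for line in text.splitlines():
        if m := re.match(r";; flags:([^;]*);", line):
            r["flags"] = set(m.group(1).split())
        elif m := re.match(r"; EDNS:.*flags:([^;]*);", line):
            r["edns"] = set(m.group(1).split())
        elif m := re.match(r";; WHEN: (.+)$", line):  # local time, close enough for a 2-week window
            r["when"] = datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Y")
        elif m := re.match(r";; (\w+) SECTION:", line):
            section = m.group(1)
        elif section and line and not line.startswith(";"):
            f = line.split()
            if len(f) >= 5 and f[2] == "IN":  # skips base64 continuation lines of a wrapped RRSIG
                r["records"].setdefault(section, []).append(f)
    return r

def triage(text):  # -> (types covered by an RRSIG in ANSWER, list of findings)
    r = parse_dig(text)
    answers = r["records"].get("ANSWER", [])
    sigs = [f for f in answers if f[3] == "RRSIG"]
    findings = []
    if "do" in r["edns"] and answers and not sigs:
        findings.append("DO=1 but no RRSIG in ANSWER: stripped in transit or cached from a non-EDNS query")
    if "cd" in r["flags"]:
        findings.append("cd set: validation bypassed, so NOERROR proves nothing about the chain")
    elif "ad" not in r["flags"]:
        findings.append("no ad flag: the resolver did not validate this answer")
    for f in sigs:  # RRSIG rdata: type alg labels orig_ttl expiration inception keytag signer sig
        exp, inc = (datetime.strptime(f[i], "%Y%m%d%H%M%S") for i in (8, 9))
        if r["when"] and not inc <= r["when"] <= exp:
            findings.append(f"RRSIG over {f[4]} (key tag {f[10]}) is outside its validity window")
    return sorted(f[4] for f in sigs), findings
```

Feed it the saved output of `dig +dnssec` from each resolver; a server that reports the first finding while its siblings do not is the one serving a stale cache entry.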
Network Solutions and DNSSEC
Anyone know when Network Solutions plans to support DNSSEC?

Eric Davis
Re: DNSSEC troubleshooting on a recursive server.
In message <5203ca6c.9000...@corp.sonic.net>, Grant Keller writes:
> On 08/08/2013 09:34 AM, Phil Mayers wrote:
> > On 08/08/13 17:22, Grant Keller wrote:
> >
> >> It's strange, I get the records when querying one of my other DNS
> >> servers:
> >
> > As per my original email - firewall? middlebox? crazy ISP transparent
> > caching DNS server?
> >
> > I would break out tcpdump; clear the cache on the affected server,
> > re-do the dig, then trawl through the tcpdump looking for the relevant
> > queries and replies. Prove to yourself whether the RRSIGs are arriving
> > at the "broken" DNS server. If so, go on from there. If not, harass
> > your network/security team or upstream ;o)
> >
>
> I don't think it is anything upstream. As a test, I flushed the cache on
> one of the affected servers, and now it is validating successfully:

Upgrade: BIND 9.9.2 -> BIND 9.9.3-P2.

There is a bug in another vendor's DNSSEC implementation that tickles this bug. The other vendor has shipped a fix for that bug.

3376.   [bug]           Lack of EDNS support was being recorded without a
                        successful response. [RT #30811]

> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> +dnssec zygo.com a
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58342
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;zygo.com.                      IN      A
>
> ;; ANSWER SECTION:
> zygo.com.               86400   IN      A       50.28.48.60
> zygo.com.               86400   IN      RRSIG   A 7 2 86400 20130812183056
> 20130728183056 19712 zygo.com.
> FbuZDfcptJtbOCxsCV+U3uQA+ETkrvhKAJrpVhlVMAGrYhgFBHWTvsgK
> 8ZY9DP7Chr8rXF8BXjr0zh06Fi62RJQiRuytFLN117kqJjXe4g/5q4l3
> O9XsuF2WeDj3TudMeqcb6hxGstly34gfec/RZdktlogmJTSu5+t3BdwP myU=
>
> ;; AUTHORITY SECTION:
> zygo.com.               3600    IN      NS      pdns02.domaincontrol.com.
> zygo.com.               3600    IN      NS      pdns01.domaincontrol.com.
> zygo.com.               3600    IN      RRSIG   NS 7 2 3600 20130812183056
> 20130728183056 19712 zygo.com.
> YTqpH1q+wSZCUGhjw0qKWRBGSARInipMqUEOg0IaM49rgSSynYPDDt01
> 7XOCpOnlZXSuiGv42yac/b3Se4gGHOfdyOHRncjiSmwL5vYlVhCBqUS3
> qgPSnqYonqC7uxaVg7tQm0ErZpWFJiMMdHfs/HpLTKq5tnZfHflCkhWj si4=
>
> ;; ADDITIONAL SECTION:
> pdns01.domaincontrol.com. 172786 IN     A       216.69.185.50
> pdns02.domaincontrol.com. 172786 IN     A       208.109.255.50
>
> ;; Query time: 23 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu Aug 8 09:38:24 2013
> ;; MSG SIZE rcvd: 477
>
>
> I still have a few more servers that are affected, and I would prefer to
> not flush the cache on all of them.
>
> --
> Grant Keller
> Sonic.net System Operations

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: Network Solutions and DNSSEC
Eric,

The message I got from them as of 9/30/2012 was that they do not plan on supporting DNSSEC.

Dirck

On Thu, Aug 8, 2013 at 2:22 PM, Eric Davis wrote:
> Anyone know when Network Solutions plans to support DNSSEC?
>
> Eric Davis

--
Dirck Copeland
Idaho National Laboratory
Communications Infrastructure
Work: 208-526-8942
dirck.copel...@inl.gov