DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Alexandra Yang
Hi Group,


I wonder if anyone can shed some light on this: our nameserver (BIND 9.16.37)
keeps giving errors resolving gpo.gov and ns3.gpo.gov. Here are the errors:


Mar 14 10:23:32 ipam-dns-in-1 named[3713]:   validating gpo.gov/SOA: got insecure response; parent indicates it should be secure

Mar 14 10:23:32 ipam-dns-in-1 named[3713]: no valid RRSIG resolving 'ns3.gpo.gov/DS/IN': 162.140.254.200#53

Mar 14 10:23:32 ipam-dns-in-1 named[3713]: broken trust chain resolving 'ns3.gpo.gov/A/IN': 162.140.15.100#53


When I checked the DNSSEC of this domain I couldn't find any problem that could
cause the above errors. Does anyone else see issues resolving gpo.gov?


Thanks!!


Sandra
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Stephane Bortzmeyer
On Tue, Mar 14, 2023 at 11:08:28AM -0400,
 Alexandra Yang  wrote 
 a message of 154 lines which said:

> I wonder if anyone can shed some light on this, our nameserver(BIND
> 9.16.37 )keeps giving error on resolving gpo.gov and ns3.gpo.gov,
> here are the
> errors:

"DS record for zone gpo.gov with keytag 18496 was created by digest
algorithm 1 (SHA-1) which is deprecated."
https://zonemaster.fr/en/result/9161c8485223705c

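An added example, not from this thread and not BIND's code: the check a resolver operator can run locally when a report like the Zonemaster one above points at the DS. It recomputes the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4) from a child DNSKEY and compares them with the parent-side DS records, reporting which digest type each DS uses. A SHA-1 DS is deprecated for new delegations, but RFC 8624 still requires validators to accept it, so a SHA-1 DS on its own is a warning rather than a reason for SERVFAIL; a DS whose key tag or digest matches no DNSKEY in the child zone is. The key below is constructed (32 bytes 0x01..0x20, labelled as such in the code) so that the key tag can be checked by hand; to check gpo.gov you would paste the fields from `dig +multi gpo.gov DNSKEY` and `dig gpo.gov DS` into the same functions, and the computed tag should come out as the one the DS names.

```python
import base64
import hashlib
import struct

# Digest types from the IANA DS registry. RFC 8624: type 1 (SHA-1) must not be
# used for new delegations, but validators are still required to accept it.
DIGEST_TYPES = {
    1: ("SHA-1", hashlib.sha1),
    2: ("SHA-256", hashlib.sha256),
    4: ("SHA-384", hashlib.sha384),
}

# Constructed sample key (NOT a real DNSKEY): 32 bytes 0x01..0x20, so the key tag
# can be verified by hand. Replace with the fields from "dig +multi <zone> DNSKEY".
SAMPLE_OWNER = "gpo.gov."
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM = 257, 3, 13  # KSK flag, DNSSEC, ECDSAP256SHA256
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(1, 33))).decode()


def name_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, uncompressed (RFC 4034 s6.2)."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest per RFC 4034 s5.1.4: H(canonical owner name | DNSKEY RDATA), upper-case hex."""
    hash_fn = DIGEST_TYPES[digest_type][1]
    return hash_fn(name_to_wire(owner) + rdata).hexdigest().upper()


def check_ds(owner, flags, protocol, algorithm, pubkey_b64, ds_records):
    """Compare each parent-side DS (key_tag, algorithm, digest_type, digest_hex)
    against one child DNSKEY. Returns [(ds, matches: bool, digest_name: str), ...].
    An unknown digest type or a tag/algorithm mismatch counts as no match."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    tag = key_tag(rdata)
    results = []
    for ds in ds_records:
        ds_tag, ds_alg, ds_dtype, ds_hex = ds
        digest_name = DIGEST_TYPES.get(ds_dtype, ("unknown", None))[0]
        matches = (
            ds_dtype in DIGEST_TYPES
            and ds_tag == tag
            and ds_alg == algorithm
            and ds_digest(owner, rdata, ds_dtype) == ds_hex.replace(" ", "").upper()
        )
        results.append((ds, matches, digest_name))
    return results


if __name__ == "__main__":
    rdata = dnskey_rdata(SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_KEY_B64)
    tag = key_tag(rdata)
    # Constructed parent-side DS set: a SHA-256 DS and a SHA-1 DS for the same key.
    parent_ds = [
        (tag, SAMPLE_ALGORITHM, 2, ds_digest(SAMPLE_OWNER, rdata, 2)),
        (tag, SAMPLE_ALGORITHM, 1, ds_digest(SAMPLE_OWNER, rdata, 1)),
    ]
    for ds, ok, digest_name in check_ds(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL,
                                        SAMPLE_ALGORITHM, SAMPLE_KEY_B64, parent_ds):
        note = "  (SHA-1: deprecated for new DS, still accepted by validators)" if ds[2] == 1 else ""
        print(f"DS {ds[0]} {ds[1]} {ds[2]} {ds[3][:16]}... matches={ok} digest={digest_name}{note}")
```

The script does no network I/O on purpose: the DS/DNSKEY pair you examine can then be taken from an `rndc dumpdb` cache dump or from a `dig` aimed at one specific authoritative server, rather than from whatever the failing resolver currently believes.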


RE: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread John W. Blue via bind-users
Keep in mind that SHA1 may not have been included by choice.

If gpo.gov is using Infoblox there is, what I like to call, an Infoblox-ism in
play regarding DNSSEC where, even if you choose RSA256 or RSA512 or whatever,
it will create a SHA1.

John



Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Alexandra Yang
I wonder if any of your nameservers resolve it just fine; 8.8.8.8 works, and
the check on the Verisign site gives no error:
https://dnssec-analyzer.verisignlabs.com/gpo.gov

Also, this one only gives a warning instead of a hard fail, or maybe these web
checks are not up to date:
https://dnsviz.net/d/gpo.gov/dnssec/




Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Stephane Bortzmeyer
On Tue, Mar 14, 2023 at 11:35:38AM -0400,
 Alexandra Yang  wrote 
 a message of 183 lines which said:

> I wonder if any of your nameserver resolve it just fine, like 8.8.8.8
> works

Among RIPE Atlas probes, most succeed:

% blaeu-resolve --displayvalidation -r 100  --type A gpo.gov
[ (Authentic Data flag)  162.140.14.82] : 46 occurrences 
[162.140.14.82] : 52 occurrences 
[ERROR: SERVFAIL] : 2 occurrences 
Test #50935448 done at 2023-03-14T15:46:50Z

The two whose resolvers servfail may have stricter/paranoid resolvers.




How to use update-policy type "external"

2023-03-14 Thread Vladimir Brik

Hello

I am trying to set up an "external" dynamic DNS update 
policy but I can't figure out the syntax.


The documentation [1] says that the "identity" field needs 
to be in the form local:PATH, but using something like the 
following results in an error: "expected unquoted string 
near '/'", and I don't know how to fix it.


update-policy {
grant local:/tmp/sock external NAME txt;
};

Also, the documentation doesn't say how NAME is interpreted. 
Is it ignored?



Thanks very much

Vlad


[1] 
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-update-policy



Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Tim Maestas
I've been having problems resolving www.federalregister.gov which is served
by ns3.gpo.gov and ns4.gpo.gov, using BIND 9.16.27.  Haven't been able to
quite figure out why so I've stuck an NTA in for the time being.



Re: How to use update-policy type "external"

2023-03-14 Thread Ondřej Surý
I haven't used this personally, but in the system tests, this works:

update-policy {
grant administra...@example.nil wildcard * A  SRV CNAME;
grant testden...@example.nil wildcard * TXT;
grant "local:/tmp/auth.sock" external * CNAME;
};

i.e. you need to quote the path.

The documentation is silent on the NAME field, but I would suggest using either
* or . as a placeholder.

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.





Re: How to use update-policy type "external"

2023-03-14 Thread Vladimir Brik

Thanks, quoting worked!

Does anybody know if the socket of an "external"
update-policy is supposed to receive data for every dynamic DNS
update?


I `strace`ed the `named` process and pushed some updates 
using nsupdate, but I saw no attempts to do anything with 
the socket file (no opens, no writes) and nothing related to 
the socket in the logs either.


I am not sure how to start debugging this. Can anyone help?


Vlad


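An added example, not from the thread and not BIND's own code, for the two questions above: what a `grant "local:/path" external ...` rule actually talks to, and what the socket is supposed to receive. The BIND 9 reference manual describes the `external` rule type like this: named connects to the Unix-domain socket named in the identity field and sends a request made of a 4-byte protocol version (currently 1), a 4-byte request length, five NUL-terminated strings (signer, name, TCP source address, rdata type, key) and a 4-byte TKEY token length followed by the token bytes; the daemon answers with one 4-byte value, 1 to permit and 0 to deny, all integers in network byte order. The daemon below implements that exchange with a constructed policy and fails closed on anything it cannot parse. Assumptions, not facts from the page: the length field counts the whole request including the 8-byte header, the address string is empty for updates that arrived over UDP, the key field carries the signing key's name (for TSIG the same as the signer), and the socket path /run/named/ssu.sock and the key name ddns-key are placeholders.

```python
import os
import socket
import struct

SSU_EXTERNAL_VERSION = 1
FIELDS = ("signer", "name", "addr", "rtype", "key")


def encode_request(signer, name, addr, rtype, key, tkey_token=b""):
    """Build a request in the layout named uses for "external" rules:
    version(u32) | total length(u32) | five NUL-terminated strings |
    tkey-token length(u32) | token bytes. Used to exercise the daemon without named."""
    body = b"".join(s.encode("ascii") + b"\x00" for s in (signer, name, addr, rtype, key))
    body += struct.pack("!I", len(tkey_token)) + tkey_token
    return struct.pack("!II", SSU_EXTERNAL_VERSION, 8 + len(body)) + body  # length incl. header (assumption)


def parse_request(data):
    """Decode one request; raises ValueError on anything malformed so the caller denies."""
    if len(data) < 8:
        raise ValueError("short header")
    version, length = struct.unpack("!II", data[:8])
    if version != SSU_EXTERNAL_VERSION:
        raise ValueError(f"unsupported version {version}")
    if length != len(data):
        raise ValueError("length field does not match request size")
    fields, pos = [], 8
    for _ in FIELDS:
        end = data.find(b"\x00", pos)
        if end < 0:
            raise ValueError("unterminated string field")
        fields.append(data[pos:end].decode("ascii", errors="replace"))
        pos = end + 1
    if len(data) - pos < 4:
        raise ValueError("missing token length")
    (token_len,) = struct.unpack("!I", data[pos:pos + 4])
    token = data[pos + 4:pos + 4 + token_len]
    if len(token) != token_len or pos + 4 + token_len != len(data):
        raise ValueError("token length does not match")
    req = dict(zip(FIELDS, fields))
    req["tkey_token"] = token
    return req


def example_policy(req):
    """Constructed policy (placeholder names): TSIG key "ddns-key" may write TXT
    records only at _acme-challenge.<host>.example.net, and nothing else."""
    signer = req["signer"].lower().rstrip(".")
    name = req["name"].lower().rstrip(".")
    return (signer == "ddns-key"
            and req["rtype"].upper() == "TXT"
            and name.startswith("_acme-challenge.")
            and name.endswith(".example.net"))


def _recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ValueError("peer closed early")
        buf += chunk
    return buf


def handle_connection(conn, policy):
    """Serve one request on an accepted connection and return the verdict sent
    (1 permit, 0 deny). Any parse error or implausible length denies."""
    verdict = 0
    try:
        header = _recv_exact(conn, 8)
        _, length = struct.unpack("!II", header)
        if 8 <= length <= 65535:
            req = parse_request(header + _recv_exact(conn, length - 8))
            verdict = 1 if policy(req) else 0
    except ValueError:
        verdict = 0
    conn.sendall(struct.pack("!I", verdict))
    return verdict


def roundtrip_local(request_bytes, policy):
    """Dry run over a socketpair: what would the daemon answer for this request?"""
    client, server = socket.socketpair()
    try:
        client.sendall(request_bytes)
        handle_connection(server, policy)
        return struct.unpack("!I", _recv_exact(client, 4))[0]
    finally:
        client.close()
        server.close()


def serve(path, policy):
    """Listen on the socket named in the grant rule, e.g.
    grant "local:/run/named/ssu.sock" external * TXT;   (path is a placeholder)
    named's user must be able to connect, so mind ownership and mode of the socket file."""
    try:
        os.unlink(path)
    except FileNotFoundError:
        pass
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o660)
    srv.listen(16)
    while True:
        conn, _ = srv.accept()
        with conn:
            handle_connection(conn, policy)


if __name__ == "__main__":
    import sys
    serve(sys.argv[1] if len(sys.argv) > 1 else "/run/named/ssu.sock", example_policy)
```

`roundtrip_local` feeds the daemon a request without named, which is the quickest way to separate a policy bug from a transport problem. On the transport side, two things are worth checking before reaching for strace: named's user must be able to connect to the socket file, and if named runs under a systemd unit with PrivateTmp=true, a socket created in /tmp by another process is not in the /tmp that named sees, so a path under /run is safer. Also, in my reading of named's update-policy code, rules other than tcpself/6to4self are skipped for updates that carry no TSIG or SIG(0) signature, so an unsigned nsupdate run would never reach the daemon; send the test update with a key (nsupdate -k) before concluding the socket is dead.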


Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Darren Ankney
This is failing for me regularly:

$ dig ns3.gpo.gov +dnssec +norecurse @162.140.15.200
;; communications error to 162.140.15.200#53: timed out
;; communications error to 162.140.15.200#53: timed out
;; communications error to 162.140.15.200#53: timed out

; <<>> DiG 9.18.11 <<>> ns3.gpo.gov +dnssec +norecurse @162.140.15.200
;; global options: +cmd
;; no servers could be reached

but all other combos of ns3.gpo.gov or ns4.gpo.gov and 162.140.15.100
and 162.140.15.200 work fine.



Re: How to use update-policy type "external"

2023-03-14 Thread Darren Ankney
Hi Vlad,

Did you specify the socket filename (/tmp/sock from your update-policy
example) when running it?  According to the man page:
https://bind9.readthedocs.io/en/v9_18_11/manpages.html#nsupdate-dynamic-dns-update-utility
the final argument for the command line is an optional filename.  If
not specified, I think that nsupdate just does lookups to find the SOA
and attempts updates via the IP addresses associated with the records
you are trying to update.

Something like `nsupdate /tmp/sock`, I think, maybe?  I don't know...
I've never tried it.



Re: How to use update-policy type "external"

2023-03-14 Thread Ondřej Surý
> I am not sure how to start debugging this. Can anyone help?

Well, start with sharing as much details as you can. It’s hard to tell what you 
are doing from a single configuration line.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.



Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Mark Andrews
Why are you trying to query this address?  The IPv4 servers are 162.140.15.100
and 162.140.254.200.

> On 15 Mar 2023, at 07:53, Darren Ankney  wrote:
> 
> This is failing for me regularly:
> 
> $ dig ns3.gpo.gov +dnssec +norecurse @162.140.15.200
> ;; communications error to 162.140.15.200#53: timed out
> ;; communications error to 162.140.15.200#53: timed out
> ;; communications error to 162.140.15.200#53: timed out
> 
> ; <<>> DiG 9.18.11 <<>> ns3.gpo.gov +dnssec +norecurse @162.140.15.200
> ;; global options: +cmd
> ;; no servers could be reached
> 
> but all other combos of ns3.gpo.gov or ns4.gpo.gov and 162.140.15.100
> and 162.140.15.200 work fine.
> 
> On Tue, Mar 14, 2023 at 12:03 PM Tim Maestas  wrote:
>> 
>> I've been having problems resolving www.federalregister.gov which is served 
>> by ns3.gpo.gov and ns4.gpo.gov, using BIND 9.16.27.  Haven't been able to 
>> quite figure out why so I've stuck an NTA in for the time being.
>> 
>> On Tue, Mar 14, 2023 at 8:52 AM Stephane Bortzmeyer  
>> wrote:
>>> 
>>> On Tue, Mar 14, 2023 at 11:35:38AM -0400,
>>> Alexandra Yang  wrote
>>> a message of 183 lines which said:
>>> 
 I wonder if any of your nameserver resolve it just fine, like 8.8.8.8
 works
>>> 
>>> Among RIPE Atlas probes, most succeed:
>>> 
>>> % blaeu-resolve --displayvalidation -r 100  --type A gpo.gov
>>> [ (Authentic Data flag)  162.140.14.82] : 46 occurrences
>>> [162.140.14.82] : 52 occurrences
>>> [ERROR: SERVFAIL] : 2 occurrences
>>> Test #50935448 done at 2023-03-14T15:46:50Z
>>> 
>>> The two whose resolvers servfail may have stricter/paranoid resolvers.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Mark Andrews



> On 15 Mar 2023, at 02:08, Alexandra Yang  wrote:
> 
> Hi Group,
> 
> I wonder if anyone can shed some light on this, our nameserver(BIND 9.16.37 
> )keeps giving error on resolving gpo.gov and ns3.gpo.gov, here are the errors:
> 
> Mar 14 10:23:32 ipam-dns-in-1 named[3713]:   validating gpo.gov/SOA: got 
> insecure response; parent indicates it should be secure

For some reason you are not getting signed responses.  Are you using a 
forwarder?

> Mar 14 10:23:32 ipam-dns-in-1 named[3713]: no valid RRSIG resolving 
> 'ns3.gpo.gov/DS/IN': 162.140.254.200#53
> Mar 14 10:23:32 ipam-dns-in-1 named[3713]: broken trust chain resolving 
> 'ns3.gpo.gov/A/IN': 162.140.15.100#53


Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Tim Maestas
On Tue, Mar 14, 2023 at 4:34 PM Mark Andrews  wrote:

> For some reason you are not getting signed responses.  Are you using a
> forwarder?

For what it's worth, I keep getting:

Mar 14 23:59:56 cl-dns1 named[19640]: view Caching:   validating federalregister.gov/SOA: got insecure response; parent indicates it should be secure
Mar 14 23:59:56 cl-dns1 named[19640]: no valid RRSIG resolving 'www.federalregister.gov/DS/IN': 162.140.254.200#53
Mar 14 23:59:56 cl-dns1 named[19640]: view Caching:   validating federalregister.gov/SOA: got insecure response; parent indicates it should be secure
Mar 14 23:59:56 cl-dns1 named[19640]: no valid RRSIG resolving 'www.federalregister.gov/DS/IN': 162.140.15.100#53
Mar 14 23:59:56 cl-dns1 named[19640]: broken trust chain resolving 'www.federalregister.gov/A/IN': 162.140.15.100#53

No forwarders in use.  At some point the domain starts to validate as my
NTAs drop out unless I use -force, but then it starts to fail again.


Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Alexandra Yang
Hi Mark,

We noticed the problem because clients can't resolve www.federalregister.gov,
hosted by ns3.gpo.gov and ns4.gpo.gov. Our error is similar to the previous
post, plus some errors with the gpo.gov nameserver. I just wonder if it's a
config problem with our BIND 9.16.37 or a problem with the gpo.gov
nameserver?

We have dnssec-validation yes; not sure what to do if there is a problem with
our config.


Mar 13 18:02:18 ipam-dns-bl-5 named[2881]: client @0xaf1cb158 10.10.99.155#55940 (ns3.gpo.gov): query failed (broken trust chain) for ns3.gpo.gov/IN/A at /mnt/proj/package-7-3/nessy/bind-9.16/lib/ns/query.c:7449

Mar 14 10:23:32 ipam-dns-in-1 named[3713]: broken trust chain resolving 'ns3.gpo.gov/A/IN': 162.140.15.100#53

Mar 13 16:18:46 ipam-dns-bl-4 named[2928]: broken trust chain resolving 'www.federalregister.gov//IN': 162.140.15.100#53



Thanks!



On Tue, Mar 14, 2023 at 7:30 PM Mark Andrews  wrote:

> Why are you trying to query this address?  The IPv4 servers are
> 162.140.15.100
> and 162.140.254.200.
>
> > On 15 Mar 2023, at 07:53, Darren Ankney  wrote:
> >
> > This is failing for me regularly:
> >
> > $ dig ns3.gpo.gov +dnssec +norecurse @162.140.15.200
> > ;; communications error to 162.140.15.200#53: timed out
> > ;; communications error to 162.140.15.200#53: timed out
> > ;; communications error to 162.140.15.200#53: timed out
> >
> > ; <<>> DiG 9.18.11 <<>> ns3.gpo.gov +dnssec +norecurse @162.140.15.200
> > ;; global options: +cmd
> > ;; no servers could be reached
> >
> > but all other combos of ns3.gpo.gov or ns4.gpo.gov and 162.140.15.100
> > and 162.140.15.200 work fine.
> >
> > On Tue, Mar 14, 2023 at 12:03 PM Tim Maestas 
> wrote:
> >>
> >> I've been having problems resolving www.federalregister.gov which is
> served by ns3.gpo.gov and ns4.gpo.gov, using BIND 9.16.27.  Haven't been
> able to quite figure out why so I've stuck an NTA in for the time being.
> >>
> >> On Tue, Mar 14, 2023 at 8:52 AM Stephane Bortzmeyer 
> wrote:
> >>>
> >>> On Tue, Mar 14, 2023 at 11:35:38AM -0400,
> >>> Alexandra Yang  wrote
> >>> a message of 183 lines which said:
> >>>
>  I wonder if any of your nameserver resolve it just fine, like 8.8.8.8
>  works
> >>>
> >>> Among RIPE Atlas probes, most succeed:
> >>>
> >>> % blaeu-resolve --displayvalidation -r 100  --type A gpo.gov
> >>> [ (Authentic Data flag)  162.140.14.82] : 46 occurrences
> >>> [162.140.14.82] : 52 occurrences
> >>> [ERROR: SERVFAIL] : 2 occurrences
> >>> Test #50935448 done at 2023-03-14T15:46:50Z
> >>>
> >>> The two whose resolvers servfail may have stricter/paranoid resolvers.
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
>


Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Crist Clark
rndc dumpdb
rndc flushtree gov

Did that help? Going back to the dumped cache, what do the relevant names
have in there?


On Tue, Mar 14, 2023 at 5:46 PM Alexandra Yang  wrote:

> Hi Mark,
>
> We noticed the problem because the client can't resolve
> www.federalregister.gov, hosted by ns3.gpo.gov and ns4.gpo.gov. Our error
> is similar to the previous post, plus some errors with the gpo.gov
> nameserver. I just wonder if it's a config problem with our BIND 9.16.37
> or a problem with the gpo.gov nameserver?
>
> We have dnssec-validation yes; not sure what to do if there is a problem
> with our config.
>
>
> Mar 13 18:02:18 ipam-dns-bl-5 named[2881]: client @0xaf1cb158
> 10.10.99.155#55940 (ns3.gpo.gov): query failed (broken trust chain) for
> ns3.gpo.gov/IN/A at
> /mnt/proj/package-7-3/nessy/bind-9.16/lib/ns/query.c:7449
>
>
> Mar 14 10:23:32 ipam-dns-in-1 named[3713]: broken trust chain resolving 
> 'ns3.gpo.gov/A/IN': 162.140.15.100#53
>
>
> Mar 13 16:18:46 ipam-dns-bl-4 named[2928]: broken trust chain resolving '
> www.federalregister.gov//IN': 162.140.15.100#53
>
>
>
> Thanks!
>
>
>
> On Tue, Mar 14, 2023 at 7:30 PM Mark Andrews  wrote:
>
>> Why are you trying to query this address?  The IPv4 servers are
>> 162.140.15.100
>> and 162.140.254.200.
>>
>> > On 15 Mar 2023, at 07:53, Darren Ankney 
>> wrote:
>> >
>> > This is failing for me regularly:
>> >
>> > $ dig ns3.gpo.gov +dnssec +norecurse @162.140.15.200
>> > ;; communications error to 162.140.15.200#53: timed out
>> > ;; communications error to 162.140.15.200#53: timed out
>> > ;; communications error to 162.140.15.200#53: timed out
>> >
>> > ; <<>> DiG 9.18.11 <<>> ns3.gpo.gov +dnssec +norecurse @162.140.15.200
>> > ;; global options: +cmd
>> > ;; no servers could be reached
>> >
>> > but all other combos of ns3.gpo.gov or ns4.gpo.gov and 162.140.15.100
>> > and 162.140.15.200 work fine.
>> >
>> > On Tue, Mar 14, 2023 at 12:03 PM Tim Maestas 
>> wrote:
>> >>
>> >> I've been having problems resolving www.federalregister.gov which is
>> served by ns3.gpo.gov and ns4.gpo.gov, using BIND 9.16.27.  Haven't been
>> able to quite figure out why so I've stuck an NTA in for the time being.
>> >>
>> >> On Tue, Mar 14, 2023 at 8:52 AM Stephane Bortzmeyer 
>> wrote:
>> >>>
>> >>> On Tue, Mar 14, 2023 at 11:35:38AM -0400,
>> >>> Alexandra Yang  wrote
>> >>> a message of 183 lines which said:
>> >>>
>>  I wonder if any of your nameserver resolve it just fine, like 8.8.8.8
>>  works
>> >>>
>> >>> Among RIPE Atlas probes, most succeed:
>> >>>
>> >>> % blaeu-resolve --displayvalidation -r 100  --type A gpo.gov
>> >>> [ (Authentic Data flag)  162.140.14.82] : 46 occurrences
>> >>> [162.140.14.82] : 52 occurrences
>> >>> [ERROR: SERVFAIL] : 2 occurrences
>> >>> Test #50935448 done at 2023-03-14T15:46:50Z
>> >>>
>> >>> The two whose resolvers servfail may have stricter/paranoid resolvers.
>>
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
>>


Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Mark Andrews


> On 15 Mar 2023, at 11:14, Tim Maestas  wrote:
> 
> 
> 
> On Tue, Mar 14, 2023 at 4:34 PM Mark Andrews  wrote:
> 
> 
> > On 15 Mar 2023, at 02:08, Alexandra Yang  wrote:
> > 
> > Hi Group,
> > 
> > I wonder if anyone can shed some light on this, our nameserver(BIND 9.16.37 
> > )keeps giving error on resolving gpo.gov and ns3.gpo.gov, here are the 
> > errors:
> > 
> > Mar 14 10:23:32 ipam-dns-in-1 named[3713]:   validating gpo.gov/SOA: got 
> > insecure response; parent indicates it should be secure
> 
> For some reason you are not getting signed responses.  Are you using a 
> forwarder?
> 
> For what it's worth, I keep getting:
>  Mar 14 23:59:56 cl-dns1 named[19640]: view Caching:   validating 
> federalregister.gov/SOA: got insecure response; parent indicates it should be 
> secure
> Mar 14 23:59:56 cl-dns1 named[19640]: no valid RRSIG resolving 
> 'www.federalregister.gov/DS/IN': 162.140.254.200#53
> Mar 14 23:59:56 cl-dns1 named[19640]: view Caching:   validating 
> federalregister.gov/SOA: got insecure response; parent indicates it should be 
> secure
> Mar 14 23:59:56 cl-dns1 named[19640]: no valid RRSIG resolving 
> 'www.federalregister.gov/DS/IN': 162.140.15.100#53
> Mar 14 23:59:56 cl-dns1 named[19640]: broken trust chain resolving 
> 'www.federalregister.gov/A/IN': 162.140.15.100#53
> 
> ..no forwarders in use.  At some point the domain starts to validate as my 
> NTAs drop out unless I use -force, but then it starts to fail again.

Named should be sending queries with DO=1 and it should be getting back signed 
responses.  I suspect that you will need to run packet captures of the traffic 
to and from 162.140.15.100 and 162.140.254.200 port 53 from the nameserver.  
Either signed responses will cease or DNSSEC requests will cease.  In either  
case having the traffic around the transition should help to determine what is 
happening.

e.g. tcpdump -G 100 -w %Y%m%d%H%M%S.pcap port 53 and \( host 162.140.15.100 or 
host 162.140.254.200 \)

% tcpdump -r 20230315150938.pcap -n -vv
reading from file 20230315150938.pcap, link-type EN10MB (Ethernet), snapshot 
length 262144
15:10:12.496870 IP (tos 0x0, ttl 64, id 17293, offset 0, flags [none], proto 
UDP (17), length 88)
172.30.42.109.55290 > 162.140.254.200.53: [udp sum ok] 1494% [1au] A? 
federalregister.gov. ar: . OPT UDPsize=1232 DO [COOKIE 1a42be4f8b283640] (60)
15:10:12.845984 IP (tos 0x0, ttl 229, id 53065, offset 0, flags [DF], proto UDP 
(17), length 506)
162.140.254.200.53 > 172.30.42.109.55290: [udp sum ok] 1494*- q: A? 
federalregister.gov. 3/3/1 federalregister.gov. A 75.2.36.59, 
federalregister.gov. A 99.83.174.136, federalregister.gov. RRSIG ns: 
federalregister.gov. NS ns4.gpo.gov., federalregister.gov. NS ns3.gpo.gov., 
federalregister.gov. RRSIG ar: . OPT UDPsize=4096 DO (478)
15:10:12.851518 IP (tos 0x0, ttl 64, id 27024, offset 0, flags [none], proto 
UDP (17), length 88)
172.30.42.109.58808 > 162.140.15.100.53: [udp sum ok] 32328% [1au] DNSKEY? 
federalregister.gov. ar: . OPT UDPsize=1232 DO [COOKIE a8086401dd8eae30] (60)
15:10:13.107025 IP (tos 0x0, ttl 230, id 37446, offset 0, flags [DF], proto UDP 
(17), length 1134)
162.140.15.100.53 > 172.30.42.109.58808: [udp sum ok] 32328*- q: DNSKEY? 
federalregister.gov. 5/0/1 federalregister.gov. DNSKEY, federalregister.gov. 
DNSKEY, federalregister.gov. DNSKEY, federalregister.gov. RRSIG, 
federalregister.gov. RRSIG ar: . OPT UDPsize=4096 DO (1106)
%

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Tim Maestas
>
>
> Named should be sending queries with DO=1 and it should be getting back
> signed responses.  I suspect that you will need to run packet captures of
> the traffic to and from 162.140.15.100 and 162.140.254.200 port 53 from the
> nameserver.  Either signed responses will cease or DNSSEC requests will
> cease.  In either  case having the traffic around the transition should
> help to determine what is happening.
>
I've found that, after a fresh restart of named, if I query for
"federalregister.gov A" I get a good AD response, and then subsequent
queries for "www.federalregister.gov" are successful as well. If however
after a restart of named I begin with a query for www.federalregister.gov A
then I get servfail, and subsequent queries for federalregister.gov
servfail as well. Here is the tcpdump from the 2nd (failed) case of an
initial query for www.federalregister.gov:


reading from file dns.cap, link-type EN10MB (Ethernet), snapshot length
262144
04:30:01.114458 IP (tos 0x0, ttl 64, id 35832, offset 0, flags [none],
proto UDP (17), length 92)
10.0.0.159.43263 > 162.140.254.200.53: [udp sum ok] 15013 [1au] A?
www.federalregister.gov. ar: . OPT UDPsize=512 DO [COOKIE 352538a87bde87a5]
(64)
04:30:01.204863 IP (tos 0x0, ttl 229, id 4936, offset 0, flags [DF], proto
UDP (17), length 80)
162.140.254.200.53 > 10.0.0.159.43263: [udp sum ok] 15013*-| q: A?
www.federalregister.gov. 3/0/1 . OPT UDPsize=4096 DO [|domain]
04:30:01.205350 IP (tos 0x0, ttl 64, id 43065, offset 0, flags [none],
proto UDP (17), length 69)
10.0.0.159.59699 > 162.140.254.200.53: [udp sum ok] 50396 A?
www.federalregister.gov. (41)
04:30:01.325033 IP (tos 0x0, ttl 229, id 61678, offset 0, flags [DF], proto
UDP (17), length 141)
162.140.254.200.53 > 10.0.0.159.59699: [udp sum ok] 50396*- q: A?
www.federalregister.gov. 2/2/0 www.federalregister.gov. A 99.83.174.136,
www.federalregister.gov. A 75.2.36.59 ns: federalregister.gov. NS
ns3.gpo.gov., federalregister.gov. NS ns4.gpo.gov. (113)
04:30:01.706532 IP (tos 0x0, ttl 64, id 13071, offset 0, flags [none],
proto UDP (17), length 92)
10.0.0.159.40399 > 162.140.15.100.53: [udp sum ok] 59408 [1au] DS?
www.federalregister.gov. ar: . OPT UDPsize=512 DO [COOKIE bcd54232244c075a]
(64)
04:30:01.823027 IP (tos 0x0, ttl 230, id 41740, offset 0, flags [DF], proto
UDP (17), length 80)
162.140.15.100.53 > 10.0.0.159.40399: [udp sum ok] 59408*-| q: DS?
www.federalregister.gov. 0/2/1 ns: . OPT UDPsize=4096 DO [|domain]
04:30:01.826975 IP (tos 0x0, ttl 64, id 29142, offset 0, flags [none],
proto UDP (17), length 69)
10.0.0.159.41463 > 162.140.15.100.53: [udp sum ok] 53452 DS?
www.federalregister.gov. (41)
04:30:01.958188 IP (tos 0x0, ttl 230, id 41744, offset 0, flags [DF], proto
UDP (17), length 149)
162.140.15.100.53 > 10.0.0.159.41463: [udp sum ok] 53452*- q: DS?
www.federalregister.gov. 0/1/0 ns: federalregister.gov. SOA ins1.gpo.gov.
please_set_email.absolutely.nowhere. 2542629 10800 1080 2592000 900 (121)
04:30:01.960633 IP (tos 0x0, ttl 64, id 61049, offset 0, flags [none],
proto UDP (17), length 69)
10.0.0.159.47806 > 162.140.254.200.53: [udp sum ok] 3265 DS?
www.federalregister.gov. (41)
04:30:02.093679 IP (tos 0x0, ttl 229, id 61713, offset 0, flags [DF], proto
UDP (17), length 149)
162.140.254.200.53 > 10.0.0.159.47806: [udp sum ok] 3265*- q: DS?
www.federalregister.gov. 0/1/0 ns: federalregister.gov. SOA ins1.gpo.gov.
please_set_email.absolutely.nowhere. 2542629 10800 1080 2592000 900 (121)
04:30:02.095216 IP (tos 0x0, ttl 64, id 53735, offset 0, flags [none],
proto UDP (17), length 57)
10.0.0.159.44320 > 162.140.15.100.53: [udp sum ok] 27093 ?
ns4.gpo.gov. (29)
04:30:02.099567 IP (tos 0x0, ttl 64, id 23890, offset 0, flags [none],
proto UDP (17), length 57)
10.0.0.159.49556 > 162.140.15.100.53: [udp sum ok] 11719 ?
ns3.gpo.gov. (29)
04:30:02.229242 IP (tos 0x0, ttl 230, id 56543, offset 0, flags [DF], proto
UDP (17), length 102)
162.140.15.100.53 > 10.0.0.159.44320: [udp sum ok] 27093*- q: ?
ns4.gpo.gov. 0/1/0 ns: gpo.gov. SOA ins1.gpo.gov. noc.gpo.gov. 2010073218
10800 3600 2592000 900 (74)
04:30:02.229459 IP (tos 0x0, ttl 230, id 56542, offset 0, flags [DF], proto
UDP (17), length 102)
162.140.15.100.53 > 10.0.0.159.49556: [udp sum ok] 11719*- q: ?
ns3.gpo.gov. 0/1/0 ns: gpo.gov. SOA ins1.gpo.gov. noc.gpo.gov. 2010073218
10800 3600 2592000 900 (74)

Here is the tcpdump from the 1st successful case of an initial query for
federalregister.gov:

04:39:02.838690 IP (tos 0x0, ttl 64, id 27981, offset 0, flags [none],
proto UDP (17), length 88)
10.0.0.159.41336 > 162.140.15.100.53: [udp sum ok] 45611 [1au] A?
federalregister.gov. ar: . OPT UDPsize=512 DO [COOKIE 09372246c1a6d91c] (60)
04:39:02.924319 IP (tos 0x0, ttl 230, id 28551, offset 0, flags [DF], proto
UDP (17), length 506)
162.140.15.100.53 > 10.0.0.159.41336: [udp sum ok] 45611*- q: A?
federalregister.gov. 3/3/1 federalregister.gov. A 75.2.36.59,
federa

Re: DNSSEC error resolving gpo.gov ?

2023-03-14 Thread Mark Andrews



> On 15 Mar 2023, at 15:42, Tim Maestas  wrote:
> 
> Named should be sending queries with DO=1 and it should be getting back 
> signed responses.  I suspect that you will need to run packet captures of the 
> traffic to and from 162.140.15.100 and 162.140.254.200 port 53 from the 
> nameserver.  Either signed responses will cease or DNSSEC requests will 
> cease.  In either  case having the traffic around the transition should help 
> to determine what is happening.
> 
> I've found that, after a fresh restart of named, if I query for 
> "federalregister.gov A" I get a good AD response, and then subsequent queries 
> for "www.federalregister.gov" are successful as well.  If however after a 
> restart of named I begin with a query for www.federalregister.gov A then I 
> get servfail, and subsequent queries for federealregister.gov servfail as 
> well.  Here is the tcpdump from the 2nd (failed) case of an initial query for 
> www.federalregister.gov:
> 
> 
> reading from file dns.cap, link-type EN10MB (Ethernet), snapshot length 262144
> 04:30:01.114458 IP (tos 0x0, ttl 64, id 35832, offset 0, flags [none], proto 
> UDP (17), length 92)
> 10.0.0.159.43263 > 162.140.254.200.53: [udp sum ok] 15013 [1au] A? 
> www.federalregister.gov. ar: . OPT UDPsize=512 DO [COOKIE 352538a87bde87a5] 
> (64)
> 04:30:01.204863 IP (tos 0x0, ttl 229, id 4936, offset 0, flags [DF], proto 
> UDP (17), length 80)
> 162.140.254.200.53 > 10.0.0.159.43263: [udp sum ok] 15013*-| q: A? 
> www.federalregister.gov. 3/0/1 . OPT UDPsize=4096 DO [|domain]

This is a malformed DNS response.  It looks like the server tried to send a 
truncated response with an OPT record but failed to correctly update the answer 
count field to zero.  

% dig www.federalregister.gov @162.140.15.100 +dnssec +bufsize=512 +ignore +qr 
+norec

; <<>> DiG 9.19.11-dev <<>> www. @162.140.15.100 +dnssec +bufsize=512 +ignore 
+qr +norec
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57919
;; flags: ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
; COOKIE: 4a67cc813cfe03eb
;; QUESTION SECTION:
;www.federalregister.gov. IN A

;; QUERY SIZE: 64

;; Warning: Message parser reports malformed message packet.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57919
;; flags: qr aa tc; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;www.federalregister.gov. IN A

;; ANSWER SECTION:
. 32768 CLASS4096 OPT 
;; Query time: 271 msec
;; SERVER: 162.140.15.100#53(162.140.15.100) (UDP)
;; WHEN: Wed Mar 15 16:30:22 AEDT 2023
;; MSG SIZE  rcvd: 52

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org

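The reply Mark's dig shows above (flags qr aa tc, ANSWER: 3, ADDITIONAL: 1, 52 bytes on the wire, yet the only record that can be parsed is the OPT pseudo-record) is the kind of thing a resolver-side sanity check can catch without guessing at the server's internals. The following is an added example, not code from this thread and not BIND's own validator: a minimal wire-format walker that compares the header's section counts with the records actually present in the message. The two test messages are constructed for the example to reproduce the shape inferred from the dig and tcpdump output in the thread (query id 57919, EDNS UDP size 4096 and DO bit, which is what ". 32768 CLASS4096 OPT" denotes); the constructed broken message comes out at exactly 52 bytes, the same size dig reported.

```python
"""Wire-level sanity check for DNS responses (added example).

Parse a DNS response and compare the header's section counts with the
records that are actually in the message.  A truncated reply whose
ANCOUNT still says 3 while only an OPT record is present fails the
check; a correctly truncated reply (ANCOUNT=0, ARCOUNT=1) passes.
Both messages below are constructed for this example.
"""
import struct

QR, AA, TC = 0x8000, 0x0400, 0x0200   # header flag bits
TYPE_OPT = 41                         # EDNS(0) pseudo-RR type


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_question(name, qtype=1, qclass=1):
    """QNAME + QTYPE + QCLASS (defaults: A, IN)."""
    return encode_name(name) + struct.pack("!HH", qtype, qclass)


def build_opt(udpsize=4096, do=True):
    """OPT pseudo-RR: owner '.', TYPE 41, CLASS = UDP payload size, DO bit in TTL."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udpsize, 0x8000 if do else 0, 0)


def build_response(qid, flags, counts, body):
    """12-byte header (QDCOUNT fixed at 1) followed by the message body."""
    an, ns, ar = counts
    return struct.pack("!HHHHHH", qid, flags, 1, an, ns, ar) + body


def skip_name(msg, off):
    """Return the offset just past the name at `off`; a compression pointer ends a name."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def check_response(msg):
    """Walk every section; report where the header counts and the bytes disagree."""
    if len(msg) < 12:
        raise ValueError("short header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    result = {"id": qid, "tc": bool(flags & TC), "counts": (an, ns, ar),
              "parsed": {"answer": [], "authority": [], "additional": []},
              "problems": []}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            try:
                off = skip_name(msg, off)
                if off + 10 > len(msg):
                    raise ValueError("RR fixed fields run past end of message")
                rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
                off += 10
                if off + rdlen > len(msg):
                    raise ValueError("RDATA runs past end of message")
                off += rdlen
            except ValueError as exc:
                result["problems"].append(f"{section}: {exc}")
                return result                  # nothing after this point is trustworthy
            result["parsed"][section].append(rtype)
            if rtype == TYPE_OPT and section != "additional":
                result["problems"].append(f"{section}: OPT record where the header promised a normal RR")
    if off != len(msg):
        result["problems"].append(f"{len(msg) - off} trailing bytes after last record")
    return result


# Constructed reproduction of the reply in the thread: qr aa tc, ANSWER: 3,
# ADDITIONAL: 1, but the only record on the wire is the OPT (52 bytes total).
BROKEN_TRUNCATED = build_response(
    57919, QR | AA | TC, (3, 0, 1),
    build_question("www.federalregister.gov") + build_opt())

# A correctly truncated reply: the answer section was emptied and the counts say so.
GOOD_TRUNCATED = build_response(
    57919, QR | AA | TC, (0, 0, 1),
    build_question("www.federalregister.gov") + build_opt())


if __name__ == "__main__":
    for label, msg in (("broken", BROKEN_TRUNCATED), ("good", GOOD_TRUNCATED)):
        r = check_response(msg)
        print(label, len(msg), "bytes; TC =", r["tc"], "counts =", r["counts"], r["problems"])
```

Run against the broken message the walker parses the OPT as the first "answer" (exactly what dig printed as `. 32768 CLASS4096 OPT`) and then runs off the end of the packet looking for the second. The security-relevant consequence is visible in Tim's capture above: after the malformed EDNS reply, named retried the same question without EDNS and therefore without DO, got an unsigned answer, and then logged "got insecure response; parent indicates it should be secure". A resolver that treats a TC reply it cannot parse as a signal to retry over TCP, rather than as a reason to drop EDNS, keeps the signed path and avoids the SERVFAIL.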