In message <e754e90904051454m8a240cbh17a177a069455...@mail.gmail.com>, R Dicair
e writes:
> On Sun, Apr 5, 2009 at 5:40 PM, Mark Andrews <mark_andr...@isc.org> wrote:
> >> Shouldn't the behaviour for DLV lookups be such that if the query
> >> can't be answered by the DLV server, then fall back to a non-dnssec
> >> lookup?
> >
> > =A0 =A0 =A0 =A0No.
>
> May I ask why?
You enable DNSSEC and DLV to prevent the nameserver from
accepting forged answers from secured zones. DLV tells
named which zones are secured or not. This needs to be
secured to prevent named accepting forged answers from
secured zones.
B.T.W. The servers did answer the queries. The resolver
just wasn't able to validate them as a signature was missing.
> I'm sure something was learned from whatever caused the DLV server to
> malfunction, but was that kind of malfunction something we can look
> forward to when . and TLDs are signed?
Signing errors will happen. Hopefully not too often.
> If that kind of breakage in lookups can occur, should there not be a
> contingency to be able to continue to use the Internet when such
> breakage occurs?
Named is still able to return answers if you tell it not to
validate the answers by setting CD=1 in the query. This flag
is usually used when you have a validating resolver using another
validating resolver to get its answers.
When the lookups were failing answers like this were returned.
; <<>> DiG 9.3.6-P1 <<>> dnskey dlv.isc.org +dnssec +cd +multi
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4255
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dlv.isc.org. IN DNSKEY
;; ANSWER SECTION:
dlv.isc.org. 6518 IN DNSKEY 256 3 5 (
BEAAAAOlYGw53D+f01yCL5JsP0SB6EjYrnd0JYRBooAa
GPT+Q0kpiN+7GviFh+nIazoB8e2Yv7mupgqkmIjObdcb
GstYpUltdECdNpNmBvASKB9SBdtGeRvXXpORi3Qyxb9k
HGG7SpzyYbc+KDVKnzYHB94pvqu3ZZpPFPBFtCibp/mk
hw==
) ; key id = 64263
dlv.isc.org. 6518 IN DNSKEY 256 3 5 (
BEAAAAPGBAwVFzuE6r0zjxHMug8if94gouJXT4xnKqOt
BRNJ9KmIvHVh97hn5VN2T9z0SZ3Y2nPxTyksoX+X7L62
QveGvHzHSEuo8iYq6INevwFTX1beCj/dhk9ZfEYkleoB
4NUlHcam7juJWncRi/Vz/BpF2ec9fLqaAaP15AojoIoa
Aw==
) ; key id = 49899
dlv.isc.org. 6518 IN DNSKEY 257 3 5 (
BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn
4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW
58dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6B
D4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5ymX4BI/o
Q+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte
/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw
/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+
al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh
) ; key id = 19297
dlv.isc.org. 6518 IN RRSIG DNSKEY 5 3 7200 20090504233310 (
20090404233310 64263 dlv.isc.org.
VXvnxUqXwPWDRL0eN3AW5obDm+8h/X+DbvqF/MPaD9NO
1SYO6tcPvs+Ih3+kQQ/7PZxWHJjGpvIz/sSGWPUbqzyr
LJBTq90+jUbIuCX0KYb4PAT1l5zhjC5UvOKY1Va4NoI7
J/jGrE1hb6C/ZOlDuQR7mXTn/KwkkxK+JzpxT+0= )
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Apr 5 15:21:28 2009
;; MSG SIZE rcvd: 786
The trusted key entered into named.conf has key id 19297.
There was not a signature for the DNSKEYs using this key.
The only signature available was generated using key id 6426
(7th field in the RRSIG record).
Mark
> I could see online businesses panicking when something like this happens.
>
> > =A0 =A0 =A0 =A0There was a fault which caused RRSIG of the key signing key
> > =A0 =A0 =A0 =A0to be missing. =A0The key signing key is the one listed in
> > =A0 =A0 =A0 =A0the trusted-keys clause above. =A0This caused a break in t=
> he
> > =A0 =A0 =A0 =A0chain of trust as the DNSKEY RRset could not be validated
> > =A0 =A0 =A0 =A0which meant named could not determine if the answers to the
> > =A0 =A0 =A0 =A0DLV queries were valid or not and in turn the answers to
> > =A0 =A0 =A0 =A0all other queries.
>
> Could you provide more details as to what specifically caused the fault?
> Perhaps then other dns admins may learn something new to look for when
> having to troubleshoot a similar problem. I know it would help me
> further understand.
>
> Thanks
>
> -- =
>
> aRDy Music and Rick Dicaire present:
> http://www.ardynet.com
> http://www.ardynet.com:9000/ardymusic.ogg.m3u
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
