Re: DNSSEC not populating parent zone files with DS records

Fri, 30 Sep 2011 18:24:21 -0700 

On 01.10.2011 02:48, Jeff Reasoner wrote:
> Hmm, I see an A record using the same query:
> [foo@dns1 ~]$ dig +dnssec extended.nau.edu a

I get a SERVFAIL response for the first query and NXDOMAIN for
subsequent request:

named: client 127.0.0.1#54707: query: extended.nau.edu IN A +ED (127.0.0.1)
named: createfetch: extended.nau.edu A
named: createfetch: extended.nau.edu DNSKEY
named: createfetch: extended.nau.edu DS
named: createfetch: nau.edu DNSKEY
named: createfetch: nau.edu DS
named: createfetch: edu DNSKEY
named: createfetch: nau.edu.dlv.isc.org DLV
named:   validating @0x7f36f7f17680: nau.edu SOA: no valid signature found
named:   validating @0x7f36f7eed410: nau.edu NSEC: no valid signature found
named:   validating @0x7f36f7eed410: ewb.nau.edu NSEC: no valid
signature found
named: error (broken trust chain) resolving
'extended.nau.edu/DNSKEY/IN': 134.114.138.3#53
named: error (broken trust chain) resolving 'extended.nau.edu/A/IN':
134.114.96.4#53
named: client 127.0.0.1#54707: query failed (SERVFAIL) for
extended.nau.edu/IN/A at query.c:6302
named: client 127.0.0.1#55872: query: extended.nau.edu IN A +ED (127.0.0.1)

Unbound resolves the record on the first try.

Aside from the missing DS, I don't see why BIND complains about the
NXDOMAIN response at first and then returns that cached record set in
response to later queries for the same name. dig +sigchase validates it,
if provided with the nau.edu DNSKEY:

> nau.edu.              86400   IN      SOA     ns3.nau.edu. 
> DNS-Contact.nau.edu. 4779 1800 900 604800 86400
> nau.edu.              86400   IN      RRSIG   SOA 5 2 86400 20111030191258 
> 20110930181258 7485 nau.edu. 
> xoY5c8d+UnJfXA0ZZDv2Zz5tht4ZspTOeGvEGcQr+XIOMH39krpWR6T9 
> fUy5O/XnURz5nDGWR4QIKQMgAu+qfyGzA9Yzb5S5CkAWd4IDjKmznrXI 
> G3beth9Dcr/fJxusMxGuhZWZftQBrHBn14Wqx8YKOOIwQZx/PSm8XONA tHc=
> nau.edu.              86400   IN      NSEC    _tcp.nau.edu. A NS SOA MX TXT 
> RRSIG NSEC DNSKEY TYPE65534
> nau.edu.              86400   IN      RRSIG   NSEC 5 2 86400 20111020001752 
> 20110919233312 7485 nau.edu. 
> GizWBgmH1B7n0TuBjRgUEiu0XOCvrncyKR1iSSWJIrWKn4aZ9djBazdP 
> /JEWGY73IIZ4j/i3yO6MSw1gJRe0ane3lZjpHFnFdaPPEcYHVWy3h7Zk 
> UccnBd0ggkkLrHoG/CbRoVrF+90CDJymeAnYcWDycKQW84cNibj/tXxb CRk=
> ewb.nau.edu.          86400   IN      NSEC    facdevnet.nau.edu. CNAME RRSIG 
> NSEC
> ewb.nau.edu.          86400   IN      RRSIG   NSEC 5 3 86400 20111019222812 
> 20110919220129 7485 nau.edu. 
> SfCIx42kzjbTV5sDH/OwIKGRRxfJaM8EgaX74/RbD+BJjJhP7o28dR1U 
> VHRuO6arK8FXF0vCIZ5lpqaWFRkaCwEftrjX3ktdWUNfhRlD9qqHF+cV 
> 00icFXkasql9f8Yk9XgTeZ63CkH/8H9acjTuVlunqZDL1CVtaKTJfKKq uMs=
> ;; Received 710 bytes from 134.114.96.4#53(134.114.96.4) in 189 ms



Hauke.

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to