Hi List,
I'm seeing a DNSSEC validation error that I can't pin down, for the
domain: newsletter.postbank.de.
Neither http://dnsviz.net/ nor
http://dnssec-debugger.verisignlabs.com/ reports finding a problem, but
two (Ubuntu-packaged) versions of BIND report a failure validating the
delegation as intentionally insecure.
I've tried versions:
BIND 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1.1
(Extended Support Version) <id:d8a6fe8b> built with '--prefix=/usr'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
'--enable-largefile' '--with-libtool' '--enable-shared'
'--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
'--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6'
'--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
using libxml2 version: 2.9.1
and
BIND 9.8.1-P1 built with '--prefix=/usr' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--sysconfdir=/etc/bind'
'--localstatedir=/var' '--enable-threads' '--enable-largefile'
'--with-libtool' '--enable-shared' '--enable-static'
'--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld'
'--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing
-DDIG_SIGCHASE -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro'
'CPPFLAGS=-D_FORTIFY_SOURCE=2'
using OpenSSL version: OpenSSL 1.0.1 14 Mar 2012
using libxml2 version: 2.7.8
Running with -g 2 (on v9.9.3), I see:
==
20-Jan-2014 11:58:43.779 createfetch: newsletter.postbank.de SOA
20-Jan-2014 11:58:43.780 createfetch: . NS
20-Jan-2014 11:58:43.817 decrement_reference: delete from rbt:
0x7ff58b51f010 .
20-Jan-2014 11:58:43.817 decrement_reference: delete from rbt:
0x7ff58b520010 a.root-servers.net
20-Jan-2014 11:58:43.817 decrement_reference: delete from rbt:
0x7ff58b520010 b.root-servers.net
20-Jan-2014 11:58:43.818 decrement_reference: delete from rbt:
0x7ff58b520010 c.root-servers.net
20-Jan-2014 11:58:43.818 decrement_reference: delete from rbt:
0x7ff58b520010 d.root-servers.net
20-Jan-2014 11:58:43.818 decrement_reference: delete from rbt:
0x7ff58b520010 e.root-servers.net
20-Jan-2014 11:58:43.818 decrement_reference: delete from rbt:
0x7ff58b520010 f.root-servers.net
20-Jan-2014 11:58:43.818 decrement_reference: delete from rbt:
0x7ff58b520010 g.root-servers.net
20-Jan-2014 11:58:43.818 decrement_reference: delete from rbt:
0x7ff58b520010 h.root-servers.net
20-Jan-2014 11:58:43.818 decrement_reference: delete from rbt:
0x7ff58b520010 i.root-servers.net
20-Jan-2014 11:58:43.818 decrement_reference: delete from rbt:
0x7ff58b520010 j.root-servers.net
20-Jan-2014 11:58:43.818 decrement_reference: delete from rbt:
0x7ff58b520010 k.root-servers.net
20-Jan-2014 11:58:43.818 decrement_reference: delete from rbt:
0x7ff58b520010 l.root-servers.net
20-Jan-2014 11:58:43.818 decrement_reference: delete from rbt:
0x7ff58b520010 m.root-servers.net
20-Jan-2014 11:58:43.819 createfetch: . DNSKEY
20-Jan-2014 11:58:43.881 createfetch: ns1.ecircle.de A
20-Jan-2014 11:58:43.882 createfetch: ns1.ecircle.de AAAA
20-Jan-2014 11:58:43.882 createfetch: ns2.ecircle.de A
20-Jan-2014 11:58:43.882 createfetch: ns2.ecircle.de AAAA
20-Jan-2014 11:58:43.905 createfetch: ns3.ecircle.com A
20-Jan-2014 11:58:43.905 createfetch: ns3.ecircle.com AAAA
20-Jan-2014 11:58:43.938 decrement_reference: delete from rbt:
0x7ff58b52c010 ns3.ecircle.com
20-Jan-2014 11:58:43.939 decrement_reference: delete from rbt:
0x7ff58b52c010 ns3.ecircle.com
20-Jan-2014 11:58:43.943 decrement_reference: delete from rbt:
0x7ff58b52c010 ns3.ecircle.com
20-Jan-2014 11:58:43.974 decrement_reference: delete from rbt:
0x7ff58b52c010 ns3.ecircle.com
20-Jan-2014 11:58:43.974 createfetch: de DS
20-Jan-2014 11:58:44.120 createfetch: postbank.de DS
20-Jan-2014 11:58:44.244 createfetch: de DNSKEY
20-Jan-2014 11:58:44.270 createfetch: newsletter.postbank.de DS
20-Jan-2014 11:58:44.307 createfetch: postbank.de DNSKEY
20-Jan-2014 11:58:44.341 error (insecurity proof failed) resolving
'newsletter.postbank.de/SOA/IN': 2a01:4f8:140:3482::3#53
20-Jan-2014 11:58:44.373 validating @0x7ff57c017bf0:
newsletter.postbank.de SOA: got insecure response; parent indicates it
should be secure
20-Jan-2014 11:58:44.373 error (insecurity proof failed) resolving
'newsletter.postbank.de/SOA/IN': 195.140.184.21#53
20-Jan-2014 11:58:44.409 validating @0x7ff57c007f00:
newsletter.postbank.de SOA: got insecure response; parent indicates it
should be secure
20-Jan-2014 11:58:44.409 error (insecurity proof failed) resolving
'newsletter.postbank.de/SOA/IN': 46.4.73.157#53
20-Jan-2014 11:58:44.410 client ::1#55009 (newsletter.postbank.de):
query failed (SERVFAIL) for newsletter.postbank.de/IN/SOA at query.c:7406
20-Jan-2014 11:58:44.410 fetch completed at resolver.c:3044 for
newsletter.postbank.de/SOA in 0.629817: failure/insecurity proof failed
[domain:newsletter.postbank.de,referral:3,restart:3,qrysent:3,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:3]
==
But why has the insecurity proof failed (and am I misreading dnsviz &
co.'s output?)
(I'm not related to the domain in question)
thanks,
Graham
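
Added example, not part of the original post: a small Python triage script for a named debug log like the one quoted above. It rejoins the mail-wrapped records, then reports the name whose DS was fetched without a matching DNSKEY fetch, the servers behind each "insecurity proof failed" error, and the resolver counters. The function names are illustrative, and the log excerpt is copied from the post.

```python
import re

# Excerpt of the named debug log quoted in the post, wrapped as in the e-mail.
LOG = """\
20-Jan-2014 11:58:44.120 createfetch: postbank.de DS
20-Jan-2014 11:58:44.270 createfetch: newsletter.postbank.de DS
20-Jan-2014 11:58:44.307 createfetch: postbank.de DNSKEY
20-Jan-2014 11:58:44.341 error (insecurity proof failed) resolving
'newsletter.postbank.de/SOA/IN': 2a01:4f8:140:3482::3#53
20-Jan-2014 11:58:44.373 validating @0x7ff57c017bf0:
newsletter.postbank.de SOA: got insecure response; parent indicates it
should be secure
20-Jan-2014 11:58:44.410 fetch completed at resolver.c:3044 for
newsletter.postbank.de/SOA in 0.629817: failure/insecurity proof failed
[domain:newsletter.postbank.de,referral:3,restart:3,qrysent:3,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:3]
"""
STAMP = re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ")

def unwrap(text):
    """Rejoin mail-wrapped continuation lines onto their timestamped record."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(STAMP.sub("", line))
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def summarise(text):
    """Collect DS/DNSKEY fetches, failing servers and the resolver counters."""
    ds, dnskey, servers, insecure, counters = [], [], [], set(), {}
    for rec in unwrap(text):
        if m := re.match(r"createfetch: (\S+) (DS|DNSKEY)$", rec):
            (ds if m.group(2) == "DS" else dnskey).append(m.group(1))
        elif m := re.match(r"error \(insecurity proof failed\) resolving '[^']+': (\S+)#\d+$", rec):
            servers.append(m.group(1))
        elif m := re.match(r"validating @\S+ (\S+) \S+: got insecure response", rec):
            insecure.add(m.group(1))
        elif m := re.search(r"\[(domain:[^\]]+)\]$", rec):
            for pair in m.group(1).split(","):
                key, _, val = pair.partition(":")
                counters[key] = int(val) if val.isdigit() else val
    # Names whose DS was looked up but whose DNSKEY was never fetched.
    ds_only = [name for name in ds if name not in dnskey]
    return {"ds_without_dnskey": ds_only, "failed_servers": servers,
            "insecure_names": sorted(insecure), "counters": counters}

if __name__ == "__main__":
    print(summarise(LOG))
```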