Hi!

We are investigating an interoperability issue with BIND and PowerDNS.

Scenario: We have a DNSSEC-secured domain using NSEC, pasilehto.fi. This domain has two insecure delegations, 0.0.0.0.pasilehto.fi and 1.0.0.0.pasilehto.fi.

We have A records

5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi
and
5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.0.0.0.pasilehto.fi

Now, if I ask a DNSSEC-validating BIND version 9.9.3-P2 or 9.9.4-P2 to resolve either of those A records, I get errors, while Google's 8.8.8.8 and Unbound accept these as valid.

You can go ahead and test this live; these domains are publicly available for now. There is also an open issue on GitHub for PowerDNS:

https://github.com/PowerDNS/pdns/issues/1289

The errors are here:

Feb 19 10:45:52 cmouse-virtual-machine named[15177]: client 80.64.8.203#57968 (5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi): query: 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi IN A +E (80.64.8.203)
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 194.100.90.53#53
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 80.64.12.65#53
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 2001:6e8:0:1::4:2#53
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 2001:6e8:0:1::3:2#53
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 2001:6e8:0:1::5:2#53
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: error (no valid RRSIG) resolving '0.pasilehto.fi/DS/IN': 62.236.49.41#53
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: error (no valid DS) resolving '5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi/A/IN': 62.236.49.41#53
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: validating @0x7fa3406146e0: 5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi A: bad cache hit (0.pasilehto.fi/DS)
Feb 19 10:45:53 cmouse-virtual-machine named[15177]: error (broken trust chain) resolving '5.2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.1.0.0.0.1.0.0.0.pasilehto.fi/A/IN': 194.100.90.53#53

Kind regards,
Aki Tuomi
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users