Hi All

I am running a BIND 9.9.4-50 resolver on CentOS 7 (kernel 3.10.0-514.26.2.el7.x86_64). I have enabled DNSSEC and made it into a validating resolver, but I am facing issues with some sites that use CNAME and am getting SERVFAIL. Configs are pretty simple, as given below:

**configs
options {
        listen-on port 53 { 127.0.0.1; x.x.x.x; };
        listen-on-v6 port 53 { ::1; aaaa:bbbb:cccc::d; };
        directory       "/var/named";
        pid-file        "/var/run/named/named.pid";
        dump-file       "data/cache_dump.db";
        empty-zones-enable yes;
        zone-statistics yes;
        querylog yes;
        recursion yes;
        allow-recursion { localhost; my-net; };
        statistics-file "data/named_stats.txt";
        memstatistics-file "data/named_mem_stats.txt";
        allow-query { localhost; my-net; };
        allow-query-cache { localhost; my-net; };
        flush-zones-on-shutdown yes;
        version "UNNECESSARY";
        dnssec-enable yes;
        dnssec-validation auto; ## tried with yes but no difference
        random-device "/dev/urandom";
        managed-keys-directory "/var/named/dynamic";
};

// named.conf
//
include "/etc/named/acl.conf";
include "/etc/named/options.conf";
include "/etc/named/named-log.conf";
//include "/etc/named/named.rfc1912.zones";
include "/etc/rndc.key";
include "/etc/named.root.key";
zone "." IN {
        type hint;
        file "/var/named/data/named.root";
};
//
zone "0.0.127.in-addr.arpa" {
        type master;
        file "data/db.loopback.master";
        notify no;
};
**end of configs
//
**dig results for A record of www.icann.org

# dig @localhost www.icann.org. A +dnssec

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> @localhost www.icann.org. A +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25178
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.icann.org.                 IN      A


*** Dig for CNAME works fine
# dig @localhost www.icann.org. cname +dnssec

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> @localhost www.icann.org. cname +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62144
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11

;www.icann.org.                 IN      CNAME

;; ANSWER SECTION:
www.icann.org.          1747    IN      CNAME   www.vip.icann.org.
www.icann.org.          1747    IN      RRSIG   CNAME 7 3 3600 20170830102924 20170809041125 56445 icann.org. VB1PWieuP3nZX9rpJ8WyA2G0DoV86NxkrgT6HNDsTHmDI0xLYdGvLPCj H4m3lRg1YVxmpwFEJPDHG9TRcqo39T4TDFe+SIyMI/2ERFRhgorggaok zATAs35lDiLpoO7S1LLSWl/L+QmT/bK/XXq1VP/ZUjX3t6belB/GBnZW ZsL/NAU=

;; AUTHORITY SECTION:
icann.org.          84541   IN      NS      b.iana-servers.net.
icann.org.          84541   IN      NS      c.iana-servers.net.
icann.org.          84541   IN      NS      ns.icann.org.
icann.org.          84541   IN      NS      a.iana-servers.net.
icann.org.          84541   IN      RRSIG   NS 7 2 86400 20170831033936 20170810001125 56445 icann.org. jylCSOpN18PNZcDYghGrYky8NsR1Pt7Rpm+c564QQobdd6u8Q1cQtVZZ a+m8wDQtgb0LQCQ9FEXT7Sm9+/p+hGottj4YUuv1TDnLSztSkUqV5DOV ptqG7TCFqsF482AMEmqW8OKNMiapAX6NAbO1hl5gDm+BX0ro2XrCaqzU 8RrdHNE=

;; ADDITIONAL SECTION:
a.iana-servers.net.        170941  IN      A       199.43.135.53
a.iana-servers.net.        170941  IN      AAAA    2001:500:8f::53
b.iana-servers.net.        170941  IN      A       199.43.133.53
...
ns.icann.org.            84541   IN      A       199.4.138.53
ns.icann.org.            84541   IN      AAAA    2001:500:89::53
ns.icann.org.            1741    IN      RRSIG   A 7 3 3600 20170830005731 20170808155836 56445 icann.org. vcUjGAOoJj2nomVKLuigIJAYIOaauYWFN++wqcAYfwO6ayOXPxXMq4j6 jvc8W5r+aLl4jQlHHTZ5L2TghdrH2ngFl5YlXKJSCjcAwifcvASrr5rv +5nmC41L66ueEafDLCBV1vUD2KlaHro1Om1vxZkl9zLCPQc3ESRkHE74 5Nr+nY8=
ns.icann.org.            1741    IN      RRSIG   AAAA 7 3 3600 20170830012209 20170809081125 56445 icann.org. rPURe+sfaBHZccMmpr1sqTzKgxnehYE5D4jt+ndGLKS0yq91EvX/Ktmk EVdyrkSR74Ic+ZY2UjjMopqZO42StePHItX1X0UHXHwpZvS3DqYQwX7o g607QoXPDrotsw0HiG/LVWiT4nZDyGLxRgnp7sQLzAwja9UQO8U/XO6N LdWZ2+c=


**debug log
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: starting
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: attempting insecurity proof
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'org'
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'icann.org'
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'vip.icann.org'
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'www.vip.icann.org'
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: starting
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: attempting negative response validation
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: vip.icann.org SOA: starting
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: vip.icann.org SOA: attempting positive response validation
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: vip.icann.org SOA: keyset with trust secure
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: vip.icann.org SOA: verify rdataset (keyid=47600): success
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: vip.icann.org SOA: marking as secure, noqname proof not needed
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validator @0x7f3ffc96fdf0: dns_validator_destroy
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: in authvalidated
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: resuming nsecvalidate
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: starting
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: attempting positive response validation
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: keyset with trust secure
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: verify rdataset (keyid=47600): success
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: marking as secure, noqname proof not needed
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validator @0x7f3ffc96fdf0: dns_validator_destroy
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: in authvalidated
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: resuming nsecvalidate
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: looking for relevant NSEC3
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: looking for relevant NSEC3
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: NSEC3 proves name exists (owner) data=0
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: nonexistence proof(s) found
23-Aug-2017 16:17:57.872 dnssec: debug 3: validator @0x7f3ffc96f160: dns_validator_destroy
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: in dsfetched2: ncache nxrrset
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: resuming proveunsecure
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: insecurity proof failed


With dnssec-validation turned on, resolving sites like www.icann.org fails. The alternative is to remove validation, which of course is not the desired solution.

Any help would be appreciated.

Thanks.

—
Dhungyel
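The debug log in the post is easier to read once the messages are grouped per validator instance. The Python script below is an added example written for this thread, not code from the post or from ISC: it parses BIND 9 "dnssec: debug 3" lines, only interpreting the message strings that actually occur in the log above (anything else is left as "unknown"), records the DS checks each insecurity proof walks through, and reports the name at which a failed proof stopped. The sample input is a constructed, trimmed copy of the log from the post.

```python
"""Summarise BIND 9 'dnssec: debug 3' validator messages per validator instance.

Added example for this thread; it is not code from the post or from ISC.
"""
import re

# Constructed sample: a trimmed copy of the debug log shown in the post.
SAMPLE_LOG = """\
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: starting
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: attempting insecurity proof
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'org'
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'icann.org'
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'vip.icann.org'
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'www.vip.icann.org'
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: starting
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: attempting negative response validation
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: vip.icann.org SOA: starting
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: vip.icann.org SOA: verify rdataset (keyid=47600): success
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: vip.icann.org SOA: marking as secure, noqname proof not needed
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validator @0x7f3ffc96fdf0: dns_validator_destroy
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: starting
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: verify rdataset (keyid=47600): success
23-Aug-2017 16:17:57.872 dnssec: debug 3:   validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: marking as secure, noqname proof not needed
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: NSEC3 proves name exists (owner) data=0
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: nonexistence proof(s) found
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: in dsfetched2: ncache nxrrset
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: resuming proveunsecure
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: insecurity proof failed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} [\d:.]+) dnssec: debug \d+:\s+"
    r"validating @(?P<vid>0x[0-9a-f]+): (?P<name>\S+) (?P<rtype>\S+): (?P<msg>.*)$"
)
DS_CHECK_RE = re.compile(r"checking existence of DS at '(?P<zone>[^']+)'")
KEYID_RE = re.compile(r"verify rdataset \(keyid=(?P<keyid>\d+)\): success")


def parse_validators(log_text):
    """Return validator records in order of first appearance.

    BIND reuses a validator address once dns_validator_destroy has run (0x7f3ffc96fdf0
    above serves first the SOA and then the NSEC3 validation), so a 'starting' message
    always opens a fresh record for that address."""
    records, current = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # 'validator @...: dns_validator_destroy' and unrelated lines
        vid, msg = m.group("vid"), m.group("msg")
        if msg == "starting" or vid not in current:
            current[vid] = {"vid": vid, "name": m.group("name"), "rtype": m.group("rtype"),
                            "first_ts": m.group("ts"), "ds_checks": [], "keyids": [],
                            "proofs": [], "outcome": "unknown"}
            records.append(current[vid])
        rec = current[vid]
        ds = DS_CHECK_RE.search(msg)
        if ds:
            rec["ds_checks"].append(ds.group("zone"))
        key = KEYID_RE.search(msg)
        if key:
            rec["keyids"].append(int(key.group("keyid")))
        if msg.startswith(("NSEC3 proves", "NSEC proves")):
            rec["proofs"].append(msg)
        # Outcome strings are those that appear in the post's log; anything else stays 'unknown'.
        if msg.startswith("marking as secure"):
            rec["outcome"] = "secure"
        elif msg == "nonexistence proof(s) found":
            rec["outcome"] = "validated-negative"
        elif msg == "insecurity proof failed":
            rec["outcome"] = "insecurity-proof-failed"
    return records


def failed_insecurity_proofs(records):
    """(name, rtype, last DS name checked) for each validator whose insecurity proof failed.
    The last DS name is the zone cut to compare against the authoritative servers' DS answers."""
    return [(r["name"], r["rtype"], r["ds_checks"][-1] if r["ds_checks"] else None)
            for r in records if r["outcome"] == "insecurity-proof-failed"]


def report(log_text):
    """One summary line per validator instance."""
    lines = []
    for r in parse_validators(log_text):
        extra = ""
        if r["ds_checks"]:
            extra += " DS checked at: " + ", ".join(r["ds_checks"])
        if r["keyids"]:
            extra += " keyids=" + ",".join(map(str, r["keyids"]))
        if r["proofs"]:
            extra += " proofs=" + "; ".join(r["proofs"])
        lines.append(f"{r['first_ts']} {r['vid']} {r['name']}/{r['rtype']}: {r['outcome']}{extra}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
    for name, rtype, last in failed_insecurity_proofs(parse_validators(SAMPLE_LOG)):
        print(f"insecurity proof for {name}/{rtype} failed; last DS check was at '{last}'")
```

On the sample, the A validator for www.vip.icann.org reports insecurity-proof-failed with its last DS check at www.vip.icann.org, while the DS validator that fed it reports a validated negative answer backed by "NSEC3 proves name exists (owner) data=0"; that pair of records, rather than the whole log, is what to compare against the DS and NSEC3 data the authoritative servers for vip.icann.org return.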



bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users