On Thu, Jun 08, 2023 at 09:54:15AM -0400, Josh Kuo wrote:
> $ delv -a right.key www.example.com. A
> ;; broken trust chain resolving 'www.example.com/A/IN': 127.0.0.53#53
> ;; resolution failed: broken trust chain

The address 127.0.0.53 was the clue I needed to figure this out: I suspect
you're on linux, and it's using systemd-resolved as the local resolver.

When I tried delv on a system configured that way, it got a NOTIMP response
to its first query:

    $ delv +cd +mtrace @127.0.0.53 www.isc.org
    ;; fetch: www.isc.org/A
    ;; sending packet to 127.0.0.53#53
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   7870
    ;; flags: rd cd; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 1232
    ; COOKIE: 8e31ae172137a02f
    ;; QUESTION SECTION:
    ;www.isc.org.                       IN      A


    ;; received packet from 127.0.0.53#53
    ;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id:   7870
    ;; flags: qr rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 65494
    ; OPT=5: 05 07 08 0a 0d 0e 0f (".......")
    ; OPT=6: 01 02 04 ("...")
    ; OPT=7: 01 (".")
    ;; QUESTION SECTION:
    ;www.isc.org.                       IN      A


    ;; NOTIMP unexpected RCODE resolving 'www.isc.org/A/IN': 127.0.0.53#53
    ;; resolution failed: SERVFAIL

So, I'm guessing systemd-resolved is choking on the EDNS COOKIE option.
This needs to be reported as a bug to the systemd maintainers. And, maybe
delv should have a +nocookie option.

In the meantime, the workaround is the one you found: point delv to a
resolver that implements EDNS correctly. It will validate the data it
receives, but it has to receive some.

The newest version of delv, in the BIND 9.19 development release, has
a 'delv +ns' option to do its own resolution internally, without needing
an external server to look up the data; that would also work.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
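An added example, not from the thread above and not BIND or systemd code: a small Python script that builds the kind of query delv sent (RD+CD, EDNS0 OPT with DO set, an EDNS COOKIE option, code 10 per RFC 7873), parses the RCODE and EDNS options out of the reply, and flags the pattern Evan describes (NOTIMP to a query carrying COOKIE, with no COOKIE echoed back). The reply it decodes offline is a constructed packet shaped like the one quoted in the message (NOTIMP, OPT with options 5/6/7 and udp 65494), not a capture; `probe()` sends the same query to a live resolver if you want to compare with and without the cookie, as `dig +cookie` / `dig +nocookie @127.0.0.53` would.

```python
"""Probe how a resolver handles the EDNS COOKIE option (added example)."""
import secrets
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
EDNS_OPTIONS = {5: "DAU", 6: "DHU", 7: "N3U", 10: "COOKIE"}   # codes seen in the thread
OPT_RRTYPE = 41
DO_BIT = 0x8000                       # DO flag in the low 16 bits of the OPT TTL field


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels plus the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # compression pointer ends the name
            return off + 2
        off += 1 + length


def build_query(qname, qtype=1, txid=0x1EBE, cookie=None, udp_size=1232):
    """Recursive query with RD+CD and an EDNS0 OPT RR (DO set), like delv's first query.
    With an 8-byte client cookie, an EDNS COOKIE option (code 10) is added."""
    header = struct.pack("!HHHHHH", txid, 0x0100 | 0x0010, 1, 0, 0, 1)   # RD, CD
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rdata = b"" if cookie is None else struct.pack("!HH", 10, len(cookie)) + cookie
    opt = b"\x00" + struct.pack("!HHIH", OPT_RRTYPE, udp_size, DO_BIT, len(rdata)) + rdata
    return header + question + opt


def parse_response(msg):
    """Extract id, (extended) RCODE and the EDNS options carried in a message."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    rcode, off, options = flags & 0x000F, 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4                 # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == OPT_RRTYPE:
            rcode |= (ttl >> 24) << 4                 # EXTENDED-RCODE is the top byte of TTL
            o = 0
            while o + 4 <= len(rdata):
                code, olen = struct.unpack_from("!HH", rdata, o)
                options.append((code, rdata[o + 4:o + 4 + olen]))
                o += 4 + olen
    return {"id": txid, "rcode": rcode, "rcode_name": RCODES.get(rcode, str(rcode)),
            "options": options}


def diagnose(query, response):
    """Name what happened to the COOKIE option we sent."""
    sent_cookie = any(c == 10 for c, _ in parse_response(query)["options"])
    got = [c for c, _ in response["options"]]
    if response["rcode_name"] == "NOTIMP" and sent_cookie and 10 not in got:
        return "NOTIMP to a query carrying EDNS COOKIE, no COOKIE echoed: resolver rejects the option"
    return response["rcode_name"] + "; options: " + \
        ", ".join(EDNS_OPTIONS.get(c, str(c)) for c in got)


def constructed_notimp_response(query):
    """CONSTRUCTED sample shaped like the reply quoted in the thread (not a capture):
    same id and question, QR|RD|RA, RCODE=NOTIMP, OPT udp 65494 with DAU/DHU/N3U, no COOKIE."""
    txid = struct.unpack_from("!H", query, 0)[0]
    header = struct.pack("!HHHHHH", txid, 0x8000 | 0x0100 | 0x0080 | 4, 1, 0, 0, 1)
    question = query[12:skip_name(query, 12) + 4]
    rdata = b""
    for code, val in ((5, bytes([5, 7, 8, 10, 13, 14, 15])), (6, bytes([1, 2, 4])), (7, bytes([1]))):
        rdata += struct.pack("!HH", code, len(val)) + val
    opt = b"\x00" + struct.pack("!HHIH", OPT_RRTYPE, 65494, DO_BIT, len(rdata)) + rdata
    return header + question + opt


def probe(server, qname="www.isc.org", cookie=True, timeout=2.0):
    """Send the query to a real resolver over UDP (needs network) and parse the reply."""
    query = build_query(qname, cookie=secrets.token_bytes(8) if cookie else None)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return query, parse_response(data)


if __name__ == "__main__":
    q = build_query("www.isc.org", cookie=bytes.fromhex("8e31ae172137a02f"))
    print(diagnose(q, parse_response(constructed_notimp_response(q))))
    # Live comparison: probe("127.0.0.53") versus probe("127.0.0.53", cookie=False)
```

If the live probe returns NOTIMP only when the cookie is present, the stub resolver is rejecting the option rather than the query itself, which is the symptom the message attributes to systemd-resolved.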