Hi All, I am running a BIND 9.9.4-50 resolver on CentOS 7 (kernel 3.10.0-514.26.2.el7.x86_64). I have enabled DNSSEC and made it into a validating resolver, but I am facing issues with some sites that use CNAME and getting SERVFAIL. Configs are pretty simple, as given below:
**configs

options {
    listen-on port 53 { 127.0.0.1; x.x.x.x; };
    listen-on-v6 port 53 { ::1; aaaa:bbbb:cccc::d; };
    directory "/var/named";
    pid-file "/var/run/named/named.pid";
    dump-file "data/cache_dump.db";
    empty-zones-enable yes;
    zone-statistics yes;
    querylog yes;
    recursion yes;
    allow-recursion { localhost; my-net; };
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";
    allow-query { localhost; my-net; };
    allow-query-cache { localhost; my-net; };
    flush-zones-on-shutdown yes;
    version "UNNECESSARY";
    dnssec-enable yes;
    dnssec-validation auto;   ## tried with yes but no difference
    random-device "/dev/urandom";
    managed-keys-directory "/var/named/dynamic";
};

// named.conf //
include "/etc/named/acl.conf";
include "/etc/named/options.conf";
include "//etc/named/named-log.conf";
//include "/etc/named/named.rfc1912.zones";
include "/etc/rndc.key";
include "/etc/named.root.key";

zone "." IN {
    type hint;
    file "/var/named/data/named.root";
};

//
zone "0.0.127.in-addr.arpa" {
    type master;
    file "data/db.loopback.master";
    notify no;
};

**end of configs

**dig results for A record of www.icann.org

# dig @localhost www.icann.org. A +dnssec

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> @localhost www.icann.org. A +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25178
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.icann.org.                 IN      A

*** Dig for CNAME works fine

# dig @localhost www.icann.org. cname +dnssec

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> @localhost www.icann.org. cname +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62144
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11

;; QUESTION SECTION:
;www.icann.org.                 IN      CNAME

;; ANSWER SECTION:
www.icann.org.          1747    IN      CNAME   www.vip.icann.org.
www.icann.org.          1747    IN      RRSIG   CNAME 7 3 3600 20170830102924 20170809041125 56445 icann.org. VB1PWieuP3nZX9rpJ8WyA2G0DoV86NxkrgT6HNDsTHmDI0xLYdGvLPCj H4m3lRg1YVxmpwFEJPDHG9TRcqo39T4TDFe+SIyMI/2ERFRhgorggaok zATAs35lDiLpoO7S1LLSWl/L+QmT/bK/XXq1VP/ZUjX3t6belB/GBnZW ZsL/NAU=

;; AUTHORITY SECTION:
icann.org.              84541   IN      NS      b.iana-servers.net.
icann.org.              84541   IN      NS      c.iana-servers.net.
icann.org.              84541   IN      NS      ns.icann.org.
icann.org.              84541   IN      NS      a.iana-servers.net.
icann.org.              84541   IN      RRSIG   NS 7 2 86400 20170831033936 20170810001125 56445 icann.org. jylCSOpN18PNZcDYghGrYky8NsR1Pt7Rpm+c564QQobdd6u8Q1cQtVZZ a+m8wDQtgb0LQCQ9FEXT7Sm9+/p+hGottj4YUuv1TDnLSztSkUqV5DOV ptqG7TCFqsF482AMEmqW8OKNMiapAX6NAbO1hl5gDm+BX0ro2XrCaqzU 8RrdHNE=

;; ADDITIONAL SECTION:
a.iana-servers.net.     170941  IN      A       199.43.135.53
a.iana-servers.net.     170941  IN      AAAA    2001:500:8f::53
b.iana-servers.net.     170941  IN      A       199.43.133.53
…. ...
ns.icann.org.           84541   IN      A       199.4.138.53
ns.icann.org.           84541   IN      AAAA    2001:500:89::53
ns.icann.org.           1741    IN      RRSIG   A 7 3 3600 20170830005731 20170808155836 56445 icann.org. vcUjGAOoJj2nomVKLuigIJAYIOaauYWFN++wqcAYfwO6ayOXPxXMq4j6 jvc8W5r+aLl4jQlHHTZ5L2TghdrH2ngFl5YlXKJSCjcAwifcvASrr5rv +5nmC41L66ueEafDLCBV1vUD2KlaHro1Om1vxZkl9zLCPQc3ESRkHE74 5Nr+nY8=
ns.icann.org.           1741    IN      RRSIG   AAAA 7 3 3600 20170830012209 20170809081125 56445 icann.org. rPURe+sfaBHZccMmpr1sqTzKgxnehYE5D4jt+ndGLKS0yq91EvX/Ktmk EVdyrkSR74Ic+ZY2UjjMopqZO42StePHItX1X0UHXHwpZvS3DqYQwX7o g607QoXPDrotsw0HiG/LVWiT4nZDyGLxRgnp7sQLzAwja9UQO8U/XO6N LdWZ2+c=

**debug log

23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: starting
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: attempting insecurity proof
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'org'
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'icann.org'
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'vip.icann.org'
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: checking existence of DS at 'www.vip.icann.org'
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: starting
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: attempting negative response validation
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: vip.icann.org SOA: starting
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: vip.icann.org SOA: attempting positive response validation
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: vip.icann.org SOA: keyset with trust secure
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: vip.icann.org SOA: verify rdataset (keyid=47600): success
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: vip.icann.org SOA: marking as secure, noqname proof not needed
23-Aug-2017 16:17:57.872 dnssec: debug 3: validator @0x7f3ffc96fdf0: dns_validator_destroy
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: in authvalidated
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: resuming nsecvalidate
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: starting
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: attempting positive response validation
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: keyset with trust secure
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: verify rdataset (keyid=47600): success
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: marking as secure, noqname proof not needed
23-Aug-2017 16:17:57.872 dnssec: debug 3: validator @0x7f3ffc96fdf0: dns_validator_destroy
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: in authvalidated
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: resuming nsecvalidate
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: looking for relevant NSEC3
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: looking for relevant NSEC3
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: NSEC3 proves name exists (owner) data=0
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: nonexistence proof(s) found
23-Aug-2017 16:17:57.872 dnssec: debug 3: validator @0x7f3ffc96f160: dns_validator_destroy
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: in dsfetched2: ncache nxrrset
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: resuming proveunsecure
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: insecurity proof failed

With dnssec-validation turned on, resolving sites like www.icann.org fails. The alternative is to remove validation, which of course is not the desired solution. Any help would be appreciated. Thanks.

— Dhungyel
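Added here as a diagnostic aid (example code, not from the original post or from BIND): a small Python parser that groups the dnssec debug output quoted above by validator instance and reports each instance's outcome, so the step that actually fails stands out in a longer log. It assumes the BIND 9.9 "validating @<address>: <name> <type>: <message>" line format shown in the post, and the sample lines are a constructed excerpt of that log.

```python
import re

# Constructed sample: lines excerpted from the dnssec debug log quoted in the post.
SAMPLE_LOG = """\
23-Aug-2017 16:17:57.567 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: starting
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: starting
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: vip.icann.org SOA: starting
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: vip.icann.org SOA: marking as secure, noqname proof not needed
23-Aug-2017 16:17:57.872 dnssec: debug 3: validator @0x7f3ffc96fdf0: dns_validator_destroy
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: starting
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96fdf0: j3dfsmtecn50eduoe8imh2o47cpe3o7b.vip.icann.org NSEC3: marking as secure, noqname proof not needed
23-Aug-2017 16:17:57.872 dnssec: debug 3: validator @0x7f3ffc96fdf0: dns_validator_destroy
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96f160: www.vip.icann.org DS: nonexistence proof(s) found
23-Aug-2017 16:17:57.872 dnssec: debug 3: validating @0x7f3ffc96e4d0: www.vip.icann.org A: insecurity proof failed
"""

LINE_RE = re.compile(r"^\S+ \S+ dnssec: debug \d+: (?:validating @(?P<ptr>0x[0-9a-f]+): "
                     r"(?P<name>\S+) (?P<rtype>[A-Z0-9]+): (?P<msg>.*)"
                     r"|validator @(?P<dptr>0x[0-9a-f]+): dns_validator_destroy)$")

OUTCOMES = (("marking as secure", "secure"), ("nonexistence proof", "nonexistent (proven)"),
            ("insecurity proof failed", "FAILED: insecurity proof"))  # BIND's own wording

def classify(events):
    for msg in events:                        # first decisive message wins
        for prefix, outcome in OUTCOMES:
            if msg.startswith(prefix):
                return outcome
    return "unfinished: " + (events[-1] if events else "?")

def parse_validators(log_text):
    """Group lines per validator instance; BIND reuses an address after
    dns_validator_destroy, so a 'starting' line always opens a new record."""
    records, live = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                          # not a validator line
        if m.group("dptr"):                   # torn down; address may be reused
            live.pop(m.group("dptr"), None)
            continue
        ptr, msg = m.group("ptr"), m.group("msg")
        if msg == "starting" or ptr not in live:          # new validator instance
            live[ptr] = {"ptr": ptr, "name": m.group("name"),
                         "rtype": m.group("rtype"), "events": []}
            records.append(live[ptr])
        live[ptr]["events"].append(msg)
    for rec in records:
        rec["outcome"] = classify(rec["events"])
    return records
```

Run over the full log, the records whose outcome starts with "FAILED" point at the name and type whose proof did not complete, here the A record of the CNAME target after the DS nonexistence proof at that name.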
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users