Hi Mukund,
> Are you able to reproduce the bug with the latest stock version of BIND
> 9.9? 9.9.4 is very old and that branch has had numerous bugfixes since.
> I'm not able to reproduce such a validation failure with 9.9.11:
At the moment the latest patched version of BIND available for CentOS 7 is
9.9.4-50. The policy has been to stick with the patches / versions
distributed by the distro rather than getting the latest. So, I will have to
try the new version and see if the problem persists.
I have looked around a bit more, and this is where it starts getting
interesting. For hosts that are not mapped to a CNAME, this works perfectly
fine. See below for the host ns.icann.org:
# dig @localhost ns.icann.org A +dnssec
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> @localhost ns.icann.org A +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31866
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 9
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ns.icann.org. IN A
;; ANSWER SECTION:
ns.icann.org. 3600 IN A 199.4.138.53
ns.icann.org. 3600 IN RRSIG A 7 3 3600 20170914022301
20170824010741 56445
icann.org. DFfGY0h65bDzMHNSkf9cmM8vHbIeOyupdw5HeagBiWzQMAbzvtc4w5et
N+1P2zeOPvCvYiBcUsHi+JGqyB0q6gpyZMcXFbMGRPnp931B+F6MUnZL
H2+2PDhkBrZ1EtyVaS8s8IyZ9XOuzJKNwOQBt4mNdFhpvrpWmXMc1zTQ OYX1Kqg=
;; AUTHORITY SECTION:
icann.org. 86393 IN NS a.iana-servers.net.
icann.org. 86393 IN NS ns.icann.org.
icann.org. 86393 IN NS c.iana-servers.net.
icann.org. 86393 IN NS b.iana-servers.net.
icann.org. 86393 IN RRSIG NS 7 2 86400 20170915091737
20170825024031 56445
icann.org. P7offNJTV/zX8mZVC7x6uwvhZrdLzLNM/r1tsp4g7yaprD6LY//TLbNc
tIdbFjZdml7CYYZxZSecmb5Uzo8O7sHS+1xdandh6KxPfo47mO+Ge6JI
JmspnEaOxOlK7Vp3RGCqdeUasxIpwjHlNa+4rZ30ImmKxsAGC9oq01ey d/JE8j8=
;; ADDITIONAL SECTION:
a.iana-servers.net. 172793 IN A 199.43.135.53
a.iana-servers.net. 172793 IN AAAA 2001:500:8f::53
b.iana-servers.net. 172793 IN A 199.43.133.53
b.iana-servers.net. 172793 IN AAAA 2001:500:8d::53
c.iana-servers.net. 172793 IN A 199.43.134.53
c.iana-servers.net. 172793 IN AAAA 2001:500:8e::53
ns.icann.org. 86393 IN AAAA 2001:500:89::53
ns.icann.org. 3600 IN RRSIG AAAA 7 3 3600 20170913162548
20170824010741
56445 icann.org. cSpl1KEIPeFTzXBhjn9CMA+Y4iVG92++kdzxoTzRhgEMsH2Xud/s8Mg1
DBEc07xMgou5OqyGvlbOxP1F2c/dOFrQBMBuojBmG4ltIj663GYshyFy
3sxqNJGATHDDJ7Sk8eiYFazct09Z2wQ73UdwKGXuzM4bD9LrXUYP0rnJ l0xEen8=
However, when I try the same thing for www.icann.org, I get a SERVFAIL, as
below:
# dig @localhost www.icann.org A +dnssec
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> @localhost www.icann.org A +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30814
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.icann.org. IN A
;; Query time: 4237 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Aug 31 10:06:23 +06 2017
;; MSG SIZE rcvd: 42
So, I am beginning to wonder if there is an issue between DNSSEC and CNAME in
the 9.9.4-50 version of BIND. With checking disabled (as suggested by Tony),
it resolves correctly:
# dig @localhost www.icann.org A +cd
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> @localhost www.icann.org A +cd
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53618
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 7
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.icann.org. IN A
;; ANSWER SECTION:
www.icann.org. 3386 IN CNAME www.vip.icann.org.
www.vip.icann.org. 30 IN A 192.0.32.7
;; AUTHORITY SECTION:
vip.icann.org. 3382 IN NS gtm1.dc.icann.org.
vip.icann.org. 3382 IN NS gtm1.mdr.icann.org.
vip.icann.org. 3382 IN NS gtm1.lax.icann.org.
With +cd and +sigchase, the resolver is able to find the RRSIG data fine, but
once checking is enabled, it just fails:
# dig @localhost www.icann.org A +cd +sigchase
;; RRset to chase:
www.icann.org. 3039 IN CNAME www.vip.icann.org.
;; RRSIG of the RRset to chase:
www.icann.org. 3039 IN RRSIG CNAME 7 3 3600 20170914195717
20170824110741
56445 icann.org. GoSDthX9s2BsyaT/AYyfNKixR8UMVF/fx3zz5U9XPIVJUkpp3g9xyuZy
wxO7aTVgiPaESUOttGGn4xs9KMzZ4BcI6bmOAehYubS6AaAb6YdbweR4
S6O3qiNMT5Sai4BrfmvITGjigyNXSb3vc8fsSeUPJVdR8gmObfzbJbdn
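The pattern in the message (SERVFAIL with validation enforced, NOERROR once +cd is set, and an RRSIG that +sigchase can find) is the classic signature of a resolver-side validation failure rather than a broken zone. The following is an added example, not code from the original message or from BIND: a small Python triage helper that takes two captured dig runs for the same name (one with +dnssec, one with +cd), classifies the outcome, and checks each RRSIG's validity window and label count against the time stamp dig printed. The sample text is constructed from the runs quoted above, trimmed to the lines the parser reads, with the RRSIG re-joined onto one line (as dig prints it) and the signature replaced by a placeholder; the parser assumes that one-record-per-line layout.

```python
"""Triage a DNSSEC validation failure from captured dig output.

Added example, not part of the original mailing-list message or of BIND.
Compares a +dnssec run with a +cd run of the same query and sanity-checks the
RRSIG fields (validity window, labels) that a validator evaluates first.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the +dnssec run that returned SERVFAIL (header lines only).
DIG_VALIDATING = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30814
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;www.icann.org. IN A
;; WHEN: Thu Aug 31 10:06:23 +06 2017
"""

# Constructed sample: the same name queried with +cd, which resolved.
DIG_CHECKING_DISABLED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53618
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 7
;; ANSWER SECTION:
www.icann.org. 3386 IN CNAME www.vip.icann.org.
www.vip.icann.org. 30 IN A 192.0.32.7
"""

# Constructed sample: the RRSIG that +cd +sigchase found; signature is a placeholder.
SIGCHASE_RRSIG = (
    "www.icann.org. 3039 IN RRSIG CNAME 7 3 3600 20170914195717 "
    "20170824110741 56445 icann.org. SIGNATURE_PLACEHOLDER\n"
)

# RRSIG presentation format: owner ttl IN RRSIG type alg labels origttl exp inc keytag signer sig
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+(?P<alg>\d+)\s+"
    r"(?P<labels>\d+)\s+(?P<origttl>\d+)\s+(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+"
    r"(?P<keytag>\d+)\s+(?P<signer>\S+)",
    re.M,
)


def parse_header(dig_output):
    """Return (status, flags) from the dig header, e.g. ('SERVFAIL', {'qr', 'rd', 'ra'})."""
    status = re.search(r"status: (\w+)", dig_output)
    flags = re.search(r"^;; flags: ([^;]*);", dig_output, re.M)
    return (status.group(1) if status else None,
            set(flags.group(1).split()) if flags else set())


def parse_when(dig_output):
    """Parse dig's ';; WHEN:' line into an aware datetime; accepts '+06' or '+0600' offsets."""
    m = re.search(r"^;; WHEN: \w{3} (\w{3}) (\d+) (\d+):(\d+):(\d+) ([+-])(\d{2})(\d{2})? (\d{4})",
                  dig_output, re.M)
    if not m:
        return None
    mon, day, hh, mm, ss, sign, oh, om, year = m.groups()
    offset = timedelta(hours=int(oh), minutes=int(om or 0))
    tz = timezone(-offset if sign == "-" else offset)
    return datetime(int(year), datetime.strptime(mon, "%b").month, int(day),
                    int(hh), int(mm), int(ss), tzinfo=tz)


def _sigtime(yyyymmddhhmmss):
    # RRSIG inception/expiration are UTC in presentation format.
    return datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(text):
    """Extract RRSIG records (one per line) into dicts with typed fields."""
    sigs = []
    for m in RRSIG_RE.finditer(text):
        d = m.groupdict()
        for k in ("ttl", "alg", "labels", "origttl", "keytag"):
            d[k] = int(d[k])
        d["expiration"] = _sigtime(d["expiration"])
        d["inception"] = _sigtime(d["inception"])
        sigs.append(d)
    return sigs


def rrsig_window_ok(sig, when):
    """True if the query time lies inside the signature's validity window (RFC 4035 5.3.1)."""
    return sig["inception"] <= when <= sig["expiration"]


def rrsig_labels_ok(sig):
    """The RRSIG labels field may not exceed the owner name's label count (RFC 4035 5.3.1)."""
    owner_labels = len([label for label in sig["owner"].split(".") if label])
    return sig["labels"] <= owner_labels


def classify(validating_output, checking_disabled_output):
    """Compare a +dnssec run with a +cd run of the same query and name the failure mode."""
    v_status, v_flags = parse_header(validating_output)
    c_status, _ = parse_header(checking_disabled_output)
    if v_status == "NOERROR" and "ad" in v_flags:
        return "validated"
    if v_status == "NOERROR":
        return "unvalidated"          # data returned without AD: insecure zone or validation off
    if v_status == "SERVFAIL" and c_status == "NOERROR":
        return "validation_failure"   # the data exists; only validation rejects it
    return "resolution_failure"       # fails even with CD set: not a DNSSEC problem


if __name__ == "__main__":
    when = parse_when(DIG_VALIDATING)
    print("verdict:", classify(DIG_VALIDATING, DIG_CHECKING_DISABLED))
    for sig in parse_rrsigs(SIGCHASE_RRSIG):
        print(sig["owner"], sig["covered"], "window ok:", rrsig_window_ok(sig, when),
              "labels ok:", rrsig_labels_ok(sig))
```

For the runs quoted in the message the verdict is `validation_failure`, and the CNAME RRSIG's window (2017-08-24 to 2017-09-14 UTC) does contain the query time, so an expired or not-yet-valid signature is ruled out; what remains is the chain the resolver builds for the CNAME target, which is where a version-specific resolver bug would show up and which +sigchase alone does not exercise.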