Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled
On Apr 15 2010, Roy Badami wrote: Actually there *is* DNSSEC involved or the query would not have failed. Yes, sorry. I meant to imply that there is no DNSSEC involved beyond the verification of the covering NSEC that proves the lack of a DLV record. There is a bug in the BIND 9.7.0-P1 fixes that triggers this. The fix below is in review at the moment. Interesting - so it sounds like the problems I was seeing with 9.7.0 were probably unrelated. The patch certainly seems to fix the issue with www.bbc.net.uk. I'll run with it for a few days and see if the .org issue I was having earlier recurs. Incidentally, the same patch appears to cure the problem with 9.7.0-P1 and 9.6.2-P1 that I reported earlier as "dig dnskey int." different responses from recent BIND versions Caveat emptor until ISC make the patch official, of course. -- Chris Thompson Email: c...@cam.ac.uk ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled
> Actually there *is* DNSSEC involved or the query would not have > failed. Yes, sorry. I meant to imply that there is no DNSSEC involved beyond the verification of the covering NSEC that proves the lack of a DLV record. > There is a bug in the BIND 9.7.0-P1 fixes that triggers this. The > fix below is in review at the moment. Interesting - so it sounds like the problems I was seeing with 9.7.0 were probably unrelated. The patch certainly seems to fix the issue with www.bbc.net.uk. I'll run with it for a few days and see if the .org issue I was having earlier recurs. Thanks, -roy ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled
In message <20100414232855.gp1...@giles.gnomon.org.uk>, Roy Badami writes: > > Well, FWIW I upgraded to 9.7.0-P1 and tried enabling DLV again and > > I've seen no repeat of the DNSSEC name resolution issues so far; it's > > early days yet (only been running DLV for three days) but certainly > > looking promissing. > > I spoke too soon. I've now found a query that (at least this evening) > is consistently failing for me, even if I restart BIND. > > The following query gives me SERVFAIL > > dig www.bbc.net.uk > > But the following two queries work: > > dig www.bbc.net.uk a > dig www.bbc.net.uk +cd > > This is particularly odd, because there is absolutely no DNSSEC > involved here. Actually there *is* DNSSEC involved or the query would not have failed. There is a bug in the BIND 9.7.0-P1 fixes that triggers this. The fix below is in review at the moment. Mark Index: bind9/lib/dns/validator.c diff -u bind9/lib/dns/validator.c:1.188 bind9/lib/dns/validator.c:1.188.4.4 --- bind9/lib/dns/validator.c:1.188 Fri Mar 26 17:12:48 2010 +++ bind9/lib/dns/validator.c Tue Apr 13 08:31:11 2010 @@ -2990,7 +2990,7 @@ return (ISC_R_SUCCESS); } - if (val->authcount == val->authfail) + if (val->authfail != 0 && val->authcount == val->authfail) return (DNS_R_BROKENCHAIN); validator_log(val, ISC_LOG_DEBUG(3), "nonexistence proof(s) not found"); /*% > No domain above www.bbc.net.uk appears to be in the > DLV registry, and BIND must be able to successfully verify the > covering NSEC record that proves that in order to be willing to > resolve the A query above. So I can't immediately see any way this > situation could arise except due to a BIND bug. > > Anyone else have an IPv6-connected BIND 9.7.0-P1 host with DLV enabled > they can try this query on? > > -roy > ___ > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled
> > dig www.bbc.net.uk +cd > > How does the last query "work"? What I meant by that, in case it wasn't clear, was that setting the CD flag in the query caused it query to succeed, hence strongly suggesting that the cause of the failure in the original query was related to DNSSEC validation. I'm sure my BIND would have logged something as useful as your BIND did if I had set up logging correctly, but I'm afraid I've always found BIND 9 logging configuration to be rather inscrutible... Thanks for the response, in any case. The oddities you've identified may well be the reason why this is consistently failing, but I've seen superficially similar (though intermittent) failures to resolve domains under freebsd.org and isc.org under 9.7.0 (which was my original post) so I think the underlying bug can manifest even for conformant nameservers. I've received a private mail from someone at ISC asking me to try a suggested patch so there's probably little point in investigating further until I've had to opportunity to see what effect that has. And just for comleteness (although I don't think there would be any real doubt about this), I've now commened out again from my config the line dnssec-lookaside auto; and the query mentioned now resolves correctly. -roy ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled
On 04/14/10 16:28, Roy Badami wrote: Well, FWIW I upgraded to 9.7.0-P1 and tried enabling DLV again and I've seen no repeat of the DNSSEC name resolution issues so far; it's early days yet (only been running DLV for three days) but certainly looking promissing. I spoke too soon. I've now found a query that (at least this evening) is consistently failing for me, even if I restart BIND. The following query gives me SERVFAIL dig www.bbc.net.uk But the following two queries work: dig www.bbc.net.uk a dig www.bbc.net.uk +cd How does the last query "work"? I consistently get a NOERROR using unbound as a validating resolver, and that's also what I get when querying the authoritative nameservers for bbc.net.uk. I am easily able to replicate your results on my set-up. I also get the following log from BIND: 14-Apr-2010 16:33:14.953 error (broken trust chain) resolving 'www.bbc.net.uk//IN': 212.58.224.20#53 This is particularly odd, because there is absolutely no DNSSEC involved here. No domain above www.bbc.net.uk appears to be in the DLV registry, and BIND must be able to successfully verify the covering NSEC record that proves that in order to be willing to resolve the A query above. So I can't immediately see any way this situation could arise except due to a BIND bug. Anyone else have an IPv6-connected BIND 9.7.0-P1 host with DLV enabled they can try this query on? The authoritative DNS servers for bbc.net.uk appear to be kind of broken, in that they don't return authoritative NS records for bbc.net.uk, even when queried. They do return an SOA record. I think some of the goofiness may be due to that lack of authority records. Note that an authoritative BIND server will generally refuse to load a zone without NS records. Also: > dig any bbc.net.uk @ns0.rbsov.bbc.co.uk ; <<>> DiG 9.7.0-P1 <<>> any bbc.net.uk @ns0.rbsov.bbc.co.uk ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32624 ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;bbc.net.uk.IN ANY ;; ANSWER SECTION: bbc.net.uk. 3600IN TXT "BBC Intelligent Load Balancing Domain" bbc.net.uk. 3600IN SOA ns0e.rbsov.bbc.co.uk. bofh.bbc.co.uk. 1271235700 86400 86400 86400 300 ;; Query time: 141 msec ;; SERVER: 212.58.227.47#53(212.58.227.47) ;; WHEN: Wed Apr 14 16:45:09 2010 ;; MSG SIZE rcvd: 148 Obviously, in addition to the lack of NS records, there are serious errors in the TXT record above, since the word "Intelligent" clearly does not belong there. michael ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled
> Well, FWIW I upgraded to 9.7.0-P1 and tried enabling DLV again and > I've seen no repeat of the DNSSEC name resolution issues so far; it's > early days yet (only been running DLV for three days) but certainly > looking promissing. I spoke too soon. I've now found a query that (at least this evening) is consistently failing for me, even if I restart BIND. The following query gives me SERVFAIL dig www.bbc.net.uk But the following two queries work: dig www.bbc.net.uk a dig www.bbc.net.uk +cd This is particularly odd, because there is absolutely no DNSSEC involved here. No domain above www.bbc.net.uk appears to be in the DLV registry, and BIND must be able to successfully verify the covering NSEC record that proves that in order to be willing to resolve the A query above. So I can't immediately see any way this situation could arise except due to a BIND bug. Anyone else have an IPv6-connected BIND 9.7.0-P1 host with DLV enabled they can try this query on? -roy ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled
On Sun, Mar 28, 2010 at 11:48:37PM +0100, I wrote: > A couple of weeks ago I upgraded my BINDs to 9.7.0 and enabled DLV. > > This is my first time attemting to validate DNSSEC; however, I've been > seeing intermittent failures to resolve domains under .org which have > been frequent enough to force me to disable DLV again (hence > effectively disabling DNSSEC since I have no other trust anchors > configured). Well, FWIW I upgraded to 9.7.0-P1 and tried enabling DLV again and I've seen no repeat of the DNSSEC name resolution issues so far; it's early days yet (only been running DLV for three days) but certainly looking promissing. -roy ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled
In article , Roy Badami wrote: > > I have seen this happen when bind for some reason (eg mtu issues with > > vpn) cannot query for the DLV key at dlv.isc.org. I have not figured > > out the exact failure mode there. Check the logs to see errors for DNSKEY > > queries for dlv.isc.org to see if this is happening here too. However in > > that case, no queries at all make it. > > Hmm, I wonder whether it could be related to my tunnelled IPv6 > connectivity. I still don't see why, though. > > Resolution definitely works sometimes. When it starts failing > 'rndc flush' has fixed it for me. ... thus removing a cached and broken resolution chain and starting again from fresh? Sam ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled
> > I have seen this happen when bind for some reason (eg mtu issues with > > vpn) cannot query for the DLV key at dlv.isc.org. I have not figured > > out the exact failure mode there. Check the logs to see errors for DNSKEY > > queries for dlv.isc.org to see if this is happening here too. However in > > that case, no queries at all make it. On 29.03.10 18:35, Roy Badami wrote: > Hmm, I wonder whether it could be related to my tunnelled IPv6 > connectivity. I still don't see why, though. MTU problem? > Resolution definitely works sometimes. When it starts failing > 'rndc flush' has fixed it for me. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. How does cat play with mouse? cat /dev/mouse ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled
> I have seen this happen when bind for some reason (eg mtu issues with > vpn) cannot query for the DLV key at dlv.isc.org. I have not figured > out the exact failure mode there. Check the logs to see errors for DNSKEY > queries for dlv.isc.org to see if this is happening here too. However in > that case, no queries at all make it. Hmm, I wonder whether it could be related to my tunnelled IPv6 connectivity. I still don't see why, though. Resolution definitely works sometimes. When it starts failing 'rndc flush' has fixed it for me. -roy ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled
> > Yes, I agree freebsd.org is insecure, but I still want to be able to
> > resolve it :-)
>
> The point was, you should not be getting DNSSEC-related errors from
> a domain that is not secured.
I disagree. In order for a validating resolver to resolve freebsd.org
(or any other insecure domain under .org) BIND still needs to verify
the RRSIG on the covering NSEC for freebsd.org.dlv.isc.org to prove
that freebsd.org doesn't have a DLV record. It has to verify the
RRSIG on the DLV record for org.dlv.isc.org, and check that the hash
in the DLV record matches the DNSKEY record of the KSK at .org. It
has to check that the RRSIG on the DNSKEY RRset is correctly signed
with the KSK, and then it has to check that the RRSIG on the NSEC3
opt-out record that covers freebsd.org is correctly signed with the
ZSK. Only after doing all this does it know that freebsd.org is
really, legitimately, an insecure zone.
If any of these steps fail, the resolver should give an error, unless
the CD bit is set on the query.
> As requested, please supply configuration information... without
> that, it's unlikely anyone is going to be able to help you. Matt
It's pretty basic. Here's the substantive config - I've omited some
TSIG keys and a bunch of zones the server is authoritative for:
logging {
channel dnssec_log {
file "logs/dnssec.log" versions 2 size 2m;
print-time yes;
print-category yes;
print-severity yes;
severity debug 9;
};
category dnssec { dnssec_log; };
};
options {
directory "/etc/namedb";
pid-file"/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
listen-on { any; };
listen-on port 5353 { any; };
listen-on-v6{ any; };
allow-recursion { any; };
dnssec-lookaside auto;
};
include "/etc/namedb/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};
zone "." {
type hint;
file "named.root";
};
zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "master/localhost.rev";
};
// RFC 3152
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA"
{
type master;
file "master/localhost-v6.rev";
};
zone "google.com" {
type forward;
forwarders {
74.82.42.42;
};
};
zone "google.co.uk" {
type forward;
forwarders {
74.82.42.42;
};
};
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled
On Mon, 29 Mar 2010, Matthew Pounsett wrote: On 2010/03/28, at 18:48, Roy Badami wrote: configured). The queries are resulting in SERVFAIL, and I'm pretty sure the failures are DNSSEC-related, as when I've seen problems as they occur (dig failing from the command line) then repeating the query with the CD bit allowed it to succeed. It looks to me like your example, freebsd.org, is insecure. I have seen this happen when bind for some reason (eg mtu issues with vpn) cannot query for the DLV key at dlv.isc.org. I have not figured out the exact failure mode there. Check the logs to see errors for DNSKEY queries for dlv.isc.org to see if this is happening here too. However in that case, no queries at all make it. Paul ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled
On 2010/03/29, at 06:04, Roy Badami wrote: > >> It looks to me like your example, freebsd.org, is insecure. > > Yes, I agree freebsd.org is insecure, but I still want to be able to > resolve it :-) The point was, you should not be getting DNSSEC-related errors from a domain that is not secured. As requested, please supply configuration information... without that, it's unlikely anyone is going to be able to help you. Matt ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled
> It looks to me like your example, freebsd.org, is insecure. Yes, I agree freebsd.org is insecure, but I still want to be able to resolve it :-) .org is signed with NSEC3 and (I think, but could be misremembering) is using opt-out. org is registered in DLV, so BIND still has to do some work to verify that nothing is amiss with the (insecure) delegation. If it can't verify that it is correct for freebsd.org to be insecure then it would be correct for it to fail resolution. As I say the failures are intermittent - sometimes freebsd.org resolves fine - sometimes it fails. I don't think this is specific to freebsd.org, and problably not even to .org - .org is just one of the higher-profile DNSSEC-signed TLDs. -roy ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled
On 2010/03/28, at 18:48, Roy Badami wrote: > configured). The queries are resulting in SERVFAIL, and I'm pretty > sure the failures are DNSSEC-related, as when I've seen problems as > they occur (dig failing from the command line) then repeating the > query with the CD bit allowed it to succeed. It looks to me like your example, freebsd.org, is insecure. There are no DS records for freebsd.org in the org zone, so BIND can't follow the trust chain from the org.dlv.isc.org DLV record. ; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec +dnssec IN DS freebsd.org @a0.org.afilias-nst.info ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52863 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1 [...] There also appears to be no DLV record for freebsd.org: ; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec +dnssec IN DLV freebsd.org.dlv.isc.org @ns.isc.afilias-nst.info ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23858 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;freebsd.org.dlv.isc.org. IN DLV ;; AUTHORITY SECTION: dlv.isc.org.3600IN SOA ns-int.isc.org. hostmaster.isc.org. 2010032802 7200 3600 2419200 3600 dlv.isc.org.3600IN RRSIG SOA 5 3 3600 20100427130003 20100328130003 64263 dlv.isc.org. IbRdfwxFInY6FuHtsfVatqrNvMIoifQTrohzEZF1UsTx9XAowU1Zz57L YcHPu3ReAdYOL+IwkG8syNQ/LSLnpZY3K3Av/HSmPV524KWbm39J+k+G BMmIIsnvC4I40UUr7f/AXF14JgdAu9eokvvLvqR0CcAY0dq9HGHjdXC1 HbI= flame.org.dlv.isc.org. 3600IN NSEC863.freenum.org.dlv.isc.org. RRSIG NSEC DLV flame.org.dlv.isc.org. 3600IN RRSIG NSEC 5 5 3600 20100427130003 20100328130003 64263 dlv.isc.org. KZRZadIqTS8p6V3fRz7bsOrP3A/gTqJzeVtWTOqhrRbChLt0jVbhY4fR 1pBogkhc84xcv7i0odHMzWCIpmQdv4Q/ODnophPdgrfPcxB93s3dMQ/D j0o2KTYsx1qJo0O1RWqhicUdwGoVYm5rZFLxy/uBV0dJe0KGrSmY21Gw U/c= org.dlv.isc.org.3600IN NSEC1mg.org.dlv.isc.org. RRSIG NSEC DLV org.dlv.isc.org.3600IN RRSIG NSEC 5 4 3600 20100427130003 20100328130003 64263 dlv.isc.org. YCe9L3iuJ5YD5hj7s1Z9wGsDkhLhqchNki+bSffHGxoYZVaQnMZXgWpS fYJZsFyJA3h1uEs5FvuLeLv1Poej2EhDyXucMHAgTJy4fbDjaw3Q8/MP et17Ki0TSNvMFdusCJl93aSZBnKponKR67ofvb8wwt5SDCYrR41EgvzE WZs= ;; Query time: 58 msec ;; SERVER: 199.254.63.254#53(199.254.63.254) ;; WHEN: Mon Mar 29 04:22:48 2010 ;; MSG SIZE rcvd: 721 Note both the NXDOMAIN status and the NSEC record covering flame.org.dlv.isc.org through 863.freenum.org.dlv.isc.org. The NSEC record is used to prove that no domains which sort between those two names exist in the dlv.isc.org zone. Just to make sure, I looked for RRSIGs in the freebsd.org zone, wondering if maybe the DLV record has simply disappeared from the dlv.isc.org zone somehow.. but it doesn't look like freebsd.org has been signed at all: ; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec +dnssec IN mx2.freebsd.org @ns2.isc-sns.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17599 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 11 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;mx2.freebsd.org. IN ;; ANSWER SECTION: mx2.freebsd.org.3600IN 2001:4f8:fff6::35 Note the absence of an RRSIG in the ANSWER section. If freebsd.org were signed, you'd expect to see an answer similar to this: ; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec +dnssec IN ns1.isc-sns.net @ns1.isc-sns.net ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52801 ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;ns1.isc-sns.net. IN ;; ANSWER SECTION: ns1.isc-sns.net.3600IN 2001:470:1a::1 ns1.isc-sns.net.3600IN RRSIG 5 3 3600 2010042620 2010032720 10377 isc-sns.net. qk8txlEYx6d8Mor155Rz0Te2vdQSPDoaJZM5FaXLfyNpruv7z3gdwtAI BrmDCKhzmyYni4GQmqZPYmceVjp1rcD17B5O+2/NET+obm3pcHKuzRZs e0PyP1LITahboUZzBoIyd7/jqs2+EwFKJgUs7v41UNp5oIz2vs0YuBo6 1Hc= Have you checked the other domains you're having problems with to see that they're actually secured? If you supply some info from your resolver configuration, someone here might be able to help debug the problem. Matt ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Intermittent failures resolving .org domains in BIND 9.7.0 with DLV enabled
A couple of weeks ago I upgraded my BINDs to 9.7.0 and enabled DLV. This is my first time attemting to validate DNSSEC; however, I've been seeing intermittent failures to resolve domains under .org which have been frequent enough to force me to disable DLV again (hence effectively disabling DNSSEC since I have no other trust anchors configured). The queries are resulting in SERVFAIL, and I'm pretty sure the failures are DNSSEC-related, as when I've seen problems as they occur (dig failing from the command line) then repeating the query with the CD bit allowed it to succeed. Has anyone else seen similar problems? Could anyone give me any hints as to what I can do to help debug this? I started collecting dnssec debug logs after the fist time it happened, but am open to suggestions as to what else I should be logging. I attach a fragment of dnssec debug logs relating to freebsd.org from around the time that I was having problems receiving mail from that domain. Thanks in advance for any help, -roy 28-Mar-2010 18:35:58.811 dnssec: debug 3: validating @0x8307000: mx2.freebsd.org : starting 28-Mar-2010 18:35:58.811 dnssec: debug 3: validating @0x8307000: mx2.freebsd.org : looking for DLV 28-Mar-2010 18:35:58.811 dnssec: debug 3: validating @0x8307000: mx2.freebsd.org : plain DNSSEC returns unsecure (.): looking for DLV 28-Mar-2010 18:35:58.811 dnssec: debug 3: validating @0x8307000: mx2.freebsd.org : looking for DLV mx2.freebsd.org.dlv.isc.org 28-Mar-2010 18:35:58.811 dnssec: debug 9: validating @0x8307000: mx2.freebsd.org : finddlvsep: creating fetch for mx2.freebsd.org.dlv.isc.org DLV 28-Mar-2010 18:35:58.811 dnssec: debug 3: validating @0x8307000: mx2.freebsd.org : DLV lookup: wait 28-Mar-2010 18:35:58.816 dnssec: debug 3: validating @0x830a000: mx2.freebsd.org.dlv.isc.org DLV: starting 28-Mar-2010 18:35:58.816 dnssec: debug 3: validating @0x830a000: mx2.freebsd.org.dlv.isc.org DLV: attempting negative response validation 28-Mar-2010 18:35:58.816 dnssec: debug 9: validating @0x830a000: mx2.freebsd.org.dlv.isc.org DLV: nsecvalidate: creating validator for dlv.isc.org SOA 28-Mar-2010 18:35:58.816 dnssec: debug 3: validating @0x830b000: dlv.isc.org SOA: starting 28-Mar-2010 18:35:58.816 dnssec: debug 3: validating @0x830b000: dlv.isc.org SOA: attempting positive response validation 28-Mar-2010 18:35:58.816 dnssec: debug 3: validating @0x830b000: dlv.isc.org SOA: keyset with trust 8 28-Mar-2010 18:35:58.816 dnssec: debug 3: validating @0x830b000: dlv.isc.org SOA: verify rdataset (keyid=64263): success 28-Mar-2010 18:35:58.816 dnssec: debug 3: validating @0x830b000: dlv.isc.org SOA: marking as secure, noqname proof not needed 28-Mar-2010 18:35:58.817 dnssec: debug 3: validator @0x830b000: dns_validator_destroy 28-Mar-2010 18:35:58.817 dnssec: debug 3: validating @0x830a000: mx2.freebsd.org.dlv.isc.org DLV: in authvalidated 28-Mar-2010 18:35:58.817 dnssec: debug 3: validating @0x830a000: mx2.freebsd.org.dlv.isc.org DLV: resuming nsecvalidate 28-Mar-2010 18:35:58.817 dnssec: debug 9: validating @0x830a000: mx2.freebsd.org.dlv.isc.org DLV: nsecvalidate: creating validator for flame.org.dlv.isc.org NSEC 28-Mar-2010 18:35:58.817 dnssec: debug 3: validating @0x830b000: flame.org.dlv.isc.org NSEC: starting 28-Mar-2010 18:35:58.817 dnssec: debug 3: validating @0x830b000: flame.org.dlv.isc.org NSEC: attempting positive response validation 28-Mar-2010 18:35:58.817 dnssec: debug 3: validating @0x830b000: flame.org.dlv.isc.org NSEC: keyset with trust 8 28-Mar-2010 18:35:58.817 dnssec: debug 3: validating @0x830b000: flame.org.dlv.isc.org NSEC: verify rdataset (keyid=64263): success 28-Mar-2010 18:35:58.817 dnssec: debug 3: validating @0x830b000: flame.org.dlv.isc.org NSEC: marking as secure, noqname proof not needed 28-Mar-2010 18:35:58.817 dnssec: debug 3: validator @0x830b000: dns_validator_destroy 28-Mar-2010 18:35:58.817 dnssec: debug 3: validating @0x830a000: mx2.freebsd.org.dlv.isc.org DLV: in authvalidated 28-Mar-2010 18:35:58.817 dnssec: debug 3: validating @0x830a000: mx2.freebsd.org.dlv.isc.org DLV: looking for relevant nsec 28-Mar-2010 18:35:58.817 dnssec: debug 3: validating @0x830a000: mx2.freebsd.org.dlv.isc.org DLV: nsec range ok 28-Mar-2010 18:35:58.817 dnssec: debug 3: validating @0x830a000: mx2.freebsd.org.dlv.isc.org DLV: resuming nsecvalidate 28-Mar-2010 18:35:58.817 dnssec: debug 9: validating @0x830a000: mx2.freebsd.org.dlv.isc.org DLV: nsecvalidate: creating validator for org.dlv.isc.org NSEC 28-Mar-2010 18:35:58.817 dnssec: debug 3: validating @0x8306000: org.dlv.isc.org NSEC: starting 28-Mar-2010 18:35:58.817 dnssec: debug 3: validating @0x8306000: org.dlv.isc.org NSEC: attempting positive response validation 28-Mar-2010 18:35:58.817 dnssec: debug 3: validating @0x8306000: org.dlv.isc.org NSEC: keyset with trust 8 28-Mar-2010 18:35:58.818 dnssec: debug 3: validating @0x8306000: org.dlv.isc.org NS
