RE: DNSSEC SERVFAIL when parent zone has no DS record
Hello,

You do not provide sufficient data for a diagnosis! But it seems to me that BIND is not complaining about the DS of subdomain.domain.com., but rather about a missing RRSIG for an NSEC when fetching the DS of domain.com.

Admittedly, the log messages could be somewhat more user-friendly, but I'd check whether domain.com. itself is properly signed.

Kind regards,
Marc Lampo

-----Original Message-----
From: Sergio Charpinel Jr. [mailto:sergiocharpi...@gmail.com]
Sent: 05 October 2011 01:57 PM
To: bind-users@lists.isc.org
Subject: DNSSEC SERVFAIL when parent zone has no DS record

Hi,

Dig returns SERVFAIL while trying to resolve a DNSSEC-enabled zone without a DS record in the parent zone. For example, I have these two DNSSEC-enabled zones:

  domain.com
  subdomain.domain.com

The domain.com zone has NO DS record for the subdomain.domain.com zone, and subdomain.domain.com has an A record for the zone, and an A record for www.

If I query subdomain.domain.com, I get SERVFAIL from dig and these log messages:

03-Oct-2011 11:03:07.893 validating @0x7f9ea305b2d0: domain.com SOA: no valid signature found
03-Oct-2011 11:03:07.894 createfetch: domain.com DS
03-Oct-2011 11:03:07.894 validating @0x7f9ea305df70: domain.com NSEC: no valid signature found
03-Oct-2011 11:03:07.895 createfetch: domain.com DS
03-Oct-2011 11:03:07.896 error (broken trust chain) resolving 'subdomain.domain.com/DNSKEY/IN': x.x.x.x#53
03-Oct-2011 11:03:07.896 error (broken trust chain) resolving 'subdomain.domain.com/A/IN': x.x.x.x#53

If I run the query again, I get NXDOMAIN (from cache). So I can't query the subdomain.domain.com zone.

Now, if I query www.subdomain.domain.com I get the same, but when I run the query again I get a valid answer (from cache).

I know the DS is not configured properly and so DNSSEC shouldn't work, but BIND shouldn't behave like this. If the zone is not configured properly, BIND should query it anyway, the same way it does when the zone isn't signed. I didn't find any related bugs. Is this a known bug?

Btw, I'm using BIND 9.7.3 from Debian 6.0.2.

Thanks.

--
Sergio Roberto Charpinel Jr.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
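Marc's reading of the log above (the validator gave up on the SOA and NSEC of domain.com, the parent, and only then reported subdomain.domain.com as a broken trust chain) is the kind of thing worth pulling out of a BIND validation log mechanically, because the name in the final "error (...) resolving" line is rarely the zone that needs fixing. The following is an added example, not code from the thread or from ISC: it separates the RRsets whose RRSIGs failed to verify from the queries that were finally reported as failed. The embedded log lines are the six quoted in the message, with the obscured server address x.x.x.x left as it was; the message layout assumed is BIND 9.7's.

```python
"""Find where the chain of trust actually broke from BIND's DNSSEC
validation log.

Added example, not code from the thread or from ISC.  The log lines at
the bottom are the ones quoted in the message above (x.x.x.x is the
poster's obscured server address); the message layout is BIND 9.7's.
"""
import re
from collections import defaultdict

# "validating @0x7f...: <owner> <type>: no valid signature found"
NOSIG_RE = re.compile(
    r"validating @0x[0-9a-f]+: (?P<owner>\S+) (?P<type>[A-Z0-9]+): no valid signature found")
# "createfetch: <owner> <type>"  (what the validator went looking for)
FETCH_RE = re.compile(r"createfetch: (?P<owner>\S+) (?P<type>[A-Z0-9]+)")
# "error (<reason>) resolving '<name>/<type>/IN': <server>"
ERROR_RE = re.compile(
    r"error \((?P<reason>[^)]+)\) resolving '(?P<name>[^/]+)/(?P<type>[^/]+)/IN': (?P<server>\S+)")


def parse_validation_log(lines):
    """Split the log into: RRsets whose RRSIGs failed to verify, RRsets the
    validator fetched while trying, and the queries finally reported as failed."""
    no_sig = defaultdict(set)   # owner name -> RR types with unverifiable RRSIGs
    fetches = set()             # (owner, type) the validator requested
    errors = []                 # (name, type, reason, server) reported back
    for line in lines:
        if m := NOSIG_RE.search(line):
            no_sig[m.group("owner")].add(m.group("type"))
        elif m := FETCH_RE.search(line):
            fetches.add((m.group("owner"), m.group("type")))
        elif m := ERROR_RE.search(line):
            errors.append((m.group("name"), m.group("type"),
                           m.group("reason"), m.group("server")))
    return dict(no_sig), sorted(fetches), errors


def where_did_it_break(lines):
    """Name the owner(s) whose signatures failed: that is the zone to debug,
    not the name the resolver reported the failure for."""
    no_sig, fetches, errors = parse_validation_log(lines)
    return {
        "reported_failed": sorted({name for name, _, _, _ in errors}),
        "unverifiable": {owner: sorted(types) for owner, types in no_sig.items()},
        "fetched": fetches,
        "start_here": sorted(no_sig),
    }


# The lines quoted in the message above.
SAMPLE_LOG = [
    "03-Oct-2011 11:03:07.893 validating @0x7f9ea305b2d0: domain.com SOA: no valid signature found",
    "03-Oct-2011 11:03:07.894 createfetch: domain.com DS",
    "03-Oct-2011 11:03:07.894 validating @0x7f9ea305df70: domain.com NSEC: no valid signature found",
    "03-Oct-2011 11:03:07.895 createfetch: domain.com DS",
    "03-Oct-2011 11:03:07.896 error (broken trust chain) resolving 'subdomain.domain.com/DNSKEY/IN': x.x.x.x#53",
    "03-Oct-2011 11:03:07.896 error (broken trust chain) resolving 'subdomain.domain.com/A/IN': x.x.x.x#53",
]

if __name__ == "__main__":
    for key, value in where_did_it_break(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the thread's log this reports subdomain.domain.com as the failed query but domain.com (SOA and NSEC) as the owner whose signatures could not be verified, which is Marc's point: check the parent's signing first. The "validating @0x..." and "createfetch" lines come from BIND's dnssec logging category at a debug level, so they will only be present if that category is logged at debug.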
Re: DNSSEC SERVFAIL when parent zone has no DS record
Marc,

After supplying the DS and the respective NS record for the subdomain in the parent zone (domain.com), it works. If I disable DNSSEC in my recursive server, it also works.

So, if a zone is not signed properly (or doesn't have DS records) the query will fail? Isn't it better to query those misconfigured servers without DNSSEC, just like it does when the zone is not signed?

And what about the second case, when I query www.subdomain.domain.com? If I run two queries, the first fails with the same error, but the second works (I think the second comes from cache).

How can I provide more data for diagnosis?

Thanks.

2011/10/5 Marc Lampo marc.la...@eurid.eu:
> [...]

--
Sergio Roberto Charpinel Jr.
RE: DNSSEC SERVFAIL when parent zone has no DS record
After supplying the NSs and DS in the parent zone, is that parent zone properly re-signed? (To generate NSEC(3) and RRSIGs.)

If you ask your validating caching name server for the DS of domain.com., do you get a proper reply with the AD bit set?

If you ask your validating caching name server for the DS of subdomain.domain.com., do you get a proper reply with the AD bit set?

(No idea yet about the www.subdomain.domain.com observations.)

Kind regards,
Marc

-----Original Message-----
From: Sergio Charpinel Jr. [mailto:sergiocharpi...@gmail.com]
Sent: 05 October 2011 02:22 PM
To: Marc Lampo
Cc: bind-users@lists.isc.org
Subject: Re: DNSSEC SERVFAIL when parent zone has no DS record

[...]
Re: DNSSEC SERVFAIL when parent zone has no DS record
Sergio Charpinel Jr. sergiocharpi...@gmail.com wrote:
> After supplying the DS and the respective NS record for the subdomain in the parent zone (domain.com), it works.

That sounds like you had no delegation RRs in the parent zone. In that case the parent zone will contain a secure denial of existence of the child zone. If you have delegation NS RRs but no DS RRs, this is an insecure delegation, in which the parent says the child zone exists but is not signed (at least not in a way that the parent can authenticate).

> How can I provide more data for diagnosis?

Provide real zone names and name server IP addresses.

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Rockall, Malin: West 6 to gale 8, increasing severe gale 9, perhaps storm 10 later. Very rough becoming high. Squally showers. Good, occasionally poor.
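Marc's two diagnostic questions (ask your validating resolver for the DS of domain.com. and of subdomain.domain.com. and look for the AD bit) and Tony's three-way distinction (a signed DS, an insecure delegation proven by NSEC/NSEC3, or a secure denial that the child exists at all) fit into a single check. The following is an added example, not code from the thread, from ISC or from BIND: it parses the text that `dig +dnssec <child> DS` prints and labels the delegation. The four dig outputs embedded at the bottom are constructed (digests and signatures shortened to placeholders), and `run_dig()` with a resolver at 127.0.0.1 is an assumption about where a validating resolver is listening.

```python
"""Classify a delegation from what a validating resolver answers to
`dig +dnssec <child> DS`.

Added example, not code from the thread, ISC or BIND.  The four dig
outputs at the bottom are constructed (digest and signature fields are
placeholders); run_dig() and the resolver address 127.0.0.1 are
assumptions about the reader's setup.
"""
import re
import subprocess

STATUS_RE = re.compile(r"status: (?P<status>[A-Z]+),")
FLAGS_RE = re.compile(r"flags:(?P<flags>[a-z ]*);")


def parse_dig(text):
    """Return (status, flags, answer_types, authority_types) from dig output."""
    status, flags = None, set()
    answer, authority, section = [], [], None
    for line in text.splitlines():
        if line.startswith(";;"):
            if m := STATUS_RE.search(line):
                status = m.group("status")
            if m := FLAGS_RE.search(line):
                flags = set(m.group("flags").split())
            # Only the ANSWER and AUTHORITY sections matter for this check.
            section = {";; ANSWER SECTION:": answer,
                       ";; AUTHORITY SECTION:": authority}.get(line.strip())
            continue
        if section is not None and line.strip() and not line.startswith(";"):
            fields = line.split()          # owner ttl class type rdata...
            if len(fields) >= 4:
                section.append(fields[3])
    return status, flags, answer, authority


def classify_delegation(dig_output):
    """Map the resolver's answer for the child's DS RRset to a chain-of-trust state."""
    status, flags, answer, authority = parse_dig(dig_output)
    if status == "SERVFAIL":
        return "bogus"        # validator could not build a chain of trust (the thread's case)
    if "ad" not in flags:
        return "unvalidated"  # resolver is not validating, or the parent zone is unsigned
    if status == "NXDOMAIN":
        return "nonexistent"  # parent proves the child name does not exist: no delegation at all
    if "DS" in answer:
        return "secure"       # signed DS present: the child must validate against it
    if any(t in ("NSEC", "NSEC3") for t in authority):
        return "insecure"     # delegation exists, and the parent proves there is no DS
    return "unknown"


def run_dig(name, resolver="127.0.0.1"):
    """Ask an (assumed) local validating resolver; needs dig on PATH and network access."""
    out = subprocess.run(["dig", "+dnssec", "@" + resolver, name, "DS"],
                         capture_output=True, text=True, check=False)
    return classify_delegation(out.stdout)


# Constructed dig outputs, trimmed to the parts the parser reads.
DIG_SECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;subdomain.domain.com.          IN DS

;; ANSWER SECTION:
subdomain.domain.com.   3600 IN DS    12345 8 2 <digest>
subdomain.domain.com.   3600 IN RRSIG DS 8 3 3600 20111105000000 20111005000000 54321 domain.com. <sig>
"""

DIG_INSECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; AUTHORITY SECTION:
domain.com.             3600 IN SOA   ns1.domain.com. hostmaster.domain.com. 2011100500 3600 900 1209600 3600
domain.com.             3600 IN RRSIG SOA 8 2 3600 20111105000000 20111005000000 54321 domain.com. <sig>
subdomain.domain.com.   3600 IN NSEC  www.domain.com. NS RRSIG NSEC
subdomain.domain.com.   3600 IN RRSIG NSEC 8 3 3600 20111105000000 20111005000000 54321 domain.com. <sig>
"""

DIG_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4244
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; AUTHORITY SECTION:
domain.com.             3600 IN SOA   ns1.domain.com. hostmaster.domain.com. 2011100500 3600 900 1209600 3600
domain.com.             3600 IN RRSIG SOA 8 2 3600 20111105000000 20111005000000 54321 domain.com. <sig>
domain.com.             3600 IN NSEC  www.domain.com. NS SOA RRSIG NSEC DNSKEY
domain.com.             3600 IN RRSIG NSEC 8 2 3600 20111105000000 20111005000000 54321 domain.com. <sig>
"""

DIG_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4245
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

if __name__ == "__main__":
    for label, sample in [("secure", DIG_SECURE), ("insecure", DIG_INSECURE),
                          ("nxdomain", DIG_NXDOMAIN), ("servfail", DIG_SERVFAIL)]:
        print(f"{label:9s} -> {classify_delegation(sample)}")
```

The AD bit only means something when the resolver you ask is the validating one, so point dig at your own recursive server rather than at the authoritative servers. When the result is "bogus", repeating the query with dig's `+cd` option (checking disabled) returns whatever the parent actually serves without the validator rejecting it, which shows whether the DS, NS or NSEC/NSEC3 records and their RRSIGs are really there.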
Re: DNSSEC SERVFAIL when parent zone has no DS record
On 10/5/2011 5:21 AM, Sergio Charpinel Jr. wrote:
> After supplying the DS and the respective NS record for the subdomain in the parent zone (domain.com), it works. If I disable DNSSEC in my recursive server, it also works.
>
> So, if a zone is not signed properly (or doesn't have DS records) the query will fail? Isn't it better to query those misconfigured servers without DNSSEC, just like it does when the zone is not signed?

Without the necessary NS records in the parent, the zone was never correctly delegated. It worked, but only due to a fluke of being served on the same server as its parent zone. Implementing DNSSEC made you fix your zone. This is not a bad thing.

There is no reason to try again without DNSSEC if you get a failure, because that failure means it didn't work. You may end up trying different authoritative servers if you get a failure (to work around poisoned or disrupted servers), but you don't ever fall back to non-DNSSEC lookups on zones that should be secure.

AlanC
--
a...@clegg.com 1.919.355.8851