Re: Why DNSSEC errors for bund.de?

2011-05-27 Thread Chris Thompson

To follow up on this thread (there's been much more about it on DNS-OARC
than here), it was a bug that is fixed (change 3020) together with the
more serious security problem (change 3121) in the new BIND versions
9.6-ESV-R4-P1, 9.7.3-P1 and 9.8.0-P2.

--
Chris Thompson
Email: c...@cam.ac.uk

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Why DNSSEC errors for bund.de?

2011-05-24 Thread Lars Hecking
Chris Thompson writes:
 We are getting DNSSEC-related SERVFAILs on names in bund.de (e.g.
 mx1.bund.de). This happens with all of BIND 9.7.3-P1, 9.7.4b1 and
 9.8.0-P1 configured with the root and dlv.isc.org trust anchors.
 
 However, I can't see what is actually wrong with it, using dig +cd as
 necessary. All the signatures appear to have valid start/stop times, and
 http://dnsviz.net/d/mx1.bund.de/dnssec/ seems pretty happy with it. There
 are a lot of false trails (e.g. the DS records for it in de) but that
 shouldn't stop BIND finding the one that works (DLV in dlv.isc.org -
 KSK with tag 10923 - ZSK with tag 4814), should it?
 
 It may be significant that this problem was reported to us on the same
 day that obscured DNSKEY records were introduced into the de zone...

Maybe this is a symptom of DUdeZ (deliberately unvalidatable DE zone)?

http://www.heise.de/newsticker/meldung/DENIC-startet-unbemerkt-mit-der-Verteilung-der-signierten-de-Zone-1247415.html
http://www.denic.de/domains/dnssec.html




Re: Why DNSSEC errors for bund.de?

2011-05-24 Thread Chris Thompson

On May 24 2011, I wrote:


We are getting DNSSEC-related SERVFAILs on names in bund.de (e.g.
mx1.bund.de). This happens with all of BIND 9.7.3-P1, 9.7.4b1 and
9.8.0-P1 configured with the root and dlv.isc.org trust anchors.

However, I can't see what is actually wrong with it, using dig +cd as
necessary. All the signatures appear to have valid start/stop times, and
http://dnsviz.net/d/mx1.bund.de/dnssec/ seems pretty happy with it. There
are a lot of false trails (e.g. the DS records for it in de) but that
shouldn't stop BIND finding the one that works (DLV in dlv.isc.org -
KSK with tag 10923 - ZSK with tag 4814), should it?

It may be significant that this problem was reported to us on the same
day that obscured DNSKEY records were introduced into the de zone...


That seems almost certain to be the precipitating event, in fact.
I can produce the same effect for all 31 zones that are both registered
in dlv.isc.org *and* have a DS record in dlv.isc.org:

 adns1.de.
 brj-berlin.de.
 btw-kinderdorf.de.
 buergerhaushalt-marzahn.de.
 bund.de.
 com.de.
 exanames.de.
 gun.de.
 idkom-networks.de.
 ifw-dresden.de.
 iks-jena.de.
 ipse-online.de.
 judo-dresden.de.
 ombudschaft.de.
 ombudschaft-jugendhilfe.de.
 ralf-pulz.de.
 reichel-jens.de.
 schrimpe.de.
 sgfun.de.
 sgmail.de.
 stadtteilzeitung-nordwest.de.
 stefan-gransow.de.
 stegranet.de.
 steinmuss.de.
 unixbuero.de.
 verein-kiekin.de.
 wartenbergerhof.de.
 wikileaks.de.
 zrb-kiekin.de.

Among other oddities:

 dig +dnssec dnskey [zone] gives the right answer *without* the ad bit
 dig +dnssec soa [zone] gives SERVFAIL, unless +cd is used as well.

--
Chris Thompson
Email: c...@cam.ac.uk
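Chris's two dig observations (an answer that comes back without the ad bit, and a SERVFAIL that goes away with +cd) are the standard way to tell a resolver-side validation failure from an authoritative-side outage: with +cd the resolver still fetches the data but skips validation, so a SERVFAIL that disappears under +cd means the data was reachable and only the validation step rejected it. The following Python is an added example, not code from this thread or from ISC. It parses the header and answer section of dig's output and applies that comparison. The dig outputs embedded in it are constructed samples for a placeholder zone example.de; the key tags reuse the ones named in the thread, and the signature data is dummy.

```python
"""Classify DNSSEC trouble from a pair of dig runs: one with +dnssec, one with +dnssec +cd.

Rule applied (the diagnostic described in the thread):
  plain SERVFAIL, +cd NOERROR   -> the resolver's validation rejected reachable data
  plain SERVFAIL, +cd SERVFAIL  -> failure upstream of validation (authoritative/network)
  plain NOERROR with 'ad'       -> validated as secure
  plain NOERROR, RRSIG, no 'ad' -> signed data the resolver did not validate
  plain NOERROR, no RRSIG       -> insecure (unsigned) delegation, or a non-validating resolver
"""
import re

# Constructed sample dig outputs (illustrative, not captures from the thread).
PLAIN_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40001
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

CD_SUCCESS = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40002
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.de.\t3600\tIN\tSOA\tns1.example.de. hostmaster.example.de. 2011052401 7200 3600 1209600 3600
example.de.\t3600\tIN\tRRSIG\tSOA 8 2 3600 20110630000000 20110524000000 4814 example.de. AAAA==
"""

PLAIN_SECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40003
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.de.\t3600\tIN\tDNSKEY\t257 3 8 AwEAAQ==
example.de.\t3600\tIN\tRRSIG\tDNSKEY 8 2 3600 20110630000000 20110524000000 10923 example.de. AAAA==
"""

# The thread's DNSKEY oddity: a correct, signed answer returned without the ad bit.
PLAIN_SIGNED_NO_AD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40004
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.de.\t3600\tIN\tDNSKEY\t257 3 8 AwEAAQ==
example.de.\t3600\tIN\tRRSIG\tDNSKEY 8 2 3600 20110630000000 20110524000000 10923 example.de. AAAA==
"""

PLAIN_INSECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40005
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.example.de.\t3600\tIN\tA\t192.0.2.10
"""


def parse_dig(output):
    """Return (status, flags, has_rrsig) from dig's header and answer lines."""
    status_m = re.search(r"status: ([A-Z]+)", output)
    flags_m = re.search(r";; flags:([^;]*);", output)
    if not status_m or not flags_m:
        raise ValueError("not a dig response header")
    flags = set(flags_m.group(1).split())
    # Any RRSIG record in the printed sections means the data arrived signed.
    has_rrsig = re.search(r"\bIN\s+RRSIG\b", output) is not None
    return status_m.group(1), flags, has_rrsig


def classify(plain_output, cd_output):
    """Compare the +dnssec run with the +dnssec +cd run and name the failure mode."""
    status, flags, has_rrsig = parse_dig(plain_output)
    cd_status, _, _ = parse_dig(cd_output)
    if status == "SERVFAIL":
        if cd_status == "NOERROR":
            return "validation-failure"   # data reachable; resolver's validation rejected it
        return "upstream-failure"         # fails even with checking disabled
    if status != "NOERROR":
        return "other-" + status.lower()
    if "ad" in flags:
        return "secure"
    if has_rrsig:
        return "signed-not-validated"     # signed answer, but the resolver set no ad bit
    return "insecure"


if __name__ == "__main__":
    # The two observations from the thread: the DNSKEY answer and the SOA SERVFAIL.
    print("dnskey:", classify(PLAIN_SIGNED_NO_AD, CD_SUCCESS))
    print("soa:   ", classify(PLAIN_SERVFAIL, CD_SUCCESS))
```

In practice you would feed it the text of `dig +dnssec soa <zone> @resolver` and `dig +dnssec +cd soa <zone> @resolver`; a "validation-failure" verdict points at the resolver's chain of trust (trust anchors, DS/DLV lookup, or a resolver bug as in this thread) rather than at the zone's authoritative servers.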


Re: Why DNSSEC errors for bund.de?

2011-05-24 Thread Chris Thompson

On May 24 2011, I wrote:

[...]

That seems almost certain to be the precipitating event, in fact.
I can produce the same effect for all 31 zones that are both registered
in dlv.isc.org *and* have a DS record in dlv.isc.org:


Aaargh ... I meant *and* have a DS record in de, of course.

--
Chris Thompson
Email: c...@cam.ac.uk
