[Pdns-users] DNSSEC failure on non-DNSSEC subdomain
Ask Bjørn Hansen
ask at develooper.com
Fri Feb 24 19:12:57 UTC 2012
Hi everyone,
develooper.org is using DNSSEC (NSEC, native in PowerDNS - show-zone output below). l.develooper.org is pointed to a different set of nameservers with no DS record (they don't have DNSSEC configured).
This morning I got a report that DNSSEC validating resolvers stopped being able to get to the l.develooper.org names (cpan-global.l.develooper.org specifically). Not sure if it being Thursday yesterday is related or if it was broken all along.
I can't figure out what I might have done wrong. I am still using 3.0.1.
As an example, our BIND (9.6) in the office says:
Feb 24 19:12:29 net-services1 named[97805]: no valid DS resolving 'cpan-global.l.develooper.org/A/IN': 208.78.71.20#53
Feb 24 19:12:29 net-services1 named[97805]: no valid DS resolving 'cpan-global.l.develooper.org/A/IN': 204.13.251.20#53
Feb 24 19:12:29 net-services1 named[97805]: no valid DS resolving 'cpan-global.l.develooper.org/A/IN': 208.78.70.20#53
Feb 24 19:12:29 net-services1 named[97805]: no valid DS resolving 'cpan-global.l.develooper.org/A/IN': 204.13.250.20#53
Ask
# pdnssec show-zone develooper.org
Zone has NSEC semantics
Zone is not presigned
keys:
ID = 13 (KSK), tag = 30319, algo = 8, bits = 2048 Active: 1
KSK DNSKEY = develooper.org IN DNSKEY 257 3 8 AwEAAas2WeVtrNrCSA2M/3XFJKkC59ppLQOlXXE4T6R4AbNESbj5t+g64wI7k/eEaxlhVQgChwr3MjT4l3rSIp7jJz+sSUxdDuGx7Go7aB+MIQKhdRIM1+WXR4F3/OIDkyUPDl+VHOdqalD5JBG90eBGlQKCrFD39+uNkoogFsp/U3Vx12qUBavj9TFr9vP7gN3ChKkoRpqj0MUKXK33oxX40Wkfjb93l9WDFfXLgLNJeu3J/ZVsfgRMa2xUIp7T8PxJHoAxruLjE4TBJDP8RZq8AhpJyeSFtTgeabXYY9uN9OsTAZ/CsRK/AAsQf1Tp/GMwvR5Bex2bOK5YjnFE+bztISM=
DS = develooper.org IN DS 30319 8 1 a64f439a53eecc7280964d1f5a6832fb48ac86ee
DS = develooper.org IN DS 30319 8 2 6605f44544efab4b801c9d83b70cff8e8c1bbc1dac6031bac27354ea052aa292
DS = develooper.org IN DS 30319 8 3 06d3e11b3dec87f29f850f7acb76f3bb26a5dbbd7bee84d36f8f01ae2b9c818d
ID = 14 (ZSK), tag = 50380, algo = 8, bits = 1024 Active: 1
ID = 15 (ZSK), tag = 3243, algo = 8, bits = 1024 Active: 0
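
An added example, not part of the original post: under RFC 4035 section 5.2, a validating resolver accepts a delegation such as l.develooper.org as unsigned only when the signed parent returns an NSEC record at the delegation name whose type bitmap has NS set and both DS and SOA clear. The Python below decodes that bitmap (wire format from RFC 4034 section 4.1.2) and classifies it; the sample bitmaps are constructed, not captured from develooper.org, and the function names are hypothetical.

```python
# Added example (not from the original post). Sample bitmaps are constructed.
NS, SOA, DS = 2, 6, 43  # RR type codes

# Constructed NSEC type bitmaps in wire format: window, length, bit octets
UNSIGNED_CHILD = bytes.fromhex("0006200000000003")  # NS RRSIG NSEC
SIGNED_CHILD = bytes.fromhex("0006200000000013")    # NS DS RRSIG NSEC
CHILD_APEX = bytes.fromhex("000722000000000380")    # NS SOA RRSIG NSEC DNSKEY


def nsec_types(bitmap):
    """Decode an NSEC type bitmap into the set of RR type codes it lists."""
    types, i = set(), 0
    while i < len(bitmap):
        if i + 2 > len(bitmap):
            raise ValueError("truncated window header")
        window, length = bitmap[i], bitmap[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(bitmap):
            raise ValueError("bad window length")
        for octet_no, octet in enumerate(bitmap[i + 2:i + 2 + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):  # bit 0 is the most significant
                    types.add(window * 256 + octet_no * 8 + bit)
        i += 2 + length
    return types


def classify_delegation(bitmap):
    """Say what the NSEC at a queried name proves about a DS lookup."""
    types = nsec_types(bitmap)
    if NS not in types:
        return "not-a-delegation"
    if SOA in types:
        # NSEC from the child's apex: cannot prove DS absence in the parent
        return "zone-apex"
    if DS in types:
        return "secure-delegation"
    return "insecure-delegation"  # the proof a validator needs for an unsigned child


if __name__ == "__main__":
    for label, bm in (("unsigned child", UNSIGNED_CHILD),
                      ("signed child", SIGNED_CHILD),
                      ("child apex", CHILD_APEX)):
        print(label, sorted(nsec_types(bm)), classify_delegation(bm))
```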