[Pdns-users] DNSSEC trouble

Leen Besselink leen at consolejunkie.net
Wed May 20 10:32:45 UTC 2015


On Wed, May 20, 2015 at 12:26:50PM +0200, Leen Besselink wrote:
> On Wed, May 20, 2015 at 12:16:02PM +0200, Peter Thomassen wrote:
> > Dear experts,
> > 
> > I'm sorry to bug you again, but I am still stuck with deploying DNSSEC
> > for desec.io, and I'd like to ask for your help once more.
> > 
> > I have a hidden primary which does the signing in live mode (MySQL
> > backend), and two public nameservers ns1.desec.io and ns2.desec.io which
> > receive the zones via AXFR (bind backend). All are using PowerDNS 3.3
> > from Ubuntu 14.04.
> > 
> > After communicating my DS records to the .io registry, the DNSSEC
> > debugger http://dnssec-debugger.verisignlabs.com/desec.io tells me the
> > everything is fine, except that desec.io does not have RRSIG records,
> > and my resolver says SERVFAIL.
> > 
> > Screenshot: https://www.a4a.de/_temp/DNSSEC.png
> > (I removed the DS records again from the .io zone.)
> > 
> > However,
> > dig RRSIG desec.io @ns1.desec.io
> > dig RRSIG desec.io @ns2.desec.io
> > 
> > gives the RRSIG records. Why does the debugger not find them?
> > 
> 
> Hi,
> 
> Wouldn't consider myself an expert, but RRSIG isn't normally something you query for,
> these are the signatures which get added with DNSSEC-signed response.
> 
> Judging by the image it looks like DNSSEC debugger does 3 queries:
> 
> dig @ns1.desec.io +dnssec +norec desec.io DS # that worked and did include the RRSIG records
> 
> # these failed:
> dig @ns1.desec.io +dnssec +norec desec.io DNSKEY
> dig @ns1.desec.io +dnssec +norec desec.io A
> 
> Here is a working example with an RRSIG for the DNSKEY query:
> 
> $ dig +dnssec +norec @194.171.17.10 nl. DNSKEY
> 
> ; <<>> DiG 9.8.1-P1 <<>> +dnssec +norec @194.171.17.10 nl. DNSKEY
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9281
> ;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;nl.                            IN      DNSKEY
> 
> ;; ANSWER SECTION:
> nl.                     7200    IN      DNSKEY  256 3 8 AwEAActQKGjyxDvKZrmtecDqXu5i7hDRnkBH71kukkBWMqi7GlRVnwng tXGLg41p8cBP+HsLLDxr125ukadG0peYLfjx5gBj0CE6VMguwqRtn7MP MIym5outGSRm2uTcO7mxp1ZykusE1GnavVFDUhgoipGaXQ/q0w3Lpyij NE9GZmyH
> nl.                     7200    IN      DNSKEY  257 3 8 AwEAAbgqMqYHpmZrqQd3zFNOzYv2lw8bWBnrtK9TjlwK/ZBYMwKGR6TN bmMuwdjebpIE2vFxTHGLQfb2PmUJpazAGkG0fUaqrjuIU99Qbe5hwLYX qyGe2Mm+ZNRsomBxhluR/ky/XX4V1TjTqeXYH4gkzEs7I6og5IE0tKyh hpU38XHtuFVj7uunIAWGn5g9tZ0ZNnv8CkwLE5hLmRf+AoNTd483ZBX4 FUT32KbF6XV3ikctXbsMe2GqGlIf0gMqJQbNvYf1NuNMbxauh9YavEQ0 yaavI1hz5eLMJRruq4wDTyRnMJHupxY69oZZ9IbIsEf0FurtaA7fXrAx qcfEfARr4b0=
> nl.                     7200    IN      RRSIG   DNSKEY 8 1 7200 20150526002957 20150511201503 21362 nl. lXOt9uoPC+0NdnY2GiPVvCSwK2XeJVfMu1r8d84k47Au2sYc3rExtCGQ JT7Smx6heHQ8kWPPLJ58FTd0oht5yG/0E6Voe2qNh5xKp8htoseTEysv hejOXEevpWkxfkc3JFu7qHzYqNYAEIwKNXIWMhxmVarhwACKkKIelZXy 6o/hD2JspOHCzZO6uK5X1pRQyBFnRt2PgZ6oMWCi4h7/mMNQRAAqcR1V hFmBnYEPQuk3Twiq6geHdP3aq0FxvHnUqHXczVPz2BAf6bV4sl2XRjxP EEtmSRRAkkT8YTNOlKytU8V5bnjAMqeh3nkIHvugdJzDwrkODhrIsLKo 3ywe/A==
> 
> ;; Query time: 7 msec
> ;; SERVER: 194.171.17.10#53(194.171.17.10)
> ;; WHEN: Wed May 20 12:25:14 2015
> ;; MSG SIZE  rcvd: 745
> 
> Hope that helps.
> 

As I mentioned, I'm no expert so I forgot to add:

The DS is signed by the parent, so that is why the DS-query did work.

As we can see, no RRSIG record on your domain, my guess would be the transferred domain isn't properly signed before it's transferred:

$ dig +dnssec +norec @ns1.desec.io desec.io DNSKEY

; <<>> DiG 9.8.1-P1 <<>> +dnssec +norec @ns1.desec.io desec.io DNSKEY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41947
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 2800
;; QUESTION SECTION:
;desec.io.                      IN      DNSKEY

;; ANSWER SECTION:
desec.io.               3600    IN      DNSKEY  257 3 8 AwEAAcw5QLr0IjC0wKbGoBPQv4qmeqHy9mvL5qGQTuaG5TSrNqEAR6b/ qvxDx6my4JmEmjUPA1JeEI9YfTUieMr2UZflu7aIbZFLw0vqiYrywCGr CHXLalOrEOmrvAxLvq4vHtuTlH7JIszzYBSes8g1vle6KG7xXiP3U5Ll 96Qiu6bZ31rlMQSPB20xbqJJh6psNSrQs41QvdcXAej+K2Hl1Wd8kPri ec4AgiBEh8sk5Pp8W9ROLQ7PcbqqttFaW2m7N/Wy4qcFU13roWKDEAst bxH5CHPoBfZSbIwK4KM6BK/uDHpSPIbiOvOCW+lvu9TAiZPc0oysY6as lO7jXv16Gws=
desec.io.               3600    IN      DNSKEY  256 3 8 AwEAAday3UX323uVzQqtOMQ7EHQYfD5Ofv4akjQGN2zY5AgB/2jmdR/+ 1PvXFqzKCAGJv4wjABEBNWLLFm7ew1hHMDZEKVL17aml0EBKI6Dsz6Mx t6n7ScvLtHaFRKaxT4i2JxiuVhKdQR9XGMiWAPQKrRM5SLG0P+2F+TLK l3D0L/cD

;; Query time: 85 msec
;; SERVER: 54.88.76.245#53(54.88.76.245)
;; WHEN: Wed May 20 12:30:26 2015
;; MSG SIZE  rcvd: 461

I would try the same query on the hidden master first.

> > Thanks a lot for your help,
> > Peter
> > -- 
> > OpenPGP Key: 0x3EF22D2F
> > 
> 
> 
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
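A small checker for the three queries discussed above, as an added example that is not part of this thread or of PowerDNS: it reads a `dig +dnssec` response and reports what the debugger (and a validating resolver) would object to, namely a missing AA flag, a DO bit that is not echoed back, an RRset in the answer with no covering RRSIG, and an RRSIG whose inception/expiration window does not contain the time of the query. The two embedded responses are constructed to match the shape of the nl. and desec.io outputs shown above, with the key and signature fields cut down to placeholders; they are not real DNSSEC material. The script name `check_rrsig.py` is an assumption.

```python
"""Report what a validator would object to in one `dig +dnssec` response.
Added example, not code from the thread. Sample responses below are
constructed (key/signature data shortened to placeholders)."""
import re
import sys
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample: correctly signed DNSKEY answer, shaped like the nl. query.
SIGNED_DNSKEY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9281
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nl.                            IN      DNSKEY

;; ANSWER SECTION:
nl.                     7200    IN      DNSKEY  256 3 8 AwEAActQKGjyxDvK...
nl.                     7200    IN      DNSKEY  257 3 8 AwEAAbgqMqYHpmZr...
nl.                     7200    IN      RRSIG   DNSKEY 8 1 7200 20150526002957 20150511201503 21362 nl. lXOt9uoPC+0NdnY2...

;; Query time: 7 msec
"""

# Constructed sample: the failure mode from the thread, a DNSKEY RRset with no RRSIG.
UNSIGNED_DNSKEY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41947
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 2800
;; QUESTION SECTION:
;desec.io.                      IN      DNSKEY

;; ANSWER SECTION:
desec.io.               3600    IN      DNSKEY  257 3 8 AwEAAcw5QLr0IjC0...
desec.io.               3600    IN      DNSKEY  256 3 8 AwEAAday3UX323uV...

;; Query time: 85 msec
"""

TIMESTAMP = "%Y%m%d%H%M%S"  # RRSIG inception/expiration format as dig prints it (UTC)


def answer_records(dig_output: str) -> List[List[str]]:
    """Split each ANSWER SECTION line into fields: name ttl class type rdata..."""
    records, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer and (not line.strip() or line.startswith(";;")):
            break  # a blank line or the next section header ends the answer
        elif in_answer and not line.startswith(";"):
            records.append(line.split())
    return records


def _flag_words(dig_output: str, prefix: str) -> List[str]:
    """Words of the 'flags:' list on the first header line that starts with prefix."""
    for line in dig_output.splitlines():
        if line.startswith(prefix):
            m = re.search(r"flags:([^;]*)", line)
            return m.group(1).split() if m else []
    return []


def dnssec_check(dig_output: str) -> Dict[str, object]:
    """AA set? DO echoed? Which RRset types in the answer lack a covering RRSIG?"""
    present, covered = set(), set()
    for fields in answer_records(dig_output):
        if len(fields) < 5:
            continue
        if fields[3] == "RRSIG":
            covered.add(fields[4])  # first RDATA field of an RRSIG is the type it covers
        else:
            present.add(fields[3])
    return {
        "authoritative": "aa" in _flag_words(dig_output, ";; flags:"),
        "do_bit": "do" in _flag_words(dig_output, "; EDNS:"),
        "unsigned_types": sorted(present - covered),
    }


def _ts(s: str) -> datetime:
    return datetime.strptime(s, TIMESTAMP)


def rrsig_valid_at(fields: List[str], when: str) -> bool:
    """True if `when` (YYYYMMDDHHMMSS UTC) lies in the RRSIG's inception..expiration window.
    RRSIG RDATA order (RFC 4034): type covered, algorithm, labels, original TTL,
    expiration, inception, key tag, signer name, signature."""
    expiration, inception = _ts(fields[8]), _ts(fields[9])
    return inception <= _ts(when) <= expiration


def report(dig_output: str, when: str) -> List[str]:
    """Findings for one response; an empty list means nothing to complain about."""
    summary, findings = dnssec_check(dig_output), []
    if not summary["authoritative"]:
        findings.append("answer is not authoritative (no AA flag)")
    if not summary["do_bit"]:
        findings.append("DO bit not echoed: query lacked +dnssec or server has no EDNS")
    for rtype in summary["unsigned_types"]:
        findings.append(f"{rtype} RRset has no covering RRSIG")
    for fields in answer_records(dig_output):
        if len(fields) > 9 and fields[3] == "RRSIG" and not rrsig_valid_at(fields, when):
            findings.append(f"RRSIG over {fields[4]} is outside its validity window")
    return findings


if __name__ == "__main__":
    # Usage: dig +dnssec +norec @ns1.example example DNSKEY | python3 check_rrsig.py
    text = sys.stdin.read() if not sys.stdin.isatty() else UNSIGNED_DNSKEY
    for line in report(text, datetime.now(timezone.utc).strftime(TIMESTAMP)) or ["ok"]:
        print(line)
```

Run it against each of the DNSKEY, A and DS queries the debugger issues, first on the hidden master and then on ns1 and ns2, as suggested above; a zone that is clean on the master and flagged on a secondary points at the transfer rather than the signer. The script only checks for the presence and time window of signatures, not their cryptographic validity; for that, point a validating tool such as delv or unbound-host at the server.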
