[Pdns-users] dnssec domain validates as bogus

Greg Antic greg.antic at stc.za.com
Mon Mar 12 09:22:27 UTC 2018


Hi Remi,

Thanks. Yes, I read [1] during my troubleshooting. When doing a dig or just browsing from the FTTH customer, the A record would not get returned. When I "turned off" the dnssec we were answered with the A record. I tested this on versions 4.1.1 and 4.0.6.

See below the traces and journal log: the trace receives the A record, but if you specifically query it you get SERVFAIL.

Current DNSSEC config:
dnssec=process
dnssec-log-bogus=yes


rec_control trace-regex 'cape-epic.com'
ok
ok
ok

dig a cape-epic.com +trace -b 41.x.y.z

; <<>> DiG 9.10.3-P4-Ubuntu <<>> a cape-epic.com +trace -b 41.x.y.z
;; global options: +cmd
.                       3420    IN      NS      b.root-servers.net.
.                       3420    IN      NS      e.root-servers.net.
.                       3420    IN      NS      i.root-servers.net.
.                       3420    IN      NS      d.root-servers.net.
.                       3420    IN      NS      k.root-servers.net.
.                       3420    IN      NS      m.root-servers.net.
.                       3420    IN      NS      l.root-servers.net.
.                       3420    IN      NS      h.root-servers.net.
.                       3420    IN      NS      c.root-servers.net.
.                       3420    IN      NS      g.root-servers.net.
.                       3420    IN      NS      f.root-servers.net.
.                       3420    IN      NS      a.root-servers.net.
.                       3420    IN      NS      j.root-servers.net.
.                       3420    IN      RRSIG   NS 8 0 518400 20180325050000 20180312040000 41824 . dSAaK8AjXy31BE5RQ+2a/F+ZLfOdStqejfFkKhRSyGptTP0GjSB/Q6pi vB/lI3725G+qEylD7MylOQqyvE1uA/CU3KJDNc00xbGTlEFiTbarzK6p gwbReoujqD09C3ZKGKqAkpql4LHwe5LB4kcD8eapBzs+tCFS8ioNW9kF XOpeTaeB/yJxSPS/AwQSwZGnmW/XOkh13iurfa69tOlJ/3f5Zw5FLsoQ 2u2sL2ZSFUzkBiSlPA3eLgzYiWwBubfrA7HJudhktUkK/LK4IaK+U7u/ FuBMwGyLjARCltI9Q8wR1S/x93UmEi1XF4FCRwCWE7jj1QjBv93M+q5m j8SZwQ==
;; Received 540 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 20180325050000 20180312040000 41824 . P1ZaS7sTZ3Cyn5XPnodl1rgsi6yZujPwnm8sWHG/pFXc3+muO+YFIe9S dF5aOqzitsIJIc4Sp3M1aRjiOakvgVPx4IiSVinBUWA84HPeZ0I+eyUK 7KUFRH24ixXGhJGjzIdj867RwatqGq64veehKAU2xUcaitysyaewEJ2K qM060xVV38rkXZA2WIpEz7fTZqyJ/7jfRmZTkixkEWfZbIWhht4OWCqa jKbNN/0poaRYa2M+rQ56OtYWwOY6ZMFvMVOSpzXZ8Y+gyYkSzhXDhceE Yd0FFEpeUyKVfUdvwG1NPj3sepkUgg8EGcqL0rKLNmOYxLMFZSx95BU+ IWmGJg==
;; Received 1173 bytes from 202.12.27.33#53(m.root-servers.net) in 177 ms

cape-epic.com.          172800  IN      NS      pdns11.domaincontrol.com.
cape-epic.com.          172800  IN      NS      pdns12.domaincontrol.com.
cape-epic.com.          86400   IN      DS      64969 8 1 2AA8209D01A6283ECBD60F083BFB552F64783536
cape-epic.com.          86400   IN      DS      22732 8 1 ABFD3FC903A8DE4DEEC3EC90D18D936C61523BAF
cape-epic.com.          86400   IN      RRSIG   DS 8 2 86400 20180316045929 20180309044929 46967 com. T0NAU9r4tknlWi/Vl4U1Lby4H5xWsR0I7Om6xXvppBZjxtkYxSWq7Oqp R/okDcPjKwOkDeJwLlX6WdQzEtk9G+L3vleC1NQeOAFXke9F1G5C4P+/ haNCklxBPhEoo3fJT9OABhIt1lPl1NR9PtJ3jUMhWL/m/wk90/4ZGHxu pw4=
;; Received 421 bytes from 192.55.83.30#53(m.gtld-servers.net) in 157 ms

cape-epic.com.          600     IN      A       154.0.167.107
cape-epic.com.          600     IN      RRSIG   A 8 2 600 20180315200642 20180228200642 32211 cape-epic.com. Xx8/sbvlElY8Ix80/bEn9xia3algcBHNZNfaeOjj5Ly/Z0ZdrMHINR8C noTDzwJtIHreVNsygOgbQxweN/OgnZ/h5yZ4aWHiAXxfB2YB8tRx0pmv Qoq5yEkFS8vHpawW5nRfEQn3E188jVAxOIIt8kM3BaOvZheK10P5yUs1 mu0=
cape-epic.com.          3600    IN      NS      pdns12.domaincontrol.com.
cape-epic.com.          3600    IN      NS      pdns11.domaincontrol.com.
cape-epic.com.          3600    IN      NS      ns.otherdns.com.
cape-epic.com.          3600    IN      NS      ns.otherdns.net.
cape-epic.com.          3600    IN      NS      ns.dns2.co.za.
cape-epic.com.          3600    IN      NS      ns.dns1.co.za.
cape-epic.com.          3600    IN      RRSIG   NS 8 2 3600 20180315200642 20180228200642 32211 cape-epic.com. cQRz7CUiv0FIF1zjZqaBX0oBrYrfpVj3NAYxjRXMiUMJpCd0s5+KItvM LSnGBtm4TIiTnG5GF0b2hpvY0UGhUHQQxFD1IETXarDeZrvJhx6qfKSJ N0QrqobqSsjTw19J39kLyvVE7OM5YqyFqj9yXC+LPXjc4xjzARNpSQNH OHw=
;; Received 564 bytes from 216.69.185.55#53(pdns11.domaincontrol.com) in 157 ms

dig a cape-epic.com @41.x.y.z

; <<>> DiG 9.10.3-P4-Ubuntu <<>> a cape-epic.com @41.x.y.z
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14308
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cape-epic.com.                 IN      A

;; Query time: 159 msec
;; SERVER: 41.x.y.z#53(41.x.y.z)
;; WHEN: Mon Mar 12 11:15:23 SAST 2018
;; MSG SIZE  rcvd: 42

journalctl -u pdns-recursor -n 100
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: accept answer 'cape-epic.com|NS|ns.otherdns.com.' from 'cape-epic.com' nameservers? ttl=3600,
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: accept answer 'cape-epic.com|NS|ns.otherdns.net.' from 'cape-epic.com' nameservers? ttl=3600,
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: accept answer 'cape-epic.com|NS|ns.dns2.co.za.' from 'cape-epic.com' nameservers? ttl=3600, pl
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: accept answer 'cape-epic.com|NS|ns.dns1.co.za.' from 'cape-epic.com' nameservers? ttl=3600, pl
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: accept answer 'cape-epic.com|RRSIG|NS 8 2 3600 20180315200642 20180228200642 32211 cape-epic.c
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: OPT answer '.' from 'cape-epic.com' nameservers
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] : got status Secure for name cape-epic.com (from cape-epic.com)
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] : got initial zone status Secure for record cape-epic.com
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Validating non-additional record for cape-epic.com
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Retrieving DNSKeys for cape-epic.com
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337]  cape-epic.com: Wants DNSSEC processing, auth data in query for DNSKEY
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337]  cape-epic.com: DNSKEY is negatively cached via 'cape-epic.com' for another 1003 seconds
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337]  cape-epic.com: updating validation state with negative cache content for cape-epic.com to Bogus
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Retrieved 0 DNSKeys for cape-epic.com, state is Bogus
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] validation state was Secure, state update is Bogus, validation state is now Bogus
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] : got status Secure for name cape-epic.com (from cape-epic.com)
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] : got initial zone status Secure for record cape-epic.com
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Validating non-additional record for cape-epic.com
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Retrieving DNSKeys for cape-epic.com
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337]  cape-epic.com: Wants DNSSEC processing, auth data in query for DNSKEY
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337]  cape-epic.com: DNSKEY is negatively cached via 'cape-epic.com' for another 1003 seconds
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337]  cape-epic.com: updating validation state with negative cache content for cape-epic.com to Bogus
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Retrieved 0 DNSKeys for cape-epic.com, state is Bogus
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: determining status after receiving this packet
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: answer is in: resolved to '154.0.167.107|A'
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: got upwards/level NS record 'cape-epic.com' -> 'pdns12.domaincontrol.com.', had 'cape-epic.com
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: got upwards/level NS record 'cape-epic.com' -> 'pdns11.domaincontrol.com.', had 'cape-epic.com
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: got upwards/level NS record 'cape-epic.com' -> 'ns.otherdns.com.', had 'cape-epic.com'
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: got upwards/level NS record 'cape-epic.com' -> 'ns.otherdns.net.', had 'cape-epic.com'
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: got upwards/level NS record 'cape-epic.com' -> 'ns.dns2.co.za.', had 'cape-epic.com'
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: got upwards/level NS record 'cape-epic.com' -> 'ns.dns1.co.za.', had 'cape-epic.com'
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: status=got results, this level of recursion done
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: validation status is Bogus
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: Starting validation of answer to cape-epic.com|A for 41.x.y.z:58365
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: Answer to cape-epic.com|A for 41.x.y.z:58365 validates as Bogus
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: Sending out SERVFAIL for cape-epic.com|A because recursor or query demands it for Bogus results

-----Original Message-----
From: Pdns-users [mailto:pdns-users-bounces at mailman.powerdns.com] On Behalf Of Remi Gacogne
Sent: Friday, 09 March 2018 5:20 PM
To: pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] dnssec domain validates as bogus

Hi Greg,

On 03/09/2018 03:44 PM, Greg Antic wrote:
> We are running recursor 4.1.1. We are having a problem with a domain 
> that is signed with bogus dnssec records, the domain is cape-epic.com.
> We have tried the different dnssec modes but only process-no-validate 
> allows the domain to be resolved. We tried adding an nta for the 
> domain but the domain still would not resolve.
> 
> Does anyone have any suggestions how we can accommodate and still 
> resolve bogus domains but still offer dnssec validation?

Running with dnssec=process should only return a ServFail if the client actually asks for DNSSEC validation, as described in [1].
Adding an NTA should also work; would you mind sharing your configuration and a trace (running with --trace or enabling it for this single domain via rec_control trace-regex 'cape-epic.com')?


[1]: https://doc.powerdns.com/recursor/dnssec.html#what-when

Best regards,

--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
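The journal excerpt above shows the mechanism behind the SERVFAIL in one readable sequence: the zone starts out Secure, the recursor goes to fetch the DNSKEY RRset, finds a negative cache entry for it ("DNSKEY is negatively cached ... for another 1003 seconds"), retrieves 0 keys, and so downgrades the state to Bogus and refuses the answer. As an added example (my own code, not from the thread or from the PowerDNS project), the script below scans pdns_recursor journal lines for exactly that sequence and reports, per name, the validation verdict, the likely cause and how long the negative DNSKEY entry still has to live. The sample log is constructed from the lines quoted above; the regular expressions were written against the message formats visible in this 4.1.x trace and are an assumption for other recursor versions.

```python
import re
import sys
from collections import defaultdict

# Constructed sample: a subset of the pdns_recursor journal lines quoted in
# the thread above (same host, PID and query id), not a fresh capture.
SAMPLE_LOG = """\
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] : got initial zone status Secure for record cape-epic.com
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Retrieving DNSKeys for cape-epic.com
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337]  cape-epic.com: DNSKEY is negatively cached via 'cape-epic.com' for another 1003 seconds
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337]  cape-epic.com: updating validation state with negative cache content for cape-epic.com to Bogus
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Retrieved 0 DNSKeys for cape-epic.com, state is Bogus
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] validation state was Secure, state update is Bogus, validation state is now Bogus
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: Answer to cape-epic.com|A for 41.x.y.z:58365 validates as Bogus
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: Sending out SERVFAIL for cape-epic.com|A because recursor or query demands it for Bogus results
"""

# Regexes written against the message formats visible in this 4.1.x trace;
# they are an assumption for other recursor versions.
RE_NEGCACHE = re.compile(
    r"\s(?P<name>\S+): DNSKEY is negatively cached via '(?P<via>[^']+)'"
    r" for another (?P<ttl>\d+) seconds")
RE_DNSKEYS = re.compile(
    r"Retrieved (?P<n>\d+) DNSKeys for (?P<name>\S+), state is (?P<state>\w+)")
RE_VERDICT = re.compile(
    r"Answer to (?P<name>[^|]+)\|(?P<qtype>\S+) for (?P<client>\S+)"
    r" validates as (?P<state>\w+)")
RE_SERVFAIL = re.compile(
    r"Sending out SERVFAIL for (?P<name>[^|]+)\|(?P<qtype>\S+) because")


def _new_finding():
    return {"negcache_ttl": None, "negcache_via": None,
            "dnskeys_retrieved": None, "dnskey_state": None,
            "verdicts": [], "servfail_qtypes": [], "likely_cause": None}


def analyze(log_text):
    """Group validation events by owner name and classify Bogus outcomes."""
    findings = defaultdict(_new_finding)
    for line in log_text.splitlines():
        m = RE_NEGCACHE.search(line)
        if m:
            f = findings[m["name"]]
            f["negcache_ttl"] = int(m["ttl"])
            f["negcache_via"] = m["via"]
            continue
        m = RE_DNSKEYS.search(line)
        if m:
            f = findings[m["name"]]
            f["dnskeys_retrieved"] = int(m["n"])
            f["dnskey_state"] = m["state"]
            continue
        m = RE_VERDICT.search(line)
        if m:
            findings[m["name"]]["verdicts"].append(
                (m["qtype"], m["client"], m["state"]))
            continue
        m = RE_SERVFAIL.search(line)
        if m:
            findings[m["name"]]["servfail_qtypes"].append(m["qtype"])
    # Classify: a Bogus verdict preceded by a negative DNSKEY cache hit is the
    # pattern seen in this thread; 0 keys without a negcache line is a fetch
    # problem; anything else needs the full trace.
    for f in findings.values():
        bogus = any(state == "Bogus" for _, _, state in f["verdicts"])
        if bogus and f["negcache_ttl"] is not None:
            f["likely_cause"] = "DNSKEY negative cache entry"
        elif bogus and f["dnskeys_retrieved"] == 0:
            f["likely_cause"] = "no DNSKEY retrieved"
        elif bogus:
            f["likely_cause"] = "other (inspect full trace)"
    return dict(findings)


def report(findings):
    """One human-readable line per name, for a quick look or a cron mail."""
    lines = []
    for name, f in sorted(findings.items()):
        if not f["verdicts"]:
            continue
        states = ",".join(sorted({s for _, _, s in f["verdicts"]}))
        msg = f"{name}: validated as {states}"
        if f["likely_cause"]:
            msg += f"; likely cause: {f['likely_cause']}"
        if f["negcache_ttl"] is not None:
            msg += (f" (negative DNSKEY entry via '{f['negcache_via']}' "
                    f"expires in {f['negcache_ttl']}s)")
        if f["servfail_qtypes"]:
            msg += f"; SERVFAIL sent for {','.join(f['servfail_qtypes'])}"
        lines.append(msg)
    return lines


if __name__ == "__main__":
    # With a file argument it reads that file (e.g. saved journalctl output);
    # without one it runs over the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in report(analyze(text)):
        print(line)
```

The useful point for an operator is the TTL in the report: once the DNSKEY lookup has been negatively cached, every query for the name will keep validating as Bogus until that entry expires, whatever the authoritative servers now return, which is why a `+trace` that talks to the authoritatives directly sees the A record while the recursor still answers SERVFAIL. A negative-cache hit on a DNSKEY is therefore the first thing to rule out before blaming the zone's signatures or the NTA configuration; `rec_control wipe-cache` for the name is the usual way to clear it (check your version's rec_control manual for whether it also covers the negative cache).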


