[Pdns-users] dnssec domain validates as bogus

Remi Gacogne remi.gacogne at powerdns.com
Wed Mar 14 11:30:40 UTC 2018


Hi Greg,

We can't see the beginning of the trace for the query, so we can't know
for sure, but if you are indeed running with dnssec=process this line
hints at the fact that the client requested validation:

"Sending out SERVFAIL for cape-epic.com|A because recursor or query
demands it for Bogus results"

Please be aware that recent versions of dig set the AD and DO bits to 1
by default, and you have to use +nodnssec +noadflag to be sure they are
not set.

Best regards,

Remi

On 03/12/2018 10:22 AM, Greg Antic wrote:
> Hi Remi,
> 
> Thanks. Yes, I read [1] during my troubleshooting. When doing a dig or just browsing from the FTTH customer, the A record would not get returned. When I "turned off" the dnssec we were answered with the A record. I tested this on versions 4.1.1 and 4.0.6.
> 
> See below the traces and journal log: the trace receives the A record, but if you specifically query it you get SERVFAIL.
> 
> Current DNSSEC config:
> dnssec=process
> dnssec-log-bogus=yes
> 
> 
> rec_control trace-regex 'cape-epic.com'
> ok
> ok
> ok
> 
> dig a cape-epic.com +trace -b 41.x.y.z
> 
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> a cape-epic.com +trace -b 41.x.y.z
> ;; global options: +cmd
> .                       3420    IN      NS      b.root-servers.net.
> .                       3420    IN      NS      e.root-servers.net.
> .                       3420    IN      NS      i.root-servers.net.
> .                       3420    IN      NS      d.root-servers.net.
> .                       3420    IN      NS      k.root-servers.net.
> .                       3420    IN      NS      m.root-servers.net.
> .                       3420    IN      NS      l.root-servers.net.
> .                       3420    IN      NS      h.root-servers.net.
> .                       3420    IN      NS      c.root-servers.net.
> .                       3420    IN      NS      g.root-servers.net.
> .                       3420    IN      NS      f.root-servers.net.
> .                       3420    IN      NS      a.root-servers.net.
> .                       3420    IN      NS      j.root-servers.net.
> .                       3420    IN      RRSIG   NS 8 0 518400 20180325050000 20180312040000 41824 . dSAaK8AjXy31BE5RQ+2a/F+ZLfOdStqejfFkKhRSyGptTP0GjSB/Q6pi vB/lI3725G+qEylD7MylOQqyvE1uA/CU3KJDNc00xbGTlEFiTbarzK6p gwbReoujqD09C3ZKGKqAkpql4LHwe5LB4kcD8eapBzs+tCFS8ioNW9kF XOpeTaeB/yJxSPS/AwQSwZGnmW/XOkh13iurfa69tOlJ/3f5Zw5FLsoQ 2u2sL2ZSFUzkBiSlPA3eLgzYiWwBubfrA7HJudhktUkK/LK4IaK+U7u/ FuBMwGyLjARCltI9Q8wR1S/x93UmEi1XF4FCRwCWE7jj1QjBv93M+q5m j8SZwQ==
> ;; Received 540 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
> 
> com.                    172800  IN      NS      d.gtld-servers.net.
> com.                    172800  IN      NS      b.gtld-servers.net.
> com.                    172800  IN      NS      k.gtld-servers.net.
> com.                    172800  IN      NS      l.gtld-servers.net.
> com.                    172800  IN      NS      e.gtld-servers.net.
> com.                    172800  IN      NS      a.gtld-servers.net.
> com.                    172800  IN      NS      j.gtld-servers.net.
> com.                    172800  IN      NS      h.gtld-servers.net.
> com.                    172800  IN      NS      m.gtld-servers.net.
> com.                    172800  IN      NS      i.gtld-servers.net.
> com.                    172800  IN      NS      f.gtld-servers.net.
> com.                    172800  IN      NS      c.gtld-servers.net.
> com.                    172800  IN      NS      g.gtld-servers.net.
> com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
> com.                    86400   IN      RRSIG   DS 8 1 86400 20180325050000 20180312040000 41824 . P1ZaS7sTZ3Cyn5XPnodl1rgsi6yZujPwnm8sWHG/pFXc3+muO+YFIe9S dF5aOqzitsIJIc4Sp3M1aRjiOakvgVPx4IiSVinBUWA84HPeZ0I+eyUK 7KUFRH24ixXGhJGjzIdj867RwatqGq64veehKAU2xUcaitysyaewEJ2K qM060xVV38rkXZA2WIpEz7fTZqyJ/7jfRmZTkixkEWfZbIWhht4OWCqa jKbNN/0poaRYa2M+rQ56OtYWwOY6ZMFvMVOSpzXZ8Y+gyYkSzhXDhceE Yd0FFEpeUyKVfUdvwG1NPj3sepkUgg8EGcqL0rKLNmOYxLMFZSx95BU+ IWmGJg==
> ;; Received 1173 bytes from 202.12.27.33#53(m.root-servers.net) in 177 ms
> 
> cape-epic.com.          172800  IN      NS      pdns11.domaincontrol.com.
> cape-epic.com.          172800  IN      NS      pdns12.domaincontrol.com.
> cape-epic.com.          86400   IN      DS      64969 8 1 2AA8209D01A6283ECBD60F083BFB552F64783536
> cape-epic.com.          86400   IN      DS      22732 8 1 ABFD3FC903A8DE4DEEC3EC90D18D936C61523BAF
> cape-epic.com.          86400   IN      RRSIG   DS 8 2 86400 20180316045929 20180309044929 46967 com. T0NAU9r4tknlWi/Vl4U1Lby4H5xWsR0I7Om6xXvppBZjxtkYxSWq7Oqp R/okDcPjKwOkDeJwLlX6WdQzEtk9G+L3vleC1NQeOAFXke9F1G5C4P+/ haNCklxBPhEoo3fJT9OABhIt1lPl1NR9PtJ3jUMhWL/m/wk90/4ZGHxu pw4=
> ;; Received 421 bytes from 192.55.83.30#53(m.gtld-servers.net) in 157 ms
> 
> cape-epic.com.          600     IN      A       154.0.167.107
> cape-epic.com.          600     IN      RRSIG   A 8 2 600 20180315200642 20180228200642 32211 cape-epic.com. Xx8/sbvlElY8Ix80/bEn9xia3algcBHNZNfaeOjj5Ly/Z0ZdrMHINR8C noTDzwJtIHreVNsygOgbQxweN/OgnZ/h5yZ4aWHiAXxfB2YB8tRx0pmv Qoq5yEkFS8vHpawW5nRfEQn3E188jVAxOIIt8kM3BaOvZheK10P5yUs1 mu0=
> cape-epic.com.          3600    IN      NS      pdns12.domaincontrol.com.
> cape-epic.com.          3600    IN      NS      pdns11.domaincontrol.com.
> cape-epic.com.          3600    IN      NS      ns.otherdns.com.
> cape-epic.com.          3600    IN      NS      ns.otherdns.net.
> cape-epic.com.          3600    IN      NS      ns.dns2.co.za.
> cape-epic.com.          3600    IN      NS      ns.dns1.co.za.
> cape-epic.com.          3600    IN      RRSIG   NS 8 2 3600 20180315200642 20180228200642 32211 cape-epic.com. cQRz7CUiv0FIF1zjZqaBX0oBrYrfpVj3NAYxjRXMiUMJpCd0s5+KItvM LSnGBtm4TIiTnG5GF0b2hpvY0UGhUHQQxFD1IETXarDeZrvJhx6qfKSJ N0QrqobqSsjTw19J39kLyvVE7OM5YqyFqj9yXC+LPXjc4xjzARNpSQNH OHw=
> ;; Received 564 bytes from 216.69.185.55#53(pdns11.domaincontrol.com) in 157 ms
> 
> dig a cape-epic.com @41.x.y.z
> 
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> a cape-epic.com @41.x.y.z
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14308
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;cape-epic.com.                 IN      A
> 
> ;; Query time: 159 msec
> ;; SERVER: 41.x.y.z#53(41.x.y.z)
> ;; WHEN: Mon Mar 12 11:15:23 SAST 2018
> ;; MSG SIZE  rcvd: 42
> 
> journalctl -u pdns-recursor -n 100
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: accept answer 'cape-epic.com|NS|ns.otherdns.com.' from 'cape-epic.com' nameservers? ttl=3600,
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: accept answer 'cape-epic.com|NS|ns.otherdns.net.' from 'cape-epic.com' nameservers? ttl=3600,
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: accept answer 'cape-epic.com|NS|ns.dns2.co.za.' from 'cape-epic.com' nameservers? ttl=3600, pl
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: accept answer 'cape-epic.com|NS|ns.dns1.co.za.' from 'cape-epic.com' nameservers? ttl=3600, pl
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: accept answer 'cape-epic.com|RRSIG|NS 8 2 3600 20180315200642 20180228200642 32211 cape-epic.c
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: OPT answer '.' from 'cape-epic.com' nameservers
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] : got status Secure for name cape-epic.com (from cape-epic.com)
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] : got initial zone status Secure for record cape-epic.com
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Validating non-additional record for cape-epic.com
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Retrieving DNSKeys for cape-epic.com
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337]  cape-epic.com: Wants DNSSEC processing, auth data in query for DNSKEY
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337]  cape-epic.com: DNSKEY is negatively cached via 'cape-epic.com' for another 1003 seconds
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337]  cape-epic.com: updating validation state with negative cache content for cape-epic.com to Bogus
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Retrieved 0 DNSKeys for cape-epic.com, state is Bogus
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] validation state was Secure, state update is Bogus, validation state is now Bogus
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] : got status Secure for name cape-epic.com (from cape-epic.com)
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] : got initial zone status Secure for record cape-epic.com
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Validating non-additional record for cape-epic.com
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Retrieving DNSKeys for cape-epic.com
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337]  cape-epic.com: Wants DNSSEC processing, auth data in query for DNSKEY
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337]  cape-epic.com: DNSKEY is negatively cached via 'cape-epic.com' for another 1003 seconds
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337]  cape-epic.com: updating validation state with negative cache content for cape-epic.com to Bogus
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Retrieved 0 DNSKeys for cape-epic.com, state is Bogus
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: determining status after receiving this packet
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: answer is in: resolved to '154.0.167.107|A'
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: got upwards/level NS record 'cape-epic.com' -> 'pdns12.domaincontrol.com.', had 'cape-epic.com
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: got upwards/level NS record 'cape-epic.com' -> 'pdns11.domaincontrol.com.', had 'cape-epic.com
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: got upwards/level NS record 'cape-epic.com' -> 'ns.otherdns.com.', had 'cape-epic.com'
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: got upwards/level NS record 'cape-epic.com' -> 'ns.otherdns.net.', had 'cape-epic.com'
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: got upwards/level NS record 'cape-epic.com' -> 'ns.dns2.co.za.', had 'cape-epic.com'
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: got upwards/level NS record 'cape-epic.com' -> 'ns.dns1.co.za.', had 'cape-epic.com'
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: status=got results, this level of recursion done
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: validation status is Bogus
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: Starting validation of answer to cape-epic.com|A for 41.x.y.z:58365
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: Answer to cape-epic.com|A for 41.x.y.z:58365 validates as Bogus
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: Sending out SERVFAIL for cape-epic.com|A because recursor or query demands it for Bogus results
> 
> -----Original Message-----
> From: Pdns-users [mailto:pdns-users-bounces at mailman.powerdns.com] On Behalf Of Remi Gacogne
> Sent: Friday, 09 March 2018 5:20 PM
> To: pdns-users at mailman.powerdns.com
> Subject: Re: [Pdns-users] dnssec domain validates as bogus
> 
> Hi Greg,
> 
> On 03/09/2018 03:44 PM, Greg Antic wrote:
>> We are running recursor 4.1.1. We are having a problem with a domain 
>> that is signed with bogus dnssec records, the domain is cape-epic.com.
>> We have tried the different dnssec modes but only process-no-validate 
>> allows the domain to be resolved. We tried adding an nta for the 
>> domain but the domain still would not resolve.
>>
>> Does anyone have any suggestions how we can accommodate and still 
>> resolve bogus domains but still offer dnssec validation?
> 
> Running with dnssec=process should only return a ServFail if the client actually asks for DNSSEC validation, as described in [1].
> Adding a NTA should also work, would you mind sharing your configuration and a trace (running with --trace or enabling it for this single domain via rec_control trace-regex 'cape-epic.com')?
> 
> 
> [1]: https://doc.powerdns.com/recursor/dnssec.html#what-when
> 
> Best regards,
> 
> --
> Remi Gacogne
> PowerDNS.COM BV - https://www.powerdns.com/
> 


-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
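Added example (my own code, not from this thread or from PowerDNS): the
point in the reply above is that under dnssec=process a Bogus answer only
becomes SERVFAIL when the client asked for validation, and that dig may
ask for it without you noticing, via the AD flag in the header and the
DO bit in the EDNS0 OPT record. The block builds query packets the way
dig does with and without those two bits, parses them back out, and
applies a simplified model of the process / validate / process-no-validate
behaviour described in the thread. The decision table in rcode_for() is my
reading of the discussion, not the recursor's code; the query name and
transaction id are just sample values.

```python
"""Build and inspect DNS queries for the AD flag and EDNS0 DO bit, then
model the dnssec=process rule from the thread. Standard library only."""
import struct

FLAG_RD = 0x0100          # header: recursion desired
FLAG_AD = 0x0020          # header: authentic data (RFC 4035, section 3.2.3)
EDNS_DO = 0x8000          # OPT TTL field: DNSSEC OK bit (RFC 3225)
TYPE_OPT = 41
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x37E4, ad=True, do=True, edns=True,
                udp_size=4096):
    """Query packet like dig's: AD in the header, DO in the OPT RR.
    ad=False, do=False corresponds to 'dig +noadflag +nodnssec'."""
    flags = FLAG_RD | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    packet = header + question
    if edns:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode / version / flags (DO is the top flag bit), RDLEN 0
        packet += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size,
                                        EDNS_DO if do else 0, 0)
    return packet


def _skip_name(packet, off):
    while True:
        length = packet[off]
        off += 1
        if length == 0:
            return off
        off += length


def parse_query_flags(packet):
    """Return (ad_set, do_set) for a query packet (uncompressed names)."""
    _txid, flags, qdcount, _an, _ns, arcount = struct.unpack("!HHHHHH",
                                                             packet[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(packet, off) + 4          # QTYPE + QCLASS
    do = False
    for _ in range(arcount):
        off = _skip_name(packet, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT and ttl & EDNS_DO:
            do = True
    return bool(flags & FLAG_AD), do


def client_wants_validation(packet):
    """Per the thread: AD=1 or DO=1 means the client asked for validation."""
    ad, do = parse_query_flags(packet)
    return ad or do


def rcode_for(packet, validation_state, mode="process"):
    """Simplified model of the recursor's dnssec modes for a Bogus answer:
    validate -> always SERVFAIL, process -> SERVFAIL only if the client
    asked, process-no-validate / off -> never. Not the real implementation."""
    if validation_state != "Bogus":
        return RCODE_NOERROR
    if mode == "validate":
        return RCODE_SERVFAIL
    if mode == "process" and client_wants_validation(packet):
        return RCODE_SERVFAIL
    return RCODE_NOERROR


if __name__ == "__main__":
    for label, ad, do in (("dig default (AD+DO)", True, True),
                          ("dig +noadflag +nodnssec", False, False)):
        q = build_query("cape-epic.com", ad=ad, do=do)
        print(label, "->", "SERVFAIL" if rcode_for(q, "Bogus") else "NOERROR")
```

Running the block shows the two outcomes Greg saw: the default dig query
gets SERVFAIL for a Bogus name under dnssec=process, the same query with
+noadflag +nodnssec gets the (unvalidated) answer. To tell the two apart
on a live resolver, compare the flags line of the response as well as the
status.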
