[Pdns-users] dnssec domain validates as bogus

Greg Antic greg.antic at stc.za.com
Wed Mar 14 12:35:10 UTC 2018


Hi Remi,

I posted all the outputs without removing anything. Are you referring to the rec_control trace? If so, that is all that was output.

I note in the logs:
[14337] Retrieving DNSKeys for cape-epic.com
Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337]  cape-epic.com: Wants DNSSEC processing, auth data in query for DNSKEY

The website is saying it wants DNSSEC processing. I don’t believe the problem is coming from the client side. 

-----Original Message-----
From: Pdns-users [mailto:pdns-users-bounces at mailman.powerdns.com] On Behalf Of Remi Gacogne
Sent: Wednesday, 14 March 2018 1:31 PM
To: pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] dnssec domain validates as bogus

Hi Greg,

We can't see the beginning of the trace for the query so we can't know for sure, but if you are indeed running with dnssec=process this line hints at the fact that the client requested validation:

"Sending out SERVFAIL for cape-epic.com|A because recursor or query demands it for Bogus results"

Please be aware that recent versions of dig set the AD and DO bits to 1 by default, and you have to use +nodnssec +noadflag to be sure they are not set.

Best regards,

Remi

On 03/12/2018 10:22 AM, Greg Antic wrote:
> Hi Remi,
> 
> Thanks. Yes, I read [1] during my troubleshooting. When doing a dig or just browsing from the FTTH customer, the A record would not get returned. When I "turned off" the dnssec, we were answered with the A record. I tested this on version 4.1.1 and 4.0.6.
> 
> See below the traces and journal log: the trace receives the A record, but
> if you specifically query it you get SERVFAIL.
> 
> Current DNSSEC config:
> dnssec=process
> dnssec-log-bogus=yes
> 
> 
> rec_control trace-regex 'cape-epic.com'
> ok
> ok
> ok
> 
> dig a cape-epic.com +trace -b 41.x.y.z
> 
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> a cape-epic.com +trace -b 41.x.y.z
> ;; global options: +cmd
> .                       3420    IN      NS      b.root-servers.net.
> .                       3420    IN      NS      e.root-servers.net.
> .                       3420    IN      NS      i.root-servers.net.
> .                       3420    IN      NS      d.root-servers.net.
> .                       3420    IN      NS      k.root-servers.net.
> .                       3420    IN      NS      m.root-servers.net.
> .                       3420    IN      NS      l.root-servers.net.
> .                       3420    IN      NS      h.root-servers.net.
> .                       3420    IN      NS      c.root-servers.net.
> .                       3420    IN      NS      g.root-servers.net.
> .                       3420    IN      NS      f.root-servers.net.
> .                       3420    IN      NS      a.root-servers.net.
> .                       3420    IN      NS      j.root-servers.net.
> .                       3420    IN      RRSIG   NS 8 0 518400 20180325050000 20180312040000 41824 . dSAaK8AjXy31BE5RQ+2a/F+ZLfOdStqejfFkKhRSyGptTP0GjSB/Q6pi vB/lI3725G+qEylD7MylOQqyvE1uA/CU3KJDNc00xbGTlEFiTbarzK6p gwbReoujqD09C3ZKGKqAkpql4LHwe5LB4kcD8eapBzs+tCFS8ioNW9kF XOpeTaeB/yJxSPS/AwQSwZGnmW/XOkh13iurfa69tOlJ/3f5Zw5FLsoQ 2u2sL2ZSFUzkBiSlPA3eLgzYiWwBubfrA7HJudhktUkK/LK4IaK+U7u/ FuBMwGyLjARCltI9Q8wR1S/x93UmEi1XF4FCRwCWE7jj1QjBv93M+q5m j8SZwQ==
> ;; Received 540 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
> 
> com.                    172800  IN      NS      d.gtld-servers.net.
> com.                    172800  IN      NS      b.gtld-servers.net.
> com.                    172800  IN      NS      k.gtld-servers.net.
> com.                    172800  IN      NS      l.gtld-servers.net.
> com.                    172800  IN      NS      e.gtld-servers.net.
> com.                    172800  IN      NS      a.gtld-servers.net.
> com.                    172800  IN      NS      j.gtld-servers.net.
> com.                    172800  IN      NS      h.gtld-servers.net.
> com.                    172800  IN      NS      m.gtld-servers.net.
> com.                    172800  IN      NS      i.gtld-servers.net.
> com.                    172800  IN      NS      f.gtld-servers.net.
> com.                    172800  IN      NS      c.gtld-servers.net.
> com.                    172800  IN      NS      g.gtld-servers.net.
> com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
> com.                    86400   IN      RRSIG   DS 8 1 86400 20180325050000 20180312040000 41824 . P1ZaS7sTZ3Cyn5XPnodl1rgsi6yZujPwnm8sWHG/pFXc3+muO+YFIe9S dF5aOqzitsIJIc4Sp3M1aRjiOakvgVPx4IiSVinBUWA84HPeZ0I+eyUK 7KUFRH24ixXGhJGjzIdj867RwatqGq64veehKAU2xUcaitysyaewEJ2K qM060xVV38rkXZA2WIpEz7fTZqyJ/7jfRmZTkixkEWfZbIWhht4OWCqa jKbNN/0poaRYa2M+rQ56OtYWwOY6ZMFvMVOSpzXZ8Y+gyYkSzhXDhceE Yd0FFEpeUyKVfUdvwG1NPj3sepkUgg8EGcqL0rKLNmOYxLMFZSx95BU+ IWmGJg==
> ;; Received 1173 bytes from 202.12.27.33#53(m.root-servers.net) in 177 ms
> 
> cape-epic.com.          172800  IN      NS      pdns11.domaincontrol.com.
> cape-epic.com.          172800  IN      NS      pdns12.domaincontrol.com.
> cape-epic.com.          86400   IN      DS      64969 8 1 2AA8209D01A6283ECBD60F083BFB552F64783536
> cape-epic.com.          86400   IN      DS      22732 8 1 ABFD3FC903A8DE4DEEC3EC90D18D936C61523BAF
> cape-epic.com.          86400   IN      RRSIG   DS 8 2 86400 20180316045929 20180309044929 46967 com. T0NAU9r4tknlWi/Vl4U1Lby4H5xWsR0I7Om6xXvppBZjxtkYxSWq7Oqp R/okDcPjKwOkDeJwLlX6WdQzEtk9G+L3vleC1NQeOAFXke9F1G5C4P+/ haNCklxBPhEoo3fJT9OABhIt1lPl1NR9PtJ3jUMhWL/m/wk90/4ZGHxu pw4=
> ;; Received 421 bytes from 192.55.83.30#53(m.gtld-servers.net) in 157 ms
> 
> cape-epic.com.          600     IN      A       154.0.167.107
> cape-epic.com.          600     IN      RRSIG   A 8 2 600 20180315200642 20180228200642 32211 cape-epic.com. Xx8/sbvlElY8Ix80/bEn9xia3algcBHNZNfaeOjj5Ly/Z0ZdrMHINR8C noTDzwJtIHreVNsygOgbQxweN/OgnZ/h5yZ4aWHiAXxfB2YB8tRx0pmv Qoq5yEkFS8vHpawW5nRfEQn3E188jVAxOIIt8kM3BaOvZheK10P5yUs1 mu0=
> cape-epic.com.          3600    IN      NS      pdns12.domaincontrol.com.
> cape-epic.com.          3600    IN      NS      pdns11.domaincontrol.com.
> cape-epic.com.          3600    IN      NS      ns.otherdns.com.
> cape-epic.com.          3600    IN      NS      ns.otherdns.net.
> cape-epic.com.          3600    IN      NS      ns.dns2.co.za.
> cape-epic.com.          3600    IN      NS      ns.dns1.co.za.
> cape-epic.com.          3600    IN      RRSIG   NS 8 2 3600 20180315200642 20180228200642 32211 cape-epic.com. cQRz7CUiv0FIF1zjZqaBX0oBrYrfpVj3NAYxjRXMiUMJpCd0s5+KItvM LSnGBtm4TIiTnG5GF0b2hpvY0UGhUHQQxFD1IETXarDeZrvJhx6qfKSJ N0QrqobqSsjTw19J39kLyvVE7OM5YqyFqj9yXC+LPXjc4xjzARNpSQNH OHw=
> ;; Received 564 bytes from 216.69.185.55#53(pdns11.domaincontrol.com) in 157 ms
> 
> dig a cape-epic.com @41.x.y.z
> 
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> a cape-epic.com @41.x.y.z
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14308
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;cape-epic.com.                 IN      A
> 
> ;; Query time: 159 msec
> ;; SERVER: 41.x.y.z#53(41.x.y.z)
> ;; WHEN: Mon Mar 12 11:15:23 SAST 2018
> ;; MSG SIZE  rcvd: 42
> 
> journalctl -u pdns-recursor -n 100
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: accept answer 'cape-epic.com|NS|ns.otherdns.com.' from 'cape-epic.com' nameservers? ttl=3600,
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: accept answer 'cape-epic.com|NS|ns.otherdns.net.' from 'cape-epic.com' nameservers? ttl=3600,
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: accept answer 'cape-epic.com|NS|ns.dns2.co.za.' from 'cape-epic.com' nameservers? ttl=3600, pl
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: accept answer 'cape-epic.com|NS|ns.dns1.co.za.' from 'cape-epic.com' nameservers? ttl=3600, pl
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: accept answer 'cape-epic.com|RRSIG|NS 8 2 3600 20180315200642 20180228200642 32211 cape-epic.c
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: OPT answer '.' from 'cape-epic.com' nameservers
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] : got status Secure for name cape-epic.com (from cape-epic.com)
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] : got initial zone status Secure for record cape-epic.com
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Validating non-additional record for cape-epic.com
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Retrieving DNSKeys for cape-epic.com
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337]  cape-epic.com: Wants DNSSEC processing, auth data in query for DNSKEY
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337]  cape-epic.com: DNSKEY is negatively cached via 'cape-epic.com' for another 1003 seconds
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337]  cape-epic.com: updating validation state with negative cache content for cape-epic.com to Bogus
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Retrieved 0 DNSKeys for cape-epic.com, state is Bogus
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] validation state was Secure, state update is Bogus, validation state is now Bogus
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] : got status Secure for name cape-epic.com (from cape-epic.com)
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] : got initial zone status Secure for record cape-epic.com
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Validating non-additional record for cape-epic.com
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Retrieving DNSKeys for cape-epic.com
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337]  cape-epic.com: Wants DNSSEC processing, auth data in query for DNSKEY
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337]  cape-epic.com: DNSKEY is negatively cached via 'cape-epic.com' for another 1003 seconds
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337]  cape-epic.com: updating validation state with negative cache content for cape-epic.com to Bogus
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] Retrieved 0 DNSKeys for cape-epic.com, state is Bogus
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: determining status after receiving this packet
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: answer is in: resolved to '154.0.167.107|A'
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: got upwards/level NS record 'cape-epic.com' -> 'pdns12.domaincontrol.com.', had 'cape-epic.com
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: got upwards/level NS record 'cape-epic.com' -> 'pdns11.domaincontrol.com.', had 'cape-epic.com
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: got upwards/level NS record 'cape-epic.com' -> 'ns.otherdns.com.', had 'cape-epic.com'
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: got upwards/level NS record 'cape-epic.com' -> 'ns.otherdns.net.', had 'cape-epic.com'
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: got upwards/level NS record 'cape-epic.com' -> 'ns.dns2.co.za.', had 'cape-epic.com'
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: got upwards/level NS record 'cape-epic.com' -> 'ns.dns1.co.za.', had 'cape-epic.com'
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: status=got results, this level of recursion done
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: [14337] cape-epic.com: validation status is Bogus
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: Starting validation of answer to cape-epic.com|A for 41.x.y.z:58365
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: Answer to cape-epic.com|A for 41.x.y.z:58365 validates as Bogus
> Mar 12 11:15:23 ns4.hosted.bz pdns_recursor[1404]: Sending out SERVFAIL for cape-epic.com|A because recursor or query demands it for Bogus results
> 
> -----Original Message-----
> From: Pdns-users [mailto:pdns-users-bounces at mailman.powerdns.com] On 
> Behalf Of Remi Gacogne
> Sent: Friday, 09 March 2018 5:20 PM
> To: pdns-users at mailman.powerdns.com
> Subject: Re: [Pdns-users] dnssec domain validates as bogus
> 
> Hi Greg,
> 
> On 03/09/2018 03:44 PM, Greg Antic wrote:
>> We are running recursor 4.1.1. We are having a problem with a domain 
>> that is signed with bogus dnssec records, the domain is cape-epic.com.
>> We have tried the different dnssec modes but only process-no-validate 
>> allows the domain to be resolved. We tried adding an nta for the 
>> domain but the domain still would not resolve.
>>
>> Does anyone have any suggestions how we can accommodate and still 
>> resolve bogus domains but still offer dnssec validation?
> 
> Running with dnssec=process should only return a ServFail if the client actually asks for DNSSEC validation, as described in [1].
> Adding an NTA should also work. Would you mind sharing your configuration and a trace (running with --trace or enabling it for this single domain via rec_control trace-regex 'cape-epic.com')?
> 
> 
> [1]: https://doc.powerdns.com/recursor/dnssec.html#what-when
> 
> Best regards,
> 
> --
> Remi Gacogne
> PowerDNS.COM BV - https://www.powerdns.com/
> 


--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
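Added example for this thread, not PowerDNS code and not from either poster: it builds the query that `dig a cape-epic.com` puts on the wire, shows where the AD bit (DNS header) and the DO bit (OPT record TTL field) actually live, and applies the dnssec=process rule Remi describes, SERVFAIL on Bogus data only when the client asked for validation, with and without a negative trust anchor. Two things in the thread's own dig output support the reading that the AD bit, not DO, triggered validation: the SERVFAIL reply carries no `do` in its OPT flags, and its size is 42 bytes, which is exactly header + one question + empty OPT, the same size the builder below produces. The CD-bit handling and the NTA suffix match are my assumptions, marked in the code.

```python
# Added example (not from the PowerDNS thread or project): build the query that
# `dig a cape-epic.com` puts on the wire, locate the AD and DO bits in it, and
# apply the dnssec=process rule (SERVFAIL on Bogus only when the client asked
# for validation). CD handling and NTA suffix matching are assumptions.
import struct

QNAME = "cape-epic.com"   # domain from the thread
QTYPE_A, QCLASS_IN, TYPE_OPT = 1, 1, 41
FLAG_RD, FLAG_AD, FLAG_CD = 0x0100, 0x0020, 0x0010   # header flag bits (RFC 1035/4035)
OPT_DO = 0x8000                                        # DO bit in the OPT TTL field (RFC 3225)


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, qtype: int, *, ad=False, cd=False, do=False,
                txid=0x37E4, udp_size=4096) -> bytes:
    """One question, RD set, plus an OPT record carrying the DO bit if requested."""
    flags = FLAG_RD | (FLAG_AD if ad else 0) | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)   # 1 question, 1 additional (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = ext-rcode | version | DO | Z, RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, OPT_DO if do else 0, 0)
    return header + question + opt


def parse_query_flags(packet: bytes) -> dict:
    """Return the AD/CD header bits and the DO bit of the OPT record, if present."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    pos = 12
    for _ in range(qd):                         # skip question name + type/class
        while packet[pos] != 0:
            pos += packet[pos] + 1
        pos += 1 + 4
    do = False
    for _ in range(an + ns + ar):               # walk the RRs looking for OPT
        if packet[pos] & 0xC0 == 0xC0:          # compression pointer: 2 bytes
            pos += 2
        else:
            while packet[pos] != 0:
                pos += packet[pos] + 1
            pos += 1
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & OPT_DO)
    return {"ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD), "do": do}


def under_nta(name: str, ntas) -> bool:
    """Assumption: an NTA covers the name itself and everything below it."""
    name = name.rstrip(".").lower()
    return any(name == n or name.endswith("." + n)
               for n in (x.rstrip(".").lower() for x in ntas))


def process_mode_outcome(name: str, validation_state: str, q: dict, ntas=()) -> str:
    """dnssec=process: only a client that set AD or DO gets SERVFAIL for Bogus data.
    Assumptions: a client setting CD ('checking disabled') is not demanding
    validation, and a name under an NTA is never treated as Bogus."""
    if under_nta(name, ntas):
        return "NOERROR"
    client_demands = (q["ad"] or q["do"]) and not q["cd"]
    return "SERVFAIL" if validation_state == "Bogus" and client_demands else "NOERROR"


# The dig variants discussed in the thread, as wire queries.
def dig_default() -> bytes:            # AD set, as Remi notes recent dig does by default
    return build_query(QNAME, QTYPE_A, ad=True)

def dig_nodnssec_noadflag() -> bytes:  # dig +nodnssec +noadflag: neither bit
    return build_query(QNAME, QTYPE_A)

def dig_dnssec() -> bytes:             # dig +dnssec: DO on (AD kept on as well)
    return build_query(QNAME, QTYPE_A, ad=True, do=True)


def demo(state="Bogus", ntas=()) -> dict:
    """Map each dig variant to (parsed flags, recursor outcome) for one validation state."""
    out = {}
    for label, pkt in (("default", dig_default()),
                       ("+nodnssec +noadflag", dig_nodnssec_noadflag()),
                       ("+dnssec", dig_dnssec())):
        q = parse_query_flags(pkt)
        out[label] = (q, process_mode_outcome(QNAME, state, q, ntas))
    return out


if __name__ == "__main__":
    for label, (q, rc) in demo().items():
        print(f"{label:22s} ad={q['ad']!s:5} do={q['do']!s:5} -> {rc}")
    print("with NTA:", {k: v[1] for k, v in demo(ntas=["cape-epic.com"]).items()})
```

Run against the live recursor, the same three cases are `dig a cape-epic.com @41.x.y.z` (AD set), the same with `+nodnssec +noadflag` (neither bit, so dnssec=process must answer), and with `+dnssec` (DO set). The NTA path corresponds to `rec_control add-nta cape-epic.com 'broken DNSKEY'` on the recursor; if the domain still fails after that, the NTA is not matching the name being validated, which is what a trace-regex run would show.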