[Pdns-users] DNSSEC UDP problems

Pieter Lexis pieter.lexis at powerdns.com
Tue Mar 9 12:38:13 UTC 2021


Hi Steffen,

On 3/9/21 1:13 PM, Steffan via Pdns-users wrote:
> Suddenly I'm getting DNSSEC warnings.
> Any ideas what I'm missing here?
> 
> When analysing the DNS with dnsviz.net I'm seeing
> 
> " The server(s) were not responsive to queries over UDP. (2a00:1bd0:740:1:2::2, 2a00:1bd0:740:1:46::162)
> 
> I don't understand why,
> I disabled the firewall for testing
> 
> netstat -tulpn | grep pdns
> tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      861967/pdns_server
> tcp6       0      0 :::53                   :::*                    LISTEN      861967/pdns_server
> udp        0      0 0.0.0.0:11597           0.0.0.0:*                           861967/pdns_server
> udp        0      0 0.0.0.0:53              0.0.0.0:*                           861967/pdns_server
> udp6       0      0 :::12790                :::*                                861967/pdns_server
> udp6       0      0 :::53                   :::*                                861967/pdns_server

From my vantage points (multiple networks) I can reach those nameservers
over IPv6. If SIDN or DNSVIZ can't, there probably is an issue with the
IPv6 routing along the path from them to your nameservers. Problems like
this _usually_ mean a network, firewall, or middle-box is doing things
to either the incoming query or the outgoing response from the nameserver.

However, your actual problem is this message:

crazyforprint.nl/A: No RRSIG covering the RRset was returned in the
response. (5.22.255.2, 46.182.222.162, UDP_-_EDNS0_4096_D_KN)

This is the case over v4 _and_ v6. The zone is signed, but no RRSIG is
sent on the response for the A record of crazyforprint.nl. Can you
describe your setup, including the full configuration of PowerDNS
(without passwords)? Can you also check what `pdnsutil check-zone
crazyforprint.nl` and `pdnsutil show-zone crazyforprint.nl` report?

The SOA and DNSKEY responses do carry RRSIGs, which is weird though. Is
there a cache or middle box in front of the auth that strips these?

Cheers,

Pieter
-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
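As an added example (not from this thread and not PowerDNS code), a stdlib-only Python probe for the check dnsviz performed above: it builds the same kind of query (UDP, EDNS0 with a 4096-byte buffer and the DO bit) and reports which answer RR types come back without a covering RRSIG. `sample_response` is a constructed wire answer for offline testing, not a capture from the servers in the thread; the A rdata it carries is just the 5.22.255.2 address quoted above.

```python
import socket, struct

def build_do_query(qname, qtype=1, txid=0x2A2A, bufsize=4096):
    """RD query plus an EDNS0 OPT RR: CLASS = UDP payload size, DO bit (0x8000) in the TTL field."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)    # RD set, 1 question, 1 additional
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x00008000, 0)
    return header + name + struct.pack("!HH", qtype, 1) + opt
def skip_name(buf, off):
    """Offset just past a name; a compression pointer (top two bits set) is 2 bytes and ends it."""
    while buf[off] and buf[off] & 0xC0 != 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] & 0xC0 else 1)
def answer_records(wire):
    """Yield (rtype, rdata) for every RR in the answer section of a wire-format response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(wire, off) + 4                          # QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(wire, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10
        yield rtype, wire[off:off + rdlen]
        off += rdlen
def uncovered_types(wire):
    """Answer RR types that no RRSIG in the same section covers; empty set means all signed."""
    present, covered = set(), set()
    for rtype, rdata in answer_records(wire):
        if rtype == 46:                                         # RRSIG: first 2 rdata bytes = type covered
            covered.add(struct.unpack("!H", rdata[:2])[0])
        else:
            present.add(rtype)
    return present - covered
def query_udp(server, qname, timeout=3.0):
    """Send the DO query to server:53 over plain UDP (IPv4 or IPv6) and return the raw response."""
    with socket.socket(socket.AF_INET6 if ":" in server else socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_do_query(qname), (server, 53))
        return s.recv(4096)
def sample_response(qname, signed):
    """Constructed answer for offline testing (not a capture): one A RR, optionally plus its RRSIG."""
    question = build_do_query(qname)[12:-11]                    # drop header and the 11-byte OPT RR
    header = struct.pack("!HHHHHH", 0x2A2A, 0x8180, 1, 2 if signed else 1, 0, 0)
    rrs = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([5, 22, 255, 2])
    if signed:  # RRSIG rdata: covered=A, alg 13, labels 2, ttl, exp, inc, keytag, signer ".", dummy sig
        sig = struct.pack("!HBBIIIH", 1, 13, 2, 3600, 0, 0, 12345) + b"\x00" + b"\x00" * 8
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 46, 1, 3600, len(sig)) + sig
    return header + question + rrs
```

`uncovered_types(query_udp("46.182.222.162", "crazyforprint.nl"))` runs the live check against one of the addresses dnsviz named; a non-empty result (here `{1}`, the A type) confirms the RRSIG is really absent on the wire rather than being dropped by dnsviz's own path.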

