I'm running a DNS server on a LAN because I don't want an external point of failure for resolution of a bunch of private subdomains, which don't need to be listed in public DNS, anyway.
I have one view set up that resolves our domain or otherwise forwards to our ISP's DNS servers.
It normally works without issue, but currently cannot reach any .co domain unless DNSSEC is disabled, and I take it I shouldn't do that.
I updated /etc/bind/bind.keys.
How do I debug the cause of the failure? To me it just looks like the RRSIG record has dodgy NS data, or there's some other network failure with the nsX.cctld.co servers, but I don't know nearly enough to resolve it.
# rndc validation check
DNSSEC validation is enabled (view privateservers)
# dig +trace do.co
; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace do.co
;; global options: +cmd
. 77153 IN NS g.root-servers.net.
. 77153 IN NS a.root-servers.net.
. 77153 IN NS m.root-servers.net.
. 77153 IN NS h.root-servers.net.
. 77153 IN NS k.root-servers.net.
. 77153 IN NS j.root-servers.net.
. 77153 IN NS c.root-servers.net.
. 77153 IN NS b.root-servers.net.
. 77153 IN NS f.root-servers.net.
. 77153 IN NS d.root-servers.net.
. 77153 IN NS e.root-servers.net.
. 77153 IN NS l.root-servers.net.
. 77153 IN NS i.root-servers.net.
;; Received 239 bytes from 192.168.20.1#53(192.168.20.1) in 1 ms
co. 172800 IN NS ns1.cctld.co.
co. 172800 IN NS ns2.cctld.co.
co. 172800 IN NS ns3.cctld.co.
co. 172800 IN NS ns4.cctld.co.
co. 172800 IN NS ns5.cctld.co.
co. 172800 IN NS ns6.cctld.co.
co. 86400 IN DS 21754 8 2 C30634014C0752DA93B0633ED4CE641B63826A5DED820027F4117CA0 C32050A0
co. 86400 IN DS 21754 8 1 8B9B8FDA21B4CF6FC3E97A31FC0D77C1CB7E70EE
co. 86400 IN DS 10384 8 1 DF157833AAD57F3561F3A47F178BA46E7E7183DC
co. 86400 IN DS 10384 8 2 A76358B4C22E95C2C4A56DB8ADC923779E0829142D7C51B04E54769C 86407D70
co. 86400 IN RRSIG DS 8 1 86400 20170826170000 20170813160000 15768 . N8hBVmcw3geU/EqNR2fqWH2rd9v5cdGfZ44h5sxPmreta1SZPupsq3RV FN37fZfKuzcwN7Obe3eE6k3Mxn0KyzGY/cF4wnqCD7HWBrvfz50b1yxD REitHlhKt6ZqC/NPaa5NGa6tWyeKuhD/D3tc74rK95eVnfCWmTY1PFth QoB8IZJFw2UIO8bS9Zpd82im1wHP9PRRF8nWUFYd4rOI6LU6ahCsckij HngqmuLFvfsZeRXY/yAzImy1REbSqAon/RGCsckoeuXs4rLBq7QUxLeA W2GcmczUkxspQciGsK71WgFrRyl2o6NrvlsmTO9XHQ2OVccSp8Ee29FY ukm6wA==
couldn't get address for 'ns1.cctld.co': failure
couldn't get address for 'ns2.cctld.co': failure
couldn't get address for 'ns3.cctld.co': failure
couldn't get address for 'ns4.cctld.co': failure
couldn't get address for 'ns5.cctld.co': failure
couldn't get address for 'ns6.cctld.co': failure
dig: couldn't get address for 'ns1.cctld.co': no more
Then I disable validation and I get this:
# rndc validation off
# dig +trace do.co
; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace do.co
;; global options: +cmd
. 84407 IN NS m.root-servers.net.
. 84407 IN NS g.root-servers.net.
. 84407 IN NS a.root-servers.net.
. 84407 IN NS k.root-servers.net.
. 84407 IN NS i.root-servers.net.
. 84407 IN NS b.root-servers.net.
. 84407 IN NS l.root-servers.net.
. 84407 IN NS f.root-servers.net.
. 84407 IN NS d.root-servers.net.
. 84407 IN NS j.root-servers.net.
. 84407 IN NS c.root-servers.net.
. 84407 IN NS h.root-servers.net.
. 84407 IN NS e.root-servers.net.
;; Received 239 bytes from 192.168.20.1#53(192.168.20.1) in 1 ms
co. 172800 IN NS ns1.cctld.co.
co. 172800 IN NS ns2.cctld.co.
co. 172800 IN NS ns3.cctld.co.
co. 172800 IN NS ns4.cctld.co.
co. 172800 IN NS ns5.cctld.co.
co. 172800 IN NS ns6.cctld.co.
co. 86400 IN DS 10384 8 1 DF157833AAD57F3561F3A47F178BA46E7E7183DC
co. 86400 IN DS 10384 8 2 A76358B4C22E95C2C4A56DB8ADC923779E0829142D7C51B04E54769C 86407D70
co. 86400 IN DS 21754 8 1 8B9B8FDA21B4CF6FC3E97A31FC0D77C1CB7E70EE
co. 86400 IN DS 21754 8 2 C30634014C0752DA93B0633ED4CE641B63826A5DED820027F4117CA0 C32050A0
co. 86400 IN RRSIG DS 8 1 86400 20170826170000 20170813160000 15768 . N8hBVmcw3geU/EqNR2fqWH2rd9v5cdGfZ44h5sxPmreta1SZPupsq3RV FN37fZfKuzcwN7Obe3eE6k3Mxn0KyzGY/cF4wnqCD7HWBrvfz50b1yxD REitHlhKt6ZqC/NPaa5NGa6tWyeKuhD/D3tc74rK95eVnfCWmTY1PFth QoB8IZJFw2UIO8bS9Zpd82im1wHP9PRRF8nWUFYd4rOI6LU6ahCsckij HngqmuLFvfsZeRXY/yAzImy1REbSqAon/RGCsckoeuXs4rLBq7QUxLeA W2GcmczUkxspQciGsK71WgFrRyl2o6NrvlsmTO9XHQ2OVccSp8Ee29FY ukm6wA==
;; Received 867 bytes from 192.5.5.241#53(f.root-servers.net) in 19 ms
do.co. 7200 IN NS walt.ns.cloudflare.com.
do.co. 7200 IN NS kim.ns.cloudflare.com.
131vnuv1malje6dnud9fsaqdrqcs5i91.co. 86400 IN NSEC3 1 1 1 F873A2F5 1356V3361NJ2BQROG5HKD76E66S04L02 NS SOA RRSIG DNSKEY NSEC3PARAM
131vnuv1malje6dnud9fsaqdrqcs5i91.co. 86400 IN RRSIG NSEC3 8 2 86400 20170821234143 20170722233946 63993 co. E8Sg+iSMx1zSNIfC7eDVbBE+TSIg4W58SDPqwXA04EjPlpdubb7cakdv bvwdjBdWpyb+No7SLByqKNnQN7BsYvvdmLsDpbAEGcQ+agXmUwImddDa 9J/2VkOiNkiKYgI174elEuitoWhQH6PVSwO6Nb1nBl4o9em0v9zGhbYA 2Jy6VLKWNYL6bh9CNSGJsl4NthISx9nBZKwBQ7vNnZ/mrQ==
pte00qfgi7b6087qivojmk9kqr2u6gka.co. 86400 IN NSEC3 1 1 1 F873A2F5 PTRFFSEIBU5MCNK4CRV8JFRTQ7QB3I0G NS DS RRSIG
pte00qfgi7b6087qivojmk9kqr2u6gka.co. 86400 IN RRSIG NSEC3 8 2 86400 20170827152341 20170728142341 63993 co. hSH7UQuVYYdfZdKjh8q98boxNOVaE/j8DlWVHcWT17Q3Zb5+m7xDJRQ9 42KaaIla3rZ6e7RYy1qXWh+6VFB5KRxv9ec2RAuYPNB/9XJe2IdlnsE4 t1IqGFo+O4ZY5mlj+QxMcLrx3FlM9ZzSzat9SlS6sSxv7w+0s/yuIMqv 3ZjXqjHYdDgshA+g71QjoSqS3jz0a/muAiznNfuc+Qclcw==
;; Received 643 bytes from 156.154.101.25#53(ns2.cctld.co) in 229 ms
do.co. 300 IN A 67.199.248.13
do.co. 300 IN A 67.199.248.12
;; Received 66 bytes from 173.245.59.148#53(walt.ns.cloudflare.com) in 27 ms
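The trace above already contains the two pieces of data that usually explain a validation failure at a delegation: the DS set the root publishes for co. and the RRSIG over it, with its validity window. What is missing is the child's DNSKEY set, and a check that at least one DS actually matches one of those keys (RFC 4034, section 5.1.4 and Appendix B), plus a check that the resolver's clock falls inside the RRSIG window, since a skewed clock produces the same SERVFAIL as a broken chain. The script below is an added example, not code from the question's author or from BIND; it uses the DS records and RRSIG timestamps printed in the trace, while the DNSKEY it checks against is a constructed placeholder (not the real co. key) so that it runs offline. All function names are my own. To run it against live data, fetch the keys from an authority for co. by address, since the failing resolver cannot resolve the nameserver names (156.154.101.25 is ns2.cctld.co in the trace): `dig +norecurse +multi DNSKEY co. @156.154.101.25`, and paste the flags/protocol/algorithm/base64 fields into `CHILD_DNSKEYS`.

```python
import base64
import hashlib
import struct
from datetime import datetime, timezone

# DS records for co. exactly as the root servers returned them in the trace above.
TRACE_DS_LINES = [
    "co. 86400 IN DS 21754 8 2 C30634014C0752DA93B0633ED4CE641B63826A5DED820027F4117CA0 C32050A0",
    "co. 86400 IN DS 21754 8 1 8B9B8FDA21B4CF6FC3E97A31FC0D77C1CB7E70EE",
    "co. 86400 IN DS 10384 8 1 DF157833AAD57F3561F3A47F178BA46E7E7183DC",
    "co. 86400 IN DS 10384 8 2 A76358B4C22E95C2C4A56DB8ADC923779E0829142D7C51B04E54769C 86407D70",
]
# Header fields of the RRSIG over that DS set, from the same trace; the signature
# body is replaced by a placeholder because only the timestamps are needed here.
TRACE_RRSIG_LINE = "co. 86400 IN RRSIG DS 8 1 86400 20170826170000 20170813160000 15768 . <sig>"

# CONSTRUCTED placeholder KSK (flags 257, protocol 3, RSASHA256). It is NOT the real
# co. key; replace with the DNSKEY records served by the co. authorities.
CHILD_DNSKEYS = [
    (257, 3, 8, base64.b64encode(bytes(range(3, 70))).decode("ascii")),
]


def parse_dig_ds(line):
    """'owner TTL IN DS tag alg dtype hex...' -> (tag, alg, dtype, hex).
    dig wraps long digests with spaces, so the hex fields are joined."""
    f = line.split()
    assert f[3] == "DS", line
    return int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]).upper()


def parse_dig_rrsig(line):
    """dig RRSIG line -> (expiration, inception, key_tag, signer)."""
    f = line.split()
    assert f[3] == "RRSIG", line
    return f[8], f[9], int(f[10]), f[11]


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase length-prefixed labels, root = 0x00."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").lower().split(".") if l)
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: the 16-bit id carried by DS and RRSIG records."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def make_ds(owner, flags, protocol, algorithm, key_b64, digest_type):
    """DS = (key tag, algorithm, digest type, hash(owner wire form || DNSKEY RDATA))."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches(owner, flags, protocol, algorithm, key_b64, parent_ds):
    """True if the parent's DS record is reproduced by this child DNSKEY."""
    tag, alg, dtype, digest = parent_ds
    if dtype not in DIGEST_ALGS:
        return False
    return make_ds(owner, flags, protocol, algorithm, key_b64, dtype) == \
        (tag, alg, dtype, digest.replace(" ", "").upper())


def unmatched_parent_ds(owner, dnskeys, parent_ds_set):
    """Parent DS records that no child DNSKEY reproduces. If every DS is unmatched,
    the chain of trust from the parent into this zone is broken (e.g. a key
    rollover whose DS was not updated)."""
    return [ds for ds in parent_ds_set if not any(ds_matches(owner, *k, ds) for k in dnskeys)]


def rrsig_window(expiration, inception, now=None):
    """Compare an RRSIG's UTC validity window (YYYYMMDDHHMMSS) with the local clock.
    Returns 'ok', 'expired' or 'not-yet-valid'; the latter two usually mean clock skew
    on the validator rather than a real signature problem."""
    to_dt = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    exp, inc = to_dt(expiration), to_dt(inception)
    now = datetime.now(timezone.utc) if now is None else (to_dt(now) if isinstance(now, str) else now)
    if now < inc:
        return "not-yet-valid"
    if now > exp:
        return "expired"
    return "ok"


if __name__ == "__main__":
    parent = [parse_dig_ds(l) for l in TRACE_DS_LINES]
    exp, inc, tag, signer = parse_dig_rrsig(TRACE_RRSIG_LINE)
    print("RRSIG by key", tag, "of", signer, "valid", inc, "..", exp, "->", rrsig_window(exp, inc))
    bad = unmatched_parent_ds("co.", CHILD_DNSKEYS, parent)
    for ds in parent:
        print("DS tag", ds[0], "digest type", ds[2], "unmatched" if ds in bad else "MATCHED")
    if len(bad) == len(parent):
        print("no DS links to a served DNSKEY: chain of trust broken at the co. delegation")
```

With the placeholder key every DS comes back unmatched, which is what a broken delegation looks like; with the real DNSKEY set at least one DS for tag 21754 or 10384 should match. If both checks pass, the problem is more likely on the resolver side (clock, forwarding through an ISP resolver that strips DNSSEC data, or a stale trust anchor), and BIND 9.10's `delv +vtrace` will show which validation step fails.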