Responses from our nameserver are intermittently missing RRSIG records despite being requested. All other associated records (such as A records) are returned OK. Consequently DNSSEC validation fails. The example below is for paypal, but I believe it is not an issue with their nameservers, as when querying their nameservers directly I cannot reproduce the issue.
$ dig +dnssec api.paypal.com @internalnameserver
Wed May 11 17:35:22 BST 2016
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> +dnssec api.paypal.com @internalnameserver
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9849
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;api.paypal.com. IN A
;; ANSWER SECTION:
api.paypal.com.		47	IN	A	173.0.84.98
api.paypal.com.		47	IN	A	173.0.88.98
api.paypal.com.		47	IN	A	173.0.92.23
;; AUTHORITY SECTION:
paypal.com.		47	IN	NS	ns4.p57.dynect.net.
paypal.com.		47	IN	NS	ns3.p57.dynect.net.
paypal.com.		47	IN	NS	ns2.p57.dynect.net.
paypal.com.		47	IN	NS	ns1.p57.dynect.net.
;; ADDITIONAL SECTION:
ns1.p57.dynect.net.	83856	IN	A	208.78.70.57
ns2.p57.dynect.net.	83856	IN	A	204.13.250.57
ns3.p57.dynect.net.	83856	IN	A	208.78.71.57
ns4.p57.dynect.net.	83856	IN	A	204.13.251.57
;; Query time: 0 msec
;; SERVER: 172.16.0.2#53(172.16.0.2)
;; WHEN: Wed May 11 17:35:25 2016
;; MSG SIZE rcvd: 241
RRSIG records are missing; however, when querying the paypal NS directly they are present:
$ dig +dnssec api.paypal.com @ns1.p57.dynect.net
; <<>> DiG 9.5.1-P3 <<>> +dnssec api.paypal.com @ns1.p57.dynect.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33378
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 5, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;api.paypal.com. IN A
;; ANSWER SECTION:
api.paypal.com. 300 IN A 173.0.88.98
api.paypal.com. 300 IN A 173.0.84.98
api.paypal.com. 300 IN A 66.211.168.91
api.paypal.com. 300 IN RRSIG A 5 3 300 20160617044014 20160518034014 11811 paypal.com. SnkboXg/S1uV0IzYhcaCIrq+YtH+z5vtQcgw2O3GnNPM/oQbNWFmDClq Jj7gRgjKNHLy7zH8BHk1p7QBUCJuhQK3ud02dc5IDBSupMSusMp8tay9 eSG6AJEwkNsed0ztuacJiUw2qYETbgnLQyywOAF97Q68m8210tPXHCE2 2qY=
;; AUTHORITY SECTION:
paypal.com. 300 IN NS ns1.p57.dynect.net.
paypal.com. 300 IN NS ns2.p57.dynect.net.
paypal.com. 300 IN NS ns3.p57.dynect.net.
paypal.com. 300 IN NS ns4.p57.dynect.net.
paypal.com. 300 IN RRSIG NS 5 2 300 20160606184750 20160507180943 11811 paypal.com. rV5WaDBF1SXjx9jSA0iom5+08dMja2aZIb4bqQhm3egqDAWku4+YXcCd rET1pxVQngIYpIPIF7eHheVSuPNd6mC63/U/1/Ph20Xm70OKL0EDjoVa +KgRT71J1X7Whs4oQ6df4L+E8lb8GspeHVyEGfuE00pZRbKt2ZevXZcu ZIk=
;; Query time: 10 msec
;; SERVER: 208.78.70.57#53(208.78.70.57)
;; WHEN: Wed May 18 10:31:17 2016
;; MSG SIZE rcvd: 517
10 minutes later and the RRSIG records can be present again. This does appear to be an internal named caching issue, as each 'iteration' of the records being present or not seems to coincide with the TTL being reached. Once it gets or does not get the RRSIG records, the response is cached OK for the lifetime of the record's TTL.
Running BIND 9.7.3.
If anything is unclear or further information is needed please let me know.
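A small checker for the symptom described above, added here as an example and not part of the original post or of BIND: it parses `dig +dnssec` output and reports every RRset in the ANSWER and AUTHORITY sections that has no RRSIG covering its type, alongside whether the DO bit was sent and whether the AD flag came back. The two embedded samples are constructed from the shape of the two responses quoted above (signature data shortened to a placeholder); the script can also read live dig output on stdin, so it can be put in a loop against the internal resolver to log exactly when the RRSIGs appear and disappear relative to the TTL.

```python
"""Flag RRsets in `dig +dnssec` output that arrive without a covering RRSIG.

Added example for this thread, not code from the original post or from BIND.
Reads dig output on stdin; with no stdin it runs over the constructed samples.
"""
import re
import sys
from collections import defaultdict

# Constructed sample 1, modelled on the internal resolver's reply: the DO bit
# is set in the EDNS pseudosection, yet no RRSIG accompanies the A or NS RRsets.
SAMPLE_MISSING = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9849
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;api.paypal.com.                IN      A

;; ANSWER SECTION:
api.paypal.com.         47      IN      A       173.0.84.98
api.paypal.com.         47      IN      A       173.0.88.98
api.paypal.com.         47      IN      A       173.0.92.23

;; AUTHORITY SECTION:
paypal.com.             47      IN      NS      ns4.p57.dynect.net.
paypal.com.             47      IN      NS      ns3.p57.dynect.net.
"""

# Constructed sample 2, modelled on the authoritative reply: every RRset in
# ANSWER and AUTHORITY is covered by an RRSIG (signature data is a placeholder).
SAMPLE_SIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33378
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 5, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;api.paypal.com.                IN      A

;; ANSWER SECTION:
api.paypal.com.         300     IN      A       173.0.88.98
api.paypal.com.         300     IN      A       173.0.84.98
api.paypal.com.         300     IN      RRSIG   A 5 3 300 20160617044014 20160518034014 11811 paypal.com. SIGDATA==

;; AUTHORITY SECTION:
paypal.com.             300     IN      NS      ns1.p57.dynect.net.
paypal.com.             300     IN      NS      ns2.p57.dynect.net.
paypal.com.             300     IN      RRSIG   NS 5 2 300 20160606184750 20160507180943 11811 paypal.com. SIGDATA==
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);")
EDNS_RE = re.compile(r"^; EDNS: version: \d+, flags: ([^;]*);")


def parse_sections(text):
    """Map section name -> list of (owner, ttl, rtype, rdata) records."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        # Comment lines (';'), blanks and the pre-QUESTION header carry no RRs.
        if current is None or not line.strip() or line.startswith(";"):
            continue
        parts = line.split(None, 4)  # owner ttl class type [rdata]
        if len(parts) < 4:
            continue
        owner, ttl, _cls, rtype = parts[:4]
        sections[current].append((owner, int(ttl), rtype, parts[4] if len(parts) > 4 else ""))
    return sections


def header_flags(text):
    """Header flags as a set, e.g. {'qr', 'rd', 'ra'}; 'ad' means the resolver validated."""
    for line in text.splitlines():
        m = FLAGS_RE.match(line)
        if m:
            return set(m.group(1).split())
    return set()


def edns_do(text):
    """True when the OPT pseudosection shows the DO bit (signatures were requested)."""
    for line in text.splitlines():
        m = EDNS_RE.match(line)
        if m:
            return "do" in m.group(1).split()
    return False


def unsigned_rrsets(text, sections=("ANSWER", "AUTHORITY")):
    """(owner, type) pairs in the given sections with no RRSIG covering that type.

    An RRSIG's first rdata field is the type it covers, so RRset (owner, T) is
    signed iff an RRSIG at the same owner has type-covered T.
    """
    parsed = parse_sections(text)
    missing = set()
    for name in sections:
        rrsets = {(o, t) for o, _, t, _ in parsed[name] if t != "RRSIG"}
        covered = {(o, rd.split()[0]) for o, _, t, rd in parsed[name] if t == "RRSIG"}
        missing |= rrsets - covered
    return missing


def report(text):
    """Print a summary and return the set of unsigned RRsets."""
    missing = unsigned_rrsets(text)
    print("DO requested:", edns_do(text), " AD set:", "ad" in header_flags(text))
    for owner, rtype in sorted(missing):
        print(f"  no RRSIG covering {rtype} at {owner}")
    if not missing:
        print("  every ANSWER/AUTHORITY RRset has a covering RRSIG")
    return missing


if __name__ == "__main__":
    if not sys.stdin.isatty():
        report(sys.stdin.read())
    else:
        for label, sample in (("resolver", SAMPLE_MISSING), ("authoritative", SAMPLE_SIGNED)):
            print(label + ":")
            report(sample)
```

To track the intermittent behaviour, run something like `dig +dnssec api.paypal.com @internalnameserver | python3 check_rrsig.py` (the filename is assumed) once a minute from cron and compare the output against the TTL printed by dig; the report distinguishes "client never asked" (DO false) from "resolver answered from a cache entry without signatures" (DO true, RRSIGs missing, no AD).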