DNSSEC name not resolved


DNSSEC name not resolved

Federico87
Hi everybody,

On my DNS server running pdns recursor, I have noticed that I am not able to resolve the domain www.hollandandbarrett.com if I have DNSSEC enabled; the query returns SERVFAIL:


root@raspberrypi:~# dig www.hollandandbarrett.com

; <<>> DiG 9.9.5-9+deb8u6-Raspbian <<>> www.hollandandbarrett.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21062
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.hollandandbarrett.com.     IN      A

;; Query time: 554 msec
;; SERVER: 172.16.0.2#53(172.16.0.2)
;; WHEN: Thu Apr 28 08:26:42 UTC 2016
;; MSG SIZE  rcvd: 54

root@raspberrypi:~# dig www.hollandandbarrett.com +trace

; <<>> DiG 9.9.5-9+deb8u6-Raspbian <<>> www.hollandandbarrett.com +trace
;; global options: +cmd
.                       86283   IN      NS      h.root-servers.net.
.                       86283   IN      NS      i.root-servers.net.
.                       86283   IN      NS      f.root-servers.net.
.                       86283   IN      NS      m.root-servers.net.
.                       86283   IN      NS      k.root-servers.net.
.                       86283   IN      RRSIG   NS 8 0 518400 20160507170000 20160427160000 60615 . j2bBV9oiLgxJ9A7FvSPBdqACWI8Uw86wsMTuHDP3IeGYa5VSLBWi69OP d+nJyDof+9hPStbVSD7uV8tdPK78c8+3gDvrGkbaZBjiym4DXaauVhiw kTxfmFr8LxnasF+ESvI4uLauUtsrGTC6ug+lgbBLJtTbLdpPOLUXHwHj oKQ=
.                       86283   IN      NS      c.root-servers.net.
.                       86283   IN      NS      d.root-servers.net.
.                       86283   IN      NS      a.root-servers.net.
.                       86283   IN      NS      l.root-servers.net.
.                       86283   IN      NS      e.root-servers.net.
.                       86283   IN      NS      j.root-servers.net.
.                       86283   IN      NS      b.root-servers.net.
.                       86283   IN      NS      g.root-servers.net.
;; Received 397 bytes from 172.16.0.2#53(172.16.0.2) in 347 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 20160507170000 20160427160000 60615 . YOT5cYN8+11DQUxc2anndZ5dApZQOCTuGHIhtFJxLrohG0t+NZIbEiaw 2u1dQwYWIoX5p55CNbqrYAgVmMGPdse9mG5pBA6k7pTZrE+D+ntYAJpd /JatcilNAfA6FrRLVxiQjOfdqun78tkTolzxmvVbRen7ZYUY9xIAOsyk a80=
;; Received 749 bytes from 202.12.27.33#53(m.root-servers.net) in 882 ms

hollandandbarrett.com.  172800  IN      NS      ns1.nbty.net.
hollandandbarrett.com.  172800  IN      NS      ns2.nbty.net.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20160502045841 20160425034841 34745 com. eTc6yc1G33jNdyDy+1e2SW+6qRIWht5EKnKeMO9cPxGC/KQ2VXrNKyA+ hK+yneELNfEvH+RZuSKzhYIqeMYp++4j7Lcl10AAydUte6ZElrJihmcs 4jhQVE5NOlCBOEUxiI6JxWPBcR8dKSl3CZjNKUyNuEWcH99B4RD+EHc3 3xo=
9IPRJFKOE8KVSCTP1HLCMUBS8HLU4PLE.com. 86400 IN NSEC3 1 1 0 - 9IPV4DHBFMP2AV0DLSHT8RO2DRQUOKQQ NS DS RRSIG
9IPRJFKOE8KVSCTP1HLCMUBS8HLU4PLE.com. 86400 IN RRSIG NSEC3 8 2 86400 20160502044659 20160425033659 34745 com. UaFiKDBH8sk3e5JaGaSNV4q3spPdoaD4ai6HueJsCzMZm+p4c7wUlYhO xPYLgv3MKZPfWO0j3yg2poZk4Tt39ddtRezrSet+E05zUFwzKo4ZRfeV mox8V0MAFH/AaPDxSaALe53cz7T8ZNBPVdkKomDEc+ODKiTlsRE4/D37 OUg=
;; Received 615 bytes from 192.48.79.30#53(j.gtld-servers.net) in 678 ms

;; Received 43 bytes from 62.200.53.102#53(ns2.nbty.net) in 25 ms

If I change the recursor's DNSSEC setting from validate to off, I am able to resolve the name:

root@raspberrypi:~# dig www.hollandandbarrett.com 

; <<>> DiG 9.9.5-9+deb8u6-Raspbian <<>> www.hollandandbarrett.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19677
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.hollandandbarrett.com.     IN      A

;; ANSWER SECTION:

;; Query time: 786 msec
;; SERVER: 172.16.0.2#53(172.16.0.2)
;; WHEN: Thu Apr 28 08:29:51 UTC 2016
;; MSG SIZE  rcvd: 141

Any idea why?

Thanks




_______________________________________________
Pdns-users mailing list
[hidden email]
https://mailman.powerdns.com/mailman/listinfo/pdns-users

Re: DNSSEC name not resolved

Pieter Lexis-2
Hi Federico,

On Thu, 28 Apr 2016 15:52:27 +0100
Federico Olivieri <[hidden email]> wrote:

> On my dns server running pdns recursor I have noticed that I am not able to
> resolve the domain www.hollandandbarrett.com if I have DNSSEC enabled

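This is a bug in the current Alpha of the recursor, where Insecure delegations in
NSEC3-zones are seen as BOGUS. (In the trace above, the com. servers return NSEC3
records and no DS record for hollandandbarrett.com, i.e. the delegation is unsigned
and should validate as Insecure rather than Bogus.) This was fixed yesterday in
master [1,2] and will be part of the upcoming prerelease.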

Best regards,

Pieter

1 - https://github.com/PowerDNS/pdns/commit/9503aa8413eaf4221341bcd008df5d2765b576df
2 - https://github.com/PowerDNS/pdns/commit/528c121818fe2639016dbeaea60b913e8e60d848

--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
_______________________________________________
Pdns-users mailing list
[hidden email]
https://mailman.powerdns.com/mailman/listinfo/pdns-users