Dnssec-validation auto


Dnssec-validation auto

Ismael Suarez Maldonado
Hi all

The following domain (www.popularsba.com) does not resolve with dnssec validation set to auto, but when I switch the validation off it works.

Why is this? How can I check this validation?

Using bind 9.12

Thanks to all
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Re: Dnssec-validation auto

Petr Mensik
Hi Ismael,

The easiest way to check validation is using the delv tool from BIND 9.11+. It
uses the same algorithm as the BIND server does. If you get SERVFAIL from
your recursive server, try adding the +cd parameter to delv or dig. When it
works with +cd, validation is responsible somewhere in the recursive servers'
chain.

It shows just unsigned to me, today.

$ delv +cd www.popularsba.com
; unsigned answer
www.popularsba.com. 282 IN CNAME www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com.
www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com. 282 IN CNAME 4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com.
4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com. 102 IN A 161.71.31.253

Cheers,
Petr

On 11/13/20 5:26 AM, Ismael Suarez wrote:
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: [hidden email]
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

Re: Dnssec-validation auto

Ismael Suarez Maldonado
With "dnssec-validation AUTO;" I get:

# delv +cd www.popularsba.com
;; resolution failed: timed out


With "dnssec-validation NO;" I get:

# delv +cd www.popularsba.com
;; resolution failed: timed out
; unsigned answer
www.popularsba.com.     279     IN      CNAME   www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com.


CAPS just to show the difference in .conf


--

Ismael Suárez Maldonado | UNIX ADM | Coqui.Net Corp / ClaroTV
[hidden email] | T: 787-793-0001 x 4007

-----Original Message-----
From: Petr Menšík <[hidden email]>
To: [hidden email]
Subject: Re: Dnssec-validation auto
Date: Fri, 13 Nov 2020 11:26:17 +0100
Re: Dnssec-validation auto

Petr Mensik
I would check what nameservers are in /etc/resolv.conf, and try to
direct delv or dig to their addresses.

for H in $(awk '$1 == "nameserver" { print $2 }' /etc/resolv.conf); do
dig +dnssec @$H www.popularsba.com; done

Check that every server returns reliable and the same results. I had one
NOERROR and one SERVFAIL from our infrastructure. The second server
provides more servers in the ADDITIONAL section. The second retry was successful.

It might take a bit more time to fetch and verify addresses of all
authoritative servers of the gslb.siteforce.com. domain. Six seems a lot.


; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8 <<>> +dnssec @10.5.30.45 www.popularsba.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43145
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 6, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.popularsba.com. IN A

;; ANSWER SECTION:
www.popularsba.com. 262 IN CNAME
www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com.
www.popularsba.com.00d1n000002kxqqua0.live.siteforce.com. 262 IN CNAME
4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com.
4.0p13m0000008e6qcaq.00d1n000002kxqqua0.gslb.siteforce.com. 82 IN A
13.109.220.200

;; AUTHORITY SECTION:
gslb.siteforce.com. 55886 IN NS dns05.salesforce.com.
gslb.siteforce.com. 55886 IN NS dns01.salesforce.com.
gslb.siteforce.com. 55886 IN NS dns02.salesforce.com.
gslb.siteforce.com. 55886 IN NS dns04.salesforce.com.
gslb.siteforce.com. 55886 IN NS dns06.salesforce.com.
gslb.siteforce.com. 55886 IN NS dns03.salesforce.com.

;; ADDITIONAL SECTION:
dns01.salesforce.com. 53547 IN A 204.74.108.235
dns02.salesforce.com. 53547 IN A 204.74.109.235
dns04.salesforce.com. 53547 IN A 199.7.69.235
dns03.salesforce.com. 53547 IN A 199.7.68.235
dns06.salesforce.com. 53547 IN A 204.74.115.235
dns05.salesforce.com. 53547 IN A 204.74.114.235
dns01.salesforce.com. 53547 IN RRSIG A 13 3 86400 20201130021251
20201001013506 2317 salesforce.com.
fUb+1uVGcdeVSsjTj1O++bcNLZwapzTvLcHLP+tykm3y3ziCSIHtxfCp
3kZqdBQtB3nGd7ySGPEblvBJA4ZHUA==
dns02.salesforce.com. 53547 IN RRSIG A 13 3 86400 20201130021251
20201001013506 2317 salesforce.com.
QOVhwrJ0dwkHRHLr/ytEzmZ04bYaAzN2ooDfJOVJXDCinYGFuNTRmPhs
uFawDGlRlFja8OyiIyJXIFvwXKGSxg==
dns04.salesforce.com. 53547 IN RRSIG A 13 3 86400 20201130021251
20201001013506 2317 salesforce.com.
DXOOYz5odrnY7SkWNvU0NiGOZEWalNT+0VYCYgd7wl6Rj0cOR4slFrvR
ADj5eAgFLybADvTviia/xbqz4u7ueQ==
dns03.salesforce.com. 53547 IN RRSIG A 13 3 86400 20201130021251
20201001013506 2317 salesforce.com.
Rkzv/z9vhnURB8hueZgkQrKFffLB9Zj423ZPHoPXtoECxNVk/ZV/ODv4
BQZLT8+t8W7cLILNyXVVpEjG2ejE9Q==
dns06.salesforce.com. 53547 IN RRSIG A 13 3 86400 20201218220609
20201019213201 2317 salesforce.com.
YcTDijezumyiv+WZcvZqFk/yOJ2r7WdxZ5XFwIjt5R6iDOSQNChxhQ3G
dhR28sLna+rM9yVehyyEyCh4iJUeHg==
dns05.salesforce.com. 53547 IN RRSIG A 13 3 86400 20201130021251
20201001013506 2317 salesforce.com.
gmzIaK0lTolbkUaIGfHTLl2+TzUYQUtxHJ5yevEzdLmaE8z0AW7JBVXf
07osroe/7LxRQO38ZCxNZHVXfQnMHA==

;; Query time: 45 msec
;; SERVER: 10.5.30.45#53(10.5.30.45)
;; WHEN: Fri Nov 13 08:12:49 EST 2020
;; MSG SIZE  rcvd: 1076


It seems to me only the dns0?.salesforce.com. hosts are in a DNSSEC-signed
domain. Try debugging the salesforce.com. domain verification instead.

On 11/13/20 1:59 PM, Ismael Suarez wrote:
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: [hidden email]
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
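The check Petr describes across both of his replies, written out as an added example (not code from the thread or from BIND): it runs his per-nameserver dig loop twice, once normally and once with +cd, and classifies each answer, so a SERVFAIL that disappears with +cd is reported as a validation failure rather than an unreachable authoritative. The dig header lines used for the offline demonstration are constructed, and all function and variable names are my own.

```shell
#!/bin/sh
# Added example, not part of the bind-users thread. Requires dig for live use;
# dig_status, classify and demo run offline on the constructed samples below.

# Extract the RCODE (NOERROR, SERVFAIL, ...) from dig output passed on stdin.
# A timed-out query prints no HEADER line, so the result is empty.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Compare the plain answer with the +cd (checking disabled) answer:
#   ok                 : NOERROR without +cd, validation passed
#   validation-failure : SERVFAIL normally but NOERROR with +cd, so the resolver
#                        could fetch the data but could not validate it (broken or
#                        unreachable DNSSEC chain, e.g. the DS/DNSKEY fetches)
#   upstream-failure   : SERVFAIL even with +cd, so the problem is reaching or
#                        getting an answer from the authoritative servers
classify() {
    plain_status=$1
    cd_status=$2
    if [ "$plain_status" = "NOERROR" ]; then
        echo ok
    elif [ "$plain_status" = "SERVFAIL" ] && [ "$cd_status" = "NOERROR" ]; then
        echo validation-failure
    elif [ "$plain_status" = "SERVFAIL" ]; then
        echo upstream-failure
    else
        echo "other:${plain_status:-timeout}/${cd_status:-timeout}"
    fi
}

# Live use: query every nameserver listed in /etc/resolv.conf, with and without
# +cd, and print one tab-separated line per server: address, status, status+cd, verdict.
check_resolvers() {
    name=${1:-www.popularsba.com}
    for H in $(awk '$1 == "nameserver" { print $2 }' /etc/resolv.conf); do
        plain=$(dig +dnssec +time=5 +tries=1 @"$H" "$name" | dig_status)
        withcd=$(dig +dnssec +cd +time=5 +tries=1 @"$H" "$name" | dig_status)
        printf '%s\t%s\t%s\t%s\n' "$H" "${plain:-timeout}" "${withcd:-timeout}" \
            "$(classify "$plain" "$withcd")"
    done
}

# Constructed sample headers in the shape of the dig output quoted in the thread
# (the id values are made up).
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345'
SAMPLE_NOERROR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43145'

# Offline demonstration of the case from the thread: SERVFAIL with validation on,
# an answer once checking is disabled.
demo() {
    plain=$(printf '%s\n' "$SAMPLE_SERVFAIL" | dig_status)
    withcd=$(printf '%s\n' "$SAMPLE_NOERROR" | dig_status)
    classify "$plain" "$withcd"
}
```

Run `check_resolvers` on the recursive server itself to get the live verdict per nameserver; `demo` shows the classification on the constructed samples.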

Re: Dnssec-validation auto

Ismael Suarez Maldonado
resolv.conf has only itself as dns server

When using dnssec-validation AUTO, and turning on debug, the following is shown when I nslookup from my PC towards the server.

13-Nov-2020 11:09:18.998 client @0x7f7fb41d6b20 xxx.xxx.xxx.252#30201: request is not signed
13-Nov-2020 11:09:18.998 client @0x7f7fb41d6b20 xxx.xxx.xxx.252#30201: recursion available
13-Nov-2020 11:09:18.998 client @0x7f7fb41d6b20 xxx.xxx.xxx.252#30201 (www.popularsba.com): query: www.popularsba.com IN A + (xxx.xxx.xxx.152)
13-Nov-2020 11:09:18.998 client @0x7f7fb41d6b20 xxx.xxx.xxx.252#30201 (www.popularsba.com): query (cache) 'www.popularsba.com/A/IN' approved
13-Nov-2020 11:09:18.998 fetch: www.popularsba.com/A
13-Nov-2020 11:09:18.999 fetch: ha1.markmonitor.zone/A
13-Nov-2020 11:09:18.999 fetch: ha2.markmonitor.zone/A
13-Nov-2020 11:09:18.999 fetch: ha3.markmonitor.zone/A
13-Nov-2020 11:09:18.999 fetch: ha4.markmonitor.zone/A
13-Nov-2020 11:09:24.000 client @0x7f7fb41f3a40 xxx.xxx.xxx.252#30201: request is not signed
13-Nov-2020 11:09:24.000 client @0x7f7fb41f3a40 xxx.xxx.xxx.252#30201: recursion available
13-Nov-2020 11:09:24.000 client @0x7f7fb41f3a40 xxx.xxx.xxx.252#30201 (www.popularsba.com): query: www.popularsba.com IN A + (xxx.xxx.xxx.152)
13-Nov-2020 11:09:24.000 client @0x7f7fb41f3a40 xxx.xxx.xxx.252#30201 (www.popularsba.com): query (cache) 'www.popularsba.com/A/IN' approved
13-Nov-2020 11:09:24.000 fetch: www.popularsba.com/A
13-Nov-2020 11:09:24.000 client @0x7f7fb41f3a40 xxx.xxx.xxx.252#30201 (www.popularsba.com): request failed: duplicate query
13-Nov-2020 11:09:27.051 fetch: popularsba.com/DS

On my client I get:

** server can't find www.popularsba.com: SERVFAIL



masked the IP just in case



-----Original Message-----
From: Petr Menšík <[hidden email]>
To: Ismael Suarez <[hidden email]>, [hidden email]
Subject: Re: Dnssec-validation auto
Date: Fri, 13 Nov 2020 14:19:47 +0100