Unable to resolv 1 domain

Ondřej Surý ondrej at sury.org
Mon Apr 10 12:48:45 UTC 2017


Wouter,

are you sure about the BOGUS status?  I see (stripped down to minimum):

1. at the parent:

$ kdig +multi +dnssec IN NS lkpp.go.id. @b.dns.id.

KSK 31653

lkpp.go.id.             43200 IN DS 31653 7 1 (
				1DD2E4B3643C20097ECE57ECC1F36B8EFBBE303B
				)

2. at the child:

$ kdig +multi +dnssec IN DNSKEY lkpp.go.id. @ns1.lkpp.go.id.

KSK 31653

lkpp.go.id.             604800 IN DNSKEY 257 3 7 (
				AwEAAc4geZlrl3lZHie+wgyVayHtQ/KX1LSLZ6FsfPUO
				lHFsqHFV9osTQ+v9PR++SVPfU8cQZgmWeWsLut7JDqgX
				WRSt1833y8Q80HCB67RLRNoyktFkVrhGh2/1qL+bPvJW
				RdZjufqmvYMPpLJ+g8U1hx1JdsTOwSmEKuxGPlSJJft2
				crQBIN/XRi6MEDE8tGdw3SnwkgocVmTRJteO2V+uLRpK
				HN0WJYD7R7CGI0INoWbI2rsAgZr4hvbCQ3J0BToVoWue
				2UbPbACaZgmJXx1FPOC4bHKDzLVtLi62k/L1a/AJwp9E
				Zo7x5F7yCNQg6XUudxI+Nl7jJ5d12mJnQLsOFqUt48/R
				UKV0Fm1hl6lka6DiogwqA+7iTcaGknRoIXXjZ2p/D7vf
				i4vQGgmVV42POvrOi7rffhzbQEpiA7Vqx597cP8yCfbL
				5cpWFZncxkkLgp92u3D2MWxtdE9aFcuP58xPbnO6mvKq
				RrdnXzY4o2XbTtV4WlhJ69VzDoVeMm6p67R4R2cdqDZq
				LkdrbLU29nj3fVkrMK+9IswIfVJl/DOEHzCCye8brlce
				HF+vqNOb0g6OHj6S86aKtfKgl6DhiBFoaMneNSAFtca4
				yVhCMngZOfiWTnxTPqWE0VHu8QrnNL7M2AjZXrZFweLl
				AKvoYkUCb7HoOI+FASbZm3+0mkYx
				) ; KSK; alg = NSEC3RSASHA1; key id =
				31653

and

lkpp.go.id.             604800 IN RRSIG  DNSKEY 7 3 604800 (
				20170428022332 20170329022332 31653
				lkpp.go.id.
				iAMSKEUwNHmjqCRBygXeqvK2+kYAOGhHd1ZdTFkZeQDv
				D5/AmgfVASEpeso9kQ3Y/YRC8NBQ5JDFT/B3DFB26y9y
				FKBgLLsIrOjLNw7286FikQGtp4ZIGJmxgSbClaZsMnBA
				YS0vMu4uY42pOQ8C4gDMav94g1au+CU9w4QpBKDS8xtb
				6f+1B+yc3eodXdzS/iyKJYrpqPVRlOnAFGlJuxLXQxNJ
				GgC2ZvxmITARjfwDPROvo9zx9BoSKKnN1EV+sFqY0/xY
				j9OO8Q2CcQFRRuwHO4UO4or2aa1xn8lle7yhQAG46pbB
				74rFHU7Tyd5tfLNs0wD+gLTC27xw2kXRIJixgLM3bHOr
				nREuAjeokP0KulNe/TvfTiUVD+jcdDRsdTcBOZRyDOQy
				4Ke6pFp0jgQXXcwdRYnq39G6z+hdWuAmdN9ejnSg2R5N
				o7CF/Kh+uL5E+tlkEZAdW5i94FDSxrmlnbqLNwD+Bc4Z
				kwR8Rq7d4x2o1p5SjS8/v+vvsOUOVWN99Lnk9w7NwLfc
				pwn83kN5a91jkcu1lcgR+Dr+l2WVUlqWSgTIwfIKQ8A5
				y2PzaQCXZ1nCK5iexoYOl1zIgps4pM0WenAviFjHWgAE
				med75qM7rwLZqqZpRBBOB3VaaHqYFQohm8f3sVLN1n+O
				T6kkCOkeGsO+Saaht2SHHoU= )

ZSK 15284

lkpp.go.id.             604800 IN DNSKEY 256 3 7 (
				AwEAAdX16LDm+07IAtsXv+bf2HHO5S+jngvxcpay
				9awjHYtoy2tAPrjWWabRm8ymSO3wStqH6YY9xNiJ
				sKF8t+BXBenV4TQgbFO/FuioTZwTex4t3dJf01Ss
				auhidhoVVrPzkAOHOstHCjuIIxwH8DaGMncn7tx/
				lF4+S3Joi8CwceBWrwbdA0IWq7e7WG5Z/w4pK96E
				y4bpFDeY737EkBhPGiI5KAW5mD9eMkz7PZPss3vy
				5oC863I+XcD1RyaCv+Yljq1ZLLvgfpN8fCkokAYM
				QXxBK0PW0M4UPUTRbLatCHfxRawXpkg+bE/06bm/
				QrgbwYoDCiOjvkasZUJ/Vdavr4M=
				) ; ZSK, RSASHA1_NSEC3_SHA1 (2048b), id
				= 15284


$ kdig +multi +dnssec IN A lkpp.go.id. @ns1.lkpp.go.id.


lkpp.go.id.             604800 IN A 103.206.244.234
lkpp.go.id.             604800 IN RRSIG A 7 3 604800 20170428022332 (
				20170329022332 15284 lkpp.go.id.
				FfCuaRXD14lOhnTQgL1g3DjUXo/OFLrhn9Y1x+9Q
				NWXniZgdiKhubf53ZxV8+xVYiBWvGGq0imcFoyzt
				98Uv8DrT9iHP4a6aZgE45Z1DXX6UE7u4x0CYeZd7
				g9JeV2s4jNWR1rYyln+DsbTBY5qLWNStaA71gvsn
				w29Pk34ssV6AP38i9OHD7bk39CY6ClOlvVtd+8Uh
				cZXAeWOr4BI+aCuJw5EYBte9GrlbBVD4z20Aw4/1
				KBK9jitG0Ty5SJz/1gJPDwAzIN6SLMNLzGNEjGz9
				cRsaPmlLBIOXwVC9MlTdR0GeYDTLzOZRRSviv/2u
				Dglyc3eRIjofg/O8A6yzkQ==
				)

And Verisign's DNSSEC Debugger also seems to disagree with DNSViz:

http://dnssec-debugger.verisignlabs.com/lkpp.go.id

O.
-- 
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Mouky ze mlýna a potřeby pro
pečení chleba všeho druhu

On Thu, Apr 6, 2017, at 12:32, W.C.A. Wijngaards via Unbound-users
wrote:
> Hi Franky,
> 
> The domain is DNSSEC bogus.  Unbound says:
> validation failure <lkpp.go.id. A IN>: no keys have a DS with algorithm
> RSASHA1-NSEC3-SHA1 from 103.13.181.24 for key lkpp.go.id. while building
> chain of trust
> 
> And dnsviz output also shows it is bogus, here is a link
> http://dnsviz.net/d/lkpp.go.id/dnssec/
> 
> If you want to make unbound ignore this failure, add to unbound.conf:
> domain-insecure: "lkpp.go.id"
> 
> Best regards, Wouter
> 
> On 06/04/17 12:16, battossai via Unbound-users wrote:
> > Hi,
> > 
> > My Unbound server unable to resolv this domain : lkpp.go.id
> > <http://lkpp.go.id>
> > In fact i have forward it to other dns server and its domain server.
> > 
> > But again it is no issue on named.
> > Any idea what i have to check ?
> > 
> > Here is some information :
> > 
> > [root at ns1smg ~]# dig @103.55.160.20 <http://103.55.160.20> lkpp.go.id
> > <http://lkpp.go.id>
> > 
> > 
> > ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> @103.55.160.20
> > <http://103.55.160.20> lkpp.go.id <http://lkpp.go.id>
> > 
> > ; (1 server found)
> > 
> > ;; global options: +cmd
> > 
> > ;; Got answer:
> > 
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22042
> > 
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
> > 
> > 
> > ;; QUESTION SECTION:
> > 
> > ;lkpp.go.id <http://lkpp.go.id>.INA
> > 
> > 
> > ;; ANSWER SECTION:
> > 
> > lkpp.go.id <http://lkpp.go.id>.604800INA103.206.244.234
> > 
> > 
> > ;; AUTHORITY SECTION:
> > 
> > lkpp.go.id <http://lkpp.go.id>.604800INNSns2.lkpp.go.id
> > <http://ns2.lkpp.go.id>.
> > 
> > lkpp.go.id <http://lkpp.go.id>.604800INNSns1.lkpp.go.id
> > <http://ns1.lkpp.go.id>.
> > 
> > 
> > ;; ADDITIONAL SECTION:
> > 
> > ns1.lkpp.go.id <http://ns1.lkpp.go.id>.604800INA103.13.181.24
> > 
> > ns2.lkpp.go.id <http://ns2.lkpp.go.id>.604800INA103.55.160.20
> > 
> > 
> > ;; Query time: 9 msec
> > 
> > ;; SERVER: 103.55.160.20#53(103.55.160.20)
> > 
> > ;; WHEN: Thu Apr  6 17:14:58 2017
> > 
> > ;; MSG SIZE  rcvd: 112
> > 
> > 
> > 
> > On my unbound server :
> > 
> > [root at ns1smg ~]# dig @111.68.27.3 <http://111.68.27.3> lkpp.go.id
> > <http://lkpp.go.id>
> > 
> > 
> > ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> @111.68.27.3
> > <http://111.68.27.3> lkpp.go.id <http://lkpp.go.id>
> > 
> > ; (1 server found)
> > 
> > ;; global options: +cmd
> > 
> > ;; Got answer:
> > 
> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41327
> > 
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> > 
> > 
> > ;; QUESTION SECTION:
> > 
> > ;lkpp.go.id <http://lkpp.go.id>.INA
> > 
> > 
> > ;; Query time: 9 msec
> > 
> > ;; SERVER: 111.68.27.3#53(111.68.27.3)
> > 
> > ;; WHEN: Thu Apr  6 17:14:34 2017
> > 
> > ;; MSG SIZE  rcvd: 28
> > 
> > 
> > 
> > Regards,
> > Franky Yu
> > 
> 
> 
> Email had 1 attachment:
> + signature.asc
>   1k (application/pgp-signature)



More information about the Unbound-users mailing list