[yadifa-users] Is a DNSSEC related bug possible in 2.0.4?

Eric Diaz Fernandez eric.diaz.fernandez at eurid.eu
Wed Mar 4 07:13:15 CET 2015


Dear Mr Kolb,

If I understand correctly, you see an error "999" from the DNSSEC test
page at http://www.denic.de/en/background/nast.html.
The documentation at
http://www.denic.de/fileadmin/public/documentation/DENIC-26p_EN.pdf says
that it means the DNS query failed.
This may be caused by an issue in the Resource Rate Limiter that has
been fixed in release 2.0.5.

Regards,

R&D Team

On 27/02/15 11:38, Markus Kolb wrote:
> The check of Denic sends the following queries when the check is not
> approved:
>
> 2015-02-27 09:21:58.337569 | queries  | I | query [136f] {-------} it-newmedia.de. IN SOA (81.91.160.254#30993)
> 2015-02-27 09:21:58.337701 | queries  | I | query [434e] {-------} it-newmedia.de. IN SOA (81.91.160.254#53665)
> 2015-02-27 09:21:58.353038 | queries  | I | query [64d3] {---T---} it-newmedia.de. IN NS (81.91.160.254#25900)
> 2015-02-27 09:21:58.353138 | queries  | I | query [c6d6] {---T---} it-newmedia.de. IN NS (81.91.160.254#7540)
> 2015-02-27 09:21:58.361102 | queries  | I | query [a36f] {--E-D--} it-newmedia.de. IN SOA (81.91.160.254#58913)
> 2015-02-27 09:21:58.361182 | queries  | I | query [b913] {--E-D--} it-newmedia.de. IN DNSKEY (81.91.160.254#9074)
> 2015-02-27 09:21:58.361244 | queries  | I | query [4531] {--E-D--} it-newmedia.de. IN SOA (81.91.160.254#27506)
> 2015-02-27 09:21:58.361291 | queries  | I | query [ed65] {--E-D--} it-newmedia.de. IN DNSKEY (81.91.160.254#39832)
> 2015-02-27 09:21:58.376208 | queries  | I | query [9df4] {--ETD--} it-newmedia.de. IN SOA (81.91.160.254#9897)
> 2015-02-27 09:22:01.365449 | queries  | I | query [250b] {--E-D--} it-newmedia.de. IN DNSKEY (81.91.160.254#22941)
> 2015-02-27 09:22:01.365610 | queries  | I | query [4b4b] {--E-D--} it-newmedia.de. IN DNSKEY (81.91.160.254#30404)
>
> When the check is approved, these queries:
>
> 2015-02-27 09:22:22.642853 | queries  | I | query [65c9] {-------} it-newmedia.de. IN SOA (81.91.160.254#60462)
> 2015-02-27 09:22:22.642925 | queries  | I | query [589a] {-------} it-newmedia.de. IN SOA (81.91.160.254#63259)
> 2015-02-27 09:22:22.657871 | queries  | I | query [fe57] {---T---} it-newmedia.de. IN NS (81.91.160.254#33254)
> 2015-02-27 09:22:22.657957 | queries  | I | query [63b0] {---T---} it-newmedia.de. IN NS (81.91.160.254#10298)
> 2015-02-27 09:22:22.665857 | queries  | I | query [564b] {--E-D--} it-newmedia.de. IN SOA (81.91.160.254#51714)
> 2015-02-27 09:22:22.666006 | queries  | I | query [37ec] {--E-D--} it-newmedia.de. IN DNSKEY (81.91.160.254#42246)
> 2015-02-27 09:22:22.666113 | queries  | I | query [958c] {--E-D--} it-newmedia.de. IN SOA (81.91.160.254#19612)
> 2015-02-27 09:22:22.666131 | queries  | I | query [ab2d] {--E-D--} it-newmedia.de. IN DNSKEY (81.91.160.254#44694)
> 2015-02-27 09:22:25.669001 | queries  | I | query [3b36] {--E-D--} it-newmedia.de. IN SOA (81.91.160.254#61206)
> 2015-02-27 09:22:25.669078 | queries  | I | query [0246] {--E-D--} it-newmedia.de. IN DNSKEY (81.91.160.254#59747)
>
>
> Does this help you?
>
>
>
> Am 2015-02-27 11:13, schrieb Thomas Dupas:
>> Hi Markus,
>>
>> do you see other queries arriving before the one with the {--ETD--} flag?
>>
>> Those flags represent the query flags / options:
>> +: recursion desired
>> S: query signed
>> E: EDNS
>> T: TCP
>> D: DO bit set (DNSSEC OK)
>> C: CD bit set (Checking Disabled)
>>
>> Br,
>>
>> Thomas
>>
>> On 27 Feb 2015, at 10:37, Markus Kolb <markus.kolb+yadifa at tower-net.de>
>> wrote:
>>
>>> Hello,
>>>
>>> I have problems getting DNSSEC to work with 2.0.4.
>>>
>>> It's a domain in the de-zone.
>>> DENIC has a DNS checker tool at
>>> http://www.denic.de/hintergrund/nast.html
>>>
>>> If I check my signed domain, sometimes it is approved and sometimes I
>>> get an unexpected exception error 999.
>>> I do not change anything in between.
>>>
>>> I've used the BIND tools for generating the keys and signing the zone.
>>>
>>> e.g.:
>>> dnssec-signzone -v 9 -A -3 b0255d9fc8b8cf81 -o tower-net.de \
>>>   -K /var/lib/yadifad/zones/keys -d /var/lib/yadifad/zones/keys \
>>>   -k Ktower-net.de.+007+62298.key -N increment -t \
>>>   /var/lib/yadifad/zones/masters/tower-net.de.zone \
>>>   Ktower-net.de.+007+62654.key Ktower-net.de.+007+62298.key
>>>
>>> For your info: the example domain is not yet delegated to my domain
>>> servers. In the DENIC tool I've specified the domain servers that have
>>> the signed zones available.
>>>
>>> Btw. the BIND tools are a usability hell. Why do you have to specify
>>> the KSK twice? Isn't it enough to say -k KSK?! And no warning. It's just
>>> that the fully signed zones are not correctly signed. ;-)
>>>
>>> Ok. Back to the remaining problem...
>>>
>>> In the query log I see different entries when the zone is approved and
>>> when it is denied.
>>>
>>> approved:
>>> 2015-02-27 09:22:22.666113 | queries  | I | query [958c] {--E-D--} it-newmedia.de. IN SOA (81.91.160.254#19612)
>>>
>>> denied:
>>> 2015-02-27 09:21:58.376208 | queries  | I | query [9df4] {--ETD--} it-newmedia.de. IN SOA (81.91.160.254#9897)
>>>
>>> So there is a T flag when DENIC denies my zone.
>>>
>>> What do these flags mean? I couldn't find documentation for them.
>>>
>>> br,
>>> Markus
>>> _______________________________________________
>>> yadifa-users mailing list
>>> yadifa-users at mailinglists.yadifa.eu
>>> http://www.yadifa.eu/mailman/listinfo/yadifa-users
>>

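The flag legend Thomas gives above (+, S, E, T, D, C) is enough to decode the {...} column of the yadifad query log, which is what an operator needs to see whether the DENIC checker's failing run differs from the passing one. The following is an added example, not code from the thread or from the YADIFA project. It parses query-log lines, decodes the flags by letter (the page does not say which column each flag occupies, nor what the seventh column means, so positional decoding is deliberately not assumed), reports the queries that combine TCP with the DO bit (the {--ETD--} line Markus singled out), and counts how many queries one source sent inside a short window, which is the kind of burst a response rate limiter such as the one Eric mentions would act on. The sample lines are the "not approved" run copied from Markus's post; the function names and the regular expression are this example's own.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Query-log lines copied from the "not approved" run posted in the thread.
DENIED_RUN = """\
2015-02-27 09:21:58.337569 | queries  | I | query [136f] {-------} it-newmedia.de. IN SOA (81.91.160.254#30993)
2015-02-27 09:21:58.337701 | queries  | I | query [434e] {-------} it-newmedia.de. IN SOA (81.91.160.254#53665)
2015-02-27 09:21:58.353038 | queries  | I | query [64d3] {---T---} it-newmedia.de. IN NS (81.91.160.254#25900)
2015-02-27 09:21:58.353138 | queries  | I | query [c6d6] {---T---} it-newmedia.de. IN NS (81.91.160.254#7540)
2015-02-27 09:21:58.361102 | queries  | I | query [a36f] {--E-D--} it-newmedia.de. IN SOA (81.91.160.254#58913)
2015-02-27 09:21:58.361182 | queries  | I | query [b913] {--E-D--} it-newmedia.de. IN DNSKEY (81.91.160.254#9074)
2015-02-27 09:21:58.361244 | queries  | I | query [4531] {--E-D--} it-newmedia.de. IN SOA (81.91.160.254#27506)
2015-02-27 09:21:58.361291 | queries  | I | query [ed65] {--E-D--} it-newmedia.de. IN DNSKEY (81.91.160.254#39832)
2015-02-27 09:21:58.376208 | queries  | I | query [9df4] {--ETD--} it-newmedia.de. IN SOA (81.91.160.254#9897)
2015-02-27 09:22:01.365449 | queries  | I | query [250b] {--E-D--} it-newmedia.de. IN DNSKEY (81.91.160.254#22941)
2015-02-27 09:22:01.365610 | queries  | I | query [4b4b] {--E-D--} it-newmedia.de. IN DNSKEY (81.91.160.254#30404)
"""

# Flag letters as listed in the thread; '-' means the flag is not set.
# Assumption: decoding goes by letter, not by column position, because the
# page does not document the column order or the seventh column.
FLAG_NAMES = {
    "+": "recursion_desired",
    "S": "signed",
    "E": "edns",
    "T": "tcp",
    "D": "dnssec_ok",
    "C": "checking_disabled",
}

# Regular expression for the log line layout seen in the thread (example's own).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \| "
    r"(?P<channel>\S+)\s+\| (?P<level>\S) \| query \[(?P<id>[0-9a-f]{4})\] "
    r"\{(?P<flags>[^}]+)\} (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"\((?P<src>[^#]+)#(?P<port>\d+)\)$"
)


def decode_flags(field):
    """Return the set of flag names present in a {...} flags field."""
    return {FLAG_NAMES[ch] for ch in field if ch in FLAG_NAMES}


def parse_query_line(line):
    """Parse one query-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
    rec["port"] = int(rec["port"])
    rec["flags"] = decode_flags(rec["flags"])
    return rec


def parse_log(text):
    """Parse every matching line of a log excerpt; non-matching lines are skipped."""
    return [r for r in (parse_query_line(ln) for ln in text.splitlines()) if r]


def tcp_dnssec_queries(records):
    """Queries that carry both T (TCP) and D (DO bit): the combination singled out in the thread."""
    return [r for r in records if {"tcp", "dnssec_ok"} <= r["flags"]]


def burst_sources(records, window_seconds, threshold):
    """Sources that sent at least `threshold` queries inside any `window_seconds` span.

    A sliding window over each source's sorted timestamps; useful for seeing
    whether a checker's probe pattern is dense enough to trip rate limiting.
    """
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r["ts"])
    window = timedelta(seconds=window_seconds)
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[src] = best
    return hits


def summarize(records):
    """Count queries by (qtype, transport, DO bit set)."""
    return Counter(
        (r["qtype"], "tcp" if "tcp" in r["flags"] else "udp", "dnssec_ok" in r["flags"])
        for r in records
    )


if __name__ == "__main__":
    recs = parse_log(DENIED_RUN)
    for key, n in sorted(summarize(recs).items()):
        print(key, n)
    print("TCP+DO queries:", [(r["id"], r["qtype"]) for r in tcp_dnssec_queries(recs)])
    print("bursts (>=9 queries within 1 s):", burst_sources(recs, 1, 9))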