Bug 708709

Summary: Bind no longer validates DNSSEC
Product: Fedora
Reporter: Scott Schmit <i.grok>
Component: bind
Assignee: Adam Tkac <atkac>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: 14
CC: atkac, ovasik
Hardware: Unspecified
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-06-01 11:10:03 UTC
Attachments:
The named configuration file (attachment 501828)
Cache dump of the server after two queries (attachment 501829)
The results of dig +adflag @::1 -t soa cz (attachment 501830)
The results of dig +adflag @::1 www.rhybar.cz (attachment 501831)

Description Scott Schmit 2011-05-29 01:08:54 UTC
Description of problem:
After upgrading, DNSSEC-signed records are not validated, even with dnssec-validate yes.

Version-Release number of selected component (if applicable):
bind-9.7.4-0.1.b1.fc14.i686

How reproducible:
100%

Steps to Reproduce:
1. Install latest bind, configure a recursive resolver with dnssec-validation on
2. dig www.rhybar.cz @yourserver 
  
Actual results:
A record, NOERROR

Expected results:
No records returned, SERVFAIL

Additional info:
www.rhybar.cz has a deliberately incorrect DNSSEC signature. If bind is validating DNSSEC like it's supposed to, it will not return the invalid result. The fact that it's getting through even though I have dnssec & dnssec validation enabled says that there's a bug here.

Comment 1 Adam Tkac 2011-05-30 08:30:24 UTC
I'm not able to reproduce this issue with 9.7.4-0.1.b1.fc14, named returns SERVFAIL for the rhybar.cz domain. /var/log/messages contains the following lines:

May 30 10:19:38 f14 named[1332]: validating @0x7ff63c3fcc70: rhybar.cz DNSKEY: no valid signature found
May 30 10:19:39 f14 named[1332]: error (insecurity proof failed) resolving 'rhybar.cz/DNSKEY/IN': 194.0.13.1#53

Can you please check if your server successfully validates, for example, the cz. domain (the "ad" flag is present in the validated response; check it via `dig @yourserver cz SOA +dnssec`)?

If the response contains the ad flag then run following command:

`rndc dumpdb -cache`

and then attach "/var/named/data/cache_dump.db" file, please.

Comment 2 Scott Schmit 2011-05-30 15:16:17 UTC
That's just it -- it's acting like I don't have dnssec validation on, therefore I get no ad flag for anything.

My reproduction recipe is the following:
# service named restart
# dig +adflag @::1 -t soa cz > cz-soa
# dig +adflag @::1 www.rhybar.cz > rhybar-a
# rndc dumpdb -cache

I'm attaching /etc/named.conf, /var/named/data/cache_dump.db, cz-soa, and rhybar-a

Comment 3 Scott Schmit 2011-05-30 15:17:51 UTC
Created attachment 501828 [details]
The named configuration file

Comment 4 Scott Schmit 2011-05-30 15:18:57 UTC
Created attachment 501829 [details]
Cache dump of the server after two queries

Comment 5 Scott Schmit 2011-05-30 15:20:15 UTC
Created attachment 501830 [details]
The results of dig +adflag @::1 -t soa cz

Note that there is no ad flag.

Comment 6 Scott Schmit 2011-05-30 15:22:02 UTC
Created attachment 501831 [details]
The results of dig +adflag @::1 www.rhybar.cz

Note the invalid results are returned. No error shows up in /var/log/messages

Comment 7 Adam Tkac 2011-06-01 11:10:03 UTC
Actually bind-9.7.3-1.fc14 doesn't validate at all with your configuration either. The named.root.key file must be included this way in named.conf:

include "/etc/named.root.key";

not via "bindkeys-file" directive.

If you use bindkeys-file then you must also set "dnssec-lookaside auto;" in the options {} section. Details are written in BIND9 ARM (/usr/share/doc/bind-9.7.3/arm/Bv9ARM.pdf), section 6.2.16, description of the bindkeys-file and dnssec-lookaside directives.

Closing as notabug, feel free to reopen this ticket if you think something is still wrong.
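The three named.conf variants below are an added illustration of the resolution in comment 7, not the reporter's attached named.conf and not text from the BIND ARM. They assume a recursive resolver listening on ::1 as in comment 2, and that the reporter's non-working file pointed bindkeys-file at /etc/named.root.key, which is what comment 7 implies; the file names are the Fedora ones quoted in the thread. Only one of the three options blocks belongs in a real configuration.

```conf
// Assumed example, not the reporter's configuration. Only the trust-anchor
// lines differ between the three variants; everything else is filler.

// (1) Does NOT validate. dnssec-validation is on, but named never loads a
//     trust anchor: per comment 7, bindkeys-file is only consulted when
//     dnssec-lookaside is "auto", so the file below is silently ignored.
//     Symptoms: no "ad" flag on signed answers and no validation errors
//     logged; www.rhybar.cz returns NOERROR instead of SERVFAIL.
options {
    listen-on-v6 { ::1; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    bindkeys-file "/etc/named.root.key";   // ignored without dnssec-lookaside auto
};

// (2) Validates. The root trust anchor is loaded explicitly by including the
//     key file, which is the form comment 7 prescribes.
options {
    listen-on-v6 { ::1; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
};
include "/etc/named.root.key";

// (3) Also validates. bindkeys-file is kept, and dnssec-lookaside auto makes
//     named read the keys from it (comment 7's second option).
options {
    listen-on-v6 { ::1; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    bindkeys-file "/etc/named.root.key";
};
```

Whichever variant is chosen, the check from comment 1 is the same: `dig @::1 cz SOA +dnssec` must show `ad` in the flags line, and `dig @::1 www.rhybar.cz` must return SERVFAIL with a "no valid signature found" line in /var/log/messages. Variant (1) is the dangerous one precisely because it fails silently: the configuration looks DNSSEC-enabled, yet bogus data is served. Note that `dnssec-lookaside auto` also enabled lookaside validation through ISC's DLV registry, which ISC has since retired, so on current BIND releases the equivalent of variant (3) is `dnssec-validation auto;` with the built-in root key rather than dnssec-lookaside.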