Bug 708709 - Bind no longer validates DNSSEC
Product: Fedora
Component: bind
Hardware: Unspecified
OS: Linux
Severity: urgent
Assigned To: Adam Tkac
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-05-28 21:08 EDT by Scott Schmit
Modified: 2013-04-30 19:49 EDT
Doc Type: Bug Fix
Last Closed: 2011-06-01 07:10:03 EDT

Attachments:
- The named configuration file (853 bytes, text/plain), 2011-05-30 11:17 EDT, Scott Schmit
- Cache dump of the server after two queries (5.98 KB, text/plain), 2011-05-30 11:18 EDT, Scott Schmit
- The results of dig +adflag @::1 -t soa cz (678 bytes, text/plain), 2011-05-30 11:20 EDT, Scott Schmit
- The results of dig +adflag @::1 www.rhybar.cz (562 bytes, text/plain), 2011-05-30 11:22 EDT, Scott Schmit
Description Scott Schmit 2011-05-28 21:08:54 EDT
Description of problem:
After upgrading, DNSSEC-signed records are not validated, even with dnssec-validate yes.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install latest bind, configure a recursive resolver with dnssec-validation on
2. dig www.rhybar.cz @yourserver 
Actual results:
A record, NOERROR

Expected results:
No records returned, SERVFAIL

Additional info:
www.rhybar.cz has a deliberately incorrect DNSSEC signature. If bind is validating DNSSEC like it's supposed to, it will not return the invalid result. The fact that it's getting through even though I have dnssec & dnssec validation enabled says that there's a bug here.
Comment 1 Adam Tkac 2011-05-30 04:30:24 EDT
I'm not able to reproduce this issue with 9.7.4-0.1.b1.fc14; named returns SERVFAIL for the rhybar.cz domain. /var/log/messages contains the following lines:

May 30 10:19:38 f14 named[1332]: validating @0x7ff63c3fcc70: rhybar.cz DNSKEY: no valid signature found
May 30 10:19:39 f14 named[1332]: error (insecurity proof failed) resolving 'rhybar.cz/DNSKEY/IN':

Can you please check if your server successfully validates, for example, the cz. domain (the "ad" flag is present in the validated response; check it via `dig @yourserver cz SOA +dnssec`)?

If the response contains the ad flag, then run the following command:

`rndc dumpdb -cache`

and then attach the "/var/named/data/cache_dump.db" file, please.
Comment 2 Scott Schmit 2011-05-30 11:16:17 EDT
That's just it -- it's acting like I don't have dnssec validation on, therefore I get no ad flag for anything.

My reproduction recipe is the following:
# service named restart
# dig +adflag @::1 -t soa cz > cz-soa
# dig +adflag @::1 www.rhybar.cz > rhybar-a
# rndc dumpdb -cache

I'm attaching /etc/named.conf, /var/named/data/cache_dump.db, cz-soa, and rhybar-a
Comment 3 Scott Schmit 2011-05-30 11:17:51 EDT
Created attachment 501828 [details]
The named configuration file
Comment 4 Scott Schmit 2011-05-30 11:18:57 EDT
Created attachment 501829 [details]
Cache dump of the server after two queries
Comment 5 Scott Schmit 2011-05-30 11:20:15 EDT
Created attachment 501830 [details]
The results of dig +adflag @::1 -t soa cz

Note that there is no ad flag.
Comment 6 Scott Schmit 2011-05-30 11:22:02 EDT
Created attachment 501831 [details]
The results of dig +adflag @::1 www.rhybar.cz

Note that the invalid results are returned. No error shows up in /var/log/messages.
Comment 7 Adam Tkac 2011-06-01 07:10:03 EDT
Actually, bind-9.7.3-1.fc14 doesn't validate at all with your configuration either. The named.root.key file must be included this way in named.conf:

include "/etc/named.root.key";

not via "bindkeys-file" directive.

If you use bindkeys-file, then you must also set "dnssec-lookaside auto;" in the options {} section. Details are in the BIND9 ARM (/usr/share/doc/bind-9.7.3/arm/Bv9ARM.pdf), section 6.2.16, in the description of the bindkeys-file and dnssec-lookaside directives.

Closing as notabug, feel free to reopen this ticket if you think something is still wrong.
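The misconfiguration described in comment 7 is silent: named starts, answers queries, and simply never validates. The following static check of a named.conf is an added example (not part of this bug report or of the bind package) that flags exactly that case; it assumes the directives appear uncommented, one per line, as in the thread, and the sample configs are constructed, not the reporter's attachment.

```sh
#!/bin/sh
# Added example modelled on comment 7: a named.conf is treated as able to
# validate only if the root trust anchor is loaded via
# include "/etc/named.root.key", or if bindkeys-file is paired with
# "dnssec-lookaside auto;". Assumption: directives are uncommented and
# each on its own line, as in the thread.

# Prints a verdict; returns 0 if the config should validate, 1 otherwise.
check_trust_anchor_config() {
    conf="$1"
    if grep -Eq '^[[:space:]]*include[[:space:]]+"/etc/named\.root\.key"' "$conf"; then
        echo "ok: trust anchors loaded via include \"/etc/named.root.key\""
        return 0
    fi
    if grep -Eq '^[[:space:]]*bindkeys-file' "$conf"; then
        if grep -Eq '^[[:space:]]*dnssec-lookaside[[:space:]]+auto' "$conf"; then
            echo "ok: bindkeys-file is activated by dnssec-lookaside auto"
            return 0
        fi
        echo "silently not validating: bindkeys-file set without dnssec-lookaside auto"
        return 1
    fi
    echo "not validating: no trust anchor configured at all"
    return 1
}

# Constructed sample configs (not the reporter's attachment).
broken_conf=$(mktemp)
cat > "$broken_conf" <<'EOF'
options {
    dnssec-enable yes;
    dnssec-validation yes;
    bindkeys-file "/etc/named.root.key";
};
EOF

fixed_conf=$(mktemp)
cat > "$fixed_conf" <<'EOF'
options {
    dnssec-enable yes;
    dnssec-validation yes;
};
include "/etc/named.root.key";
EOF

check_trust_anchor_config "$broken_conf" || true   # exit status 1
check_trust_anchor_config "$fixed_conf"            # exit status 0
```

A static check like this complements the runtime test from comment 2: after restarting named, `dig +adflag` against the resolver must show the ad flag for a correctly signed zone such as cz. and SERVFAIL for www.rhybar.cz.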
