DNSSEC "passes" the test it should fail at dnssec-failed.org

Latitude · 02-02-2017, 06:43 AM

I'm configuring a DNS Server on RHEL 6.8 with BIND 9.8.2rc1 and testing with DNSSEC with the server set up to intentionally fail DNSSEC (www.dnssec-failed.org) shows a successful test of DNS. Some help determining the cause would be great.

When running the command below it succeeds as it should:

Code:

dig @127.0.0.1 www.isc.org A +dnssec +multiline

However, when I run the command below to intentionally get a DNSSEC failure, it also passes (status: NOERROR) when it should actually fail:

Code:

 ~]# dig @127.0.0.1 www.dnssec-failed.org. A

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> @127.0.0.1 www.dnssec-failed.org. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38725
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 10

;; QUESTION SECTION:
;www.dnssec-failed.org.         IN      A

;; ANSWER SECTION:
www.dnssec-failed.org.  3535    IN      A       69.252.193.191
www.dnssec-failed.org.  3535    IN      A       68.87.109.242

;; AUTHORITY SECTION:
dnssec-failed.org.      82735   IN      NS      dns102.comcast.net.
dnssec-failed.org.      82735   IN      NS      dns103.comcast.net.
dnssec-failed.org.      82735   IN      NS      dns101.comcast.net.
dnssec-failed.org.      82735   IN      NS      dns105.comcast.net.
dnssec-failed.org.      82735   IN      NS      dns104.comcast.net.

;; ADDITIONAL SECTION:
dns102.comcast.net.     82735   IN      A       68.87.85.132
dns102.comcast.net.     82735   IN      AAAA    2001:558:1004:7:68:87:85:132
dns103.comcast.net.     82735   IN      A       68.87.76.228
dns103.comcast.net.     82735   IN      AAAA    2001:558:1014:c:68:87:76:228
dns105.comcast.net.     82735   IN      A       68.87.72.244
dns105.comcast.net.     82735   IN      AAAA    2001:558:100e:5:68:87:72:244
dns101.comcast.net.     82735   IN      A       69.252.250.103
dns101.comcast.net.     82735   IN      AAAA    2001:558:fe23:8:69:252:250:103
dns104.comcast.net.     82735   IN      A       68.87.68.244
dns104.comcast.net.     82735   IN      AAAA    2001:558:100a:5:68:87:68:244

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb  1 19:48:25 2017
;; MSG SIZE  rcvd: 407

Any ideas as for what the cause could be for DNSSEC to pass when it should indeed fail? I'm thinking of reconfiguring DNSSEC altogether at this point. Turning it off, then adjusting one setting at a time to determine the root cause.

Ellendhel · 02-02-2017, 08:21 AM

Did you set any forwarder in your BIND configuration? It seems that the answer that you get comes from Comcast.

I have never been using Comcast and I don't know if their DNS servers are reliable or not, but if your DNS server relies on the ones from Comcast and they are lying... I know that Verizon does this, they provide answers for non-existent domains and redirect people to a "friendly error page".

If you really want to have a DNS server with DNSSEC, your server should be doing all the work itself, not using forwarders if possible.

Latitude · 02-02-2017, 01:35 PM

After I read your post I looked again at my options section of named.conf and didn't see any forwarders, which I also originally searched for. I've included the options section of named.conf below.

Code:

options {
        // Server options
        directory "/var/named";
        auth-nxdomain yes;
        interface-interval 0;
        lame-ttl 900;
        listen-on-v6 { none; };
        version " ";
        zone-statistics yes;
        dump-file "data/named_dump.db";
        statistics-file "data/named.stats";
//      pid-file none;
        pid-file "/var/run/named/named.pid";

I'm still searching for other causes. The latest thing I tried was changing dnssec-validation from yes to auto but I saw no change in the failures. The //DNS Security section of the named.conf file is below:

Code:

 // DNS Security
        dnssec-enable yes;
        dnssec-validation auto;
        dnssec-lookaside auto;