# BIND 9 DNSSEC validation does not work



## jahlives (Jun 27, 2012)

Hello

My first post here so I hope I do "deliver" all the necessary information.

I have a FreeBSD 9.0 system and am trying to run BIND 9 (9.9.1-P1) with DNSSEC validation on the resolver. So I set the following in /etc/named/etc/namedb/named.conf

```
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;
```
in the options part and restarted named.

The DNSSEC validation works exactly once after the restart/start of named. So directly after the start the following works:

```
svalbard# dig pir.org +dnssec +multi +short
97.74.26.128
A 5 2 300 20120711085000 ...
```
But if I issue the command again nothing is returned and if I leave out +short then it shows SERVFAIL. If I restart named it works again once.

I'm quite new to FreeBSD/BIND but for me this sounds like a cache problem of the resolver. Any ideas where/what I could check? As a workaround I added another resolver to /etc/resolv.conf before 127.0.0.1 so the request will always be answered.

Thanks a lot for any idea/hint.
Cheers

tobi


----------



## TheDreamer (Jul 2, 2012)

Check if you're behind a firewall or something that doesn't understand that EDNS means UDP packets can be larger than 512 bytes?

I had a problem with my DNS servers and DNSSEC, because the corporate anti-P2P appliance was classifying the large DNS packets as P2P.  Which was corrupting BIND's DNSSEC key management stuff. The workaround until I got our IT Security people to fix things was to keep restarting BIND (even though I maintain eight caching servers at work, most people think there's only one.)

Though I'm not running 9.9.x anywhere yet. (My FreeBSD servers are 9.8.x and the Solaris servers are 9.7.x).

The Dreamer
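
The query and reply fields this suggestion turns on, as an added example that is not part of the original thread: it builds the kind of query `dig +dnssec` sends (an EDNS0 OPT record advertising a UDP size above 512 bytes, with the DO bit set) and classifies a reply by RCODE, TC, AD and datagram size. The function names, the 4096-byte size and the two sample replies are constructed for illustration.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_dnssec_query(name, qtype=1, udp_size=4096, txid=0x1234):
    """Build an A query carrying an EDNS0 OPT record with the DO bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size,
    # TTL = ext-rcode | version | flags (DO = 0x8000), RDLEN = 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x00008000, 0)
    return header + question + opt

def assess_response(packet):
    """Classify a resolver reply from its header flags and size."""
    _txid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    rcode = flags & 0x000F
    result = {
        "rcode": RCODES.get(rcode, str(rcode)),
        "truncated": bool(flags & 0x0200),   # TC bit
        "validated": bool(flags & 0x0020),   # AD bit
        "answers": answers,
        "size": len(packet),
        "needs_edns": len(packet) > 512,     # would not fit a classic DNS datagram
    }
    if result["rcode"] == "SERVFAIL":
        result["hint"] = "resolver failed to validate or fetch; check its log and the UDP path"
    elif result["truncated"]:
        result["hint"] = "reply truncated; large UDP is not getting through, retry over TCP"
    elif result["validated"]:
        result["hint"] = "resolver validated the answer (AD set)"
    else:
        result["hint"] = "answered without validation (AD clear)"
    return result

# Constructed sample replies (headers only; zero padding stands in for RRSIG data).
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)
SAMPLE_SIGNED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 1) + b"\x00" * 600

if __name__ == "__main__":
    print(build_dnssec_query("pir.org").hex())
    for sample in (SAMPLE_SERVFAIL, SAMPLE_SIGNED):
        print(assess_response(sample))
```

A signed reply that only fits because of EDNS (`needs_edns` true) is exactly the datagram a middlebox limited to 512-byte DNS would drop or mangle.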


----------



## jahlives (Jul 2, 2012)

@TheDreamer

I don't think that this could be a firewall issue as nothing changed on the firewall. Both router-firewalls are identical (hardware and software). But I think that I could narrow it down: I installed another BIND in a jail. There, with the same configuration concerning DNSSEC it works like a charm.

```
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;
```
I checked the BIND version in the jail and saw that there is a 9.8 version of BIND running.
With the problematic 9.9 version I found that if I set

```
dnssec-lookaside no;
```
in /etc/named/namedb/named.conf then the `# dig pir.org +dnssec +short` does always work without restarting named.

I think I will "downgrade" BIND to the same version as in the jail and see if it works too.


----------



## TheDreamer (Jul 3, 2012)

That sounds like it's having trouble refreshing the managed-keys.bind file, which is the public key to validate responses from the lookaside service.

Yet, it doesn't make sense, because pir.org has a proper DNSSEC trust linkage from the root down...so it doesn't need lookaside validation to validate.

Perhaps the bug introduced in 9.7.5/9.8.2/9.9.0 is still lingering....where the response was stay with 9.7.4-P1/9.8.1-P1...and don't use 9.9.  But the recent 9.7.6-P1/9.8.3-P1/9.9.1-P1 is supposed to address the latest DNS vulnerability.

I was hoping at some point that I would upgrade all my DNS servers to 9.9.x, but maybe I'm staying with 9.7.x for another year.....and then when all the secondary and caching servers reach EOL next summer, they become FreeBSD systems.  Though 9.9.x is supposed to introduce some significant performance improvements.  Though I'm now running my (stealth) primary nameserver on a nice beefy Sun Fire X4170....while all the secondary and caching servers are zones on Sun Fire X4100s.

Until recently there had only been some one-off production FreeBSD server at our site (with the HIPAA data nobody wants to know about), but I now have FreeBSD mostly integrated into our configuration management system (missing minor things like NFS, amd, LDAP, and jails seems to need some tweaking)....but soon hope that we'll have a few more in production.  We finally got the kick that enabled us to have FreeBSD in production from the federal government (customer of ours at the USDA wanted FreeBSD/Jails/ZFS to replace their Solaris/Zones/ZFS server.)  Unfortunately, we'll still probably have to support the Linux stuff here....  Though now we'll have another option to try to direct them to before being forced to provide them a Linux host.

Strange... whitebox FreeBSD boxes sitting unlabeled in corner of datacenter, with HIPAA data that we don't want to know of its existence. (co-mingled into our routine backups)  To, a set of HP Proliants, ESX, mostly Windows VMs....front and center in the datacenter, with big steal me signage and with 24/7 video & security all over it....for PCI-DSS. (with separated backups, to clearly labeled 'steal me' tapes.)  Where you have to explain yourself every time you just walk in front of the rack.  Well, they put next to my DNS servers (of course, they used to be mail servers before we outsourced that.)

Oops...I've rambled off again....

The Dreamer.


----------

