Can't find domain name

Hi,

We can't reach the domain name gruintjes.nl. When we look into the
logging with verbosity: 2, we get the following messages:

Aug 22 11:43:30 unbound[4957:1] info: resolving www.gruintjes.nl. A IN
Aug 22 11:43:30 unbound[4957:1] info: response for www.gruintjes.nl. A IN
Aug 22 11:43:30 unbound[4957:1] info: response for www.gruintjes.nl. A IN
Aug 22 11:43:30 unbound[4957:1] info: reply from <gruintjes.nl.> 83.137.192.101#53
Aug 22 11:43:30 unbound[4957:1] info: response for www.gruintjes.nl. A IN
Aug 22 11:43:30 unbound[4957:1] info: reply from <gruintjes.nl.> 217.170.1.241#53
Aug 22 11:43:35 unbound[4957:0] info: resolving www.gruintjes.nl. A IN
Aug 22 11:43:42 unbound[4957:1] info: response for www.gruintjes.nl. A IN
Aug 22 11:43:42 unbound[4957:1] info: reply from <gruintjes.nl.> 83.137.192.101#53
Aug 22 11:43:42 unbound[4957:1] info: validated DS gruintjes.nl. DS IN
Aug 22 11:43:42 unbound[4957:1] info: resolving gruintjes.nl. DNSKEY IN
Aug 22 11:43:42 unbound[4957:1] info: response for gruintjes.nl. DNSKEY IN
Aug 22 11:43:42 unbound[4957:1] info: reply from <gruintjes.nl.> 217.170.1.241#53
Aug 22 11:43:42 unbound[4957:1] info: resolving gruintjes.nl. DNSKEY IN
Aug 22 11:43:42 unbound[4957:1] info: response for gruintjes.nl. DNSKEY IN
Aug 22 11:43:42 unbound[4957:1] info: reply from <gruintjes.nl.> 83.137.192.101#53
Aug 22 11:43:42 unbound[4957:1] info: resolving gruintjes.nl. DNSKEY IN
Aug 22 11:43:42 unbound[4957:1] info: response for gruintjes.nl. DNSKEY IN
Aug 22 11:43:42 unbound[4957:1] info: reply from <gruintjes.nl.> 217.170.1.241#53
Aug 22 11:43:42 unbound[4957:1] info: resolving gruintjes.nl. DNSKEY IN
Aug 22 11:43:42 unbound[4957:1] info: response for gruintjes.nl. DNSKEY IN
Aug 22 11:43:42 unbound[4957:1] info: reply from <gruintjes.nl.> 83.137.192.101#53
Aug 22 11:43:42 unbound[4957:1] info: resolving gruintjes.nl. DNSKEY IN
Aug 22 11:43:42 unbound[4957:1] info: response for gruintjes.nl. DNSKEY IN
Aug 22 11:43:42 unbound[4957:1] info: reply from <gruintjes.nl.> 217.170.1.241#53
Aug 22 11:43:42 unbound[4957:1] info: resolving gruintjes.nl. DNSKEY IN
Aug 22 11:43:42 unbound[4957:1] info: response for gruintjes.nl. DNSKEY IN
Aug 22 11:43:42 unbound[4957:1] info: reply from <gruintjes.nl.> 217.170.1.241#53
Aug 22 11:43:42 unbound[4957:1] info: Could not establish a chain of trust to keys for gruintjes.nl. DNSKEY IN
Aug 22 11:43:53 unbound[4957:0] info: response for www.gruintjes.nl. A IN
Aug 22 11:43:53 unbound[4957:0] info: reply from <gruintjes.nl.> 217.170.1.241#53
Aug 22 11:44:15 unbound[4957:1] info: resolving gruintjes.nl. MX IN

We are using unbound version 1.4.16.

When we sniff the packets we do not see any problems, except that the
nameservers ns1.hix.nl and ns2.hix.nl are mentioned 8 times in the
additional section; also, the nameserver ns-3.eu. is not responding.

But I do not think that this would be the problem.

So I can't find the solution to this problem?

Kind regards,

Michiel Piscaer

Hi Michiel,

> Hi,
>
> We can't reach the domain name gruintjes.nl. When we look into the
> logging with verbosity: 2, we get the following messages:

val-log-level: 2 shows a detailed error, here

validation failure <gruintjes.nl. A IN>: No DNSKEY record from
217.170.1.241 for key gruintjes.nl. while building chain of trust

> We are using unbound version 1.4.16.
>
> When we sniff the packets we do not see any problems, except that the
> nameservers ns1.hix.nl and ns2.hix.nl are mentioned 8 times in the
> additional section; also, the nameserver ns-3.eu. is not
> responding.

There is a gruintjes.nl DS record, but the nameservers do not have any
DNSSEC information at all. I should say, the answers that I got did
not contain any DNSSEC, so some imposter must have removed them and
therefore it is considered false information. But I surmise that this
is a configuration problem of gruintjes.nl: DNSSEC was enabled with a DS
record in the parent, but the zone does not have DNSSEC records.

> But I do not think that this would be the problem.
>
> So I can't find the solution to this problem?

Can you get "hix.nl" to sign gruintjes.nl (they must have this planned,
since there is a DS record)? Or remove the DS record.

Normally, you first sign the domain, then publish the DNSSEC records,
and only then put the DS up.

(to make your life happier, if you decide to remove the DS record, the
domain name will likely start to work very quickly (with a much lower
TTL than usual): because of the DNSSEC-bogus indication, unbound keeps
fetching fresh data for this name frequently (BIND has similar
behaviour)).

If you have no way to engage with hix or mr.gruintjes, then there is
the config option domain-insecure: "gruintjes.nl" that would instruct
unbound to ignore DNSSEC for the domain name.

Best regards,
   Wouter
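The failure Wouter describes is the DS-to-DNSKEY link of the chain of trust: the parent publishes a DS that names a key, and the child zone must serve a DNSKEY whose digest matches it. The following is an added example, not code from the thread or from unbound, that reproduces that check in Python and classifies the four situations discussed here (zone signed, DS present but no DNSKEY, DS removed, and a domain-insecure override). The zone name example.test., the key bytes and the `domain_insecure` parameter are constructed for the illustration; the key-tag and DS-digest computations follow RFC 4034.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# DS digest type codes (RFC 4034 section 5.1.3, RFC 4509)
DS_DIGEST_SHA1 = 1
DS_DIGEST_SHA256 = 2


@dataclass(frozen=True)
class DNSKEY:
    owner: str       # zone apex, e.g. "example.test."
    flags: int       # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int    # always 3 for DNSSEC
    algorithm: int   # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        # Wire-format RDATA: flags (2 bytes), protocol (1), algorithm (1), key material.
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: sum the RDATA as 16-bit words, then fold the carry.
        acc = 0
        for i, b in enumerate(self.rdata()):
            acc += b if i & 1 else b << 8
        acc += (acc >> 16) & 0xFFFF
        return acc & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def name_to_wire(name: str) -> bytes:
    # Canonical form (RFC 4034 section 6.2): lower-case, length-prefixed labels, root byte.
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def ds_from_dnskey(key: DNSKEY, digest_type: int = DS_DIGEST_SHA256) -> DS:
    # RFC 4034 section 5.1.4: digest = hash(owner name wire || DNSKEY RDATA).
    hasher = {DS_DIGEST_SHA1: hashlib.sha1, DS_DIGEST_SHA256: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(key.owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)


def check_chain_of_trust(zone: str, parent_ds: List[DS], zone_dnskeys: List[DNSKEY],
                         domain_insecure: Iterable[str] = ()) -> Tuple[str, str]:
    """Classify the DS -> DNSKEY link the way a validating resolver does.

    Returns (status, reason) with status 'secure', 'bogus' or 'insecure'.
    domain_insecure (assumed parameter) mimics unbound's domain-insecure
    option: the zone is treated as unsigned and the parent's DS is ignored.
    """
    def norm(n: str) -> str:
        return n.rstrip(".").lower()

    if norm(zone) in {norm(z) for z in domain_insecure}:
        return "insecure", f"{zone} is listed as domain-insecure; DNSSEC ignored"
    if not parent_ds:
        return "insecure", f"no DS for {zone} in the parent: unsigned delegation"
    if not zone_dnskeys:
        # The thread's failure mode: the parent promises a key the zone never serves.
        return "bogus", f"No DNSKEY record for key {zone} while building chain of trust"
    for ds in parent_ds:
        for key in zone_dnskeys:
            if (key.key_tag(), key.algorithm) != (ds.key_tag, ds.algorithm):
                continue
            if ds_from_dnskey(key, ds.digest_type).digest == ds.digest:
                return "secure", f"DS {ds.key_tag} matches a DNSKEY in {zone}"
    return "bogus", f"DNSKEY RRset of {zone} matches no DS in the parent"


# Constructed example data: a placeholder zone and fake key bytes, not real DNS data.
ZONE = "example.test."
KSK = DNSKEY(ZONE, 257, 3, 13, bytes(range(1, 65)))
PARENT_DS = [ds_from_dnskey(KSK)]
OLD_PROVIDER_KEYS = [KSK]   # DNSKEY RRset as served by a signing provider
NEW_PROVIDER_KEYS = []      # a provider that serves no DNSKEY at all


def scenarios():
    # The four states discussed in the thread.
    return {
        "signed": check_chain_of_trust(ZONE, PARENT_DS, OLD_PROVIDER_KEYS),
        "ds_but_no_dnskey": check_chain_of_trust(ZONE, PARENT_DS, NEW_PROVIDER_KEYS),
        "ds_removed": check_chain_of_trust(ZONE, [], NEW_PROVIDER_KEYS),
        "domain_insecure": check_chain_of_trust(ZONE, PARENT_DS, NEW_PROVIDER_KEYS,
                                                domain_insecure=["example.test"]),
    }


if __name__ == "__main__":
    for name, (status, reason) in scenarios().items():
        print(f"{name:18s} {status:9s} {reason}")
```

Only the "signed" row comes out secure; the DS-without-DNSKEY row is bogus with the same "No DNSKEY record ... while building chain of trust" wording as the val-log-level: 2 message, and both fixes Wouter lists (remove the DS, or list the zone as domain-insecure) turn it into insecure rather than secure. That is the trade-off of the domain-insecure workaround: it restores resolution by dropping validation for that one zone, so it is a stopgap until the DS and DNSKEY agree again.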

> validation failure <gruintjes.nl. A IN>: No DNSKEY record from
> 217.170.1.241 for key gruintjes.nl. while building chain of trust
    
etc.

A great tool to see whether the problem is caused by a broken
configuration or broken software is
<http://dnssec-debugger.verisignlabs.com/>. Testing gruintjes.nl, it
comes to the same conclusion as Wouter.

  jaap

I saw that website, but I didn't understand it completely. That is why I
wrote the e-mail.

I have notified the client and he will call the hosting company to get it
fixed.

Thanks for helping me out.

Kind regards,

Michiel Piscaer

Hi,

I'm curious why a hoster would do this.

Do you know if they recently changed DNS provider for this domain?

That would, to me, seem like the most likely cause.

The previous provider does use DNSSEC; the new provider does not (and
forgot to remove the DS).

Have a nice day,
  Leen.

That sounds plausible, but I did not check it.

Kind regards,

Michiel Piscaer