Hello
On 27.12.2022 09:45, Benoit Panizzon via swinog wrote:
> Hi List
>
> Fancy another DNS issue hunt?
>
> We have DNSSEC validation enabled on our BIND DNS Servers.
> Same for my private servers.
>
> We started seeing:
>
> no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 2a01:8100:2901::1:183:202#53
> no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 2a01:8100:2901::1:183:201#53
> no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 81.88.58.219#53
> no valid RRSIG resolving 'www.numberportability.ch/DS/IN': 195.110.124.196#53
>
> broken trust chain resolving 'www.numberportability.ch/HTTPS/IN': 2a01:8100:2901::1:183:202#53
> broken trust chain resolving 'www.numberportability.ch/AAAA/IN': 2a01:8100:2901::1:183:202#53
> client @0x803541d60 X.X.X.X#27325 (www.numberportability.ch): query failed (broken trust chain) for www.numberportability.ch/IN/AAAA at query.c:7724
It all looks fine so far from my end, or did I miss something important?
fabian@flashback:~ % dig -t ns numberportability.ch +dnssec

; <<>> DiG 9.10.6 <<>> -t ns numberportability.ch +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28854
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;numberportability.ch.          IN      NS

;; ANSWER SECTION:
numberportability.ch.   900     IN      NS      dns2.swizzonic.ch.
numberportability.ch.   900     IN      NS      dns1.swizzonic.ch.
numberportability.ch.   900     IN      RRSIG   NS 13 2 900 20230105000000 20221215000000 10556 numberportability.ch. YDc8MgSRBZDVlRBaP5RfxeGZdkYvNkci8N2rpxQ5NsvjWz9M/HDasP6P AAk4H2tJsJyVK0HqghSCuwuTub1opA==

;; Query time: 42 msec
;; SERVER: 2001:8a8:1005:1::2#53(2001:8a8:1005:1::2)
;; WHEN: Wed Dec 28 11:24:10 CET 2022
;; MSG SIZE  rcvd: 215

fabian@flashback:~ % dig www.numberportability.ch +dnssec @dns1.swizzonic.ch.

; <<>> DiG 9.10.6 <<>> www.numberportability.ch +dnssec @dns1.swizzonic.ch.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 669
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1680
;; QUESTION SECTION:
;www.numberportability.ch.      IN      A

;; ANSWER SECTION:
www.numberportability.ch. 900   IN      A       164.128.159.204
www.numberportability.ch. 900   IN      RRSIG   A 13 3 900 20230105000000 20221215000000 10556 numberportability.ch. 5PpTJZ19GmcEyD8i3iUBWoZdGYECB3Hvdx2JclKfDVKl3KVbuBekf6RL kP1HRSYPhJZak25YeyhKe1oPemHXrw==

;; Query time: 21 msec
;; SERVER: 2a01:8100:2901::1:183:201#53(2a01:8100:2901::1:183:201)
;; WHEN: Wed Dec 28 11:24:22 CET 2022
;; MSG SIZE  rcvd: 185

fabian@flashback:~ % dig www.numberportability.ch +dnssec @dns2.swizzonic.ch.

; <<>> DiG 9.10.6 <<>> www.numberportability.ch +dnssec @dns2.swizzonic.ch.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14397
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1680
;; QUESTION SECTION:
;www.numberportability.ch.      IN      A

;; ANSWER SECTION:
www.numberportability.ch. 900   IN      A       164.128.159.204
www.numberportability.ch. 900   IN      RRSIG   A 13 3 900 20230105000000 20221215000000 10556 numberportability.ch. FuWo8czeDf/KyCcyYXJF+pYkFJ8HsIX4RrW5a9+fIGqtDUVud7+lxPo9 1oW4H1v69+Mf7rze8SdxAsODJwFUQw==

;; Query time: 36 msec
;; SERVER: 2a01:8100:2901::1:183:202#53(2a01:8100:2901::1:183:202)
;; WHEN: Wed Dec 28 11:24:31 CET 2022
;; MSG SIZE  rcvd: 185

fabian@flashback:~ %
Also checking at DNSViz it looks fine: https://dnsviz.net/d/numberportability.ch/dnssec/
So either they fixed it in the meantime, or else your server may have some issue or something bad in its cache.
Best regards, Fabian
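Added example, not part of the thread and not from either poster: a Python script that performs offline the metadata checks a validating resolver does before it can report "no valid RRSIG" or "broken trust chain". It checks that an RRSIG is inside its inception/expiration window, that its signer is the zone, that its labels field does not exceed the owner name, that its key tag and algorithm match a published DNSKEY, and that a parent DS matches a child KSK by key tag, algorithm and SHA-256 digest (RFC 4034 Appendix B and RFC 4509). The RRSIG line for www.numberportability.ch is copied from the dig output above; the zone example.ch, its DNSKEY and DS records and their 4-byte "public keys" are constructed so that the script runs without network access, which is why their key tags (2067 and 2068) deliberately differ from the real zone's 10556. The script does not verify signature bytes; for that, give the real records to `delv` (shipped with BIND) or dnspython's `dns.dnssec.validate()`.

```python
# Offline metadata checks for a DNSSEC chain: what a validator checks before the
# signature bytes themselves (window, signer, labels, key tag, DS linkage).
import base64
import hashlib
import struct
from datetime import datetime, timezone

def canon(name):
    """Lower-case absolute form of a name ("Example.CH" -> "example.ch.")."""
    return name.lower().rstrip(".") + "."

def sig_time(s):
    """RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Parse one RRSIG line in dig presentation format (base64 may contain spaces)."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {"owner": canon(f[0]), "type_covered": f[4], "algorithm": int(f[5]),
            "labels": int(f[6]), "original_ttl": int(f[7]),
            "expiration": sig_time(f[8]), "inception": sig_time(f[9]),
            "key_tag": int(f[10]), "signer": canon(f[11]),
            "signature": base64.b64decode("".join(f[12:]))}

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (the algorithm 1 special case is omitted)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, protocol, algorithm, pubkey_b64)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(name):
    """Canonical wire form of a name: length-prefixed lower-case labels plus root."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in canon(name).split(".") if l) + b"\x00"

def ds_digest_sha256(owner, flags, protocol, algorithm, pubkey_b64):
    """DS digest type 2 (RFC 4509): SHA-256(owner in wire form || DNSKEY RDATA), hex."""
    data = wire_name(owner) + dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return hashlib.sha256(data).hexdigest().upper()

def check_rrsig(rrsig, zone, dnskeys, now):
    """Reasons a validator would reject this RRSIG's metadata ([] = none found); dnskeys is a list of (flags, protocol, algorithm, pubkey_b64) or None to skip the key-tag check."""
    problems = []
    if not rrsig["inception"] <= now <= rrsig["expiration"]:
        problems.append("signature not valid at %s (window %s .. %s)" % (
            now.isoformat(), rrsig["inception"].isoformat(), rrsig["expiration"].isoformat()))
    if rrsig["signer"] != canon(zone):
        problems.append("signer %s is not the zone %s" % (rrsig["signer"], canon(zone)))
    owner_labels = [l for l in rrsig["owner"].split(".") if l and l != "*"]
    if rrsig["labels"] > len(owner_labels):
        problems.append("labels field %d exceeds the %d labels of %s" % (
            rrsig["labels"], len(owner_labels), rrsig["owner"]))
    if dnskeys is not None:
        tags = {(key_tag(*k), k[2]) for k in dnskeys}
        if (rrsig["key_tag"], rrsig["algorithm"]) not in tags:
            problems.append("no DNSKEY with key tag %d / algorithm %d (zone publishes %s)" % (
                rrsig["key_tag"], rrsig["algorithm"], sorted(tags)))
    return problems

def check_ds(zone, ds, dnskeys):
    """Link a parent DS (key_tag, algorithm, digest_type, hex digest) to a child KSK."""
    tag, alg, dtype, digest = ds
    if dtype != 2:
        return ["digest type %d not handled here (only 2 = SHA-256)" % dtype]
    for flags, proto, kalg, pub in dnskeys:
        if not flags & 1:  # SEP bit (RFC 4034 section 2.1.1): only KSKs are DS targets
            continue
        if key_tag(flags, proto, kalg, pub) != tag or kalg != alg:
            continue
        if ds_digest_sha256(zone, flags, proto, kalg, pub) == digest.upper():
            return []
        return ["DS key tag %d matches a KSK but the digest differs: KSK rolled without updating the DS?" % tag]
    return ["no SEP DNSKEY with key tag %d / algorithm %d: the parent DS names a key the child does not publish" % (tag, alg)]

# Sample data. The RRSIG line is copied from the dig output in the thread above.
THREAD_RRSIG_A = ("www.numberportability.ch. 900 IN RRSIG A 13 3 900 20230105000000 20221215000000 10556 "
                  "numberportability.ch. 5PpTJZ19GmcEyD8i3iUBWoZdGYECB3Hvdx2JclKfDVKl3KVbuBekf6RL "
                  "kP1HRSYPhJZak25YeyhKe1oPemHXrw==")
THREAD_TIME = sig_time("20221228102400")  # 11:24 CET on Dec 28 2022, as in the dig output
# Everything below is constructed: a fake zone with throwaway 4-byte "public keys" (256 = ZSK,
# 257 = KSK, protocol 3, algorithm 13). Not the real keys, so the tags 2067/2068 differ from 10556.
FAKE_ZONE = "example.ch."
FAKE_ZSK = (256, 3, 13, "AQIDBA==")
FAKE_KSK = (257, 3, 13, "AQIDBA==")
FAKE_DNSKEYS = [FAKE_ZSK, FAKE_KSK]
FAKE_RRSIG_A = ("www.example.ch. 900 IN RRSIG A 13 3 900 20230105000000 20221215000000 2067 "
                "example.ch. AAAA")  # dummy signature bytes; only the metadata is checked
FAKE_DS_GOOD = (2068, 13, 2, ds_digest_sha256(FAKE_ZONE, *FAKE_KSK))
FAKE_DS_STALE = (2068, 13, 2, "00" * 32)  # a KSK roll whose DS was never updated looks like this
```

Usage: `check_rrsig(parse_rrsig(THREAD_RRSIG_A), "numberportability.ch", None, THREAD_TIME)` returns an empty list for the signature above at the time of the thread and one "not valid" entry for any time after 5 January 2023, while `check_ds(FAKE_ZONE, FAKE_DS_STALE, FAKE_DNSKEYS)` reports the digest mismatch that a parent DS left behind by a KSK rollover produces. For the real zone, `dig DNSKEY <zone> +dnssec` and `dig DS <zone> +dnssec` supply the inputs; the DS query must go to the parent's servers, which is where the chain breaks when the two sides disagree.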