Skip to content

DNSSEC fails for subdomains

For this zone(and other signed zones) i can resolve the main domain just fine, but it seems that all subdomains fail.

root@turris:~# dig foo.simonvikstrom.se 

; <<>> DiG 9.10.5-P3 <<>> foo.simonvikstrom.se
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58022
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;foo.simonvikstrom.se.		IN	A

;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 19 08:25:49 CEST 2017
;; MSG SIZE  rcvd: 38

root@turris:~# dig foo.simonvikstrom.se +cd

; <<>> DiG 9.10.5-P3 <<>> foo.simonvikstrom.se +cd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35728
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;foo.simonvikstrom.se.		IN	A

;; ANSWER SECTION:
foo.simonvikstrom.se.	621	IN	A	46.30.215.95

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 19 08:25:53 CEST 2017
;; MSG SIZE  rcvd: 65

root@turris:~# dig foo.simonvikstrom.se +dnssec @8.8.8.8

; <<>> DiG 9.10.5-P3 <<>> foo.simonvikstrom.se +dnssec @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31743
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;foo.simonvikstrom.se.		IN	A

;; ANSWER SECTION:
foo.simonvikstrom.se.	2	IN	RRSIG	A 8 3 900 20170928000000 20170907000000 57360 simonvikstrom.se. qRn7an14BlTAivITgke6148y1dMt/aMDCbFX3GXgSpo3KrLmQBTLpB2F EH08ff0myYgPFWOOmlBIhXep4y0Ue7XtZ33DiH3iKb+RGfvIQEd93OiI 2MPbcbRMCXs8ZONoKGz/xo0/uyh+MEt5onUOM5aolb7uJsZr3o4z9DhJ NFo=
foo.simonvikstrom.se.	2	IN	A	46.30.215.95

;; Query time: 71 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Sep 19 08:36:48 CEST 2017
;; MSG SIZE  rcvd: 241

The verbose log for the failing request can be found here: https://allg.one/G4er

The version is: Knot DNS Resolver, version 1.3.3 on my turris omnia

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information