2604 - Troubleshooting DNSSEC in NIOS
Scenario
You have started as a new DNS administrator at a company. DNSSEC has just been implemented in your environment.
Users are reporting their inability to access various public domains, In the ticket you're currently handling the user is reporting their inability to access www.yahoo.com while being able to access www.example.com, Please investigate the problem and fix it.
Estimate Completion Time
45 to 60 Minutes
Credentials
Description | Username | Password | URL or IP |
|---|---|---|---|
Grid Manager UI | admin | infoblox |
Requirements
2009: Configuring NIOS DNS Services
2023: Configuring NIOS DNS Zones
3011: DNS Troubleshooting Methodology
Lab Initiation
Access jump-desktop
Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and login to the Linux UI:
Username: training
Password: infoblox
Initiate lab
To initiate the lab, double-click the Launch Lab icon on the Desktop.
Launch Lab
Choose the lab number from the list and click OK.
After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.
Lab initiation will take a couple of minutes to finish.
Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.
Tasks
Task 1: First Ticket
You're investigating the reported problem, first you need to verify the problem exists then understand what is causing the problem in order to fix it.
Execute the following dig commands on the Jump-Desktop (10.35.22.10):
dig @10.100.0.105 www.example.com. A
dig @10.100.0.105 www.yahoo.com. AWhich query failed?
Try with DNSSEC disabled and note the difference. What is the root cause?
Solutions
Task 1: First Ticket
Root cause
The correct anchor is installed, but the "responses must be secure" option is enabled.
Detailed Analysis
We are able to lookup secure domain names such as www.example.com and www.fbi.gov However, when querying for other insecure domains such as www.yahoo.com or www.google.com, we get SERVFAIL.
This is a big problem as the vast majority of the domains have yet to be signed. Examples shown the following figures.
On the Grid Master IBGM (10.100.0.100), navigate to Administration → Logs → Syslog, and we can see the syslog messages as shown in following figure that indicates the error is rooted in the must-be-secure option.
We can verify this misconfiguration by navigating to Data Management → DNS, Toolbar → Grid DNS Properties → DNSSEC, scroll down to the Trust Anchor section, and see that the Responses Must Be Secure option is enabled for the root zone, as shown in the following figure.
This configuration instructs the validating resolver to treat all sub domains of root to be secure, which would be every single domain name, and is the root cause of our issue. Uncheck the option, save, and restart services to fix the issue.