dnssec bug: resolver fails to validate answers
This is actually a validator bug; that's why it retries every time. We can discuss how much effort the resolver should make when it's fixed:
[plan] plan 'www.cmu.edu.' type 'A'
[plan] plan 'cmu.edu.' type 'DNSKEY'
[iter] <= rcode: NOERROR
[vldr] <= parent: updating DNSKEY
[vldr] <= answer valid, OK
[iter] <= rcode: NOERROR
[vldr] <= couldn't validate RRSIGs
One of the nameservers for cmu.edu is misconfigured and returns REFUSED:
$ dig IN A www.cmu.edu @ny-server-03.net.cmu.edu.
;; ->>HEADER<<- opcode: QUERY; status: REFUSED; id: 61298
;; Flags: qr rd; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; www.cmu.edu. IN A
;; Received 29 B
;; Time 2016-04-15 09:13:04 CEST
;; From 38.96.147.4@53(UDP) in 98.5 ms
kresd should try harder and not return REFUSED, but retry with different nameservers.
$ dig IN A www.cmu.edu @127.0.0.1
;; ->>HEADER<<- opcode: QUERY; status: REFUSED; id: 60007
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; www.cmu.edu. IN A
;; Received 29 B
;; Time 2016-04-15 09:13:46 CEST
;; From 127.0.0.1@53(UDP) in 165.3 ms
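The two behaviours above, as an added illustration that is not kresd code: a resolver that hands the client the first nameserver's REFUSED versus one that treats REFUSED/SERVFAIL from an authoritative server as "try the next nameserver". The server names, addresses and the final SERVFAIL fallback are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

NOERROR, SERVFAIL, REFUSED = "NOERROR", "SERVFAIL", "REFUSED"

@dataclass
class Response:
    rcode: str
    answer: List[str] = field(default_factory=list)

# Constructed sample: one authoritative server refuses every query
# (like ny-server-03 in the report), a second one answers normally.
SAMPLE_SERVERS: Dict[str, Callable[[str, str], Response]] = {
    "ns-refusing.example": lambda name, rtype: Response(REFUSED),
    "ns-good.example": lambda name, rtype: Response(NOERROR, ["192.0.2.10"]),
}

def query(ns: str, name: str, rtype: str) -> Response:
    """Stand-in for a real UDP/TCP query; looks the server up in the sample set."""
    return SAMPLE_SERVERS[ns](name, rtype)

def resolve_first_answer(name: str, rtype: str, servers: List[str]) -> Response:
    """Buggy behaviour: whatever the first nameserver says is passed to the client."""
    return query(servers[0], name, rtype)

def resolve_with_retry(name: str, rtype: str,
                       servers: List[str]) -> Tuple[Response, List[Tuple[str, str]]]:
    """Desired behaviour: skip servers answering REFUSED/SERVFAIL, try the rest.

    Returns the final response plus a trace of (nameserver, rcode) for logging,
    which is what you would want to see when diagnosing a lame delegation.
    """
    trace: List[Tuple[str, str]] = []
    for ns in servers:
        resp = query(ns, name, rtype)
        trace.append((ns, resp.rcode))
        if resp.rcode not in (REFUSED, SERVFAIL):
            return resp, trace
    # Assumption: only when every server failed does the resolver give up,
    # and it reports its own SERVFAIL rather than echoing a server's REFUSED.
    return Response(SERVFAIL), trace

if __name__ == "__main__":
    order = ["ns-refusing.example", "ns-good.example"]
    print(resolve_first_answer("www.cmu.edu.", "A", order).rcode)   # REFUSED
    print(resolve_with_retry("www.cmu.edu.", "A", order))           # NOERROR + trace
```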