delv could not verify www.ahou.edu.cn after upgrade to 9.11.3-1ubuntu1.11-Ubuntu

Asked by Zhang Huanjie

delv could not verify www.ahou.edu.cn after upgrade to 9.11.3-1ubuntu1.11-Ubuntu from 9.11.3-1ubuntu1.9-Ubuntu.

It says:
delv @8.8.8.8 www.ahou.edu.cn
;; validating ahou.edu.cn/DNSKEY: no valid signature found
;; insecurity proof failed resolving 'ahou.edu.cn/DNSKEY/IN': 8.8.8.8#53
;; broken trust chain resolving 'www.ahou.edu.cn/A/IN': 8.8.8.8#53
;; resolution failed: broken trust chain

I am sure 9.11.3-1ubuntu1.9-Ubuntu works.

Question information

Language: English
Status: Solved
For: Ubuntu bind9
Assignee: No assignee
Solved by: Zhang Huanjie

actionparsnip (andrew-woodhead666) said :
#1

Does dig work OK to the same IP?
If you have iptables / ufw configured, are you allowing 53/TCP in and out?

actionparsnip (andrew-woodhead666) said :
#2

Also try:

delv -4 @8.8.8.8 www.ahou.edu.cn

Can you Telnet to 8.8.8.8 on port 53?

Zhang Huanjie (bg6cq) said :
#3

Just now I found that the .cn domain key expired 8 hours ago, so I cannot test now.

The following two files are the output of "delv -d 10 www.ahou.edu.cn" and "delv -d 10 www.ustc.edu.cn" from delv 9.11.3-1ubuntu1.11-Ubuntu, logged 4 days ago.

www.ustc.edu.cn verifies OK; its key algorithm is NSEC3RSASHA1.
www.ahou.edu.cn fails to verify; its key algorithm is ECDSAP384SHA384.

https://ipv6.ustc.edu.cn/ahou.txt
https://ipv6.ustc.edu.cn/ustc.txt

I am sure both verify OK when delv is 9.11.3-1ubuntu1.9-Ubuntu.

Thanks a lot.

actionparsnip (andrew-woodhead666) said :
#4

I suggest you report a bug. Mark it as a regression.

Zhang Huanjie (bg6cq) said :
#5

Thank you for your advice.

I did a fresh install of Ubuntu 18.04 and ran some tests.

The problem was caused by the libssl1.1 upgrade, not by the delv upgrade.

In the fresh installation of Ubuntu 18.04, the libssl1.1 version is 1.1.0g-2ubuntu4. delv works OK.

After upgrading libssl1.1 to 1.1.1-1ubuntu2.1~18.04.5, delv could not verify www.ahou.edu.cn.

actionparsnip (andrew-woodhead666) said :
#6

If you use a different URL does it work OK or is it all URLs?

Zhang Huanjie (bg6cq) said :
#7

bind 9.11.0 - 9.11.15 could not work with libssl1.1 1.1.1-1ubuntu2.1~18.04.5.
bind 9.14.* works.
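
The isolation step from reply #5 can also be done from the package log instead of a reinstall. The script below is an added example, not part of the thread: it lists upgrades of delv's own package and of every library delv links against since a chosen date. The function names, the dates, the `dnsutils` and `examplepkg` log lines and the log path are assumptions; only the libssl1.1 and 9.11.3 version strings come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): find which upgrades could have changed
# delv's DNSSEC validation, counting the libraries it loads as well as delv.

# Packages owning the delv binary and its shared libraries (Debian/Ubuntu host).
linked_packages() {
    { command -v delv; ldd "$(command -v delv)" | awk '/=> \// { print $3 }'; } |
        xargs dpkg -S 2>/dev/null | cut -d: -f1 | sort -u | tr '\n' ' '
}

# upgrades_for "<pkg1 pkg2 ...>" <since YYYY-MM-DD>   (dpkg.log on stdin)
# Prints "date package old -> new" for matching upgrade records.
upgrades_for() {
    awk -v want="$1" -v since="$2" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        $3 == "upgrade" && ($1 "") >= (since "") {
            pkg = $4; sub(/:.*/, "", pkg)          # drop the ":amd64" suffix
            if (pkg in keep) print $1, pkg, $5, "->", $6
        }'
}

# Constructed sample in dpkg.log format: date time action package old new.
# Dates are made up; dnsutils is assumed to be the package shipping delv.
sample_dpkg_log() {
cat <<'EOF'
2020-01-02 06:12:01 upgrade libssl1.1:amd64 1.1.0g-2ubuntu4 1.1.1-1ubuntu2.1~18.04.5
2020-01-02 06:12:03 status installed libssl1.1:amd64 1.1.1-1ubuntu2.1~18.04.5
2020-01-03 06:30:10 upgrade dnsutils:amd64 9.11.3-1ubuntu1.9 9.11.3-1ubuntu1.11
2020-01-03 06:30:12 upgrade examplepkg:all 1.0 1.1
EOF
}

# Demo on the constructed log. On a real host, use instead:
#   upgrades_for "$(linked_packages)" 2020-01-01 < /var/log/dpkg.log
sample_dpkg_log | upgrades_for "dnsutils libssl1.1" 2020-01-01
```

Both candidates appear in the output, so each can be downgraded or held in turn to see which one changes the validation result.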