DNS server won't return RRSIGs in response

  • Question

  • I have set up an Active Directory and during that, a DNS zone was created. I signed the zone via DNSSEC, but the DNS server is not returning RRSIG in responses, although they actually exist.

    Here are screenshots:

    pasteboard.co/GDG6Vpv.png

    pasteboard.co/GDG7cHP.png

    Any solutions for that?

    Tuesday, August 1, 2017 7:37 PM

Answers

  • Please also verify that DNSSEC is enabled on the server.

    Note that it is possible to sign a zone even if DNSSEC is disabled. But, if DNSSEC is disabled then the server will not return RRSIG.

    To see if DNSSEC is enabled, use Windows PowerShell and issue this command:

    (Get-DnsServerSetting -All).EnableDnsSec

    A setting of 0 means it is disabled.

    If it is disabled, you can enable it using the following commands.

    $a = Get-DnsServerSetting -All
    $a.EnableDnsSec = 1
    $a | Set-DnsServerSetting


    Tuesday, September 12, 2017 7:26 AM
    Owner
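As an added example (not code from the thread), the check in this answer combined with the `Resolve-DnsName -DnssecOk` query Candy suggests in the replies, so a single script confirms the setting and then proves RRSIGs are actually served. It assumes it runs in an elevated PowerShell on the DNS server with the DnsServer module available; `host.suex.cz` is a placeholder for a real A record in the zone.

```powershell
# Added example: verify EnableDnsSec, enable it if it is 0, then confirm with a
# DO-bit query against the authoritative server that RRSIG records come back.
# Assumes: run elevated on the DNS server; $RecordName is a placeholder.
$Server     = 'HACHIMON.suex.cz'   # authoritative server named in the thread
$RecordName = 'host.suex.cz'       # placeholder A record inside the signed zone

Import-Module DnsServer

# 1. Read the server-wide setting. 0 means DNSSEC is disabled, and the server
#    withholds RRSIGs even though the zone itself is signed.
$settings = Get-DnsServerSetting -All
Write-Host "EnableDnsSec = $($settings.EnableDnsSec)"

if ($settings.EnableDnsSec -eq 0) {
    Write-Host 'DNSSEC is disabled on this server; enabling it.'
    $settings.EnableDnsSec = 1
    $settings | Set-DnsServerSetting

    # Re-read instead of trusting the in-memory object, so a failed write is caught.
    $settings = Get-DnsServerSetting -All
    if ($settings.EnableDnsSec -ne 1) {
        throw 'EnableDnsSec is still 0 after Set-DnsServerSetting; check the DNS Server event log.'
    }
}

# 2. Query the authoritative server directly with the DO bit set (-DnssecOk).
#    Going straight to $Server bypasses any forwarder or recursive resolver, so
#    a missing RRSIG here is the server's fault, not the resolver's.
$answer = Resolve-DnsName -Name $RecordName -Type A -Server $Server -DnssecOk -ErrorAction Stop
$rrsigs = @($answer | Where-Object { $_.Type -eq 'RRSIG' })

if ($rrsigs.Count -gt 0) {
    Write-Host "OK: $($rrsigs.Count) RRSIG record(s) returned for $RecordName by $Server"
    $rrsigs | Format-Table Name, Type, TTL, Section -AutoSize
} else {
    Write-Warning "No RRSIG returned for $RecordName by $Server."
    Write-Warning 'Confirm the zone is signed (DNS Manager > zone > DNSSEC > Properties) and that the query reached the authoritative server.'
}
```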

All replies

  • Hi Matyáš Koc,

    >> I signed the zone via DNSSEC, but the DNS server is not returning RRSIG in responses, although they actually exist.

    It is possible that the job is only half done. You may need to distribute the trust anchor to the caching only DNS server on HACHIMON.suex.cz.

    Please refer to the following steps:

    1. As soon as you sign a zone the public keys will be generated and stored in the TrustAnchors.dns file under the system32\dns folder. On the server go to Properties > Sharing > Advanced Sharing, share this folder and click OK.

    2. Import the trust points. In DNS Manager on that server, right-click the Trust Points folder > select Import and then click on DNSKEY. In the dialog box point it to the keyset-dnssec.securebits.in file that we shared in our previous step.

    3. Navigate to Trust Points > in > securebits > dnssec and verify that the import was successful; you will see two DNSKEY trust points, one of them for the active key and one for the standby key.

    One of the features added for DNSSEC in Server 2012 is to automate the distribution of Trust Anchors to all the domain controllers in the forest hosting a DNS zone. To enable it, right-click the zone > DNSSEC > Properties > Trust Anchor > select Enable the Distribution of Trust Anchors for this zone.

    4. Then you could check if the DNS server could return RRSIG in response.

    For more details, please refer to the following link:

    DNSSEC changes and deployment in Windows Server 2012

    http://securebits.in/dnssec-changes-and-deployment-windows-server-2012/?i=1

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice.
    Microsoft does not guarantee the accuracy of this information.

    How to add a trust point for a zone that has been signed with DNSSEC.

    https://technet.microsoft.com/en-us/library/dn593661(v=ws.11).aspx

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, August 2, 2017 8:14 AM
  • >> You may need to distribute the trust anchor to the caching only DNS server

    The DNS recursion is disabled on that DNS server. Users in this network use another server as recursive resolver. The SUEX.CZ domain name is supposed to be delegated and therefore I think these records should go to the parent zone (.cz). Am I right?

    >> 1.As soon as you sign a zone the public keys will be generated and stored in the TrustAnchors.dns

    It isn't actually here, but could it be the keyset?

    https://pasteboard.co/GDLWnLb.png

    ---

    Oh, and I forgot to mention this: the server is running Windows Server 2016

    Wednesday, August 2, 2017 10:31 AM
  • Hi Matyáš Koc

    Based on the complexity and the specific situation, we need to do more research. If we have any updates or any thoughts about this issue, we will keep you posted as soon as possible. Your kind understanding is appreciated.

    Sorry for the inconvenience and thank you for your understanding and patience.

    Best Regards,
    Candy



    Friday, August 4, 2017 8:52 AM
  • Hi Matyáš Koc,

    Before we go further, I would like to confirm the following background information:

    1. After signing the zone via DNSSEC, how did you find that the DNS Server does not respond with RRSIG? What did you do, and how did you find the error in the picture below?

    2. Did you try to resolve DNS records in the signed zone?

    Actually, only when the client is DNSSEC-aware or the DO (DNSSEC OK) bit is included in the query will the DNS Server return DNSSEC data.

    Therefore, we can just send a query whose DO bit is set to 1, as below, to check the problem.

    (1) The client should be Windows Server 2012, 2012 R2, or Windows 8 / Windows 10
    (2) The client's preferred DNS Server should be HACHIMON.suex.cz

    If there are forwarders in your environment, we can skip that part at first and make the client query the DNS Server which holds the signed zone directly.

    If the DNS Server can return an RRSIG record, we can conclude that the problem happens in the forwarder process. (The DNS Server in this process should have trust anchors to perform DNSSEC validation of DNS responses for the signed zone. Otherwise there would be problems.)

    3. Run cmd and enter the command

    resolve-dnsname -name finance.secure.contoso.com<A record in suex.cz zone> -type A -server HACHIMON.suex.cz -dnssecok

    Check whether the client can receive RRSIG resource records like below. Please provide us the picture.

    If you have any questions or concerns, please don't hesitate to contact me.

    Best Regards,

    Candy





    Thursday, August 10, 2017 7:02 AM
  • Hi Matyáš Koc

    Just want to confirm the current situations.

    Please feel free to let us know if you need further assistance.              

    Best Regards,

    Candy



    Friday, August 11, 2017 8:33 AM
  • Hi Matyáš Koc

    Was your issue resolved?

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Candy



    Thursday, August 17, 2017 7:07 AM
  • Hi,

    Sorry, I forgot to set my email to notify me of responses, so I thought nobody answered.

    1) It is in the errors section of the screenshot you posted.

    2) Yes, I tried to resolve it. My client was Windows 10 and the recursive resolver was BIND 9 with DNSSEC enabled on an Ubuntu 17.04 server.

    And by the way, HACHIMON isn't a recursive resolver. It's an authoritative DNS server.

    3) 

    Thank you
    • Edited by Matyáš Koc Saturday, August 26, 2017 7:07 PM added more information
    Saturday, August 26, 2017 7:05 PM
  • Hi Matyáš Koc,

    Sorry for my delayed response.

    Firstly, when we use the command resolve-dnsname -name finance.secure.contoso.com<A record in suex.cz zone> -type A -server HACHIMON.suex.cz -dnssecok, the client will directly query the DNS Server HACHIMON to resolve the A record. Therefore, the current issue has nothing to do with the recursive DNS Server.

    Secondly, in order to narrow down the problem, we need to confirm the below information both on the client and the DNS Server.

    1. Does only one W10 client in your environment fail to get the RRSIG record in response, or do all clients fail to get the RRSIG record?

    2. Please provide us the information on DNS Server HACHIMON

    Open DNS Manager -> right-click the zone -> click DNSSEC -> click Properties -> click the Key Master tab, and please provide us the screenshot

    Steps to collect network packets

    1. Download and install NetMon 3.4 on both client and DNS Server

    Download and install from http://www.microsoft.com/en-us/download/details.aspx?id=4865

    2. On both client and DNS Server, start capturing network packets

    Step 1: After installation, run the Network Monitor as administrator

    Step 2: Click the "New Capture" button to start a network capture

    Step 3: After clicking the "New Capture" button, you can see the new tab named "Capture1". Click on "Start" in the toolbar

    3. Reproduce the problem. Run the below command on the client

    resolve-dnsname -name finance.secure.contoso.com<A record in suex.cz zone> -type A -server 10.10.10.10 <HACHIMON.suex.cz host IP address> -dnssecok

    4. Stop capturing network packets

    Click the "Stop" button and save the file as a .cap file. Please provide us the network packet.

    Finally, you could upload the information to OneDrive and then share the link with me:

    https://onedrive.live.com/

    If you have any problem, please feel free to let me know.

    Best Regards,

    Candy





    Monday, September 4, 2017 8:02 AM
  • Currently, no computer in the AD is able to get that record.

    Monday, September 4, 2017 10:19 AM
  • Hi Matyáš Koc,

    Could you please upload the network packet for us to troubleshoot?

    Best Regard,

    Candy



    Wednesday, September 6, 2017 3:06 AM
  • I have a quick question about your setup. The suex.cz domain is hosted by two name servers:

    suex.cz.                3600    IN      NS      ns.suex.cz.
    suex.cz.                3600    IN      NS      hachimon.suex.cz.

    hachimon.suex.cz resolves to two IP addresses, one of which is private.

    ns.suex.cz resolves to one public IP address.

    Is this the same server with two network adapters, or two different servers?

    ;; ANSWER SECTION:
    hachimon.suex.cz.       1200    IN      A       192.168.2.44
    hachimon.suex.cz.       1200    IN      A       185.47.222.240

    ;; ANSWER SECTION:
    ns.suex.cz.             3600    IN      A       185.47.222.240

    Also note there are several errors in the zone.

    http://dnsviz.net/d/suex.cz/dnssec/

    Thursday, September 7, 2017 7:41 AM
    Owner
  • Hi Matyáš Koc,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Candy



    Tuesday, September 12, 2017 7:18 AM
  • I had to reinstall the server (for some other reason). Also the server was renamed in this process (FlameWeaver is the new name).

    This server has one network card (only one). That interface has both the private and the public IP address. I can't get the private one out from the DNS, and the public is for access outside of our network. (The server is behind NAT.)

    And by the way, there are two listed nameservers, but there's only one server.

    The DNSSEC was really disabled. So I enabled it and it started to work now. Thank you!


    • Edited by Matyáš Koc Tuesday, September 12, 2017 1:44 PM
    Tuesday, September 12, 2017 1:43 PM