
I am trying to find the origin of an error I cannot get rid of on the Verisign DNSSEC debugger (Verisign debugger).

Dig queries the server just fine

dig ex-mailer.com ANY @108.61.190.64

All of my logs are clean and error-free with logging at debug severity (log output).

In fact, the only sign of anything amiss is in a packet capture (Wireshark) showing what looks like excessive fragmentation.

The MTU on my NIC is 1500

vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c03bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 56:00:00:05:53:09
        inet6 2001:19f0:6c00:8141::64 prefixlen 64
        inet6 fe80::5400:ff:fe05:5309%vtnet0 prefixlen 64 scopeid 0x1
        inet 108.61.190.64 netmask 0xffffff00 broadcast 108.61.190.255
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet 10Gbase-T <full-duplex>
        status: active

but the PMTU looks wrong:

ping -s 1500 -M do 108.61.190.64
From 192.168.0.68: icmp_seq=1 Frag needed and DF set (mtu = 1490)
From 192.168.0.68: icmp_seq=1 Frag needed and DF set (mtu = 1490)
From 192.168.0.68: icmp_seq=1 Frag needed and DF set (mtu = 1490)
From 192.168.0.68: icmp_seq=1 Frag needed and DF set (mtu = 1490)
From 192.168.0.68: icmp_seq=1 Frag needed and DF set (mtu = 1490)

I'm not sure where else to look. I am pretty sure this MTU fragmentation is the source of the error.

How do I get rid of this Verisign DNS error?

master config:

# ACL "trusted": the two authoritative hosts (IPv4 and IPv6), the 108.61.10.10
# forwarder and loopback. In this file it is referenced only by the zone-level
# allow-transfer on ex-mailer.com; the options-level allow-transfer is "any".
acl "trusted" {
        108.61.190.64;
        107.191.60.48;
        2001:19f0:7000:8945::64;
        2001:19f0:6c00:8141::64;
        108.61.10.10;
        127.0.0.1/32;
        ::1/128;
};

# ACL "outside" matches every client. It is defined but not referenced in this
# file (the view below uses "any" directly).
acl "outside" {
        any;
};

# Master server options. NOTE(review): allow-recursion, allow-query-cache and
# allow-transfer are all "any" on a server listening on a public address, so
# it is an open recursive resolver and any host can pull full zone copies;
# limiting those three to the "trusted" ACL is the usual fix and should not
# change the authoritative answers the Verisign debugger is checking.
options {
        directory "/usr/local/etc/namedb/working/";
        pid-file "/var/run/named/named.pid";
        dnssec-enable yes;
        dnssec-validation auto;
        # DLV depends on the ISC lookaside registry, which has since been
        # retired; recent BIND releases no longer accept this option.
        dnssec-lookaside auto;
        listen-on-v6 { ::1; 2001:19f0:6c00:8141::64;};
        listen-on { 127.0.0.1; 108.61.190.64;};
        max-cache-ttl 1600;
        version none;
        auth-nxdomain no;    # conform to RFC1035
        allow-recursion-on { any; };
        allow-recursion{ any; };
        allow-query-cache-on{ any; };
        allow-query-on{ any; };
        # Update forwarding applies only to slave zones; every zone in this
        # file is a master or hint zone, so this line has no effect here.
        allow-update-forwarding{ any; };
        allow-query {
                any;
        };

        allow-query-cache {
                any;
        };

        # Global default; the ex-mailer.com zone below overrides it with
        # "trusted", the other zones inherit "any".
        allow-transfer {
                any;
        };
        //forward first;
        # The forwarder list includes this server's own listen address
        # (108.61.190.64); presumably unintended — confirm.
        forwarders {
                108.61.10.10;
                108.61.190.64;
                107.191.60.48;
        };
};


# Logging. "category default" appears twice (first and second-to-last
# statements); keep one. Channel xfer-in_file is declared but no category
# sends to it. "severity debug" on default_log is very verbose for a
# production resolver.
logging {
        category default { default_log; };
        category queries { resolver_file; };
        channel default_log {
                file "/var/log/named/named.log" versions 5 size 50M;
                print-time yes;
                print-severity yes;
                print-category yes;
                severity debug;
        };
        channel resolver_file {
                file "/var/log/named/resolver.log" versions 3 size 5m;
                severity dynamic;
                print-time yes;
        };
        # Unused: no category is routed to this channel.
        channel xfer-in_file {
                file "/var/log/named/xfer-in.log" versions 3 size 5m;
                severity dynamic;
                print-time yes;
        };
        category default { default_log; };
        category general { default_log; };
};


#include "/usr/local/etc/namedb/rndc.key";

# rndc control channel. "inet *" binds port 953 on every interface, including
# the public ones, so the allow list is the only thing keeping remote hosts
# out. Binding to 127.0.0.1 (plus the slave's address only if remote rndc is
# actually used) keeps the port off the public interface altogether.
controls {
        inet * port 953 allow { 127.0.0.1/32; ::1/128; 107.191.60.48; 108.61.190.64;} keys {"rndc-key"; };
};
# rndc key. The "#include" line above is a comment ("#" starts a comment in
# named.conf), so this inline definition is the one in force. The secret has
# now been published with this post and should be regenerated with
# rndc-confgen; hmac-md5 is the weakest algorithm BIND accepts, so prefer
# hmac-sha256 when regenerating.
key "rndc-key" {
        algorithm hmac-md5;
        secret "KcnxhOeXddg8dRNrn9Qfew==";
};


# View "external": matches every client and destination, recursion on, root
# hints plus the authoritative zones. NOTE(review): with match-clients { any; }
# and recursion yes this view is the open recursive resolver described in the
# options block above; allow-recursion is the place to restrict it.
view "external" {
        match-clients { any; };
        match-destinations { any; };
        recursion yes;
        allow-query { any; };
        zone "." IN {
                type hint;
                file "/usr/local/etc/namedb/named.root";
        };
        zone "ex-mailer.com" {
                type master;
                # Transfers limited to the "trusted" ACL. also-notify targets
                # this server's own address (108.61.190.64) rather than the
                # slave at 107.191.60.48 — presumably a typo; confirm.
                allow-transfer { trusted; };
                also-notify { 108.61.190.64; };
                # Only updates signed with the local session key are accepted.
                update-policy local;
                auto-dnssec allow;
                key-directory "/usr/local/etc/namedb/";
                file "/usr/local/etc/namedb/ex-mailer.com.external.signed";
        };
        zone "nyctelecomm.com" {
                type master;
                # Zone-level transfer restriction is commented out, so this
                # zone inherits the global allow-transfer { any; }.
                #allow-transfer {107.191.60.48;};
                also-notify {107.191.60.48;};
                # No update-policy / auto-dnssec here, unlike the sibling zones.
                key-directory "/usr/local/etc/namedb/";
                file "/usr/local/etc/namedb/nyctelecomm.com.external.signed";
        };
        zone "emailingu.com" {
                type master;
                update-policy local;
                auto-dnssec allow;
                key-directory "/usr/local/etc/namedb/";
                file "/usr/local/etc/namedb/emailingu.com.external.signed";
        };
        zone "instaknowit.com" {
                type master;
                update-policy local;
                auto-dnssec allow;
                key-directory "/usr/local/etc/namedb/";
                # Only zone whose file lacks the ".signed" suffix the others use.
                file "/usr/local/etc/namedb/instaknowit.com.external";
        };

        zone "zippy-mail.com" {
                type master;
                update-policy local;
                auto-dnssec allow;
                key-directory "/usr/local/etc/namedb/";
                file "/usr/local/etc/namedb/zippy-mail.com.external.signed";
        };

        # Reverse zones: no update policy, so the global defaults apply.
        zone "190.61.108.in-addr.arpa"{
                type master;
                file "/usr/local/etc/namedb/reverse.external";
        };
        zone "127.in-addr.arpa" {
                type master;
                file "/usr/local/etc/namedb/127.0.0.1";
        };

};

slave config:

# ACL "trusted" (same membership as on the master). Used here for
# allow-notify on the slave zones and the options-level allow-update.
acl "trusted" {
        108.61.190.64;
        107.191.60.48;
        2001:19f0:7000:8945::64;
        2001:19f0:6c00:8141::64;
        108.61.10.10;
        127.0.0.1/32;
        ::1/128;
};

# ACL "outside" matches every client; the view below uses it for
# match-clients, match-destinations and allow-query, so it is equivalent
# to "any".
acl "outside" {
        any;
};

# Slave server options. NOTE(review): as on the master, recursion, cache
# queries and zone transfers are open to "any" on a public address; restrict
# them to the "trusted" ACL.
options {
        directory "/usr/local/etc/namedb/working/";
        pid-file "/var/run/named/named.pid";
        dnssec-enable yes;
        # "yes" here versus "auto" on the master — the two servers validate
        # with different trust-anchor handling; align them unless intentional.
        dnssec-validation yes;
        # DLV relies on the retired ISC lookaside registry; newer BIND
        # releases no longer accept this option.
        dnssec-lookaside auto;
        auth-nxdomain no;
        listen-on-v6 { ::1; 2001:19f0:7000:8945::64;};
        listen-on { 127.0.0.1; 107.191.60.48;};
        max-cache-ttl 1600;
        version none;
        # Global NOTIFY back to the master for every zone, including the
        # slave zones pulled from it — presumably intentional; confirm.
        notify yes;
        also-notify { 108.61.190.64; };
        # This is the slave's own address; the slave zones below override it
        # with the "trusted" ACL, which is what actually admits the master.
        allow-notify { 107.191.60.48; };
        allow-recursion { any; };
        allow-recursion-on { any; };
        allow-query-cache-on{ any; };
        allow-query-on{ any; };
        # Any host may submit dynamic updates that get forwarded to the master
        # for the slave zones; the master's update-policy local should refuse
        # them, but limit this to "trusted" rather than relying on that.
        allow-update-forwarding{ any; };
        allow-transfer { any; };
        allow-query {
                any;
        };
        allow-query-cache {
                any;
        };

        # Applies only to master zones; both reverse zones below override it
        # with "none", so no zone on this server currently accepts updates.
        allow-update {
                trusted;
        };

        //forward first;
        # Forwarder list includes this server's own address (107.191.60.48).
        forwarders {
                108.61.10.10;
                108.61.190.64;
                107.191.60.48;
        };
};


# Logging. "category default" appears twice; keep one. Channels general_file,
# config_file and xfer-in_file are declared but no category routes to them
# (category general goes to default_log).
logging {
        category default { default_log; };
        category queries { resolver_file; };
        channel default_log {
                file "/var/log/named/named.log" versions 5 size 50M;
                print-time yes;
                print-severity yes;
                print-category yes;
                severity debug;
        };
        # Unused channel.
        channel general_file {
                file "/var/log/named/general.log" versions 3 size 5m;
                severity dynamic;
                print-time yes;
        };
        # Unused channel.
        channel config_file {
                file "/var/log/named/config.log" versions 3 size 5m;
                severity dynamic;
                print-time yes;
        };
        channel resolver_file {
                file "/var/log/named/resolver.log" versions 3 size 5m;
                severity dynamic;
                print-time yes;
        };
        # Unused channel.
        channel xfer-in_file {
                file "/var/log/named/xfer-in.log" versions 3 size 5m;
                severity dynamic;
                print-time yes;
        };
        category default { default_log; };
        category general { default_log; };
};


#include "/usr/local/etc/namedb/rndc.key";

# rndc control channel. "inet *" listens on every interface; bind it to
# 127.0.0.1 (and the master's address only if remote rndc is really needed)
# so port 953 is not reachable on the public interface at all.
controls {
        inet * port 953 allow { 127.0.0.1/32; ::1/128; 108.61.190.64; 107.191.60.48; } keys {"rndc-key"; };
};

# rndc key. The "#include" above is a comment in named.conf, so this is the
# live definition. The secret has been published with this post — regenerate
# it (rndc-confgen), and prefer hmac-sha256 over hmac-md5 when doing so.
key "rndc-key" {
        algorithm hmac-md5;
        secret "N/SB9HZwr5yRIBwtRjcA6A==";
};

# View "external": "outside" is "any", so every client gets recursion and
# every zone; the slave zones additionally allow transfers from anyone.
view "external" {
        match-clients { outside; };
        match-destinations { outside; };
        recursion yes;
        allow-recursion { any; };
        allow-query { outside; };
        zone "." IN {
                type hint;
                file "/usr/local/etc/namedb/named.root";
        };

        # Comment, not a directive ("#" starts a comment in named.conf): the
        # zonelist file is NOT included.
        #include "/usr/local/etc/namedb/tmp/zonelist.db";

        zone "nyctelecomm.com" {
                type slave;
                masters {108.61.190.64;};
                allow-notify { trusted; };
                # Overrides nothing — the global default is already "any".
                allow-transfer { any; };
                notify yes;
                auto-dnssec allow;
                key-directory "/usr/local/etc/namedb/";
                file "/usr/local/etc/namedb/nyctelecomm.com.external.signed";
        };
        zone "ex-mailer.com" {
                type slave;
                masters {108.61.190.64; };
                # transfer-source is commented out, so transfers use the
                # default source address.
                #transfer-source { 108.61.190.64; };
                allow-notify{ trusted; };
                notify yes;
                allow-transfer { any; };
                auto-dnssec allow;
                key-directory "/usr/local/etc/namedb/";
                file "/usr/local/etc/namedb/ex-mailer.com.external.signed";
        };

        zone "emailingu.com" {
                masters {108.61.190.64; };
                type slave;
                auto-dnssec allow;
                key-directory "/usr/local/etc/namedb/";
                file "/usr/local/etc/namedb/emailingu.com.external.signed";
        };
        zone "zippy-mail.com" {
                type slave;
                masters {108.61.190.64; };
                auto-dnssec allow;
                key-directory "/usr/local/etc/namedb/";
                file "/usr/local/etc/namedb/zippy-mail.com.external.signed";
        };

        # Reverse zones are masters on this host too, with updates disabled
        # explicitly (overriding the options-level allow-update { trusted; }).
        zone "190.61.108.in-addr.arpa"{
                type master;
                allow-update {none;};
                file "/usr/local/etc/namedb/reverse.external";
        };
        zone "127.in-addr.arpa" {
                type master;
                allow-update {none;};
                file "/usr/local/etc/namedb/127.0.0.1";
        };

};
mine


Thanks for posting all of this info, it helped greatly.

The Verisign tool errored out on:

Query to yoda.ex-mailer.com/108.61.175.48 for ex-mailer.com/A timed out or failed

The domain you're interested in is publishing two different NS records.

ex-mailer.com   nameserver = yoda.ex-mailer.com.
ex-mailer.com   nameserver = r2d2.ex-mailer.com.

From my own network, I can connect to r2d2 and query the IP of yoda. When I try to connect to yoda, I get nothing. This is what Verisign is pointing out. When I look a bit deeper, I see my connection attempts to yoda are getting ICMP Destination Unreachable packets from yoda itself on 108.61.175.20.

Interestingly, r2d2 is showing the IP address of Yoda to be 108.61.175.48, but your config-file suggests it should be either 108.61.190.64 or 108.61.10.10. Of those two the first responds successfully.

Looks like one of two things.

  1. The A record for 'yoda' is off. It should be 108.61.190.64, not 108.61.175.48
  2. The NS record should be pointing to the A record of whatever 108.61.190.64 is.
sysadmin1138
  • you definitely found an error, but it doesn't appear to be 'the error'. I am watching Verisign like a hawk; some issues don't disappear for an hour or 2. – mine Mar 07 '15 at 13:35
  • Based on the forced MTU, I really think this is an ISP error and am reaching out to them. Also giving you the credit where credit is due. – mine Mar 07 '15 at 17:20