delv could not verify www.ahou.edu.cn after upgrade to 9.11.3-1ubuntu1.11-Ubuntu

Asked by Zhang Huanjie on 2020-01-23

delv could not verify www.ahou.edu.cn after upgrade to 9.11.3-1ubuntu1.11-Ubuntu from 9.11.3-1ubuntu1.9-Ubuntu.

It says:
delv @8.8.8.8 www.ahou.edu.cn
;; validating ahou.edu.cn/DNSKEY: no valid signature found
;; insecurity proof failed resolving 'ahou.edu.cn/DNSKEY/IN': 8.8.8.8#53
;; broken trust chain resolving 'www.ahou.edu.cn/A/IN': 8.8.8.8#53
;; resolution failed: broken trust chain

I am sure 9.11.3-1ubuntu1.9-Ubuntu works.

Question information

Language: English
Status: Solved
For: Ubuntu bind9
Assignee: No assignee
Solved by: Zhang Huanjie
Solved: 2020-01-25
Last query: 2020-01-25
Last reply: 2020-01-24

Does dig work OK to the same IP?
If you have iptables / ufw configured, are you allowing 53/TCP in and out?

Also try:

delv -4 @8.8.8.8 www.ahou.edu.cn

Can you telnet to 8.8.8.8 on port 53?

Zhang Huanjie (bg6cq) said : #3

Just now I found that the .cn domain key expired 8 hours ago, so I cannot test now.

The following two files are the output of "delv -d 10 www.ahou.edu.cn" and "delv -d 10 www.ustc.edu.cn" from delv 9.11.3-1ubuntu1.11-Ubuntu, logged 4 days ago.

www.ustc.edu.cn verifies OK; its key alg is NSEC3RSASHA1
www.ahou.edu.cn fails to verify; its key alg is ECDSAP384SHA384

https://ipv6.ustc.edu.cn/ahou.txt
https://ipv6.ustc.edu.cn/ustc.txt

I am sure both verified OK when delv was 9.11.3-1ubuntu1.9-Ubuntu.

Thanks a lot.

I suggest you report a bug. Mark it as a regression.

Zhang Huanjie (bg6cq) said : #5

Thank you for your advice.

I did a fresh install of Ubuntu 18.04 and ran some tests.

The problem was caused by the libssl1.1 upgrade, not by the delv upgrade.

In the fresh installation of Ubuntu 18.04, the libssl1.1 version is 1.1.0g-2ubuntu4, and delv works OK.

After upgrading libssl1.1 to 1.1.1-1ubuntu2.1~18.04.5, delv could not verify www.ahou.edu.cn.

If you use a different URL does it work OK or is it all URLs?

Zhang Huanjie (bg6cq) said : #7

BIND 9.11.0 - 9.11.15 cannot work with libssl1.1 1.1.1-1ubuntu2.1~18.04.5.
BIND 9.14.* works.
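
The comparison made in reply #3 (one zone validates, the other fails, and the two are signed with different key algorithms) can be tabulated from saved delv and dig output. This is an added example, not part of the thread: the function names are hypothetical, and the DNSKEY lines, TTLs, key data and the A record address are constructed; only the delv failure lines are copied from the question.

```shell
#!/bin/sh
# Added example. Sample input below is constructed, except the delv
# failure lines, which are copied from the question in this thread.

# Read `dig +noall +answer DNSKEY <zone>` output on stdin; print the
# key algorithm mnemonics (IANA DNSSEC algorithm numbers), comma-separated.
dnskey_algs() {
    awk 'BEGIN { m[5]="RSASHA1"; m[7]="NSEC3RSASHA1"; m[8]="RSASHA256";
                 m[10]="RSASHA512"; m[13]="ECDSAP256SHA256";
                 m[14]="ECDSAP384SHA384"; m[15]="ED25519"; m[16]="ED448" }
         $3 == "IN" && $4 == "DNSKEY" { print (($7 in m) ? m[$7] : "ALG" $7) }' |
        sort -u | paste -sd, -
}

# Read delv output on stdin; print a one-word verdict or the failure reason.
delv_verdict() {
    awk '
        /^; fully validated/      { v = "validated" }
        /^; unsigned answer/      { v = "unsigned" }
        /^;; resolution failed: / { sub(/^;; resolution failed: /, ""); v = "failed: " $0 }
        END { print (v == "" ? "unknown" : v) }'
}

# $1 = name queried, $2 = delv output, $3 = DNSKEY answer section
report() {
    printf '%s | %s | %s\n' "$1" \
        "$(printf '%s\n' "$2" | delv_verdict)" \
        "$(printf '%s\n' "$3" | dnskey_algs)"
}

AHOU_DELV=$(cat <<'EOF'
;; validating ahou.edu.cn/DNSKEY: no valid signature found
;; insecurity proof failed resolving 'ahou.edu.cn/DNSKEY/IN': 8.8.8.8#53
;; broken trust chain resolving 'www.ahou.edu.cn/A/IN': 8.8.8.8#53
;; resolution failed: broken trust chain
EOF
)
# Constructed records; the key field is a placeholder, not real key data.
AHOU_KEYS='ahou.edu.cn. 3600 IN DNSKEY 257 3 14 Q09OU1RSVUNURUQ='
USTC_DELV='; fully validated
www.ustc.edu.cn. 300 IN A 192.0.2.10'
USTC_KEYS='ustc.edu.cn. 3600 IN DNSKEY 257 3 7 Q09OU1RSVUNURUQ=
ustc.edu.cn. 3600 IN DNSKEY 256 3 7 Q09OU1RSVUNURUQ='

report www.ahou.edu.cn "$AHOU_DELV" "$AHOU_KEYS"
report www.ustc.edu.cn "$USTC_DELV" "$USTC_KEYS"
```

When failures line up with one algorithm while other signed zones validate through the same resolver, the next thing to compare is the validator's own BIND and libssl versions, as reply #5 did.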