named validating @0x...: ... SOA: no valid signature found

Brian J. Murrell brian at interlinx.bc.ca
Fri Jul 20 13:03:16 UTC 2012


On 12-07-20 08:34 AM, Brian J. Murrell wrote:
> 
> The problem here seems to be fragmented UDP.

I seem to have misdiagnosed this due to tcpdump peculiarities.  I only
initially saw/suspected the problem since my capture for port 53
packets was including (only the first) ipv4 fragments.  When adding a
capture specifically to get all ipv4 fragments in addition to my port
53 packets, I do see all of the fragments.

So back to the drawing board.

In my previous posting, I was able to demonstrate that I do get some
queries authenticated, but others (corresponding to the errors in my
logs) are not.  For example:

Jul 20 08:59:37 linux named[17472]:   validating @0xf48d01b0: 119.in-addr.arpa SOA: no valid signature found

and sure enough:

# dig +dnssec @localhost 119.in-addr.arpa SOA

; <<>> DiG 9.9.1-P1 <<>> +dnssec @localhost 119.in-addr.arpa SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49713
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 14

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;119.in-addr.arpa.              IN      SOA

;; ANSWER SECTION:
119.in-addr.arpa.       172800  IN      SOA     ns1.apnic.net. read-txt-record-of-zone-first-dns-admin.apnic.net. 3006082431 7200 1800 604800 172800
119.in-addr.arpa.       172800  IN      RRSIG   SOA 5 3 172800 20120819055026 20120720045026 31291 119.in-addr.arpa. DxSB8J+SsHzLRv/qiFdQOLQ4eYEgCm6lUGr5/qoMje7iY9OIaaXmH/WM GwbTDdT7YNXfkZ7ZfpEnE5N9OeNW6Wghi8Wcerpy3OmEYMTWc1ZNgH70 KC8Rhth23mCkv+IdCEsirVKdgTgLYsRlPFMbp6WQveMQRyJwvGJQm4QI Ejk=

;; AUTHORITY SECTION:
119.in-addr.arpa.       78212   IN      NS      ns1.apnic.net.
119.in-addr.arpa.       78212   IN      NS      sec1.authdns.ripe.net.
119.in-addr.arpa.       78212   IN      NS      ns2.lacnic.net.
119.in-addr.arpa.       78212   IN      NS      ns4.apnic.net.
119.in-addr.arpa.       78212   IN      NS      ns3.apnic.net.
119.in-addr.arpa.       78212   IN      NS      apnic1.dnsnode.net.
119.in-addr.arpa.       78212   IN      NS      tinnie.arin.net.

;; ADDITIONAL SECTION:
ns1.apnic.net.          167     IN      A       202.12.29.25
ns1.apnic.net.          164129  IN      AAAA    2001:dc0:2001:0:4608::25
ns2.lacnic.net.         82967   IN      A       200.3.13.11
ns2.lacnic.net.         164257  IN      AAAA    2001:13c7:7002:3000::11
ns3.apnic.net.          167     IN      A       202.12.28.131
ns3.apnic.net.          164129  IN      AAAA    2001:dc0:1:0:4777::131
ns4.apnic.net.          167     IN      A       202.12.31.140
ns4.apnic.net.          164129  IN      AAAA    2001:dc0:4001:1:0:1836:0:140
sec1.authdns.ripe.net.  167     IN      A       193.0.9.3
apnic1.dnsnode.net.     3767    IN      A       194.146.106.106
tinnie.arin.net.        35918   IN      A       199.212.0.53
tinnie.arin.net.        35918   IN      AAAA    2001:500:13::c7d4:35
sec1.authdns.ripe.net.  167     IN      RRSIG   A 5 4 3600 20120819100246 20120720090246 16848 ripe.net. PnInozslOygv30AuohnYIzlCkeShxybKYeZ4114kpClfsMB/t3liXNmw in7Ha8Mh1mOZFtv2lvYDNlnrZgO65xXkUwsH2iz1jCMFU6ZjwGhqVhaX PpN6T6BXDHSohpFkVlx0yu9J7BcPMuCD6FJB5yLF4V0UUkJoPOXFAKBa mto=

;; Query time: 239 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jul 20 09:02:18 2012
;; MSG SIZE  rcvd: 892

no "ad" bit set.

But why?

Cheers,
b.
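Added example, not part of the post above and not BIND code: a small Python script that runs the cheap offline checks a resolver operator does first when a dig +dnssec answer comes back without the "ad" flag. It parses the header flags, the EDNS DO bit and every RRSIG in the text, then checks the signature validity window against a chosen UTC time, that the signer name is the owner or an ancestor of it, that the labels field does not exceed the owner's label count, and that the cached TTL does not exceed the RRSIG's original TTL. The sample input is constructed by trimming the dig output quoted in the post to the lines the script needs, and the query time used is an assumption (dig's WHEN line is local time; the list archive stamps the mail at 13:03 UTC, so roughly 13:02 UTC is assumed). It does not verify the signatures themselves, which needs the zone's DNSKEY RRset and the chain of trust above it.

```python
"""Offline sanity checks on `dig +dnssec` output (added example, not from the post)."""
import re
from datetime import datetime, timezone

# Constructed sample: header, ANSWER section and the signed ADDITIONAL record
# from the dig output quoted in the post, trimmed to the lines used here.
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49713
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 14

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
119.in-addr.arpa.       172800  IN      SOA     ns1.apnic.net. read-txt-record-of-zone-first-dns-admin.apnic.net. 3006082431 7200 1800 604800 172800
119.in-addr.arpa.       172800  IN      RRSIG   SOA 5 3 172800 20120819055026 20120720045026 31291 119.in-addr.arpa. DxSB8J+SsHzLRv/qiFdQOLQ4eYEgCm6lUGr5/qoMje7iY9OIaaXmH/WM GwbTDdT7YNXfkZ7ZfpEnE5N9OeNW6Wghi8Wcerpy3OmEYMTWc1ZNgH70 KC8Rhth23mCkv+IdCEsirVKdgTgLYsRlPFMbp6WQveMQRyJwvGJQm4QI Ejk=

;; ADDITIONAL SECTION:
sec1.authdns.ripe.net.  167     IN      A       193.0.9.3
sec1.authdns.ripe.net.  167     IN      RRSIG   A 5 4 3600 20120819100246 20120720090246 16848 ripe.net. PnInozslOygv30AuohnYIzlCkeShxybKYeZ4114kpClfsMB/t3liXNmw in7Ha8Mh1mOZFtv2lvYDNlnrZgO65xXkUwsH2iz1jCMFU6ZjwGhqVhaX PpN6T6BXDHSohpFkVlx0yu9J7BcPMuCD6FJB5yLF4V0UUkJoPOXFAKBa mto=
"""

# Assumed query time in UTC: dig's WHEN is local 09:02:18, the mail is stamped 13:03:16 UTC.
QUERY_TIME_UTC = "20120720130218"

# DNSSEC algorithm numbers (IANA registry) for the ones commonly seen in the wild.
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
              13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519"}

# RRSIG presentation format: owner ttl IN RRSIG type alg labels origttl exp inc keytag signer sig...
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+(?P<alg>\d+)\s+"
    r"(?P<labels>\d+)\s+(?P<orig_ttl>\d+)\s+(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+"
    r"(?P<tag>\d+)\s+(?P<signer>\S+)\s+(?P<sig>.+)$", re.M)


def header_flags(text):
    """Set of header flags dig printed, e.g. {'qr', 'rd', 'ra'}; 'ad' means validated."""
    m = re.search(r"^;; flags:\s*([^;]*);", text, re.M)
    return set(m.group(1).split()) if m else set()


def edns_do(text):
    """True if the DO bit was set, i.e. DNSSEC records were requested at all."""
    m = re.search(r"^; EDNS: .*flags:\s*([^;]*);", text, re.M)
    return "do" in (m.group(1).split() if m else [])


def _ts(yyyymmddhhmmss):
    return datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def _labels(name):
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def _in_zone(owner, signer):
    """Signer must be the owner itself or an ancestor (the zone apex); root matches everything."""
    o, s = _labels(owner), _labels(signer)
    return len(s) <= len(o) and o[len(o) - len(s):] == s


def parse_rrsigs(text):
    out = []
    for m in RRSIG_RE.finditer(text):
        d = m.groupdict()
        out.append({"owner": d["owner"], "ttl": int(d["ttl"]), "covered": d["covered"],
                    "algorithm": int(d["alg"]), "labels": int(d["labels"]),
                    "original_ttl": int(d["orig_ttl"]), "expiration": d["exp"],
                    "inception": d["inc"], "key_tag": int(d["tag"]), "signer": d["signer"]})
    return out


def check_rrsig(sig, now_utc):
    """Cheap local checks only; an empty list means 'nothing obvious', not 'valid'."""
    now, inc, exp = _ts(now_utc), _ts(sig["inception"]), _ts(sig["expiration"])
    problems = []
    if now < inc:
        problems.append("not yet valid: inception %s is in the future" % inc.isoformat())
    if now > exp:
        problems.append("expired: expiration %s has passed" % exp.isoformat())
    if not _in_zone(sig["owner"], sig["signer"]):
        problems.append("signer %s is neither %s nor an ancestor of it" % (sig["signer"], sig["owner"]))
    # labels < owner label count is a wildcard expansion; labels > owner is malformed.
    if sig["labels"] > len(_labels(sig["owner"])):
        problems.append("labels field %d exceeds owner label count" % sig["labels"])
    if sig["ttl"] > sig["original_ttl"]:
        problems.append("cached TTL %d exceeds original TTL %d" % (sig["ttl"], sig["original_ttl"]))
    if sig["algorithm"] not in ALGORITHMS:
        problems.append("unknown or unsupported algorithm %d" % sig["algorithm"])
    return problems


def audit(text, now_utc):
    """Summarise what the dig output alone can tell about the missing 'ad' flag."""
    return {"ad": "ad" in header_flags(text), "do": edns_do(text),
            "rrsigs": [{"owner": s["owner"], "covered": s["covered"], "key_tag": s["key_tag"],
                        "algorithm": ALGORITHMS.get(s["algorithm"], str(s["algorithm"])),
                        "problems": check_rrsig(s, now_utc)} for s in parse_rrsigs(text)]}


if __name__ == "__main__":
    for k, v in audit(SAMPLE_DIG, QUERY_TIME_UTC).items():
        print(k, v)
```

On the sample, every cheap check passes and DO was set, so the absence of "ad" is not explained by an expired or mis-scoped signature; the next step is to fetch the 119.in-addr.arpa. DNSKEY RRset, confirm a key with tag 31291 exists there, and walk the DS chain from the parent, which this script deliberately does not attempt.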
