named validating @0x...: ... SOA: no valid signature found
Brian J. Murrell
brian at interlinx.bc.ca
Fri Jul 20 13:03:16 UTC 2012
On 12-07-20 08:34 AM, Brian J. Murrell wrote:
>
> The problem here seems to be fragmented UDP.
I seem to have misdiagnosed this due to tcpdump peculiarities. I only
initially saw/suspected the problem since my capture for port 53
packets was including (only the first) ipv4 fragments. When adding a
capture specifically to get all ipv4 fragments in addition to my port
53 packets, I do see all of the fragments.
So back to the drawing board.
In my previous posting, I was able to demonstrate that I do get some
queries authenticated, but others (corresponding to the errors in my
logs) are not. For example:
Jul 20 08:59:37 linux named[17472]: validating @0xf48d01b0: 119.in-addr.arpa SOA: no valid signature found
and sure enough:
# dig +dnssec @localhost 119.in-addr.arpa SOA
; <<>> DiG 9.9.1-P1 <<>> +dnssec @localhost 119.in-addr.arpa SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49713
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 14
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;119.in-addr.arpa. IN SOA
;; ANSWER SECTION:
119.in-addr.arpa. 172800 IN SOA ns1.apnic.net. read-txt-record-of-zone-first-dns-admin.apnic.net. 3006082431 7200 1800 604800 172800
119.in-addr.arpa. 172800 IN RRSIG SOA 5 3 172800 20120819055026 20120720045026 31291 119.in-addr.arpa. DxSB8J+SsHzLRv/qiFdQOLQ4eYEgCm6lUGr5/qoMje7iY9OIaaXmH/WM GwbTDdT7YNXfkZ7ZfpEnE5N9OeNW6Wghi8Wcerpy3OmEYMTWc1ZNgH70 KC8Rhth23mCkv+IdCEsirVKdgTgLYsRlPFMbp6WQveMQRyJwvGJQm4QI Ejk=
;; AUTHORITY SECTION:
119.in-addr.arpa. 78212 IN NS ns1.apnic.net.
119.in-addr.arpa. 78212 IN NS sec1.authdns.ripe.net.
119.in-addr.arpa. 78212 IN NS ns2.lacnic.net.
119.in-addr.arpa. 78212 IN NS ns4.apnic.net.
119.in-addr.arpa. 78212 IN NS ns3.apnic.net.
119.in-addr.arpa. 78212 IN NS apnic1.dnsnode.net.
119.in-addr.arpa. 78212 IN NS tinnie.arin.net.
;; ADDITIONAL SECTION:
ns1.apnic.net. 167 IN A 202.12.29.25
ns1.apnic.net. 164129 IN AAAA 2001:dc0:2001:0:4608::25
ns2.lacnic.net. 82967 IN A 200.3.13.11
ns2.lacnic.net. 164257 IN AAAA 2001:13c7:7002:3000::11
ns3.apnic.net. 167 IN A 202.12.28.131
ns3.apnic.net. 164129 IN AAAA 2001:dc0:1:0:4777::131
ns4.apnic.net. 167 IN A 202.12.31.140
ns4.apnic.net. 164129 IN AAAA 2001:dc0:4001:1:0:1836:0:140
sec1.authdns.ripe.net. 167 IN A 193.0.9.3
apnic1.dnsnode.net. 3767 IN A 194.146.106.106
tinnie.arin.net. 35918 IN A 199.212.0.53
tinnie.arin.net. 35918 IN AAAA 2001:500:13::c7d4:35
sec1.authdns.ripe.net. 167 IN RRSIG A 5 4 3600 20120819100246 20120720090246 16848 ripe.net. PnInozslOygv30AuohnYIzlCkeShxybKYeZ4114kpClfsMB/t3liXNmw in7Ha8Mh1mOZFtv2lvYDNlnrZgO65xXkUwsH2iz1jCMFU6ZjwGhqVhaX PpN6T6BXDHSohpFkVlx0yu9J7BcPMuCD6FJB5yLF4V0UUkJoPOXFAKBa mto=
;; Query time: 239 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jul 20 09:02:18 2012
;; MSG SIZE rcvd: 892
no "ad" bit set.
But why?
Cheers,
b.
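Added example, not part of the post or of BIND: a small script that reads a dig +dnssec answer like the one above and reports what a validator could object to: the missing "ad" bit, an RRSIG whose inception/expiration window does not cover the query time, or an answer RRset with no covering RRSIG. It embeds an abridged copy of the dig output from the post and assumes the post's local query time 09:02:18 corresponds to 13:02:18 UTC; function names (parse_dig, check_validation) are the example's own. Run against the output above it reports only the absent AD bit, which shows the signature window and key tag are not the problem and narrows the search to the DNSKEY/chain of trust.

```python
import re
from datetime import datetime, timezone

# Constructed, abridged copy of the dig answer from the post above: only the flags line and the ANSWER section.
DIG_OUTPUT = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 14
;; ANSWER SECTION:
119.in-addr.arpa. 172800 IN SOA ns1.apnic.net. read-txt-record-of-zone-first-dns-admin.apnic.net. 3006082431 7200 1800 604800 172800
119.in-addr.arpa. 172800 IN RRSIG SOA 5 3 172800 20120819055026 20120720045026 31291 119.in-addr.arpa. DxSB8J+SsHzLRv/qiFdQOLQ4eYEgCm6lUGr5/qoMje7iY9OIaaXmH/WM GwbTDdT7YNXfkZ7ZfpEnE5N9OeNW6Wghi8Wcerpy3OmEYMTWc1ZNgH70 KC8Rhth23mCkv+IdCEsirVKdgTgLYsRlPFMbp6WQveMQRyJwvGJQm4QI Ejk=
;; AUTHORITY SECTION:
"""
# Assumed UTC equivalent of the post's "WHEN: Fri Jul 20 09:02:18 2012" (dig prints local time).
POST_QUERY_TIME_UTC = datetime(2012, 7, 20, 13, 2, 18, tzinfo=timezone.utc)

def parse_dig(text):
    """Return (header flags, ANSWER-section records) from dig output; each
    record is the whitespace-split list of its presentation-format fields."""
    flags, answers, section = set(), [], None
    for line in text.splitlines():
        m = re.match(r";; flags: ([^;]*);", line)
        if m:
            flags = set(m.group(1).split())
        elif line.startswith(";; "):
            section = line[3:].split()[0]  # e.g. ANSWER, AUTHORITY
        elif section == "ANSWER" and line and not line.startswith(";"):
            answers.append(line.split())
    return flags, answers

def rrsig_time(field):
    """RRSIG expiration/inception fields are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_validation(text, now):
    """List what a validator could object to in this answer; empty means the AD
    bit is set and every answer RRset has an RRSIG whose window covers `now`."""
    flags, answers = parse_dig(text)
    findings = []
    if "ad" not in flags:
        findings.append("AD bit not set: resolver did not validate this answer")
    covered = set()
    for r in answers:
        if r[3] != "RRSIG":
            continue
        # RRSIG fields: 4=type covered, 8=expiration, 9=inception, 10=key tag, 11=signer
        covered.add(r[4])
        if not rrsig_time(r[9]) <= now <= rrsig_time(r[8]):
            findings.append(f"RRSIG over {r[4]} (key tag {r[10]}, signer {r[11]}) outside its validity window")
    for rtype in {r[3] for r in answers if r[3] != "RRSIG"} - covered:
        findings.append(f"{rtype} RRset has no covering RRSIG in the answer")
    return findings
```

check_validation(DIG_OUTPUT, POST_QUERY_TIME_UTC) returns only the "AD bit not set" finding; feeding it a later time (after 20120819055026) adds the expired-window finding.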