named validating @0x...: ... SOA: no valid signature found

Mark Andrews marka at isc.org
Fri Jul 20 14:42:21 UTC 2012


In message <jubkum$qve$1 at dough.gmane.org>, "Brian J. Murrell" writes:
> On 12-07-20 08:34 AM, Brian J. Murrell wrote:
> >
> > The problem here seems to be fragmented UDP.
> 
> I seem to have misdiagnosed this due to tcpdump peculiarities.  I only
> initially saw/suspected the problem since my capture for port 53
> packets was including (only the first) ipv4 fragments.  When adding a
> capture specifically to get all ipv4 fragments in addition to my port
> 53 packets, I do see all of the fragments.
> 
> So back to the drawing board.
> 
> In my previous posting, I was able to demonstrate that I do get some
> queries authenticated, but others (corresponding to the errors in my
> logs) are not.  For example:
> 
> Jul 20 08:59:37 linux named[17472]:   validating @0xf48d01b0: 119.in-addr.arpa SOA: no valid signature found
> 
> and sure enough:
> 
> # dig +dnssec @localhost 119.in-addr.arpa SOA
> 
> ; <<>> DiG 9.9.1-P1 <<>> +dnssec @localhost 119.in-addr.arpa SOA
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49713
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 14
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;119.in-addr.arpa.              IN      SOA
> 
> ;; ANSWER SECTION:
> 119.in-addr.arpa.       172800  IN      SOA     ns1.apnic.net. read-txt-record-of-zone-first-dns-admin.apnic.net. 3006082431 7200 1800 604800 172800
> 119.in-addr.arpa.       172800  IN      RRSIG   SOA 5 3 172800 20120819055026 20120720045026 31291 119.in-addr.arpa. DxSB8J+SsHzLRv/qiFdQOLQ4eYEgCm6lUGr5/qoMje7iY9OIaaXmH/WM GwbTDdT7YNXfkZ7ZfpEnE5N9OeNW6Wghi8Wcerpy3OmEYMTWc1ZNgH70 KC8Rhth23mCkv+IdCEsirVKdgTgLYsRlPFMbp6WQveMQRyJwvGJQm4QI Ejk=
> 
> 
> ;; AUTHORITY SECTION:
> 119.in-addr.arpa.       78212   IN      NS      ns1.apnic.net.
> 119.in-addr.arpa.       78212   IN      NS      sec1.authdns.ripe.net.
> 119.in-addr.arpa.       78212   IN      NS      ns2.lacnic.net.
> 119.in-addr.arpa.       78212   IN      NS      ns4.apnic.net.
> 119.in-addr.arpa.       78212   IN      NS      ns3.apnic.net.
> 119.in-addr.arpa.       78212   IN      NS      apnic1.dnsnode.net.
> 119.in-addr.arpa.       78212   IN      NS      tinnie.arin.net.
> 
> ;; ADDITIONAL SECTION:
> ns1.apnic.net.          167     IN      A       202.12.29.25
> ns1.apnic.net.          164129  IN      AAAA    2001:dc0:2001:0:4608::25
> ns2.lacnic.net.         82967   IN      A       200.3.13.11
> ns2.lacnic.net.         164257  IN      AAAA    2001:13c7:7002:3000::11
> ns3.apnic.net.          167     IN      A       202.12.28.131
> ns3.apnic.net.          164129  IN      AAAA    2001:dc0:1:0:4777::131
> ns4.apnic.net.          167     IN      A       202.12.31.140
> ns4.apnic.net.          164129  IN      AAAA    2001:dc0:4001:1:0:1836:0:140
> sec1.authdns.ripe.net.  167     IN      A       193.0.9.3
> apnic1.dnsnode.net.     3767    IN      A       194.146.106.106
> tinnie.arin.net.        35918   IN      A       199.212.0.53
> tinnie.arin.net.        35918   IN      AAAA    2001:500:13::c7d4:35
> sec1.authdns.ripe.net.  167     IN      RRSIG   A 5 4 3600 20120819100246 20120720090246 16848 ripe.net. PnInozslOygv30AuohnYIzlCkeShxybKYeZ4114kpClfsMB/t3liXNmw in7Ha8Mh1mOZFtv2lvYDNlnrZgO65xXkUwsH2iz1jCMFU6ZjwGhqVhaX PpN6T6BXDHSohpFkVlx0yu9J7BcPMuCD6FJB5yLF4V0UUkJoPOXFAKBa mto=
> 
> ;; Query time: 239 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Jul 20 09:02:18 2012
> ;; MSG SIZE  rcvd: 892
> 
> no "ad" bit set.
> 
> But why?
 
The NS RRset is the delegation records and as such has no RRSIGs.
If you turn on minimal-responses the NS rrset won't be added and
AD won't be cleared.  AD is only set to 1 if all the records in the
answer and authority sections are marked as secure.

> Cheers,
> b.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org


