Finding dnssec validation failures in the logs

Michael Richardson mcr at sandelman.ca
Tue Jan 24 14:26:01 UTC 2023


John Thurston <john.thurston at alaska.gov> wrote:
> On a resolver running ISC BIND 9.16.36 with "dnssec-validation auto;" I am
> writing "category dnssec" to a log file at "severity info;" When I look in
> the resulting log file, I'm guessing that lines like this:

> validating com/SOA: got insecure response; parent indicates it should be
> secure

> are an indication I have a problem I should investigate.

Maybe.
It could be that DNSSEC is simply defending you against attackers who are
trying to race insecure answers to your queries in the belief that "nobody validates".

If it were systematic (every query, every query to some servers...) then you
should suspect that there is an on-path attacker modifying the responses.
That's unlikely in general, but it's why we have DNSSEC.
It could also be the result of corrupted packets that survive the UDP
checksum, or which go through a middle box that "fixes" that.  Some satellite
systems do that.  I imagine that Alaska might have at least one satellite link.

It doesn't sound like it's systematic, so I think they are off-path
attackers, and it looks like it's queries on .com?

Most likely, there is little you can do.
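As an added triage aid (not from the thread and not ISC code), the script below counts the "got insecure response; parent indicates it should be secure" lines per name and per TLD over constructed sample log lines, to help judge whether the failures look systematic or sporadic. The "systematic" ratio threshold is a hypothetical heuristic, not anything BIND defines, and the "dnssec: info:" prefix assumes print-time, print-category and print-severity are enabled on the channel.

```python
import re
from collections import Counter

# Constructed sample lines (not taken from the thread); the prefix assumes
# print-time/print-category/print-severity are enabled on the logging channel.
SAMPLE_LOG = """\
24-Jan-2023 13:01:02.123 dnssec: info: validating com/SOA: got insecure response; parent indicates it should be secure
24-Jan-2023 13:01:05.456 dnssec: info: validating example.com/A: got insecure response; parent indicates it should be secure
24-Jan-2023 13:02:10.789 dnssec: info: validating com/SOA: got insecure response; parent indicates it should be secure
24-Jan-2023 13:03:11.000 dnssec: info: validating example.net/NS: no valid signature found
"""

INSECURE_MSG = "got insecure response; parent indicates it should be secure"
# Match the "validating <name>/<type>: <message>" part wherever it sits on the line.
LINE_RE = re.compile(r"validating (?P<name>\S+)/(?P<rtype>[A-Z0-9]+): (?P<msg>.*)$")


def parse_dnssec_log(text):
    """Return (name, rtype, msg) for every validation line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["name"], m["rtype"], m["msg"].strip()))
    return events


def tld_of(name):
    """Top-level label of a name ('example.com' -> 'com', 'com' -> 'com')."""
    return name.rstrip(".").rsplit(".", 1)[-1]


def summarize(text, systematic_ratio=0.5):
    """Count the 'insecure response' failures per name and per TLD.

    'systematic' is a hypothetical heuristic for the thread's question: if at
    least systematic_ratio of all validation lines carry this failure, suspect
    an on-path modifier or a broken middlebox rather than occasional races.
    """
    events = parse_dnssec_log(text)
    insecure = [e for e in events if e[2] == INSECURE_MSG]
    total = len(events)
    ratio = len(insecure) / total if total else 0.0
    return {
        "total": total,
        "insecure": len(insecure),
        "by_name": Counter(name for name, _, _ in insecure),
        "by_tld": Counter(tld_of(name) for name, _, _ in insecure),
        "ratio": ratio,
        "systematic": total > 0 and ratio >= systematic_ratio,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["insecure"], "of", s["total"], "validation lines;", dict(s["by_tld"]))
```

Point it at a real "category dnssec" file with `summarize(open(path).read())`; a high ratio concentrated on one parent zone is the pattern the reply above says would merit investigation.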
