Finding dnssec validation failures in the logs

John Thurston john.thurston at alaska.gov
Tue Jan 24 17:53:32 UTC 2023 

It sounds like I'm correct that lines of the sort:

validating com/SOA: got insecure response; parent indicates it should be 
secure

are my indication that dnssec is doing its job. (Whether I should be 
reacting to messages like the above remains to be seen.)

Let me rephrase my original question (which remains unanswered): Are 
there other strings in the log which similarly indicate dnssec is doing 
its job and logging responses which can not be validated?

Of the lines like the above (for a sample day), 92% of them indicate 
failure to validate SOA-records. Only 4% are for A-records. Of those 
same lines, the most prevalent entris are the SOA-records for:

2%    io
2%    us
2%    ip6.arpa
2%    pure.cloud
2%    org
4%    impervadns.net
6%    net
7%    cloudflare.net
9%    .
33%   com

It concerns me the SOA records I'm requesting are so often being 
rejected as invalid.

I have my suspicions of what's happening, but not enough information to 
form a solid hypothesis or perform tests. I want higher confidence that 
I'm recognizing the important lines in the logs before I start casting 
stones.

--
Do things because you should, not just because you can.

John Thurston    907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska

On 1/24/2023 5:26 AM, Michael Richardson wrote:
> John Thurston<john.thurston at alaska.gov>  wrote:
>      > On a resolver running ISC BIND 9.16.36 with "dnssec-validation auto;" I am
>      > writing "category dnssec" to a log file  at "severity info;"  When I look in
>      > the resulting log file, I'm guessing that lines like this:
>
>      > validating com/SOA: got insecure response; parent indicates it should be
>      > secure
>
>      > Are an indication I have a problem I should investigate.
>
> Maybe.
> It could be that DNSSEC is simply defending you against attackers who are
> trying to race insecure answers to your queries in the belief that "nobody validates"
>
> If it were systematic (every query, every query to some servers...) then you
> should suspect that there is a on-path attacker modifying the responses.
> That's unlikely in general,  but it's why we have DNSSEC.
> It could also be the result of corrupted packets that survive the UDP
> checksum, or which go through a middle box that "fixes" that.  Some satellite
> systems do that.  I imagine that Alaska might have at least one satellite link.
>
> It doesn't sound like it's systematic, so I think they are off-path
> attackers, and it looks like it's queries on .com?
>
> Most likely, there is little you can do.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20230124/f4baf144/attachment.htm>

More information about the bind-users mailing list