Z flag is different from 0
Mark Andrews
Mark_Andrews at isc.org
Tue Nov 30 21:18:31 UTC 2004
> Hi -
>
> I'm running ISC's bind 9.3.0 on Solaris 9. I have two servers (master
> and secondary), which support a dozen (+/-) domains. We recently
> upgraded our firewall to CheckPoint with their SmartDefense product. (We
> had been running an older Gauntlet firewall)
>
> My issue is that SmartDefense is alerting on our outgoing DNS queries,
> saying "Bad DNS Headers, Z flag is different from 0". I've looked at
> RFC2929, which says:
>
> --quote--
> 2.1 One Spare Bit?
>
> There have been ancient DNS implementations for which the Z bit being
> on in a query meant that only a response from the primary server for
> a zone is acceptable. It is believed that current DNS
> implementations ignore this bit.
>
> Assigning a meaning to the Z bit requires an IETF Standards Action.
> ---------
>
> Should I be looking for a way to configure bind to not set the Z flag?
> Or is there some other solution to this issue?
>
> Thanks in advance.
BIND 9.3 does not set the final bit. Are you sure it is not
triggering on CD?
dnssec-enable no; // default
07:51:01.130013 192.168.191.236.2498 > 198.6.1.65.53: 16310 [1au] A? ftp.uu.net. (39)
4500 0043 0a63 0000 4011 286b c0a8 bfec
c606 0141 09c2 0035 002f 72bd
3fb6 0000
0001 0000 0000 0001 0366 7470 0275 7503
6e65 7400 0001 0001 0000 2910 0000 0080
0000 00
qr=0, opcode=0, aa=0, tc=0, rd=0, mbz=0, ad=0, cd=0, rcode=0
qr=0, opcode=0, aa=0, tc=0, rd=0, mbz=000 rcode=0 (RFC 1035)
dnssec-enable yes;
07:58:47.055324 192.168.191.236.2498 > 198.6.1.181.53: [udp sum ok] 30669 [1au] A? xx.uu.net. ar: . OPT UDPsize=4096 (38) (ttl 64, id 2712, len 66)
4500 0042 0a98 0000 4011 27c3 c0a8 bfec
c606 01b5 09c2 0035 002e 4a6f
77cd 0010
0001 0000 0000 0001 0278 7802 7575 036e
6574 0000 0100 0100 0029 1000 0000 8000
0000
qr=0, opcode=0, aa=0, tc=0, rd=0, mbz=0, ad=0, cd=1, rcode=0
qr=0, opcode=0, aa=0, tc=0, rd=0, mbz=001 rcode=0 (RFC 1035)
(Note CD is set).
I would be worried about whether your current Firewall is DNSSEC
aware (knows about AD and CD).
Note 9.2.x always has DNSSEC enabled.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
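The two decodings Mark prints above (the RFC 2535-style "z/ad/cd" view and the RFC 1035 "mbz=000" view of the same three bits) are the whole point: a firewall that only knows RFC 1035 sees CD as part of a 3-bit Z field that must be zero. The following script is an added example, not code from the original post or from BIND or CheckPoint. It takes the DNS payloads of the two tcpdump hex dumps quoted above (IP and UDP headers stripped), parses the header, the question and the EDNS OPT record, and reports the flags both ways. The `strict_rfc1035_verdict` function is an assumption about how an RFC 1035-only checker would classify the packet; the message text it returns is copied from the alert quoted in the question, not from any SmartDefense source.

```python
"""Decode DNS query header flags the two ways compared in the reply above.

Added example. The two messages below are the DNS payloads of the tcpdump
hex dumps quoted in the reply (Ethernet/IP/UDP headers removed); they are
the page's own packets, not constructed data.
"""
import struct

# "dnssec-enable no;" query for ftp.uu.net (ID 16310, flags 0x0000)
QUERY_DNSSEC_OFF = bytes.fromhex(
    "3fb60000000100000000000103667470027575036e657400000100010000291000000080000000"
)
# "dnssec-enable yes;" query for xx.uu.net (ID 30669, flags 0x0010)
QUERY_DNSSEC_ON = bytes.fromhex(
    "77cd0010000100000000000102787802757503" "6e657400000100010000291000000080000000"
)


def decode_flags(flags):
    """Split the 16-bit flags word into the fields BIND prints (RFC 2535 view).

    Bit layout, MSB first: QR | Opcode(4) | AA | TC | RD | RA | Z | AD | CD | RCODE(4)
    """
    return {
        "qr": flags >> 15 & 1,
        "opcode": flags >> 11 & 0xF,
        "aa": flags >> 10 & 1,
        "tc": flags >> 9 & 1,
        "rd": flags >> 8 & 1,
        "ra": flags >> 7 & 1,
        "z": flags >> 6 & 1,   # the single reserved bit RFC 2929 discusses
        "ad": flags >> 5 & 1,
        "cd": flags >> 4 & 1,
        "rcode": flags & 0xF,
    }


def rfc1035_z(flags):
    """RFC 1035 reading: bits 6..4 form one 3-bit 'Z' field that must be zero."""
    return flags >> 4 & 0x7


def strict_rfc1035_verdict(msg):
    """Assumed behaviour of a checker that predates AD/CD: any of bits 6..4 set
    is reported as a bad header. The text mirrors the alert in the question."""
    (flags,) = struct.unpack("!H", msg[2:4])
    return "Bad DNS Headers, Z flag is different from 0" if rfc1035_z(flags) else "ok"


def parse_name(msg, off):
    """Read an uncompressed wire-format name; returns (dotted name, new offset)."""
    labels = []
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a query")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", off


def parse_query(msg):
    """Parse header, first question and any OPT record of a DNS query."""
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    off = 12
    qname, off = parse_name(msg, off)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    edns = None
    for _ in range(arcount):
        _, off = parse_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 41:  # OPT: CLASS carries the UDP payload size, TTL bit 15 is DO
            edns = {"udpsize": rclass, "do": ttl >> 15 & 1}
        off += rdlen
    return {
        "id": ident,
        "flags": decode_flags(flags),
        "rfc1035_z": rfc1035_z(flags),
        "qname": qname,
        "qtype": qtype,
        "edns": edns,
    }


if __name__ == "__main__":
    for label, pkt in (("dnssec-enable no", QUERY_DNSSEC_OFF), ("dnssec-enable yes", QUERY_DNSSEC_ON)):
        q = parse_query(pkt)
        f = q["flags"]
        print(f"{label}: id={q['id']} {q['qname']} edns={q['edns']}")
        print(f"  z={f['z']} ad={f['ad']} cd={f['cd']}  (RFC 1035 mbz={q['rfc1035_z']:03b})")
        print(f"  RFC 1035-only checker says: {strict_rfc1035_verdict(pkt)}")
```

Running it shows that in both packets the single Z bit (bit 6) is zero, but the second packet has CD set, so an RFC 1035-only reading gives mbz=001 and the "Z flag is different from 0" verdict; the EDNS OPT record (UDP size 4096, DO bit set) is also present in both, which a similarly old checker might object to separately.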