Tracking down validation failures

Chris Thompson cet1 at cam.ac.uk
Thu Jun 11 17:34:36 UTC 2009


We have recently turned on DNSSEC validation (using dlv.isc.org) in our
main university-wide recursive nameservers, which are running BIND 9.6.1rc1.

No-one is actually complaining, but the counts I am seeing for "ValFail"
on the statistics channel are quite a bit higher than we were seeing
during testing, running at 0.2% - 0.4% of "ValAttempt" (but the counter
increases in bursts), and I would be happier knowing what they were
coming from.

The advice usually given is to log category "dnssec" at debug level 3,
but this produces far too much data. Reducing it to debug level 2, on the
other hand, gives almost nothing. I do see a trickle of info-level
messages:

11-Jun-2009 18:12:32.375 info:   validating @15abde10:
 17.62.212.IN-ADDR.ARPA NSEC: no valid signature found
11-Jun-2009 18:12:32.376 info:   validating @15abde10:
 17.62.212.IN-ADDR.ARPA NSEC: no valid signature found
11-Jun-2009 18:12:42.258 info:   validating @f3e9cb8:
 99.188.91.IN-ADDR.ARPA NSEC: no valid signature found
11-Jun-2009 18:12:42.259 info:   validating @f3e9cb8:
 99.188.91.IN-ADDR.ARPA NSEC: no valid signature found
11-Jun-2009 18:15:08.235 info:   validating @15bed590:
 97.102.91.IN-ADDR.ARPA NSEC: no valid signature found
11-Jun-2009 18:15:08.236 info:   validating @15bed590:
 97.102.91.IN-ADDR.ARPA NSEC: no valid signature found
11-Jun-2009 18:15:08.592 info:   validating @15bed590:
 97.102.91.IN-ADDR.ARPA NSEC: no valid signature found
11-Jun-2009 18:15:08.593 info:   validating @15bed590:
 97.102.91.IN-ADDR.ARPA NSEC: no valid signature found
11-Jun-2009 18:19:32.048 info:   validating @8af4a40:
 99.96.79.IN-ADDR.ARPA NSEC: no valid signature found
11-Jun-2009 18:19:32.049 info:   validating @8af4a40:
 99.96.79.IN-ADDR.ARPA NSEC: no valid signature found

but it's not even obvious what the original query was in these cases.
(If I could find that out I could try the same query on a quieter
nameserver with more logging turned on.) There are no messages
generated at this level when I force a validation failure to occur
("dig soa advocaat.pro" remains my favourite).

Any suggestions?

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
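An added example (my own, not from the post or from BIND): a small Python script that parses the info-level "dnssec" messages quoted above, re-joins lines wrapped by the mail client, and counts failures per NSEC owner name and per minute so the bursts and the zones behind them stand out. It assumes the two-line form is mail wrapping of a single log line, and that the near-simultaneous duplicate pairs from one validator context are a single event; the sample log is constructed from the post's messages.

```python
import re
from collections import Counter

# Constructed sample in the format of the BIND 9.6 "dnssec" info messages quoted
# above; the mail client wrapped each onto two lines, so both forms are accepted.
SAMPLE_LOG = """\
11-Jun-2009 18:12:32.375 info:   validating @15abde10:
 17.62.212.IN-ADDR.ARPA NSEC: no valid signature found
11-Jun-2009 18:12:32.376 info:   validating @15abde10:
 17.62.212.IN-ADDR.ARPA NSEC: no valid signature found
11-Jun-2009 18:12:42.258 info:   validating @f3e9cb8: 99.188.91.IN-ADDR.ARPA NSEC: no valid signature found
11-Jun-2009 18:15:08.235 info:   validating @15bed590:
 97.102.91.IN-ADDR.ARPA NSEC: no valid signature found
"""
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ info:\s+"
    r"validating @(?P<ctx>[0-9a-f]+):\s*(?P<rest>.*)$")
REST_RE = re.compile(r"^(?P<name>\S+) (?P<rtype>[A-Z0-9]+): (?P<msg>.+)$")

def logical_lines(text):
    """Re-join messages that were wrapped onto an indented continuation line."""
    out = []
    for raw in text.splitlines():
        if raw[:1].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.rstrip())
    return out

def parse_validation_log(text):
    """Return (timestamp, validator ctx, owner name, rtype, message) per message."""
    records = []
    for line in logical_lines(text):
        m = LINE_RE.match(line)
        r = REST_RE.match(m["rest"]) if m else None
        if r:
            records.append((m["ts"], m["ctx"], r["name"].lower(), r["rtype"], r["msg"]))
    return records

def summarise(records):
    """Count failures per owner name and per minute (to see the bursts). Two lines
    from one validator context in the same second are assumed to be one event."""
    seen, per_owner, per_minute = set(), Counter(), Counter()
    for rec in records:
        if rec in seen:
            continue
        seen.add(rec)
        ts, _ctx, name, rtype, msg = rec
        per_owner[(name, rtype, msg)] += 1
        per_minute[ts[:-3]] += 1      # drop the seconds: "11-Jun-2009 18:12"
    return per_owner, per_minute
```

The per-owner keys give the names worth re-querying (e.g. with dig +dnssec) on a quieter nameserver with more logging turned on.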