in-addr.arpa insecure?

Robert Moskowitz rgm at htt-consult.com
Fri Mar 1 14:19:42 UTC 2013 

On 03/01/2013 08:57 AM, Tony Finch wrote:
> Robert Moskowitz <rgm at htt-consult.com> wrote:
>
>> I got tipped off about this from logwatch report. On my public DNS server had
>> the following:
>>
>> Feb 26 04:02:04 onlo named[19336]:   validating @0xb2929ee0: in-addr.arpa SOA:
>> got insecure response; parent indicates it should be secure
> Looks like something in your setup is dropping RRSIGs, and this is
> probably responsible for both your private htt. TLD validation problems
> and these in-addr.arpa validation problems. Do you all your servers have
> "dnssec-enable yes"? Do you have any non-BIND servers or middleboxes?

All my boxes are Centos 6.3 running RHEL bind 9.8.2.  I have 3. onlo is 
public facing and my main server.  rigel is my internal test box.  
klovia is my new mail server running as a cache server, currently 
forwarding to rigel, but will be switched to onlo when I swap it for the 
current klovia.  onlo and rigel are completely independent and on 
different subnets.  I mention the names as they are all findable via 
DNS; nothing private about that (though I am blocking chaos digs on all 
of them).

All in the global options have the lines:

     dnssec-enable yes;
     dnssec-lookaside auto;

Onlo and rigel have:

     dnssec-validation auto;

and klovia has:

     dnssec-validation yes;

hmmm.  I THOUGHT I had set onlo to also be 'dnssec-validation yes'. 
Probably did that in an earlier test version and when I did the final 
build, I forgot to change that line (auto is the RHEL default setting).  
And rigel started life as a clone of onlo.

So I will change dnssec-validation to yes, and see what happens.

Anything else I should look for?

Oh, no non-bind servers knowingly in the way.  I pay my ISP for a clear 
IP connection and 64 IPv4 addresses and a /48 IPv6 allocation.  My 
firewall is a Juniper SSG5 'branch' firewall with current firmware 
(there was an IPv6 bug in earlier releases that caused outbound routing 
problems) that is just passing port 53; no proxying enabled.

More information about the bind-users mailing list