BIND dnssec issue

Mark Andrews marka at isc.org
Mon Nov 7 06:30:38 UTC 2016


In message <BL2PR01MB33945CAAA8A8216C9FFB830FFA70 at BL2PR01MB339.prod.exchangelabs.com>, Mahdi Adnan writes:
> Thank you for your response.
>
>
> Date is correct in all servers as well as RRSIG.
>
> Mon Nov  7 08:56:03 AST 2016
> Mon Nov  7 05:56:03 UTC 2016
>
>
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +cd +dnssec dnskey +multi
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2882
> ;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;. IN NS
>
> ;; ANSWER SECTION:
> . 475207 IN NS e.root-servers.net.
> . 475207 IN NS l.root-servers.net.
> . 475207 IN NS f.root-servers.net.
> . 475207 IN NS c.root-servers.net.
> . 475207 IN NS d.root-servers.net.
> . 475207 IN NS j.root-servers.net.
> . 475207 IN NS g.root-servers.net.
> . 475207 IN NS i.root-servers.net.
> . 475207 IN NS h.root-servers.net.
> . 475207 IN NS a.root-servers.net.
> . 475207 IN NS b.root-servers.net.
> . 475207 IN NS m.root-servers.net.
> . 475207 IN NS k.root-servers.net.
> . 518400 IN RRSIG NS 8 0 518400 (
> 20161120050000 20161107040000 39291 .
> eKuJRWssJm+Qy4q+R+bKAIfSkxsDSl3y1S8ib/BC6i1c
> Uxd36YM/lRLTOvqcjiZu18lsgSC7cpmiyNkQ4ibbqe5z
> sgOXAdhXhmeqK8Bo3x3kP8VHWzbU6MOkN+O+LHOFXgx1
> BUlo83LKqsJVMw/mYTLo0RguMGS5L7lLgDSbMUe0ow78
> vg0MdIJo90AeEga084UIF9swAi3JZt5ds+82xkbhmmYT
> RrsUknd763IUS04z8lEo60bAlMD3huGboa8Dtagd6lXC
> NKXvCbQYQJu6hwMwxC5Kdmj0+cYn7PJJqye7XCSSipUo
> Uxa1j/P+TTPmZSR4z6/YmNoM6ynmo2P4mw== )
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Nov 07 08:57:33 AST 2016
> ;; MSG SIZE  rcvd: 525
>
>
>
>
> As for the messages, I only got these messages during the period of 4
> minutes from 10:00 PM to 10:04 PM.

You need to be checking the records listed in the log messages.
As you failed to copy the names, no one else can do that.

Mark

> --
>
> Respectfully
> Mahdi A. Mahdi
>
> ________________________________
> From: Mark Andrews <marka at isc.org>
> Sent: Monday, November 7, 2016 12:17:21 AM
> To: Mahdi Adnan
> Cc: bind-users at lists.isc.org
> Subject: Re: BIND dnssec issue
>
>
> First check your system clocks and make sure they are correct.
>
> 'date -u' will show the time in UTC.
>
> Here in Australia we are 11 hours in front of UTC so
> where I run 'date; date -u' I get:
>
> Mon  7 Nov 2016 07:42:33 EST
> Sun  6 Nov 2016 20:42:33 UTC
>
> 'dig +cd +dnssec' will let you see the RRSIG inception and expiration
> times. They are in UTC.  Below, the RRSIG expires at 20161114235959
> and it was created at 20161031000000.
>
> ;; BADCOOKIE, retrying.
>
> ; <<>> DiG 9.11.0 <<>> +cd +dnssec dnskey . +multi
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43548
> ;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ; COOKIE: c393bcde3d692889e9f12574581f9746ca751f3f49a0a1aa (good)
> ;; QUESTION SECTION:
> ;.                      IN DNSKEY
>
> ;; ANSWER SECTION:
> .                       171135 IN DNSKEY 256 3 8 (
>                                 AwEAAYbinauHA9oUb4aGNtJIrepyGoYy0OL01rvIhvo3
>                                 RWN/Ch8p2C4ZEkpvUYkx74r9JpgrOsjKOv+JQdKtT2u8
>                                 AxGjUoH8x8HdpDiMV7XnpWJo9wAxlFtDtbMnPwRQ3dWs
>                                 T1p5myrGcm7EFJ9j7KmiAEG5hGsevZqcnqMOW9QFkmp/
>                                 zM0TFYXYWq6AsAof2uZqLUyd+nHIW0TGsaHMzcTNfA8W
>                                 w+OYV7R4bcR/8edCEo6OAh9j48R1hRtuO1e2MQdnkITc
>                                 9DJljB4Cq1gQKwv/ku7mAvmFuWkRotMZIFN3vDhpmpmy
>                                 7M0C1EHSRAgP+HkblLRQKOPnwI/VksJEU4fmnhk=
>                                 ) ; ZSK; alg = RSASHA256 ; key id = 39291
> .                       171135 IN DNSKEY 257 3 8 (
>                                 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
>                                 bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
>                                 /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
>                                 JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
>                                 oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
>                                 LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
>                                 Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
>                                 LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
>                                 ) ; KSK; alg = RSASHA256 ; key id = 19036
> .                       171135 IN RRSIG DNSKEY 8 0 172800 (
>                                 20161114235959 20161031000000 19036 .
>                                 LPuldf5oWFdSHSTPYL5WvrvwJTElxY6LTEw2Cit0JOcV
>                                 AbZG6LLCmlpCJ55Ngf/sdE4UXUPJ/m6CFRYT+aAePvEW
>                                 rjRPGGX64V82oCeCPyAqD4XHd3CIQi3LBYk8ZbEktyvB
>                                 X+VS16rbSEQib7xNYvohtiJ0dRiw/wjr6YVF8xUdYO1v
>                                 vXPYOGXISYwW4vDiKAuyLDGuoLRh/F9GZQxBPwv6Bmx8
>                                 /JfNCfIygbnZ/8qIZUsFH68DPbAHPBqwR1GP+haAa6vQ
>                                 PhXwn4p+Vci7rYNzfPzdQfDNWsQ+8ur8xxSdanAZcZRr
>                                 ytaidLtIQx4DeGANdwmNjnAn8ZSg6q8etQ== )
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Nov 07 07:49:10 EST 2016
> ;; MSG SIZE  rcvd: 892
>
> As for "got insecure response; parent indicates it should be secure",
> there are still systems out there that do not respond to EDNS
> queries or only respond to the first EDNS query.  To get answers
> from these systems, especially after a lost packet, named has to
> ask plain DNS questions, and as plain DNS does not have EDNS there
> is no DO=1 flag, so one does not get DNSSEC records in the responses to
> those queries.  When such answers go through the validator and the
> zone is signed you will see this message logged.
>
> Old Microsoft Windows DNS servers exhibit this "only answer the first
> EDNS query" issue.  You need to ask a plain DNS query to get a response
> after the first EDNS query.  When we do EDNS compliance testing we
> can see these systems as they end up being formerr and timeouts
> except for plain DNS.
>
> bihasitka-nsn.gov. @64.37.122.49 (ns2.chicagowebs.com.): dns=ok
> edns=formerr,nosoa edns1=formerr,badversion edns@512=timeout
> ednsopt=timeout edns1opt=timeout do=timeout ednsflags=timeout
> optlist=timeout signed=timeout ednstcp=formerr
>
> hamiltontn.gov. @12.204.222.241 (ns1.hamiltontn.gov.): dns=ok
> edns=timeout edns1=timeout edns@512=timeout ednsopt=formerr,echoed,nosoa
> edns1opt=timeout do=timeout ednsflags=timeout optlist=timeout
> signed=timeout ednstcp=timeout
>
> If you have lots of these messages check that your firewall allows
> through large (> 1500 byte) EDNS responses.  Packet loss and bad
> local firewalls can make named think that it is talking to such a
> system.  Excessive buffer bloat can also cause named to think it
> is talking to such a system.  A big upload / download can make
> visible the buffer bloat in the routers on your link.
>
> Mark
>
> In message <BL2PR01MB3393C454FDCE60904E2781CFFA40 at BL2PR01MB339.prod.exchangelabs.com>, Mahdi Adnan writes:
> > Hello,
> >
> >
> > We have several Bind recursive servers and all of them stop responding
> > to queries at 10:00 PM daily for 4 minutes starting from November 1st
> > with the following error in the logs;
> >
> >
> > "SOA: got insecure response; parent indicates it should be secure"
> >
> > "DNSKEY: verify failed due to bad signature (keyid=56467): RRSIG has
> > expired"
> >
> > "dlv.isc.org SOA: got insecure response; parent indicates it should be
> > secure"
> >
> >
> >
> > servers running different versions of BIND (9.9 and 9.10) but all are up
> > to date.
> >
> > anyone have any idea about this issue ?
> >
> >
> > Thanks
> > --
> >
> > Respectfully
> > Mahdi A. Mahdi
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
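The two checks Mark asks for above, pulling the RRSIG inception/expiration window out of 'dig +cd +dnssec +multi' output and comparing it against the clock in UTC, and extracting the record name and type from the validator log lines so you know which record to dig for, as an added example. This is not code from the thread or from BIND. The sample dig text is constructed from the two root-zone RRSIGs quoted above (signature base64 truncated); the log line shapes are the ones quoted in the original report, and the optional "validating @0x...:" prefix the parser tolerates is an assumption, not something the thread shows.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the two RRSIGs quoted in the thread, in the multi-line
# layout dig +multi prints. Signature base64 is truncated; only timing is read.
SAMPLE_DIG = """\
;; ANSWER SECTION:
. 518400 IN RRSIG NS 8 0 518400 (
20161120050000 20161107040000 39291 .
eKuJRWssJm+Qy4q+R+bKAIfSkxsDSl3y1S8ib/BC6i1c
Uxa1j/P+TTPmZSR4z6/YmNoM6ynmo2P4mw== )
.                       171135 IN RRSIG DNSKEY 8 0 172800 (
                                20161114235959 20161031000000 19036 .
                                LPuldf5oWFdSHSTPYL5WvrvwJTElxY6LTEw2Cit0JOcV
                                ytaidLtIQx4DeGANdwmNjnAn8ZSg6q8etQ== )
"""

# RRSIG RDATA field order per RFC 4034: type covered, algorithm, labels,
# original TTL, expiration, inception, key tag, signer, signature.
RRSIG_RE = re.compile(
    r"(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+"
    r"(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<orig_ttl>\d+)\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+"
    r"(?P<keytag>\d+)\s+(?P<signer>\S+)"
)

# Validator log lines in the shape quoted in the thread ("<name> <TYPE>: <msg>"
# or "<TYPE>: <msg>"). The "validating @0x...:" prefix is an assumed variant.
LOG_RE = re.compile(
    r"^(?:validating\s+@0x[0-9a-fA-F]+:\s+)?"
    r"(?:(?P<name>\S+)\s+)?(?P<type>[A-Z][A-Z0-9]*):\s+(?P<msg>.*)$"
)

def parse_sigtime(ts):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC (RFC 4034 3.2); compare
    against 'date -u', never local time."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def _records(text):
    # Re-join the lines dig +multi splits inside ( ) into one RR per item.
    buf, depth = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []

def parse_rrsigs(dig_output):
    sigs = []
    for rr in _records(dig_output):
        m = RRSIG_RE.search(rr)
        if m:
            d = m.groupdict()
            d["expiration"] = parse_sigtime(d["expiration"])
            d["inception"] = parse_sigtime(d["inception"])
            d["keytag"] = int(d["keytag"])
            sigs.append(d)
    return sigs

def check_rrsigs(dig_output, now):
    """(owner, covered, keytag, status) per RRSIG; the validator's window
    test is inception <= now <= expiration."""
    if now.tzinfo is None:
        raise ValueError("pass an aware UTC datetime; RRSIG times are UTC")
    out = []
    for s in parse_rrsigs(dig_output):
        if now < s["inception"]:
            status = "not yet valid"  # resolver clock behind, or signed in the future
        elif now > s["expiration"]:
            status = "expired"        # resolver clock ahead, or signer stopped re-signing
        else:
            status = "valid"
        out.append((s["owner"], s["covered"], s["keytag"], status))
    return out

def records_to_check(log_line):
    """Name, type and keyid from a validator log line, plus the dig command that
    shows that record's RRSIG window (+cd so an expired RRSIG comes back
    instead of SERVFAIL). Returns None if the line does not parse."""
    m = LOG_RE.match(log_line.strip())
    if not m:
        return None
    name, rtype = m.group("name"), m.group("type")
    kid = re.search(r"keyid=(\d+)", m.group("msg"))
    return {"name": name, "type": rtype,
            "keyid": int(kid.group(1)) if kid else None,
            "dig": f"dig +cd +dnssec +multi {name} {rtype}" if name else None}

if __name__ == "__main__":
    for row in check_rrsigs(SAMPLE_DIG, parse_sigtime("20161107055603")):
        print(row)
```

Run it on the resolver that logged the error, feeding 'dig +cd +dnssec +multi <name> <type>' output and 'date -u' as the clock; a "not yet valid" or "expired" result with a correct clock points at the signer, while a wrong clock shows up as every RRSIG on the box flipping state at the same moment, which is what a daily four-minute outage window suggests checking first.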

