Strange log messages
Lars Kollstedt
lk at man-da.de
Thu Apr 23 08:18:26 UTC 2020
Hi Tony, hi List,
on Mittwoch, 22. April 2020 12:27:27 CEST Tony Finch wrote:
> Older versions of BIND can fall back to non-DNSSEC queries for DNSSEC
> zones. This can be more common if there is network disruption (I don't
> know if the CenturyLink fibre cut issues have been resolved yet...)
One of the arpa-Nameservers 192.5.5.241, 2001:500:2::c which is the C-Root-
Server is shown to be not responsive for queries over UDP by DNSviz for a long
time. I haven't found out which flags to set to reproduce this, yet.
e.g.
https://dnsviz.net/d/1.4.0.0.8.b.1.4.1.0.0.2.ip6.arpa/dnssec/
but
dig DNSKEY arpa +tries=1 +dnssec +notcp @2001:500:2::c
simply works for me, and all others I tried, too.
Today there are also similar issues shown up with 193.0.9.2 and 2001:67c:e0::2
for ip6.arpa and 193.0.9.5 for 82.in-addr.arpa, I also can't reproduce them.
So we're possibly not needing link saturation to trigger this. ;-)
But when I understand this bug correctly, the issue is that bind9 is trying
some combinations that simply won't work when trying DNS Protocol legacy in
combination with DNSSEC. This causes unnecessary traffic and log messages but
there are no invalid results cached due to this.
The only case this can turn things worst is in combination with rate limiting
or link saturation.
The only thing that IMHO does'nt really fit into this is, how could the same
message occur e.g. on 09:29:49, 09:29:56, 09:30:18, 09:34:02 and 09:35:39 when
the TTL is 3600, refresh is 1800 and retry 900. From my understanding, the
SOA-RR and its RRSIG should be cached once a successful combination was found,
and there should be no further queries like this for at least 1800 seconds.
Or are there DNS extensions causing this RR to be cached multiple times? I
would expect such for www.google.de IN A or AAAA but not for in-addr.arpa IN
SOA. ;-)
I don't experience any delays when doing my troubleshooting queries, and I'm
seeing the TTL properly decreasing when querying the resolver.
Kind regards,
Lars
--
Lars Kollstedt
Telefon: +49 6151 16-71027
E-Mail: lk at man-da.de
man-da.de GmbH
Dolivostraße 11
64293 Darmstadt
Sitz der man-da.de GmbH: Darmstadt
Amtsgericht Darmstadt, HRB 9484
Geschäftsführer: Andreas Ebert
More information about the bind-users
mailing list