Finding dnssec validation failures in the logs
Darren Ankney
darren.ankney at gmail.com
Tue Jan 24 11:19:32 UTC 2023
I looked in logs of my resolver in my home network and see a similar message from January 6th:
06-Jan-2023 17:09:23.677 dnssec: info: validating in-addr.arpa/SOA: got insecure response; parent indicates it should be secure
I interpret that to mean that someone’s DNS is misconfigured. I guess it could mean someone is trying to serve up wrong answers ...
Found many lines of 'no valid signature found’
I think you are probably OK.
> On Jan 23, 2023, at 7:44 PM, John Thurston <john.thurston at alaska.gov> wrote:
>
> On a resolver running ISC BIND 9.16.36 with "dnssec-validation auto;" I am writing "category dnssec" to a log file at "severity info;" When I look in the resulting log file, I'm guessing that lines like this:
> validating com/SOA: got insecure response; parent indicates it should be secure
> Are an indication I have a problem I should investigate.
> My question is: Are there other strings I should be reacting to in that log?
>
> I interpret the many lines like this:
> validating wunderkind.co/SOA: no valid signature found
> to mean "We looked for signing information for wunderkind.co and found none. That's cool, we didn't expect them to be."
> --
> --
> Do things because you should, not just because you can.
>
> John Thurston 907-465-8591
> John.Thurston at alaska.gov
> Department of Administration
> State of Alaska
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
More information about the bind-users
mailing list