Tracking down validation failures
Mark Andrews
marka at isc.org
Fri Jun 12 01:36:29 UTC 2009
In message <Prayer.1.3.1.0906111834360.6966 at hermes-2.csi.cam.ac.uk>, Chris Thompson writes:
> We have recently turned on DNSSEC validation (using dlv.isc.org) in our
> main university-wide recursive nameservers, which are running BIND 9.6.1rc1.
>
> No-one is actually complaining, but the counts I am seeing for "ValFail"
> on the statistics channel are quite a bit higher than we were seeing
> during testing, running at 0.2% - 0.4% of "ValAttempt" (but the counter
> increases in bursts), and I would be happier knowing what they were
> coming from.
>
> The advice usually given is to log category "dnssec" at debug level 3,
> but this produces far too much data. Reducing it to debug level 2, on the
> other hand, gives almost nothing. I do see a trickle of info-level
> messages:
>
> 11-Jun-2009 18:12:32.375 info: validating @15abde10:
> 17.62.212.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:12:32.376 info: validating @15abde10:
> 17.62.212.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:12:42.258 info: validating @f3e9cb8:
> 99.188.91.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:12:42.259 info: validating @f3e9cb8:
> 99.188.91.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:15:08.235 info: validating @15bed590:
> 97.102.91.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:15:08.236 info: validating @15bed590:
> 97.102.91.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:15:08.592 info: validating @15bed590:
> 97.102.91.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:15:08.593 info: validating @15bed590:
> 97.102.91.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:19:32.048 info: validating @8af4a40:
> 99.96.79.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:19:32.049 info: validating @8af4a40:
> 99.96.79.IN-ADDR.ARPA NSEC: no valid signature found
>
> but it's not even obvious what the original query was in these cases.
> (If I could find that out I could try the same query on a quieter
> nameserver with more logging turned on.) There are no messages
> generated at this level when I force a validation failure to occur
> ("dig soa advocaat.pro" remains my favourite).
>
> Any suggestions?
>
> --
> Chris Thompson
> Email: cet1 at cam.ac.uk
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
Do you have RIPE's trusted-keys configured into named.conf and are
they up to date?
http://www.ripe.net/projects/disi/keys/
https://www.ripe.net/projects/disi/keys/ripe-ncc-dnssec-keys-new.txt
Note named won't go to dlv if the answer is within an island of security
identified by a trusted-key in named.conf.
The data currently being returned looks good to me.
This is a referral to an insecure zone.
17.62.212.IN-ADDR.ARPA. 172800 IN NS ans2.cw.net.
17.62.212.IN-ADDR.ARPA. 172800 IN NS ans1.cw.net.
17.62.212.IN-ADDR.ARPA. 7200 IN NSEC 170.62.212.in-addr.arpa. NS RRSIG NSEC
17.62.212.IN-ADDR.ARPA. 7200 IN RRSIG NSEC 5 5 7200 20090711232326 20090611232326 34470 212.in-addr.arpa. pY89tH87GQjFm4YRAHCx8wY0R14fjN0Qb+wwGCDbJjAC1zezYUT+ltZN J/5akqXTY7vQ/h7u/t8gz7qf1Q1mSE0xngF/3amoZaNHpPNT9BGOeF89 kC4ucFI2e/MnU9lvmEJHVT5Ma0eJ4LRgFlGaeUmSMaPjRBxpOJpNGP/x O/jxf84LTsANHVBew8a7BI9tmg0ozppN
;; Received 338 bytes from 2001:660:3006:1::1:1#53(NS3.NIC.FR) in 548 ms
% date -u +%Y%m%d%H%M%S
20090612011526
%
Validation interval ok. 20090711232326 > 20090612011526 > 20090611232326
No DS in list of types that exist at 17.62.212.IN-ADDR.ARPA.
Signed with key 34470.
; <<>> DiG 9.3.6-P1 <<>> +dnssec +multi dnskey 212.IN-ADDR.ARPA
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4082
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;212.IN-ADDR.ARPA. IN DNSKEY
;; ANSWER SECTION:
212.IN-ADDR.ARPA. 2663 IN DNSKEY 256 3 5 (
AwEAAbW5cAVaimsuasYP4uwC/Id+/MJce+q+9FwBz4iO
bkPa5YNFz7qeV+y8BjKI/7nQ/4fh/Xd7tp+5eYT47GEx
ALl4GBGKoW22k/IpD1nqNuGs4BYvuG/kTfhtTEWyfMbB
20M17W0vPbHmhLDbdGO0qg1HPQZ0gXYFCofu9OX86OGL
V+YFEJ+NeWiNHg91xq1svv0sehJp7w==
) ; key id = 34470
212.IN-ADDR.ARPA. 2663 IN DNSKEY 256 3 5 (
AwEAAd2guc91r8v8RRtTcKLIGWPbLNi9HuAmcxNwW+7N
4KCPxci7GPqgqD/m88qbBDYdm1XMLHSV+lZ+DbifbFpw
cIu1+vt4dEGB7O9bCuZwQG89HN7IpTRhZQXH3P8O5eCt
7UJEOm4BWfRD4DKYyuOHGpdWTqyzY0TKGWECXW00X1rQ
t4MZmBl8Z4r8kLN+X4jWXoQzpygfXw==
) ; key id = 12075
212.IN-ADDR.ARPA. 2663 IN DNSKEY 257 3 5 (
AwEAAb133Y0UxrLtgmsR2LEkSpiiU6JKenlDmp42a6PY
uic4wxWFhQrfnzZVRcmoBTJZfdOD4pUe+eMsUOHIrheK
mhc7D7cmDS+ftZZThBd9GawpgiqCRRJYceECPKK8AcCn
qz3Cryei/+dGpjXyBXiCVZ8Xfn57AOIN6KfG+jdw+uow
o5qP0XtMI/UU9k4j7Cair7zaieMkvWb4Vo8gPLZ/PGUj
kGCUO9eXD5jauYapg4AoRZUalnTdp1MRN5rIaHhyRPsm
KjdfgvLCfep/2fYVOX75t89MnHNC4c8z+gpfgG8OI/1m
llP2h5KiwCN56fHqiqbF2DW/1baKEzDdM8N002E=
) ; key id = 27859
212.IN-ADDR.ARPA. 2663 IN DNSKEY 257 3 5 (
AwEAAb/ksCZYQWD+Ur6dw5KPoDR1B0FZchfVrLzExIsn
DdIG9pcyhhJ6UE6FkxCKM4NQSYeG+VSGU5i4t1e1wvic
M/f5/eAccFoff/Ou608Fp9sOXN0BpW6aDTH2oUIfgaLm
reuUVHqJt6AiPZ/BJKProI5fwEDVHsqXI8Vp6hwg6r6G
pQrE6xobebHzoyB743H/tUIdfKhDDx1NtIERV4uFDntZ
PsHXYoPduGnHhZnKT+ruZu0GcF/vOpK4lXNSRU2gLCuC
tLqT02vM9N1+ZuARTMyB9jaGcWON/5tbg5x5F9p+q3yE
2U8e0acrQCauo2KCOMPS33GbII9IRk7b9/FSuAc=
) ; key id = 31951
212.IN-ADDR.ARPA. 2663 IN RRSIG DNSKEY 5 3 3600 20090711222509 (
20090611222509 27859 212.in-addr.arpa.
CjlFcIUTcavj15cB5bw2MpONTJq9RAKFhVB+ayk9yWWg
z/9n43BmFTXdFgM04oW4wHxqhLK7hn1Naem/rZEfrHaC
WWdHoO4IQfInCs2gf+ux+3XrWeG9KBAGRsFk/GhEf0Qk
37RNdQUIU5nUFFdk/3f9+Cq9oITWNDLUMi59t9JkUbCD
ynZ0DXgZMRd+cKjIoGGwPuyPRqs518YEpgcvdBhTb587
126JnPPjPUgi4CW+dqyBku70k6w1SG0aIoUVx4WAmgiR
gg8aFh0LtLSLwQBh3Qs2lHsv4uXpvypf+14bnVq6Cxx/
OlYYjHuE+Yw79smkQf4nhKZ526tX/IASuQ== )
212.in-addr.arpa. 2663 IN RRSIG DNSKEY 5 3 3600 20090711222509 (
20090611222509 31951 212.in-addr.arpa.
cvH37/vl3zFKIxsXt4iS7g36mD5NLC6d9Dv9Hy4AepIX
g0jPIxLR0G4CbImKYvWwikPg8z5snS39aP1pgcXECQyL
4WSt/4UfaSB8VNfxNzT8gUmLXYnCgnnI8WilUcz0JJ/t
QdcRqqFkr3rE8Mf/txVHEJKsBKGv+IsvGJk3wR13ZgyW
jOvvFKu8MMCrhcWrgqMo6NpEssm03opstYD4q5TvWhtr
ODROWcwniuIiUbFHGSC3tu1vdH1oY7jzE4b459AqGnjX
5w3NOK7o87SdrDMxGMTgab0tOnwq71bPT0qPtjhh9q6t
sawULxmzC6q9J0rLG0j+tZAVN5ehfuHyDw== )
212.in-addr.arpa. 2663 IN RRSIG DNSKEY 5 3 3600 20090711222509 (
20090611222509 34470 212.in-addr.arpa.
ctxaYQOTaG7/6QrGBiu3g74zzrRSXr6JHMxmLOO3qQg1
c5tBmMvuB3I9lOyKVBFMdxSay7z7BRhpEnomPhyhUJcw
Ql8sN41ec8WGiqhbNEdP0EAo01LwPiNnO7jYk8/QiaFO
cX4GqjlyP0Iz6RqYZb+250cx4sdTFll3K6ciXlGik71D
Os6zoYnIG/TWkZ+yWtUW2Jkz )
;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 12 11:18:32 2009
;; MSG SIZE rcvd: 1743
Key 34470 exists and is a ZSK (no KSK flag).
; <<>> DiG 9.3.6-P1 <<>> dlv 212.in-addr.arpa.dlv.isc.org +noadd +noauth
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6757
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 3, ADDITIONAL: 4
;; QUESTION SECTION:
;212.in-addr.arpa.dlv.isc.org. IN DLV
;; ANSWER SECTION:
212.in-addr.arpa.dlv.isc.org. 321 IN DLV 31951 5 1 EAB2F3C835686644F8E4DF510171833BDC9CF751
212.in-addr.arpa.dlv.isc.org. 321 IN DLV 31951 5 2 BFE9D8548DC61BDB6F31F04BB16E57C6891F79005649DC4D132438E9 84D72FBA
212.in-addr.arpa.dlv.isc.org. 321 IN DLV 27859 5 1 F34BA83800EF2DD8ABBBC245DE0C76B4A3F70045
212.in-addr.arpa.dlv.isc.org. 321 IN DLV 27859 5 2 095D78A18FA3675476F4E782E0FA32A54400F4DCD05B3F8639298345 158B79D0
;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 12 11:20:24 2009
;; MSG SIZE rcvd: 364
The KSKs have ids 31951 and 27859.
Both of these exist in the RRset and self sign the DNSKEY RRset.
From ripe-ncc-dnssec-keys-new.txt we also see matching keys.
"212.in-addr.arpa." 257 3 5
"AwEAAb133Y0UxrLtgmsR2LEkSpiiU6JKenlD
mp42a6PYuic4wxWFhQrfnzZVRcmoBTJZfdOD
4pUe+eMsUOHIrheKmhc7D7cmDS+ftZZThBd9
GawpgiqCRRJYceECPKK8AcCnqz3Cryei/+dG
pjXyBXiCVZ8Xfn57AOIN6KfG+jdw+uowo5qP
0XtMI/UU9k4j7Cair7zaieMkvWb4Vo8gPLZ/
PGUjkGCUO9eXD5jauYapg4AoRZUalnTdp1MR
N5rIaHhyRPsmKjdfgvLCfep/2fYVOX75t89M
nHNC4c8z+gpfgG8OI/1mllP2h5KiwCN56fHq
iqbF2DW/1baKEzDdM8N002E=";
// Key ID= 27859 (to be deprecated!)
"212.in-addr.arpa." 257 3 5
"AwEAAb/ksCZYQWD+Ur6dw5KPoDR1B0FZchfV
rLzExIsnDdIG9pcyhhJ6UE6FkxCKM4NQSYeG
+VSGU5i4t1e1wvicM/f5/eAccFoff/Ou608F
p9sOXN0BpW6aDTH2oUIfgaLmreuUVHqJt6Ai
PZ/BJKProI5fwEDVHsqXI8Vp6hwg6r6GpQrE
6xobebHzoyB743H/tUIdfKhDDx1NtIERV4uF
DntZPsHXYoPduGnHhZnKT+ruZu0GcF/vOpK4
lXNSRU2gLCuCtLqT02vM9N1+ZuARTMyB9jaG
cWON/5tbg5x5F9p+q3yE2U8e0acrQCauo2KC
OMPS33GbII9IRk7b9/FSuAc=";
// Key ID= 31951
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
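The checks Mark walks through by hand above (does key 34470 appear in the 212.in-addr.arpa DNSKEY RRset and is it a ZSK, do the DLV records at dlv.isc.org match the two KSKs, is the NSEC RRSIG inside its validity window, and does the NSEC type bitmap prove an insecure delegation) can be re-run from the data quoted in the message. The following is an added example, not code from the original post or from BIND; every DNSKEY, DLV record and timestamp in it is copied from the dig output above, and the function names are this example's own. It implements the RFC 4034 Appendix B key tag, the DS/DLV digest rule of RFC 4034 section 5.1.4 (which RFC 4431 reuses for DLV, over the zone's own name), serial-arithmetic time comparison per RFC 4034 section 3.1.5, and the RFC 4035 section 5.2 test for an insecure delegation.

```python
"""Re-run the manual DNSSEC checks from the thread (added example, not BIND code)."""
import base64
import calendar
import hashlib
import struct
import time

ZONE = "212.in-addr.arpa."

# (flags, protocol, algorithm, base64 public key), copied from the dig output above.
DNSKEYS = [
    (256, 3, 5, "AwEAAbW5cAVaimsuasYP4uwC/Id+/MJce+q+9FwBz4iObkPa5YNFz7qeV+y8BjKI/7nQ/4fh/Xd7tp+5eYT47GEx"
                "ALl4GBGKoW22k/IpD1nqNuGs4BYvuG/kTfhtTEWyfMbB20M17W0vPbHmhLDbdGO0qg1HPQZ0gXYFCofu9OX86OGL"
                "V+YFEJ+NeWiNHg91xq1svv0sehJp7w=="),
    (256, 3, 5, "AwEAAd2guc91r8v8RRtTcKLIGWPbLNi9HuAmcxNwW+7N4KCPxci7GPqgqD/m88qbBDYdm1XMLHSV+lZ+DbifbFpw"
                "cIu1+vt4dEGB7O9bCuZwQG89HN7IpTRhZQXH3P8O5eCt7UJEOm4BWfRD4DKYyuOHGpdWTqyzY0TKGWECXW00X1rQ"
                "t4MZmBl8Z4r8kLN+X4jWXoQzpygfXw=="),
    (257, 3, 5, "AwEAAb133Y0UxrLtgmsR2LEkSpiiU6JKenlDmp42a6PYuic4wxWFhQrfnzZVRcmoBTJZfdOD4pUe+eMsUOHIrheK"
                "mhc7D7cmDS+ftZZThBd9GawpgiqCRRJYceECPKK8AcCnqz3Cryei/+dGpjXyBXiCVZ8Xfn57AOIN6KfG+jdw+uow"
                "o5qP0XtMI/UU9k4j7Cair7zaieMkvWb4Vo8gPLZ/PGUjkGCUO9eXD5jauYapg4AoRZUalnTdp1MRN5rIaHhyRPsm"
                "KjdfgvLCfep/2fYVOX75t89MnHNC4c8z+gpfgG8OI/1mllP2h5KiwCN56fHqiqbF2DW/1baKEzDdM8N002E="),
    (257, 3, 5, "AwEAAb/ksCZYQWD+Ur6dw5KPoDR1B0FZchfVrLzExIsnDdIG9pcyhhJ6UE6FkxCKM4NQSYeG+VSGU5i4t1e1wvic"
                "M/f5/eAccFoff/Ou608Fp9sOXN0BpW6aDTH2oUIfgaLmreuUVHqJt6AiPZ/BJKProI5fwEDVHsqXI8Vp6hwg6r6G"
                "pQrE6xobebHzoyB743H/tUIdfKhDDx1NtIERV4uFDntZPsHXYoPduGnHhZnKT+ruZu0GcF/vOpK4lXNSRU2gLCuC"
                "tLqT02vM9N1+ZuARTMyB9jaGcWON/5tbg5x5F9p+q3yE2U8e0acrQCauo2KCOMPS33GbII9IRk7b9/FSuAc="),
]

# DLV records for 212.in-addr.arpa.dlv.isc.org: (key tag, algorithm, digest type, digest).
DLV_RECORDS = [
    (31951, 5, 1, "EAB2F3C835686644F8E4DF510171833BDC9CF751"),
    (31951, 5, 2, "BFE9D8548DC61BDB6F31F04BB16E57C6891F79005649DC4D132438E984D72FBA"),
    (27859, 5, 1, "F34BA83800EF2DD8ABBBC245DE0C76B4A3F70045"),
    (27859, 5, 2, "095D78A18FA3675476F4E782E0FA32A54400F4DCD05B3F8639298345158B79D0"),
]


def dnskey_rdata(flags, proto, alg, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags, protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)


def key_tag(flags, proto, alg, pubkey_b64):
    """RFC 4034 Appendix B key tag, the 'key id' that dig prints."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, proto, alg, pubkey_b64)):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(flags):
    """256 is Zone Key only (ZSK); 257 adds the SEP bit that marks a KSK."""
    return bool(flags & 0x0001)


def owner_wire(name):
    """Canonical (lowercase) wire form of an owner name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest(zone, flags, proto, alg, pubkey_b64, digest_type):
    """DS/DLV digest = hash(DNSKEY owner name | DNSKEY RDATA); 1 = SHA-1, 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(owner_wire(zone) + dnskey_rdata(flags, proto, alg, pubkey_b64)).hexdigest().upper()


def dlv_matches(zone, dnskeys, dlv_records):
    """(key tag, digest type) of every DLV record that is a digest of a KSK in dnskeys."""
    by_tag = {key_tag(*k): k for k in dnskeys if is_ksk(k[0])}
    matched = []
    for tag, alg, dtype, digest in dlv_records:
        k = by_tag.get(tag)
        if k and k[2] == alg and ds_digest(zone, *k, dtype) == digest.upper():
            matched.append((tag, dtype))
    return matched


def _serial_le(a, b):
    """a <= b in RFC 1982 32-bit serial arithmetic (RRSIG times wrap in 2106)."""
    return ((b - a) & 0xFFFFFFFF) < 0x80000000


def sig_time(stamp):
    """RRSIG presentation timestamp (YYYYMMDDHHMMSS, UTC) -> seconds mod 2^32."""
    return calendar.timegm(time.strptime(stamp, "%Y%m%d%H%M%S")) & 0xFFFFFFFF


def in_validity_window(inception, expiration, now):
    """RFC 4034 section 3.1.5: inception <= now <= expiration, serial arithmetic."""
    i, e, n = (sig_time(s) for s in (inception, expiration, now))
    return _serial_le(i, n) and _serial_le(n, e)


def nsec_proves_insecure_delegation(type_bitmap):
    """RFC 4035 section 5.2: NS present, DS and SOA absent => unsigned child zone."""
    types = set(type_bitmap.split())
    return "NS" in types and "DS" not in types and "SOA" not in types


def check_chain():
    """Every check from the thread against the quoted data, as one summary dict."""
    return {
        "key_tags": [key_tag(*k) for k in DNSKEYS],
        "ksks": [key_tag(*k) for k in DNSKEYS if is_ksk(k[0])],
        "dlv_matched": dlv_matches(ZONE, DNSKEYS, DLV_RECORDS),
        "nsec_sig_valid": in_validity_window("20090611232326", "20090711232326", "20090612011526"),
        "insecure_delegation": nsec_proves_insecure_delegation("NS RRSIG NSEC"),
    }


if __name__ == "__main__":
    for name, value in check_chain().items():
        print(f"{name}: {value}")
```

The serial-arithmetic comparison matters for the validity check: a naive integer comparison gives the same answer for 2009 timestamps but breaks for signatures whose interval straddles the 32-bit wrap, which is why validators implement RFC 4034 section 3.1.5 this way. When debugging a real burst of ValFail counters, the same functions can be pointed at a fresh `dig +dnssec +multi` capture of the suspect zone's DNSKEY and DS/DLV records.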