In message <jubkum$qve$1...@dough.gmane.org>, "Brian J. Murrell" writes:
> On 12-07-20 08:34 AM, Brian J. Murrell wrote:
> >
> > The problem here seems to be fragmented UDP.
>
> I seem to have misdiagnosed this due to tcpdump peculiarities. I only
> initially saw/suspected the problem since my capture for port 53
> packets was including (only the first) IPv4 fragments. When adding a
> capture specifically to get all IPv4 fragments in addition to my port
> 53 packets, I do see all of the fragments.
>
> So back to the drawing board.
>
> In my previous posting, I was able to demonstrate that I do get some
> queries authenticated, but others (corresponding to the errors in my
> logs) are not. For example:
>
> Jul 20 08:59:37 linux named[17472]: validating @0xf48d01b0: 119.in-addr.arpa SOA: no valid signature found
>
> and sure enough:
>
> # dig +dnssec @localhost 119.in-addr.arpa SOA
>
> ; <<>> DiG 9.9.1-P1 <<>> +dnssec @localhost 119.in-addr.arpa SOA
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49713
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 14
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;119.in-addr.arpa.              IN      SOA
>
> ;; ANSWER SECTION:
> 119.in-addr.arpa.       172800  IN      SOA     ns1.apnic.net. read-txt-record-of-zone-first-dns-admin.apnic.net. 3006082431 7200 1800 604800 172800
> 119.in-addr.arpa.       172800  IN      RRSIG   SOA 5 3 172800 20120819055026 20120720045026 31291 119.in-addr.arpa. DxSB8J+SsHzLRv/qiFdQOLQ4eYEgCm6lUGr5/qoMje7iY9OIaaXmH/WM GwbTDdT7YNXfkZ7ZfpEnE5N9OeNW6Wghi8Wcerpy3OmEYMTWc1ZNgH70 KC8Rhth23mCkv+IdCEsirVKdgTgLYsRlPFMbp6WQveMQRyJwvGJQm4QI Ejk=
>
> ;; AUTHORITY SECTION:
> 119.in-addr.arpa.       78212   IN      NS      ns1.apnic.net.
> 119.in-addr.arpa.       78212   IN      NS      sec1.authdns.ripe.net.
> 119.in-addr.arpa.       78212   IN      NS      ns2.lacnic.net.
> 119.in-addr.arpa.       78212   IN      NS      ns4.apnic.net.
> 119.in-addr.arpa.       78212   IN      NS      ns3.apnic.net.
> 119.in-addr.arpa.       78212   IN      NS      apnic1.dnsnode.net.
> 119.in-addr.arpa.       78212   IN      NS      tinnie.arin.net.
>
> ;; ADDITIONAL SECTION:
> ns1.apnic.net.          167     IN      A       202.12.29.25
> ns1.apnic.net.          164129  IN      AAAA    2001:dc0:2001:0:4608::25
> ns2.lacnic.net.         82967   IN      A       200.3.13.11
> ns2.lacnic.net.         164257  IN      AAAA    2001:13c7:7002:3000::11
> ns3.apnic.net.          167     IN      A       202.12.28.131
> ns3.apnic.net.          164129  IN      AAAA    2001:dc0:1:0:4777::131
> ns4.apnic.net.          167     IN      A       202.12.31.140
> ns4.apnic.net.          164129  IN      AAAA    2001:dc0:4001:1:0:1836:0:140
> sec1.authdns.ripe.net.  167     IN      A       193.0.9.3
> apnic1.dnsnode.net.     3767    IN      A       194.146.106.106
> tinnie.arin.net.        35918   IN      A       199.212.0.53
> tinnie.arin.net.        35918   IN      AAAA    2001:500:13::c7d4:35
> sec1.authdns.ripe.net.  167     IN      RRSIG   A 5 4 3600 20120819100246 20120720090246 16848 ripe.net. PnInozslOygv30AuohnYIzlCkeShxybKYeZ4114kpClfsMB/t3liXNmw in7Ha8Mh1mOZFtv2lvYDNlnrZgO65xXkUwsH2iz1jCMFU6ZjwGhqVhaX PpN6T6BXDHSohpFkVlx0yu9J7BcPMuCD6FJB5yLF4V0UUkJoPOXFAKBa mto=
>
> ;; Query time: 239 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Jul 20 09:02:18 2012
> ;; MSG SIZE  rcvd: 892
>
> no "ad" bit set.
>
> But why?

The NS RRset is the delegation records and as such has no RRSIGs.
If you turn on minimal-responses the NS RRset won't be added and AD
won't be cleared. AD is only set to 1 if all the records in the answer
and authority sections are marked as secure.

> Cheers,
> b.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
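The rule Mark states (AD is set only when every RRset in the ANSWER and AUTHORITY sections is secure, and an unsigned delegation NS set copied into AUTHORITY is enough to clear it) can be checked mechanically from a pasted dig reply. The script below is an added example, not code from the thread or from BIND: it groups a dig +dnssec reply into RRsets per section and lists those in ANSWER/AUTHORITY that carry no covering RRSIG, deliberately ignoring ADDITIONAL because that section never influences AD. The embedded SAMPLE is a constructed, abridged reply modelled on the one in the thread (fewer NS records, signature data shortened); the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample (not the original post's full output): an abridged
# dig +dnssec reply modelled on the one in the thread, with the RRSIG data
# shortened. Only the section structure and record types matter here.
SAMPLE = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;119.in-addr.arpa.              IN      SOA

;; ANSWER SECTION:
119.in-addr.arpa.       172800  IN      SOA     ns1.apnic.net. hostmaster.apnic.net. 1 7200 1800 604800 172800
119.in-addr.arpa.       172800  IN      RRSIG   SOA 5 3 172800 20120819055026 20120720045026 31291 119.in-addr.arpa. DxSB...Ejk=

;; AUTHORITY SECTION:
119.in-addr.arpa.       78212   IN      NS      ns1.apnic.net.
119.in-addr.arpa.       78212   IN      NS      sec1.authdns.ripe.net.
119.in-addr.arpa.       78212   IN      NS      tinnie.arin.net.

;; ADDITIONAL SECTION:
ns1.apnic.net.          167     IN      A       202.12.29.25
sec1.authdns.ripe.net.  167     IN      A       193.0.9.3
sec1.authdns.ripe.net.  167     IN      RRSIG   A 5 4 3600 20120819100246 20120720090246 16848 ripe.net. PnIn...mto=
"""

SECTION_RE = re.compile(r"^;; ([A-Z]+) SECTION:")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_flags(text):
    """Header flags as a set, e.g. {'qr', 'rd', 'ra'}; 'ad' is present only
    when the resolver marked the whole response as validated."""
    m = re.search(r"^;; flags: ([^;]*);", text, re.M)
    return set(m.group(1).split()) if m else set()


def parse_sections(text):
    """Group records per section into RRsets keyed by (owner, type), and
    record which (owner, type) pairs have a covering RRSIG in that section."""
    rrsets = defaultdict(lambda: defaultdict(list))
    signed = defaultdict(set)
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section in (None, "QUESTION") or not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if not m:
            continue
        owner, _ttl, rtype, rdata = m.groups()
        if rtype == "RRSIG":
            # First rdata field of an RRSIG is the type it covers.
            signed[section].add((owner, rdata.split()[0]))
        else:
            rrsets[section][(owner, rtype)].append(rdata)
    return rrsets, signed


def unsigned_rrsets(text, sections=("ANSWER", "AUTHORITY")):
    """RRsets in the given sections with no covering RRSIG in the same
    section. ADDITIONAL is left out by default: it never affects AD."""
    rrsets, signed = parse_sections(text)
    return [(sec, owner, rtype)
            for sec in sections
            for (owner, rtype) in rrsets[sec]
            if (owner, rtype) not in signed[sec]]


def explain(text):
    """One-line verdict a practitioner can read off a pasted dig reply."""
    flags = parse_flags(text)
    missing = unsigned_rrsets(text)
    if "ad" in flags:
        return "AD set: every RRset in ANSWER and AUTHORITY validated"
    if not missing:
        return ("AD clear but every RRset has an RRSIG: suspect the chain of "
                "trust or signature validity, not the response shape")
    return "AD clear; unsigned RRsets that block it: " + ", ".join(
        f"{sec} {owner} {rtype}" for sec, owner, rtype in missing)


if __name__ == "__main__":
    # On the constructed sample this reports the unsigned NS set in AUTHORITY.
    print(explain(SAMPLE))
```

Two caveats on reading the output. The script only inspects response shape: an RRSIG being present says nothing about whether it validated, so the "every RRset has an RRSIG" branch points you at the chain of trust (DS/DNSKEY, clock skew, trust anchors) rather than at the packet. And the fix Mark suggests is a named.conf options-block setting, `minimal-responses yes;`, which stops the delegation NS set from being added to AUTHORITY in the first place; it does not make that set signed.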