In message <bl2pr01mb33945caaa8a8216c9ffb830ff...@bl2pr01mb339.prod.exchangelabs.com>, Mahdi Adnan writes:

> Thank you for your response.
>
> Date is correct in all servers as well as RRSIG.
>
> Mon Nov 7 08:56:03 AST 2016
> Mon Nov 7 05:56:03 UTC 2016
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +cd +dnssec dnskey +multi
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2882
> ;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;.                              IN      NS
>
> ;; ANSWER SECTION:
> .                       475207  IN      NS      e.root-servers.net.
> .                       475207  IN      NS      l.root-servers.net.
> .                       475207  IN      NS      f.root-servers.net.
> .                       475207  IN      NS      c.root-servers.net.
> .                       475207  IN      NS      d.root-servers.net.
> .                       475207  IN      NS      j.root-servers.net.
> .                       475207  IN      NS      g.root-servers.net.
> .                       475207  IN      NS      i.root-servers.net.
> .                       475207  IN      NS      h.root-servers.net.
> .                       475207  IN      NS      a.root-servers.net.
> .                       475207  IN      NS      b.root-servers.net.
> .                       475207  IN      NS      m.root-servers.net.
> .                       475207  IN      NS      k.root-servers.net.
> .                       518400  IN      RRSIG   NS 8 0 518400 (
>                                 20161120050000 20161107040000 39291 .
>                                 eKuJRWssJm+Qy4q+R+bKAIfSkxsDSl3y1S8ib/BC6i1c
>                                 Uxd36YM/lRLTOvqcjiZu18lsgSC7cpmiyNkQ4ibbqe5z
>                                 sgOXAdhXhmeqK8Bo3x3kP8VHWzbU6MOkN+O+LHOFXgx1
>                                 BUlo83LKqsJVMw/mYTLo0RguMGS5L7lLgDSbMUe0ow78
>                                 vg0MdIJo90AeEga084UIF9swAi3JZt5ds+82xkbhmmYT
>                                 RrsUknd763IUS04z8lEo60bAlMD3huGboa8Dtagd6lXC
>                                 NKXvCbQYQJu6hwMwxC5Kdmj0+cYn7PJJqye7XCSSipUo
>                                 Uxa1j/P+TTPmZSR4z6/YmNoM6ynmo2P4mw== )
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Nov 07 08:57:33 AST 2016
> ;; MSG SIZE  rcvd: 525
>
> As for the messages, I only got these messages during the period of 4
> minutes from 10:00 PM to 10:04 PM.

You need to be checking the records listed in the log messages. As you failed
to copy the names no one else can do that.

Mark

> --
>
> Respectfully
> Mahdi A. Mahdi
>
> ________________________________
> From: Mark Andrews <ma...@isc.org>
> Sent: Monday, November 7, 2016 12:17:21 AM
> To: Mahdi Adnan
> Cc: bind-users@lists.isc.org
> Subject: Re: BIND dnssec issue
>
> First check your system clocks and make sure they are correct.
>
> 'date -u' will show the time in UTC.
>
> Here in Australia we are 11 hours in front of UTC so
> when I run 'date; date -u' I get:
>
> Mon 7 Nov 2016 07:42:33 EST
> Sun 6 Nov 2016 20:42:33 UTC
>
> 'dig +cd +dnssec' will let you see the RRSIG inception and expiration
> times. They are in UTC. Below the RRSIG expires at 20161114235959
> and it was created at 20161031000000.
>
> ;; BADCOOKIE, retrying.
>
> ; <<>> DiG 9.11.0 <<>> +cd +dnssec dnskey . +multi
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43548
> ;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ; COOKIE: c393bcde3d692889e9f12574581f9746ca751f3f49a0a1aa (good)
> ;; QUESTION SECTION:
> ;.                              IN      DNSKEY
>
> ;; ANSWER SECTION:
> .                       171135  IN      DNSKEY  256 3 8 (
>                                 AwEAAYbinauHA9oUb4aGNtJIrepyGoYy0OL01rvIhvo3
>                                 RWN/Ch8p2C4ZEkpvUYkx74r9JpgrOsjKOv+JQdKtT2u8
>                                 AxGjUoH8x8HdpDiMV7XnpWJo9wAxlFtDtbMnPwRQ3dWs
>                                 T1p5myrGcm7EFJ9j7KmiAEG5hGsevZqcnqMOW9QFkmp/
>                                 zM0TFYXYWq6AsAof2uZqLUyd+nHIW0TGsaHMzcTNfA8W
>                                 w+OYV7R4bcR/8edCEo6OAh9j48R1hRtuO1e2MQdnkITc
>                                 9DJljB4Cq1gQKwv/ku7mAvmFuWkRotMZIFN3vDhpmpmy
>                                 7M0C1EHSRAgP+HkblLRQKOPnwI/VksJEU4fmnhk=
>                                 ) ; ZSK; alg = RSASHA256 ; key id = 39291
> .                       171135  IN      DNSKEY  257 3 8 (
>                                 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
>                                 bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
>                                 /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
>                                 JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
>                                 oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
>                                 LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
>                                 Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
>                                 LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
>                                 ) ; KSK; alg = RSASHA256 ; key id = 19036
> .                       171135  IN      RRSIG   DNSKEY 8 0 172800 (
>                                 20161114235959 20161031000000 19036 .
>                                 LPuldf5oWFdSHSTPYL5WvrvwJTElxY6LTEw2Cit0JOcV
>                                 AbZG6LLCmlpCJ55Ngf/sdE4UXUPJ/m6CFRYT+aAePvEW
>                                 rjRPGGX64V82oCeCPyAqD4XHd3CIQi3LBYk8ZbEktyvB
>                                 X+VS16rbSEQib7xNYvohtiJ0dRiw/wjr6YVF8xUdYO1v
>                                 vXPYOGXISYwW4vDiKAuyLDGuoLRh/F9GZQxBPwv6Bmx8
>                                 /JfNCfIygbnZ/8qIZUsFH68DPbAHPBqwR1GP+haAa6vQ
>                                 PhXwn4p+Vci7rYNzfPzdQfDNWsQ+8ur8xxSdanAZcZRr
>                                 ytaidLtIQx4DeGANdwmNjnAn8ZSg6q8etQ== )
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Nov 07 07:49:10 EST 2016
> ;; MSG SIZE  rcvd: 892
>
> As for "got insecure response; parent indicates it should be secure",
> there are still systems out there that do not respond to EDNS
> queries or only respond to the first EDNS query. To get answers
> from these systems, especially after a lost packet, named has to
> ask plain DNS questions, and as plain DNS does not have EDNS there
> is no DO=1 flag, so one does not get DNSSEC records in the responses to
> those queries. When such answers go through the validator and the
> zone is signed you will see this message logged.
>
> Old Microsoft Windows DNS servers exhibit this "only answer the first
> EDNS query" issue. You need to ask a plain DNS query to get a response
> after the first EDNS query. When we do EDNS compliance testing we
> can see these systems as they end up being formerr and timeouts
> except for plain DNS.
>
> bihasitka-nsn.gov. @64.37.122.49 (ns2.chicagowebs.com.): dns=ok
> edns=formerr,nosoa edns1=formerr,badversion edns@512=timeout
> ednsopt=timeout edns1opt=timeout do=timeout ednsflags=timeout
> optlist=timeout signed=timeout ednstcp=formerr
>
> hamiltontn.gov. @12.204.222.241 (ns1.hamiltontn.gov.): dns=ok
> edns=timeout edns1=timeout edns@512=timeout ednsopt=formerr,echoed,nosoa
> edns1opt=timeout do=timeout ednsflags=timeout optlist=timeout
> signed=timeout ednstcp=timeout
>
> If you have lots of these messages check that your firewall allows
> through large (> 1500 byte) EDNS responses. Packet loss and bad
> local firewalls can make named think that it is talking to such a
> system. Excessive buffer bloat can also cause named to think it
> is talking to such a system. A big upload / download can make
> visible the buffer bloat in the routers on your link.
>
> Mark
>
> In message
> <bl2pr01mb3393c454fdce60904e2781cff...@bl2pr01mb339.prod.exchangelabs.com>
> , Mahdi Adnan writes:
> > Hello,
> >
> > We have several Bind recursive servers and all of them stop responding to
> > queries at 10:00 PM daily for 4 minutes starting from November 1st with
> > the following error in the logs;
> >
> > "SOA: got insecure response; parent indicates it should be secure"
> >
> > "DNSKEY: verify failed due to bad signature (keyid=56467): RRSIG has
> > expired"
> >
> > "dlv.isc.org SOA: got insecure response; parent indicates it should be
> > secure"
> >
> > Servers running different versions of BIND (9.9 and 910) but all are up
> > to date.
> >
> > Anyone have any idea about this issue?
> >
> > Thanks
> > --
> >
> > Respectfully
> > Mahdi A. Mahdi
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
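The clock check Mark describes (compare the RRSIG expiration and inception fields, which are always UTC, with 'date -u') can be scripted so it is run the same way on every resolver. The following is an added example written for this thread; it is not code from the thread, from ISC or from BIND. It parses the presentation-format RRSIG records that 'dig +dnssec +multi' prints (joining the parenthesised continuation lines), reads the YYYYMMDDHHMMSS timestamps as UTC per RFC 4034, and judges each signature against a supplied clock reading using the RFC 4035 rule inception <= now <= expiration. The embedded sample is a constructed, shortened copy of the root NS RRSIG quoted above; the function and class names are the example's own.

```python
"""Classify RRSIG validity windows from `dig +dnssec +multi` output.

Added example for the bind-users thread above; not BIND or ISC code.
RRSIG expiration/inception fields are YYYYMMDDHHMMSS in UTC (RFC 4034
section 3.2), so the clock reading passed in must be timezone-aware.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample input: the root NS RRSIG quoted in the thread, laid out
# the way dig +multi prints it (base64 signature shortened to two lines).
SAMPLE_DIG = """\
;; ANSWER SECTION:
.\t\t\t475207 IN NS e.root-servers.net.
.\t\t\t518400 IN RRSIG NS 8 0 518400 (
\t\t\t\t20161120050000 20161107040000 39291 .
\t\t\t\teKuJRWssJm+Qy4q+R+bKAIfSkxsDSl3y1S8ib/BC6i1c
\t\t\t\tUxa1j/P+TTPmZSR4z6/YmNoM6ynmo2P4mw== )

;; Query time: 0 msec
"""

# owner ttl IN RRSIG covered alg labels origttl expire incept keytag signer sig
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+"
    r"(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<origttl>\d+)\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+(?P<keytag>\d+)\s+"
    r"(?P<signer>\S+)\s+(?P<sig>\S.*?)\s*$"
)


@dataclass
class Rrsig:
    owner: str
    covered: str
    keytag: int
    inception: datetime
    expiration: datetime


def utc_stamp(stamp: str) -> datetime:
    """Parse an RRSIG-style YYYYMMDDHHMMSS timestamp as a UTC datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def logical_records(text: str):
    """Yield one RR per string, joining dig's parenthesised continuation lines."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments and ';;' status lines
        if not line:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0


def parse_rrsigs(dig_output: str):
    """Return every RRSIG in the dig output as an Rrsig object."""
    found = []
    for rec in logical_records(dig_output):
        m = RRSIG_RE.match(rec)
        if m:
            found.append(Rrsig(m["owner"], m["covered"], int(m["keytag"]),
                               utc_stamp(m["incept"]), utc_stamp(m["expire"])))
    return found


def classify(sig: Rrsig, now: datetime) -> str:
    """RFC 4035 section 5.3.1: the validator's clock must lie within the window."""
    if now.tzinfo is None:
        raise ValueError("pass a timezone-aware clock reading (e.g. from date -u)")
    if now < sig.inception:
        return "not-yet-valid"
    if now > sig.expiration:
        return "expired"
    return "valid"


def report(dig_output: str, now: datetime):
    """(owner, covered type, keytag, status) for each RRSIG, judged at `now`."""
    return [(s.owner, s.covered, s.keytag, classify(s, now))
            for s in parse_rrsigs(dig_output)]


if __name__ == "__main__":
    # Judge the sample with the host's own clock, as a resolver operator would.
    for row in report(SAMPLE_DIG, datetime.now(timezone.utc)):
        print(row)
```

Feed it the real output of 'dig +cd +dnssec +multi' and pass both the local clock and the UTC clock: if the same signature classifies as "valid" under one and "expired" under the other, the problem is the clock, not the zone. The query in the thread was made at 08:57:33 AST, which is 05:57:33 UTC, inside the 2016-11-07 04:00 to 2016-11-20 05:00 window of that RRSIG.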