Re: BIND dnssec issue
In message , Mahdi Adnan writes:

> As for the messages, I only got these messages during the period of 4
> minutes from 10:00 PM to 10:04 PM.

You need to be checking the records listed in the log messages. As you failed to copy the names no one else can do that.

Mark
Re: BIND dnssec issue
Thank you for your response.

Date is correct in all servers as well as RRSIG.

Mon Nov 7 08:56:03 AST 2016
Mon Nov 7 05:56:03 UTC 2016

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +cd +dnssec dnskey +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2882
;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       475207  IN      NS      e.root-servers.net.
.                       475207  IN      NS      l.root-servers.net.
.                       475207  IN      NS      f.root-servers.net.
.                       475207  IN      NS      c.root-servers.net.
.                       475207  IN      NS      d.root-servers.net.
.                       475207  IN      NS      j.root-servers.net.
.                       475207  IN      NS      g.root-servers.net.
.                       475207  IN      NS      i.root-servers.net.
.                       475207  IN      NS      h.root-servers.net.
.                       475207  IN      NS      a.root-servers.net.
.                       475207  IN      NS      b.root-servers.net.
.                       475207  IN      NS      m.root-servers.net.
.                       475207  IN      NS      k.root-servers.net.
.                       518400  IN      RRSIG   NS 8 0 518400 (
                                2016112005 2016110704 39291 .
                                eKuJRWssJm+Qy4q+R+bKAIfSkxsDSl3y1S8ib/BC6i1c
                                Uxd36YM/lRLTOvqcjiZu18lsgSC7cpmiyNkQ4ibbqe5z
                                sgOXAdhXhmeqK8Bo3x3kP8VHWzbU6MOkN+O+LHOFXgx1
                                BUlo83LKqsJVMw/mYTLo0RguMGS5L7lLgDSbMUe0ow78
                                vg0MdIJo90AeEga084UIF9swAi3JZt5ds+82xkbhmmYT
                                RrsUknd763IUS04z8lEo60bAlMD3huGboa8Dtagd6lXC
                                NKXvCbQYQJu6hwMwxC5Kdmj0+cYn7PJJqye7XCSSipUo
                                Uxa1j/P+TTPmZSR4z6/YmNoM6ynmo2P4mw== )

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 07 08:57:33 AST 2016
;; MSG SIZE  rcvd: 525

As for the messages, I only got these messages during the period of 4 minutes from 10:00 PM to 10:04 PM.

--
Respectfully
Mahdi A. Mahdi
Re: BIND dnssec issue
First check your system clocks and make sure they are correct.

'date -u' will show the time in UTC.

Here in Australia we are 11 hours in front of UTC so where I run 'date; date -u' I get:

Mon 7 Nov 2016 07:42:33 EST
Sun 6 Nov 2016 20:42:33 UTC

'dig +cd +dnssec' will let you see the RRSIG inception and expiration times. They are in UTC. Below the RRSIG expires at 20161114235959 and it was created at 2016103100.

;; BADCOOKIE, retrying.

; <<>> DiG 9.11.0 <<>> +cd +dnssec dnskey . +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43548
;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: c393bcde3d692889e9f12574581f9746ca751f3f49a0a1aa (good)
;; QUESTION SECTION:
;.                              IN      DNSKEY

;; ANSWER SECTION:
.                       171135  IN      DNSKEY  256 3 8 (
                                AwEAAYbinauHA9oUb4aGNtJIrepyGoYy0OL01rvIhvo3
                                RWN/Ch8p2C4ZEkpvUYkx74r9JpgrOsjKOv+JQdKtT2u8
                                AxGjUoH8x8HdpDiMV7XnpWJo9wAxlFtDtbMnPwRQ3dWs
                                T1p5myrGcm7EFJ9j7KmiAEG5hGsevZqcnqMOW9QFkmp/
                                zM0TFYXYWq6AsAof2uZqLUyd+nHIW0TGsaHMzcTNfA8W
                                w+OYV7R4bcR/8edCEo6OAh9j48R1hRtuO1e2MQdnkITc
                                9DJljB4Cq1gQKwv/ku7mAvmFuWkRotMZIFN3vDhpmpmy
                                7M0C1EHSRAgP+HkblLRQKOPnwI/VksJEU4fmnhk=
                                ) ; ZSK; alg = RSASHA256 ; key id = 39291
.                       171135  IN      DNSKEY  257 3 8 (
                                AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
                                bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
                                /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
                                JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
                                oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
                                LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
                                Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
                                LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
                                ) ; KSK; alg = RSASHA256 ; key id = 19036
.                       171135  IN      RRSIG   DNSKEY 8 0 172800 (
                                20161114235959 2016103100 19036 .
                                LPuldf5oWFdSHSTPYL5WvrvwJTElxY6LTEw2Cit0JOcV
                                AbZG6LLCmlpCJ55Ngf/sdE4UXUPJ/m6CFRYT+aAePvEW
                                rjRPGGX64V82oCeCPyAqD4XHd3CIQi3LBYk8ZbEktyvB
                                X+VS16rbSEQib7xNYvohtiJ0dRiw/wjr6YVF8xUdYO1v
                                vXPYOGXISYwW4vDiKAuyLDGuoLRh/F9GZQxBPwv6Bmx8
                                /JfNCfIygbnZ/8qIZUsFH68DPbAHPBqwR1GP+haAa6vQ
                                PhXwn4p+Vci7rYNzfPzdQfDNWsQ+8ur8xxSdanAZcZRr
                                ytaidLtIQx4DeGANdwmNjnAn8ZSg6q8etQ== )

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 07 07:49:10 EST 2016
;; MSG SIZE  rcvd: 892

As for "got insecure response; parent indicates it should be secure", there are still systems out there that do not respond to EDNS queries or only respond to the first EDNS query. To get answers from these systems, especially after a lost packet, named has to ask plain DNS questions, and as plain DNS does not have EDNS there is no DO=1 flag, so one does not get DNSSEC records in the responses to those queries. When such answers go through the validator and the zone is signed you will see this message logged.

Old Microsoft Windows DNS servers exhibit this only-answer-the-first-EDNS-query issue. You need to ask a plain DNS query to get a response after the first EDNS query.

When we do EDNS compliance testing we can see these systems as they end up being formerr and timeouts except for plain DNS.

bihasitka-nsn.gov. @64.37.122.49 (ns2.chicagowebs.com.): dns=ok edns=formerr,nosoa edns1=formerr,badversion edns@512=timeout ednsopt=timeout edns1opt=timeout do=timeout ednsflags=timeout optlist=timeout signed=timeout ednstcp=formerr
hamiltontn.gov. @12.204.222.241 (ns1.hamiltontn.gov.): dns=ok edns=timeout edns1=timeout edns@512=timeout ednsopt=formerr,echoed,nosoa edns1opt=timeout do=timeout ednsflags=timeout optlist=timeout signed=timeout ednstcp=timeout

If you have lots of these messages check that your firewall allows through large (> 1500 byte) EDNS responses. Packet loss and bad local firewalls can make named think that it is talking to such a system. Excessive buffer bloat can also cause named to think it is talking to such a system. A big upload / download can make visible the buffer bloat in the routers on your link.

Mark
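To apply the clock check above to any 'dig +cd +dnssec' output, here is an added example (not part of this thread and not BIND code) that pulls the expiration and inception fields out of every RRSIG, folds the +multi line wrapping, and classifies each signature against a UTC clock. The sample record is constructed from the RRSIG above with the signature data omitted and the inception time assumed to be 20161031000000.

```python
import re
from datetime import datetime, timezone

# Constructed sample of "dig +cd +dnssec +multi" output: the RRSIG over the root
# DNSKEY RRset from Mark's message, with the base64 signature replaced by a
# placeholder and the inception time assumed to be 20161031000000.
SAMPLE_DIG = """\
.   171135 IN RRSIG DNSKEY 8 0 172800 (
        20161114235959 20161031000000 19036 .
        SIGNATURE-BASE64-OMITTED== )
"""

# owner TTL IN RRSIG <covered> <alg> <labels> <orig TTL> <expiration> <inception> <keyid> <signer>
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+"
    r"(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<orig_ttl>\d+)\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keyid>\d+)\s+(?P<signer>\S+)",
    re.MULTILINE,
)

def _ts(field: str) -> datetime:
    # RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034); dig prints them unchanged.
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(dig_output: str) -> list:
    """Return one dict per RRSIG, whether dig printed it on one line or wrapped with +multi."""
    # +multi wraps RDATA in ( ... ) over several lines; fold each group back onto its line.
    flat = re.sub(r"\(\s*(.*?)\s*\)", lambda m: " ".join(m.group(1).split()),
                  dig_output, flags=re.S)
    return [
        {"owner": m["owner"], "covered": m["covered"], "keyid": int(m["keyid"]),
         "signer": m["signer"], "inception": _ts(m["inception"]),
         "expiration": _ts(m["expiration"])}
        for m in RRSIG_RE.finditer(flat)
    ]

def check_rrsig(sig: dict, now: datetime) -> str:
    """Classify one signature against the validator's clock (timezone-aware, UTC)."""
    if now < sig["inception"]:
        return "not yet valid"   # resolver clock behind the signer's
    if now > sig["expiration"]:
        return "expired"         # the condition behind "RRSIG has expired" in the named log
    return "valid"

def check_all(dig_output: str, now_utc: str) -> list:
    """now_utc is the 'date -u' time written as 'YYYY-MM-DDTHH:MM:SS'; returns (covered, status) pairs."""
    now = datetime.fromisoformat(now_utc).replace(tzinfo=timezone.utc)
    return [(s["covered"], check_rrsig(s, now)) for s in parse_rrsigs(dig_output)]
```

Feed it the full dig output and the UTC time from 'date -u'; a resolver whose clock is wrong shows every signature as "expired" or "not yet valid" at once, while a single stale RRSIG points at the zone rather than the clock.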
BIND dnssec issue
Hello,

We have several Bind recursive servers and all of them stop responding to queries at 10:00 PM daily for 4 minutes starting from November 1st with the following error in the logs:

"SOA: got insecure response; parent indicates it should be secure"
"DNSKEY: verify failed due to bad signature (keyid=56467): RRSIG has expired"
"dlv.isc.org SOA: got insecure response; parent indicates it should be secure"

Servers running different versions of BIND (9.9 and 9.10) but all are up to date. Anyone have any idea about this issue?

Thanks

--
Respectfully
Mahdi A. Mahdi

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
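Mark's follow-up in this thread asks which records the log messages actually named. As an added example (not from the thread and not BIND code), the script below groups named validator messages by owner name and type, records the time span and key ids, maps each message to the cause discussed in the thread, and lists the dig queries to run next. The log lines are constructed after the three messages quoted above; their timestamps, the "validating" prefix and the owner names other than dlv.isc.org are assumed.

```python
import re

# Constructed named log lines shaped after the three messages in the original post;
# timestamps, the "validating" prefix and owner names other than dlv.isc.org are assumed.
SAMPLE_LOG = """\
07-Nov-2016 22:00:05.101 dnssec: info: validating example.org/DNSKEY: verify failed due to bad signature (keyid=56467): RRSIG has expired
07-Nov-2016 22:00:05.140 dnssec: info: validating example.org/SOA: got insecure response; parent indicates it should be secure
07-Nov-2016 22:01:40.930 dnssec: info: validating dlv.isc.org/SOA: got insecure response; parent indicates it should be secure
07-Nov-2016 22:03:59.004 dnssec: info: validating example.org/SOA: got insecure response; parent indicates it should be secure
07-Nov-2016 22:05:00.000 general: info: zone example.org/IN: loaded serial 2016110701
"""

# Accepts both "validating name/TYPE:" and the older "validating @0x...: name TYPE:" shapes.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?validating "
    r"(?:@0x[0-9a-f]+: )?(?P<name>\S+?)[/ ](?P<rtype>[A-Z0-9]+): (?P<msg>.*)$"
)

# Message fragment -> what to check, following the advice given in the thread.
CAUSES = [
    ("RRSIG has expired", "signature outside its validity window: compare 'date -u' with the RRSIG times"),
    ("got insecure response; parent indicates it should be secure",
     "answer arrived without DNSSEC records: EDNS fallback, packet loss or a firewall dropping >1500-byte replies"),
]

def classify(msg: str) -> str:
    return next((hint for needle, hint in CAUSES if needle in msg), "unclassified validator message")

def triage(log_text: str) -> dict:
    """Group validator failures by (name, rtype) with count, time span, key ids and a hint."""
    found = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a validator message
        rec = found.setdefault((m["name"], m["rtype"]), {
            "count": 0, "first": m["ts"], "last": m["ts"], "keyids": set(),
            "hint": classify(m["msg"]),
        })
        rec["count"] += 1
        rec["last"] = m["ts"]          # lines are in log order, so this tracks the window end
        k = re.search(r"keyid=(\d+)", m["msg"])
        if k:
            rec["keyids"].add(int(k.group(1)))
    return found

def dig_commands(found: dict) -> list:
    """The queries to run next: one 'dig +cd +dnssec' per record the validator complained about."""
    return sorted(f"dig +cd +dnssec +multi {name} {rtype}" for name, rtype in found)
```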