Hello all,

I've searched the list - and there is a thread from 7 years ago that seems to
match what I am seeing:
https://lists.isc.org/pipermail/bind-users/2013-March/090003.html

I am seeing this on a fresh Debian 10 install, using the Debian bind9 packages
(specifically as of this moment I have: BIND 9.11.5-P4-5.1+deb10u1-Debian
(Extended Support Version)). I have stayed as close as possible
to the vanilla shipped config. So to that point - DNSSEC validation works fine
out of the box.

I am getting this frequently:
May 30 14:15:33 orbital named[10379]: validating in-addr.arpa/SOA: got insecure response; parent indicates it should be secure
May 30 14:19:47 orbital named[10379]: validating in-addr.arpa/SOA: got insecure response; parent indicates it should be secure
May 30 14:19:58 orbital named[10379]: validating in-addr.arpa/SOA: got insecure response; parent indicates it should be secure
May 30 14:23:12 orbital named[10379]: validating in-addr.arpa/SOA: got insecure response; parent indicates it should be secure

Absolutely maddening. This box is also my mail server, so it’s constantly
doing reverse lookups, and hence frequently triggering this log...

I have two other boxes (one Debian 9, one Ubuntu (16.04?)). Both also run
bind 9.x - distro packages. Neither of those boxes gives me the frequent errors
for in-addr.arpa.

I thought this was perhaps an MTU / frag (IPv6?) issue? I can ping 1500
packets with DF from here to other places across the net.

I also ran a tcpdump filtering for the IP/IPv6 addresses of the
[a-f].in-addr-servers.arpa… either I missed something or I’m not seeing it.
Nothing stands out to me there.

No idea if this is a red herring, or not, but I notice that b and c instances
give back answers that are 200+ bytes larger than a, d, e, f:
vom@orbital:~$ for i in a b c d e f; do echo -n "$i: "; dig -4 +norecurse +dnssec @$i.in-addr-servers.arpa in-addr.arpa soa | grep rcvd: ; done
a: ;; MSG SIZE rcvd: 309
b: ;; MSG SIZE rcvd: 547
c: ;; MSG SIZE rcvd: 547
d: ;; MSG SIZE rcvd: 309
e: ;; MSG SIZE rcvd: 313
f: ;; MSG SIZE rcvd: 281

vom@orbital:~$ for i in a b c d e f; do echo -n "$i: "; dig -6 +norecurse +dnssec @$i.in-addr-servers.arpa in-addr.arpa soa | grep rcvd: ; done
a: ;; MSG SIZE rcvd: 309
b: ;; MSG SIZE rcvd: 547
c: ;; MSG SIZE rcvd: 547
d: ;; MSG SIZE rcvd: 309
e: ;; MSG SIZE rcvd: 313
f: ;; MSG SIZE rcvd: 281

Does anyone know what could be causing this? I feel like I’m missing a
troubleshooting step. I would love some clue on some specific dig commands I
could run to recreate/diagnose this.

Thanks in advance - this is my “white whale” for this weekend...
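
One way to test the truncation / fragmentation idea raised in the post, as an added example that is not part of the original message: summarize_dig reduces dig output to message size, TC flag and RRSIG count, and probe_servers (which needs network access) compares UDP with TCP fallback disabled against TCP for each server. The function names and the sample dig output are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and the sample output are constructed.

# Reduce dig output on stdin to: message size, TC (truncated) flag, RRSIG count.
summarize_dig() {
    awk '
        /^;; flags:/     { seen = 1; tc = ($0 ~ / tc[ ;]/) ? "yes" : "no" }
        /^[^;]/ && $4 == "RRSIG" { rrsig++ }
        /^;; MSG SIZE/   { size = $NF }
        END {
            # "?" means dig printed no header/size at all (e.g. a timeout).
            printf "size=%s tc=%s rrsig=%d\n",
                   (size ? size : "?"), (seen ? tc : "?"), rrsig
        }'
}

# Needs network access. For each server, compare UDP with TCP fallback
# disabled (+ignore) at the given EDNS buffer size against plain TCP.
probe_servers() {
    bufsize=${1:-4096}
    for s in a b c d e f; do
        ns="$s.in-addr-servers.arpa"
        udp=$(dig -4 +norecurse +dnssec +ignore +bufsize="$bufsize" \
                  @"$ns" in-addr.arpa soa | summarize_dig)
        tcp=$(dig -4 +norecurse +dnssec +tcp \
                  @"$ns" in-addr.arpa soa | summarize_dig)
        echo "$s: udp[$udp] tcp[$tcp]"
    done
}

# Constructed dig output for a truncated UDP reply (not captured from a server).
sample_truncated() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4660
;; flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;in-addr.arpa.                  IN      SOA
;; MSG SIZE  rcvd: 41
EOF
}

sample_truncated | summarize_dig
```

Running probe_servers with a buffer size larger than the responses (for example 4096) and comparing each server's udp[...] and tcp[...] summaries shows whether the signed answer arrives intact over UDP; a udp summary of size=? or rrsig=0 next to a complete tcp summary marks the server and transport to capture with tcpdump.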