Re: Insecure response BIND 9.7.0b2
On Fri, Nov 20, 2009 at 09:27:35AM +1100, Mark Andrews ma...@isc.org wrote a message of 34 lines which said:

> There are also firewalls that block DNS/UDP responses bigger than 512 bytes
> or block EDNS queries/responses 10 years after the introduction of EDNS.
> There is also middleware that blocks/drops DNS/UDP responses that are
> fragmented.

This tool may help: http://www.nic.cz/dnssectests/

And this one, too: https://www.dns-oarc.net/oarc/services/replysizetest

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Insecure response BIND 9.7.0b2
Logged:

Nov 19 12:13:45 maplepark named[23329]: validating @0x17b7980: dlv.isc.org SOA: got insecure response; parent indicates it should be secure

What does this mean?

--
David Forrest
St. Louis, Missouri
Re: Insecure response BIND 9.7.0b2
On Thu, 19 Nov 2009, David Forrest wrote:

> Logged:
>
> Nov 19 12:13:45 maplepark named[23329]: validating @0x17b7980: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
>
> What does this mean?

This is documented in the ARM. The parent zone says (published DS) that it should have been signed.
Re: Insecure response BIND 9.7.0b2
On Thu, 19 Nov 2009, Jeremy C. Reed wrote:

> On Thu, 19 Nov 2009, David Forrest wrote:
>
> > Logged:
> >
> > Nov 19 12:13:45 maplepark named[23329]: validating @0x17b7980: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
> >
> > What does this mean?
>
> This is documented in the ARM. The parent zone says (published DS) that it should have been signed.

I mean, is it something I can fix in my configs, or is it a result of the dlv.isc.org configuration? Can I alter my configuration to eliminate these messages?

--
David Forrest
St. Louis, Missouri
Re: Insecure response BIND 9.7.0b2
> So what are you suggesting? That a dlv.isc.org server went ape and
> returned an insecure response for (IN,SOA,dlv.isc.org)? Or that the
> user is under attack with faked responses?

I don't think anyone was suggesting anything, just explaining what the message means. Which is that isc.org has a secure delegation (that is, a DS record) for dlv.isc.org, but for some reason a query for dlv.isc.org/SOA got a response with no signatures. Possibly there's a misbehaving middlebox involved.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: Insecure response BIND 9.7.0b2
In message alpine.lfd.2.01.0911191304100.24...@maplepark.com, David Forrest writes:

> Logged:
>
> Nov 19 12:13:45 maplepark named[23329]: validating @0x17b7980: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
>
> What does this mean?

It means named fell back to making a plain DNS query due to multiple timeouts, or getting a SERVFAIL response to the EDNS queries, or something stripped out the RRSIGs, or there was an attempt to poison the cache. The validator then rejected the answer as it knew it should be getting a secure response. In most cases named will re-do the query and get a good answer unless there is a configuration failure.

Unfortunately there are nameservers that don't respond to EDNS queries. There are also firewalls that block DNS/UDP responses bigger than 512 bytes or block EDNS queries/responses 10 years after the introduction of EDNS. There is also middleware that blocks/drops DNS/UDP responses that are fragmented. All of these things result in DNS lookups timing out, which is indistinguishable from plain packet loss.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
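As an added illustration (not code from this thread or from BIND), here is a small Python model of the sequence Mark describes: an EDNS query that times out or gets SERVFAIL makes the resolver fall back to plain DNS, the plain answer carries no RRSIGs, and the validator rejects it because the parent publishes a DS. The `Path` flags and `send()` are constructed stand-ins for the network path, and the log pattern is taken from the named message quoted above.

```python
import re
from dataclasses import dataclass

# Matches the named validator message quoted in this thread.
LOG_RE = re.compile(
    r"named\[(?P<pid>\d+)\]: validating @0x[0-9a-f]+: (?P<name>\S+) (?P<rtype>\S+): "
    r"got insecure response; parent indicates it should be secure"
)

def parse_validator_log(line):
    """Return (pid, name, rtype) if `line` is the 'got insecure response' message, else None."""
    m = LOG_RE.search(line)
    return (int(m["pid"]), m["name"], m["rtype"]) if m else None

@dataclass
class Path:
    """Constructed model of the path between resolver and authority (hypothetical)."""
    drops_edns: bool = False      # firewall silently drops EDNS queries / >512-byte or fragmented replies
    servfails_edns: bool = False  # server answers EDNS queries with SERVFAIL
    strips_rrsigs: bool = False   # middlebox removes the RRSIGs from the answer

def send(path, edns):
    """Simulated exchange: returns (rcode, has_rrsigs); rcode 'TIMEOUT' means no reply at all."""
    if edns and path.drops_edns:
        return "TIMEOUT", False
    if edns and path.servfails_edns:
        return "SERVFAIL", False
    # RRSIGs only come back on an EDNS query with DO set, and only if nothing strips them.
    return "NOERROR", edns and not path.strips_rrsigs

def resolve_and_validate(path, parent_has_ds, retries=3):
    """Try EDNS first, fall back to plain DNS after repeated timeouts or SERVFAIL,
    then judge the answer the way the validator does against the parent's DS."""
    rcode, signed = "TIMEOUT", False
    for _ in range(retries):
        rcode, signed = send(path, edns=True)
        if rcode == "NOERROR":
            break
    if rcode != "NOERROR":      # multiple timeouts or SERVFAIL: plain DNS fallback, no DO bit
        rcode, signed = send(path, edns=False)
    if rcode != "NOERROR":
        return "SERVFAIL"
    if signed:
        return "secure"         # signatures present; normal validation proceeds
    if parent_has_ds:
        return "insecure response; parent indicates it should be secure"
    return "insecure"           # no DS at the parent: the zone is legitimately unsigned
```

Every path fault in the model (dropped EDNS, SERVFAIL on EDNS, stripped RRSIGs) ends in the same validator verdict, which is why the log line alone cannot tell a broken middlebox from an attack.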