Hello all, I've been wondering for years why I get occasional log messages like the following:
07-Dec-2016 21:06:53.783 dnssec: info: validating abuse.ch/SOA: got insecure response; parent indicates it should be secure
07-Dec-2016 21:07:02.984 dnssec: info: validating abuse.ch/SOA: got insecure response; parent indicates it should be secure

Note, this is not related to abuse.ch but actually happens frequently to many other signed zones such as arpa and others.

I started looking into the abuse.ch case specifically and noticed that if the BIND resolver receives a SERVFAIL response from an authoritative name server it will retry without EDNS0 (and therefore without the DO bit), and if this response succeeds then we have an unsigned response and BIND cannot validate it and logs a message as above. See below for some traffic capture details.

BIND already knows that the expected response for abuse.ch needs to be signed. So, I wonder if this is a good solution to retry without EDNS0. Maybe BIND should differentiate the retry logic depending on whether it expects a signed response or not. For signed zones, it should retry with the original request again and maybe then give up, no?

The resolver in question runs BIND 9.11.0-P1.

Thank you,
Daniel

No.     Time                        Source          Destination     Protocol Length Info
28680   2016-12-07 21:06:53.599895  130.59.118.78   208.78.70.4     DNS      112    Standard query 0x8949 A 175.106.143.94.drone.abuse.ch OPT

Internet Protocol Version 4, Src: 130.59.118.78, Dst: 208.78.70.4
User Datagram Protocol, Src Port: 36066, Dst Port: 53
Domain Name System (query)
    [Response In: 28681]
    Transaction ID: 0x8949
    Flags: 0x0000 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        175.106.143.94.drone.abuse.ch: type A, class IN
            Name: 175.106.143.94.drone.abuse.ch
            [Name Length: 29]
            [Label Count: 7]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Additional records
        <Root>: type OPT
            Name: <Root>
            Type: OPT (41)
            UDP payload size: 4096
            Higher bits in extended RCODE: 0x00
            EDNS0 version: 0
            Z: 0x8000
                1... .... .... .... = DO bit: Accepts DNSSEC security RRs
                .000 0000 0000 0000 = Reserved: 0x0000
            Data length: 12
            Option: COOKIE

No.     Time                        Source          Destination     Protocol Length Info
28681   2016-12-07 21:06:53.765172  208.78.70.4     130.59.118.78   DNS      93     Standard query response 0x8949 Server failure A 175.106.143.94.drone.abuse.ch

802.1Q Virtual LAN, PRI: 1, CFI: 0, ID: 0
Internet Protocol Version 4, Src: 208.78.70.4, Dst: 130.59.118.78
User Datagram Protocol, Src Port: 53, Dst Port: 36066
Domain Name System (response)
    [Request In: 28680]
    [Time: 0.165277000 seconds]
    Transaction ID: 0x8949
    Flags: 0x8002 Standard query response, Server failure
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0010 = Reply code: Server failure (2)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        175.106.143.94.drone.abuse.ch: type A, class IN
            Name: 175.106.143.94.drone.abuse.ch
            [Name Length: 29]
            [Label Count: 7]
            Type: A (Host Address) (1)
            Class: IN (0x0001)

No.     Time                        Source          Destination     Protocol Length Info
28682   2016-12-07 21:06:53.765385  130.59.118.78   208.78.70.4     DNS      89     Standard query 0x8388 A 175.106.143.94.drone.abuse.ch

Internet Protocol Version 4, Src: 130.59.118.78, Dst: 208.78.70.4
User Datagram Protocol, Src Port: 60678, Dst Port: 53
Domain Name System (query)
    [Response In: 28683]
    Transaction ID: 0x8388
    Flags: 0x0000 Standard query
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        175.106.143.94.drone.abuse.ch: type A, class IN
            Name: 175.106.143.94.drone.abuse.ch
            [Name Length: 29]
            [Label Count: 7]
            Type: A (Host Address) (1)
            Class: IN (0x0001)

No.     Time                        Source          Destination     Protocol Length Info
28683   2016-12-07 21:06:53.783538  208.78.70.4     130.59.118.78   DNS      156    Standard query response 0x8388 No such name A 175.106.143.94.drone.abuse.ch SOA ns1.p04.dynect.net

802.1Q Virtual LAN, PRI: 1, CFI: 0, ID: 0
Internet Protocol Version 4, Src: 208.78.70.4, Dst: 130.59.118.78
User Datagram Protocol, Src Port: 53, Dst Port: 60678
Domain Name System (response)
    [Request In: 28682]
    [Time: 0.018153000 seconds]
    Transaction ID: 0x8388
    Flags: 0x8403 Standard query response, No such name
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .1.. .... .... = Authoritative: Server is an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0011 = Reply code: No such name (3)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 1
    Additional RRs: 0
    Queries
        175.106.143.94.drone.abuse.ch: type A, class IN
            Name: 175.106.143.94.drone.abuse.ch
            [Name Length: 29]
            [Label Count: 7]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Authoritative nameservers
        abuse.ch: type SOA, class IN, mname ns1.p04.dynect.net
            Name: abuse.ch
            Type: SOA (Start Of a zone of Authority) (6)
            Class: IN (0x0001)
            Time to live: 1800
            Data length: 51
            Primary name server: ns1.p04.dynect.net
            Responsible authority's mailbox: dnsadmin.abuse.ch
            Serial Number: 2016120100
            Refresh Interval: 3600 (1 hour)
            Retry Interval: 600 (10 minutes)
            Expire limit: 604800 (7 days)
            Minimum TTL: 1800 (30 minutes)
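An added example, not part of Daniel's post or of BIND: it pulls the affected name and type out of the "got insecure response" log lines and, given a list of DNS messages (here a constructed sample modelled on frames 28680-28683 above), flags the sequence the post describes, a DO-bit query answered with SERVFAIL followed by a retry without EDNS0 that gets a non-SERVFAIL answer. The message layout, the `msg` helper and the one-second correlation window are assumptions of this example, not a BIND or Wireshark format.

```python
import re

# Message format of the BIND "dnssec" log category as quoted in the post.
LOG_RE = re.compile(r"dnssec: info: validating (?P<name>\S+)/(?P<rtype>\S+): "
                    r"got insecure response; parent indicates it should be secure")

def insecure_response_names(log_lines):
    """Return (name, rtype) for every 'insecure response' validation message."""
    return [(m.group("name"), m.group("rtype")) for m in map(LOG_RE.search, log_lines) if m]

def msg(ts, src, dst, txid, qname, response, opt, do, rcode=None):
    """One DNS message (assumed layout); rcode is set for responses only (0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN)."""
    return dict(ts=ts, src=src, dst=dst, txid=txid, qname=qname, response=response, opt=opt, do=do, rcode=rcode)

def edns_fallbacks(msgs, window=1.0):
    """Find the sequence from the post: DO-bit query -> SERVFAIL -> retry without EDNS0
    to the same server -> non-SERVFAIL answer within `window` seconds.
    Messages are paired on (resolver, server, txid); UDP ports are ignored for brevity."""
    queries = {(m["src"], m["dst"], m["txid"]): m for m in msgs if not m["response"]}
    responses = {(m["dst"], m["src"], m["txid"]): m for m in msgs if m["response"]}
    pairs = sorted(((q, responses[k]) for k, q in queries.items() if k in responses),
                   key=lambda p: p[0]["ts"])
    found = []
    for i, (q1, r1) in enumerate(pairs):
        if not (q1["opt"] and q1["do"] and r1["rcode"] == 2):   # 2 = SERVFAIL
            continue
        for q2, r2 in pairs[i + 1:]:
            if q2["ts"] - r1["ts"] > window:
                break
            same_target = (q2["src"], q2["dst"], q2["qname"]) == (q1["src"], q1["dst"], q1["qname"])
            if same_target and not q2["opt"] and r2["rcode"] != 2:
                found.append(dict(qname=q1["qname"], server=q1["dst"], first_txid=q1["txid"],
                                  retry_txid=q2["txid"], final_rcode=r2["rcode"]))
                break
    return found

# Constructed sample, modelled on frames 28680-28683 of the capture in the post.
R, S = "130.59.118.78", "208.78.70.4"
Q = "175.106.143.94.drone.abuse.ch"
SAMPLE_CAPTURE = [
    msg(53.599895, R, S, 0x8949, Q, response=False, opt=True, do=True),
    msg(53.765172, S, R, 0x8949, Q, response=True, opt=False, do=False, rcode=2),
    msg(53.765385, R, S, 0x8388, Q, response=False, opt=False, do=False),
    msg(53.783538, S, R, 0x8388, Q, response=True, opt=False, do=False, rcode=3),
]
SAMPLE_LOG = [  # constructed; same text as the two log lines quoted in the post
    "07-Dec-2016 21:06:53.783 dnssec: info: validating abuse.ch/SOA: got insecure response; parent indicates it should be secure",
    "07-Dec-2016 21:07:02.984 dnssec: info: validating abuse.ch/SOA: got insecure response; parent indicates it should be secure",
]
if __name__ == "__main__": print(edns_fallbacks(SAMPLE_CAPTURE), insecure_response_names(SAMPLE_LOG))
```

Correlating the two outputs (zones named in the log against fallback sequences seen on the wire) shows whether a given "insecure response" message was preceded by an EDNS0 fallback rather than by a genuinely unsigned delegation.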