Z flag is different from 0

Miner, Jonathan W (CSC) (US SSA) jonathan.w.miner at baesystems.com
Thu Dec 2 15:17:02 UTC 2004


Thanks to everyone for the replies both on and off the list.

I've done some packet captures, and so far all the packets I've seen
have the Z flag set to zero.  I'll have to escalate this to the folks at
CheckPoint and see what they have to say.

For now, (as others suggested), I'm going to turn off SmartDefence for
DNS.

Thanks again!


-----Original Message-----
From:	Mark Andrews [mailto:Mark_Andrews at isc.org]
Sent:	Tue 11/30/2004 04:18 PM
To:	Miner, Jonathan W (CSC) (US SSA)
Cc:	comp-protocols-dns-bind at isc.org
Subject:	Re: Z flag is different from 0

> Hi -
>
> I'm running ISC's bind 9.3.0 on Solaris 9. I have two servers (master
> and secondary), which support a dozen (+/-) domains.  We recently
> upgraded our firewall to CheckPoint with their SmartDefense product. (We
> had been running an older Gauntlet firewall)
>
> My issue is that SmartDefense is alerting on our outgoing DNS queries,
> saying "Bad DNS Headers, Z flag is different from 0".  I've looked at
> RFC2929, which says:
>
> --quote--
> 2.1 One Spare Bit?
>
>    There have been ancient DNS implementations for which the Z bit being
>    on in a query meant that only a response from the primary server for
>    a zone is acceptable.  It is believed that current DNS
>    implementations ignore this bit.
>
>    Assigning a meaning to the Z bit requires an IETF Standards Action.
> ---------
>
> Should I be looking for a way to configure bind to not set the Z flag?
> Or is there some other solution to this issue?
>
> Thanks in advance.

	BIND 9.3 does not set the final bit.  Are you sure it is not
	triggering on CD?

	dnssec-enable no; // default

07:51:01.130013 192.168.191.236.2498 > 198.6.1.65.53:  16310 [1au] A? ftp.uu.net. (39)
                         4500 0043 0a63 0000 4011 286b c0a8 bfec
                         c606 0141 09c2 0035 002f 72bd
                                                       3fb6 0000
                         0001 0000 0000 0001 0366 7470 0275 7503
                         6e65 7400 0001 0001 0000 2910 0000 0080
                         0000 00

	qr=0, opcode=0, aa=0, tc=0, rd=0, mbz=0, ad=0, cd=0, rcode=0
	qr=0, opcode=0, aa=0, tc=0, rd=0, mbz=000 rcode=0 (RFC 1035)

	dnssec-enable yes;

07:58:47.055324 192.168.191.236.2498 > 198.6.1.181.53: [udp sum ok]  30669 [1au] A? xx.uu.net. ar: . OPT UDPsize=4096 (38) (ttl 64, id 2712, len 66)
                         4500 0042 0a98 0000 4011 27c3 c0a8 bfec
                         c606 01b5 09c2 0035 002e 4a6f
                                                       77cd 0010
                         0001 0000 0000 0001 0278 7802 7575 036e
                         6574 0000 0100 0100 0029 1000 0000 8000
                         0000

	qr=0, opcode=0, aa=0, tc=0, rd=0, mbz=0, ad=0, cd=0, rcode=0
	qr=0, opcode=0, aa=0, tc=0, rd=0, mbz=001 rcode=0 (RFC 1035)
	(Note CD is set).

	I would worry about whether your current firewall is DNSSEC
	aware (knows about AD and CD).

	Note 9.2.x always has DNSSEC enabled.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
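The decoding Mark does by hand above, as an added example that is not part of the thread and is not code from ISC or from Check Point. It takes the two hex dumps from the quoted reply (IPv4 + UDP + DNS, copied as printed), strips the IP and UDP headers, and decodes the 16-bit DNS flags word two ways: the RFC 1035 layout, where bits 6..4 are one three-bit reserved field that must be zero, and the RFC 2535 layout, where bit 6 is the single reserved Z bit and bits 5 and 4 are AD and CD. It also walks the additional section to pull the DO bit out of the OPT record. The two "checker" functions are hypothetical models of a firewall check, not Check Point's actual logic; they exist only to show why a query with CD set looks like "Z flag is different from 0" to a check that predates DNSSEC.

```python
"""Decode the DNS header flags of the two BIND queries quoted above.

Added example for this archived thread; not code from ISC or Check Point.
The hex dumps are copied from the tcpdump output in the quoted reply.
"""
import struct

# First capture (dnssec-enable no) and second capture (dnssec-enable yes),
# copied from the quoted message.  Each is a full IPv4 datagram.
QUERY_DNSSEC_OFF = (
    "4500 0043 0a63 0000 4011 286b c0a8 bfec"
    "c606 0141 09c2 0035 002f 72bd 3fb6 0000"
    "0001 0000 0000 0001 0366 7470 0275 7503"
    "6e65 7400 0001 0001 0000 2910 0000 0080"
    "0000 00"
)
QUERY_DNSSEC_ON = (
    "4500 0042 0a98 0000 4011 27c3 c0a8 bfec"
    "c606 01b5 09c2 0035 002e 4a6f 77cd 0010"
    "0001 0000 0000 0001 0278 7802 7575 036e"
    "6574 0000 0100 0100 0029 1000 0000 8000"
    "0000"
)

OPT_TYPE = 41  # EDNS OPT pseudo-RR


def dns_payload(frame_hex):
    """Strip the IPv4 and UDP headers and return the DNS message bytes."""
    raw = bytes.fromhex(frame_hex.replace(" ", ""))
    if raw[0] >> 4 != 4 or raw[9] != 17:
        raise ValueError("expected an IPv4/UDP datagram")
    ihl = (raw[0] & 0x0F) * 4                     # IPv4 header length
    udp_len = struct.unpack("!H", raw[ihl + 4:ihl + 6])[0]
    return raw[ihl + 8:ihl + udp_len]             # UDP header is 8 bytes


def decode_header(msg):
    """Return the 12-byte DNS header, decoding the flags word both the
    RFC 1035 way (3-bit reserved field) and the RFC 2535 way (Z, AD, CD)."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "z": (flags >> 6) & 1,           # the one bit still reserved (RFC 2535)
        "ad": (flags >> 5) & 1,
        "cd": (flags >> 4) & 1,
        "rcode": flags & 0xF,
        "mbz_rfc1035": (flags >> 4) & 0x7,  # bits 6..4 read as the old Z field
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def skip_name(msg, off):
    """Advance past an owner name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:         # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def edns_do_bit(msg):
    """Return the DO bit from the OPT RR, or None if there is no OPT record."""
    hdr = decode_header(msg)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(msg, off) + 4      # QTYPE + QCLASS
    for _ in range(hdr["ancount"] + hdr["nscount"] + hdr["arcount"]):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return (ttl >> 15) & 1        # DO is the top bit of the OPT "TTL" flags
    return None


def rfc1035_check_alerts(msg):
    """Hypothetical pre-DNSSEC check: bits 6..4 must all be zero."""
    return decode_header(msg)["mbz_rfc1035"] != 0


def rfc2535_check_alerts(msg):
    """Hypothetical DNSSEC-aware check: only bit 6 (Z) must be zero."""
    return decode_header(msg)["z"] != 0


if __name__ == "__main__":
    for label, frame in (("dnssec-enable no", QUERY_DNSSEC_OFF),
                         ("dnssec-enable yes", QUERY_DNSSEC_ON)):
        msg = dns_payload(frame)
        h = decode_header(msg)
        print(label, h, "DO=%s" % edns_do_bit(msg),
              "old-check alerts:", rfc1035_check_alerts(msg),
              "new-check alerts:", rfc2535_check_alerts(msg))
```

Both captured queries have Z (bit 6) clear; the only difference is CD in the second one, which a check that still treats bits 6..4 as one reserved field reports as a non-zero "Z". Both queries also carry an OPT record with DO set, which is unrelated to the header flags but is another thing a firewall that predates EDNS may object to.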





More information about the bind-users mailing list