Z flag is different from 0
Miner, Jonathan W (CSC) (US SSA)
jonathan.w.miner at baesystems.com
Thu Dec 2 15:17:02 UTC 2004
Thanks to everyone for the replies both on and off the list.
I've done some packet captures, and so far all the packets I've seen
have the Z flag set to zero. I'll have to escalate this to the folks at
CheckPoint and see what they have to say.
For now, (as others suggested), I'm going to turn off SmartDefense for
From: Mark Andrews [mailto:Mark_Andrews at isc.org]
Sent: Tue 11/30/2004 04:18 PM
To: Miner, Jonathan W (CSC) (US SSA)
Cc: comp-protocols-dns-bind at isc.org
Subject: Re: Z flag is different from 0
> Hi -
> I'm running ISC's bind 9.3.0 on Solaris 9. I have two servers (master
> and secondary), which support a dozen (+/-) domains. We recently
> upgraded our firewall to CheckPoint with their SmartDefense product. (We
> had been running an older Gauntlet firewall.)
> My issue is that SmartDefense is alerting on our outgoing DNS queries,
> saying "Bad DNS Headers, Z flag is different from 0". I've looked at
> RFC2929, which says:
> 2.1 One Spare Bit?
> There have been ancient DNS implementations for which the Z bit being
> on in a query meant that only a response from the primary server for
> a zone is acceptable. It is believed that current DNS
> implementations ignore this bit.
> Assigning a meaning to the Z bit requires an IETF Standards Action.
> Should I be looking for a way to configure bind to not set the Z flag?
> Or is there some other solution to this issue?
> Thanks in advance.
BIND 9.3 does not set the final bit. Are you sure it is not
triggering on CD?
dnssec-enable no; // default
07:51:01.130013 192.168.191.236.2498 > 220.127.116.11.53: 16310 [1au] A?
4500 0043 0a63 0000 4011 286b c0a8 bfec
c606 0141 09c2 0035 002f 72bd
0001 0000 0000 0001 0366 7470 0275 7503
6e65 7400 0001 0001 0000 2910 0000 0080
qr=0, opcode=0, aa=0, tc=0, rd=0, mbz=0, ad=0, cd=0,
qr=0, opcode=0, aa=0, tc=0, rd=0, mbz=000 rcode=0 (RFC
07:58:47.055324 192.168.191.236.2498 > 18.104.22.168.53: [udp sum ok]
30669 [1au] A? xx.uu.net. ar: . OPT UDPsize=4096 (38) (ttl 64, id
2712, len 66)
4500 0042 0a98 0000 4011 27c3 c0a8 bfec
c606 01b5 09c2 0035 002e 4a6f
0001 0000 0000 0001 0278 7802 7575 036e
6574 0000 0100 0100 0029 1000 0000 8000
qr=0, opcode=0, aa=0, tc=0, rd=0, mbz=0, ad=0, cd=1,
qr=0, opcode=0, aa=0, tc=0, rd=0, mbz=001 rcode=0 (RFC
(Note CD is set).
I would be worried about whether your current firewall is DNSSEC
aware (knows about AD and CD).
Note 9.2.x always has DNSSEC enabled.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org