Tracking down validation failures

Mark Andrews marka at isc.org
Fri Jun 12 01:36:29 UTC 2009


In message <Prayer.1.3.1.0906111834360.6966 at hermes-2.csi.cam.ac.uk>, Chris Thompson writes:
> We have recently turned on DNSSEC validation (using dlv.isc.org) in our
> main university-wide recursive nameservers, which are running BIND 9.6.1rc1.
> 
> No-one is actually complaining, but the counts I am seeing for "ValFail"
> on the statistics channel are quite a bit higher than we were seeing
> during testing, running at 0.2% - 0.4% of "ValAttempt" (but the counter
> increases in bursts), and I would be happier knowing what they were
> coming from.
> 
> The advice usually given is to log category "dnssec" at debug level 3,
> but this produces far too much data. Reducing it to debug level 2, on the
> other hand, gives almost nothing. I do see a trickle of info-level
> messages:
> 
> 11-Jun-2009 18:12:32.375 info:   validating @15abde10:
>  17.62.212.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:12:32.376 info:   validating @15abde10:
>  17.62.212.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:12:42.258 info:   validating @f3e9cb8:
>  99.188.91.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:12:42.259 info:   validating @f3e9cb8:
>  99.188.91.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:15:08.235 info:   validating @15bed590:
>  97.102.91.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:15:08.236 info:   validating @15bed590:
>  97.102.91.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:15:08.592 info:   validating @15bed590:
>  97.102.91.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:15:08.593 info:   validating @15bed590:
>  97.102.91.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:19:32.048 info:   validating @8af4a40:
>  99.96.79.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:19:32.049 info:   validating @8af4a40:
>  99.96.79.IN-ADDR.ARPA NSEC: no valid signature found
> 
> but it's not even obvious what the original query was in these cases.
> (If I could find that out I could try the same query on a quieter
> nameserver with more logging turned on.) There are no messages 
> generated at this level when I force a validation failure to occur 
> ("dig soa advocaat.pro" remains my favourite).
> 
> Any suggestions?
> 
> -- 
> Chris Thompson
> Email: cet1 at cam.ac.uk
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

Do you have RIPE's trusted-keys configured into named.conf and are
they up to date? 

http://www.ripe.net/projects/disi/keys/
https://www.ripe.net/projects/disi/keys/ripe-ncc-dnssec-keys-new.txt

Note named won't go to dlv if the answer is within an island of security
identified by a trusted-key in named.conf.

The data currently being returned looks good to me.

This is a referral to an insecure zone.

17.62.212.IN-ADDR.ARPA. 172800  IN      NS      ans2.cw.net.
17.62.212.IN-ADDR.ARPA. 172800  IN      NS      ans1.cw.net.
17.62.212.IN-ADDR.ARPA. 7200    IN      NSEC    170.62.212.in-addr.arpa. NS RRSIG NSEC
17.62.212.IN-ADDR.ARPA. 7200    IN      RRSIG   NSEC 5 5 7200 20090711232326 20090611232326 34470 212.in-addr.arpa. pY89tH87GQjFm4YRAHCx8wY0R14fjN0Qb+wwGCDbJjAC1zezYUT+ltZN J/5akqXTY7vQ/h7u/t8gz7qf1Q1mSE0xngF/3amoZaNHpPNT9BGOeF89 kC4ucFI2e/MnU9lvmEJHVT5Ma0eJ4LRgFlGaeUmSMaPjRBxpOJpNGP/x O/jxf84LTsANHVBew8a7BI9tmg0ozppN
;; Received 338 bytes from 2001:660:3006:1::1:1#53(NS3.NIC.FR) in 548 ms

% date -u +%Y%m%d%H%M%S
20090612011526
% 

Validation interval ok.  20090711232326 > 20090612011526 > 20090611232326
No DS in list of types that exist at 17.62.212.IN-ADDR.ARPA.
Signed with key 34470.

; <<>> DiG 9.3.6-P1 <<>> +dnssec +multi dnskey 212.IN-ADDR.ARPA
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4082
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;212.IN-ADDR.ARPA.	IN DNSKEY

;; ANSWER SECTION:
212.IN-ADDR.ARPA.	2663 IN	DNSKEY 256 3 5 (
				AwEAAbW5cAVaimsuasYP4uwC/Id+/MJce+q+9FwBz4iO
				bkPa5YNFz7qeV+y8BjKI/7nQ/4fh/Xd7tp+5eYT47GEx
				ALl4GBGKoW22k/IpD1nqNuGs4BYvuG/kTfhtTEWyfMbB
				20M17W0vPbHmhLDbdGO0qg1HPQZ0gXYFCofu9OX86OGL
				V+YFEJ+NeWiNHg91xq1svv0sehJp7w==
				) ; key id = 34470
212.IN-ADDR.ARPA.	2663 IN	DNSKEY 256 3 5 (
				AwEAAd2guc91r8v8RRtTcKLIGWPbLNi9HuAmcxNwW+7N
				4KCPxci7GPqgqD/m88qbBDYdm1XMLHSV+lZ+DbifbFpw
				cIu1+vt4dEGB7O9bCuZwQG89HN7IpTRhZQXH3P8O5eCt
				7UJEOm4BWfRD4DKYyuOHGpdWTqyzY0TKGWECXW00X1rQ
				t4MZmBl8Z4r8kLN+X4jWXoQzpygfXw==
				) ; key id = 12075
212.IN-ADDR.ARPA.	2663 IN	DNSKEY 257 3 5 (
				AwEAAb133Y0UxrLtgmsR2LEkSpiiU6JKenlDmp42a6PY
				uic4wxWFhQrfnzZVRcmoBTJZfdOD4pUe+eMsUOHIrheK
				mhc7D7cmDS+ftZZThBd9GawpgiqCRRJYceECPKK8AcCn
				qz3Cryei/+dGpjXyBXiCVZ8Xfn57AOIN6KfG+jdw+uow
				o5qP0XtMI/UU9k4j7Cair7zaieMkvWb4Vo8gPLZ/PGUj
				kGCUO9eXD5jauYapg4AoRZUalnTdp1MRN5rIaHhyRPsm
				KjdfgvLCfep/2fYVOX75t89MnHNC4c8z+gpfgG8OI/1m
				llP2h5KiwCN56fHqiqbF2DW/1baKEzDdM8N002E=
				) ; key id = 27859
212.IN-ADDR.ARPA.	2663 IN	DNSKEY 257 3 5 (
				AwEAAb/ksCZYQWD+Ur6dw5KPoDR1B0FZchfVrLzExIsn
				DdIG9pcyhhJ6UE6FkxCKM4NQSYeG+VSGU5i4t1e1wvic
				M/f5/eAccFoff/Ou608Fp9sOXN0BpW6aDTH2oUIfgaLm
				reuUVHqJt6AiPZ/BJKProI5fwEDVHsqXI8Vp6hwg6r6G
				pQrE6xobebHzoyB743H/tUIdfKhDDx1NtIERV4uFDntZ
				PsHXYoPduGnHhZnKT+ruZu0GcF/vOpK4lXNSRU2gLCuC
				tLqT02vM9N1+ZuARTMyB9jaGcWON/5tbg5x5F9p+q3yE
				2U8e0acrQCauo2KCOMPS33GbII9IRk7b9/FSuAc=
				) ; key id = 31951
212.IN-ADDR.ARPA.	2663 IN	RRSIG DNSKEY 5 3 3600 20090711222509 (
				20090611222509 27859 212.in-addr.arpa.
				CjlFcIUTcavj15cB5bw2MpONTJq9RAKFhVB+ayk9yWWg
				z/9n43BmFTXdFgM04oW4wHxqhLK7hn1Naem/rZEfrHaC
				WWdHoO4IQfInCs2gf+ux+3XrWeG9KBAGRsFk/GhEf0Qk
				37RNdQUIU5nUFFdk/3f9+Cq9oITWNDLUMi59t9JkUbCD
				ynZ0DXgZMRd+cKjIoGGwPuyPRqs518YEpgcvdBhTb587
				126JnPPjPUgi4CW+dqyBku70k6w1SG0aIoUVx4WAmgiR
				gg8aFh0LtLSLwQBh3Qs2lHsv4uXpvypf+14bnVq6Cxx/
				OlYYjHuE+Yw79smkQf4nhKZ526tX/IASuQ== )
212.in-addr.arpa.	2663 IN	RRSIG DNSKEY 5 3 3600 20090711222509 (
				20090611222509 31951 212.in-addr.arpa.
				cvH37/vl3zFKIxsXt4iS7g36mD5NLC6d9Dv9Hy4AepIX
				g0jPIxLR0G4CbImKYvWwikPg8z5snS39aP1pgcXECQyL
				4WSt/4UfaSB8VNfxNzT8gUmLXYnCgnnI8WilUcz0JJ/t
				QdcRqqFkr3rE8Mf/txVHEJKsBKGv+IsvGJk3wR13ZgyW
				jOvvFKu8MMCrhcWrgqMo6NpEssm03opstYD4q5TvWhtr
				ODROWcwniuIiUbFHGSC3tu1vdH1oY7jzE4b459AqGnjX
				5w3NOK7o87SdrDMxGMTgab0tOnwq71bPT0qPtjhh9q6t
				sawULxmzC6q9J0rLG0j+tZAVN5ehfuHyDw== )
212.in-addr.arpa.	2663 IN	RRSIG DNSKEY 5 3 3600 20090711222509 (
				20090611222509 34470 212.in-addr.arpa.
				ctxaYQOTaG7/6QrGBiu3g74zzrRSXr6JHMxmLOO3qQg1
				c5tBmMvuB3I9lOyKVBFMdxSay7z7BRhpEnomPhyhUJcw
				Ql8sN41ec8WGiqhbNEdP0EAo01LwPiNnO7jYk8/QiaFO
				cX4GqjlyP0Iz6RqYZb+250cx4sdTFll3K6ciXlGik71D
				Os6zoYnIG/TWkZ+yWtUW2Jkz )

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 12 11:18:32 2009
;; MSG SIZE  rcvd: 1743

Key 34470 exists and is a ZSK (no KSK flag).

; <<>> DiG 9.3.6-P1 <<>> dlv 212.in-addr.arpa.dlv.isc.org +noadd +noauth
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6757
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 3, ADDITIONAL: 4

;; QUESTION SECTION:
;212.in-addr.arpa.dlv.isc.org.	IN	DLV

;; ANSWER SECTION:
212.in-addr.arpa.dlv.isc.org. 321 IN	DLV	31951 5 1 EAB2F3C835686644F8E4DF510171833BDC9CF751
212.in-addr.arpa.dlv.isc.org. 321 IN	DLV	31951 5 2 BFE9D8548DC61BDB6F31F04BB16E57C6891F79005649DC4D132438E9 84D72FBA
212.in-addr.arpa.dlv.isc.org. 321 IN	DLV	27859 5 1 F34BA83800EF2DD8ABBBC245DE0C76B4A3F70045
212.in-addr.arpa.dlv.isc.org. 321 IN	DLV	27859 5 2 095D78A18FA3675476F4E782E0FA32A54400F4DCD05B3F8639298345 158B79D0

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 12 11:20:24 2009
;; MSG SIZE  rcvd: 364

The KSKs have key ids 31951 and 27859.
Both of these exist in the RRset and self sign the DNSKEY RRset.

From ripe-ncc-dnssec-keys-new.txt we also see matching keys.

"212.in-addr.arpa." 257  3  5
  "AwEAAb133Y0UxrLtgmsR2LEkSpiiU6JKenlD
   mp42a6PYuic4wxWFhQrfnzZVRcmoBTJZfdOD
   4pUe+eMsUOHIrheKmhc7D7cmDS+ftZZThBd9
   GawpgiqCRRJYceECPKK8AcCnqz3Cryei/+dG
   pjXyBXiCVZ8Xfn57AOIN6KfG+jdw+uowo5qP
   0XtMI/UU9k4j7Cair7zaieMkvWb4Vo8gPLZ/
   PGUjkGCUO9eXD5jauYapg4AoRZUalnTdp1MR
   N5rIaHhyRPsmKjdfgvLCfep/2fYVOX75t89M
   nHNC4c8z+gpfgG8OI/1mllP2h5KiwCN56fHq
   iqbF2DW/1baKEzDdM8N002E=";
// Key ID= 27859 (to be deprecated!)

"212.in-addr.arpa." 257  3  5
  "AwEAAb/ksCZYQWD+Ur6dw5KPoDR1B0FZchfV
   rLzExIsnDdIG9pcyhhJ6UE6FkxCKM4NQSYeG
   +VSGU5i4t1e1wvicM/f5/eAccFoff/Ou608F
   p9sOXN0BpW6aDTH2oUIfgaLmreuUVHqJt6Ai
   PZ/BJKProI5fwEDVHsqXI8Vp6hwg6r6GpQrE
   6xobebHzoyB743H/tUIdfKhDDx1NtIERV4uF
   DntZPsHXYoPduGnHhZnKT+ruZu0GcF/vOpK4
   lXNSRU2gLCuCtLqT02vM9N1+ZuARTMyB9jaG
   cWON/5tbg5x5F9p+q3yE2U8e0acrQCauo2KC
   OMPS33GbII9IRk7b9/FSuAc=";
// Key ID= 31951

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
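Added example, not code from either post and not ISC's code: the checks Mark walks through by hand above (RRSIG validity window against `date -u`, no DS in the delegation NSEC, key tag of the signing key present in the DNSKEY RRset and flagged as a ZSK, KSK key tags and digests matching the DLV records) redone in Python. The public keys, timestamps and DLV digests are copied from the dig output quoted in the message; the tiny "AQI=" key used for self-checking is constructed and is not a real key.

```python
# Added example (not from the post, not ISC code): Mark's manual DNSSEC checks
# in code. Key material, timestamps and DLV digests are copied from the dig
# output quoted above; the only constructed input is the toy key in tests.
import base64
import hashlib
import struct
from datetime import datetime

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA (RFC 4034 s2.1) from presentation-format fields."""
    pubkey = base64.b64decode("".join(pubkey_b64.split()))
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (for algorithms other than 1): this is the
    'key id' dig prints and the tag carried in RRSIG, DS and DLV records."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def is_zone_key(flags):
    return bool(flags & 0x0100)  # Zone Key bit; both 256 and 257 have it

def is_ksk(flags):
    return bool(flags & 0x0001)  # SEP bit; 257 is what dig shows for the KSKs

def wire_name(name):
    """Canonical (lower-case) wire-format owner name, the DS digest prefix."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def ds_digest(owner, rdata, digest_type):
    """DS/DLV digest (RFC 4034 s5.1.4): hash(owner name || DNSKEY RDATA)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(wire_name(owner) + rdata).hexdigest().upper()

def rrsig_interval_ok(expiration, inception, now):
    """All three as YYYYMMDDHHMMSS UTC, the RRSIG and `date -u` format above."""
    ts = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S")
    return ts(inception) <= ts(now) <= ts(expiration)

def nsec_proves_insecure_delegation(type_bitmap):
    """NSEC at a delegation with NS but no DS: the child is unsigned, so the
    referral is insecure (expected), not a validation failure."""
    types = set(type_bitmap.upper().split())
    return "NS" in types and "DS" not in types

# (key id printed by dig, flags, public key) from the DNSKEY answer above.
PAGE_KEYS = [
    (34470, 256,
     "AwEAAbW5cAVaimsuasYP4uwC/Id+/MJce+q+9FwBz4iObkPa5YNFz7qeV+y8BjKI/7nQ/4fh/Xd7tp+5eYT47GEx"
     "ALl4GBGKoW22k/IpD1nqNuGs4BYvuG/kTfhtTEWyfMbB20M17W0vPbHmhLDbdGO0qg1HPQZ0gXYFCofu9OX86OGL"
     "V+YFEJ+NeWiNHg91xq1svv0sehJp7w=="),
    (27859, 257,
     "AwEAAb133Y0UxrLtgmsR2LEkSpiiU6JKenlDmp42a6PYuic4wxWFhQrfnzZVRcmoBTJZfdOD4pUe+eMsUOHIrheK"
     "mhc7D7cmDS+ftZZThBd9GawpgiqCRRJYceECPKK8AcCnqz3Cryei/+dGpjXyBXiCVZ8Xfn57AOIN6KfG+jdw+uow"
     "o5qP0XtMI/UU9k4j7Cair7zaieMkvWb4Vo8gPLZ/PGUjkGCUO9eXD5jauYapg4AoRZUalnTdp1MRN5rIaHhyRPsm"
     "KjdfgvLCfep/2fYVOX75t89MnHNC4c8z+gpfgG8OI/1mllP2h5KiwCN56fHqiqbF2DW/1baKEzDdM8N002E="),
    (31951, 257,
     "AwEAAb/ksCZYQWD+Ur6dw5KPoDR1B0FZchfVrLzExIsnDdIG9pcyhhJ6UE6FkxCKM4NQSYeG+VSGU5i4t1e1wvic"
     "M/f5/eAccFoff/Ou608Fp9sOXN0BpW6aDTH2oUIfgaLmreuUVHqJt6AiPZ/BJKProI5fwEDVHsqXI8Vp6hwg6r6G"
     "pQrE6xobebHzoyB743H/tUIdfKhDDx1NtIERV4uFDntZPsHXYoPduGnHhZnKT+ruZu0GcF/vOpK4lXNSRU2gLCuC"
     "tLqT02vM9N1+ZuARTMyB9jaGcWON/5tbg5x5F9p+q3yE2U8e0acrQCauo2KCOMPS33GbII9IRk7b9/FSuAc="),
]
# (key tag, digest type) -> digest, from the dlv.isc.org answer above.
PAGE_DLV = {
    (31951, 1): "EAB2F3C835686644F8E4DF510171833BDC9CF751",
    (31951, 2): "BFE9D8548DC61BDB6F31F04BB16E57C6891F79005649DC4D132438E984D72FBA",
    (27859, 1): "F34BA83800EF2DD8ABBBC245DE0C76B4A3F70045",
    (27859, 2): "095D78A18FA3675476F4E782E0FA32A54400F4DCD05B3F8639298345158B79D0",
}

def check_page_chain():
    """Returns {check name: bool}; every entry should be True for the data above."""
    rdata = {tag: dnskey_rdata(fl, 3, 5, b64) for tag, fl, b64 in PAGE_KEYS}
    flags = {tag: fl for tag, fl, _ in PAGE_KEYS}
    results = {f"key tag {tag}": key_tag(rd) == tag for tag, rd in rdata.items()}
    results["34470 is ZSK"] = is_zone_key(flags[34470]) and not is_ksk(flags[34470])
    for (tag, dtype), digest in PAGE_DLV.items():
        results[f"DLV {tag} type {dtype}"] = (
            is_ksk(flags[tag])
            and ds_digest("212.in-addr.arpa.", rdata[tag], dtype) == digest)
    results["RRSIG NSEC interval"] = rrsig_interval_ok(
        "20090711232326", "20090611232326", "20090612011526")
    results["17.62.212 insecure delegation"] = nsec_proves_insecure_delegation("NS RRSIG NSEC")
    return results

if __name__ == "__main__":
    for name, ok in check_page_chain().items():
        print(f"{'ok  ' if ok else 'FAIL'} {name}")
```

Run it and every line should print ok. A FAIL on a "DLV" line would mean the key material you have does not match what the registry published, which is the same situation a stale trusted-keys entry in named.conf produces: named would then validate against the old anchor and never consult dlv for that island, exactly the case Mark asks about first. The NSEC check is the reason the quoted "no valid signature found" lines are not themselves a problem: with no DS in the type map, the validator has proof the child is unsigned and stops there.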


