named validating @0x...: ... SOA: no valid signature found

Mark Andrews marka at isc.org
Wed May 2 13:29:30 UTC 2012


In message <jnrabn$olm$1 at dough.gmane.org>, "Brian J. Murrell" writes:
> Not having dipped my toe into DNSSEC yet (yes, I know, but time is
> always so scarce)...
> 
> So I am seeing a bunch of this sort of thing in my BIND logs now:
> 
> 04:02:18 named validating @0xb0f58988: 124.in-addr.arpa SOA: no valid signature found
> 04:02:18 named validating @0xb0f58988: 124.in-addr.arpa NSEC: no valid signature found
> 04:02:18 named validating @0xb0f58988: 227.124.in-addr.arpa NSEC: no valid signature found
> 04:03:30 named validating @0xb0f58988: net SOA: no valid signature found
> 04:03:30 named validating @0xb0f58988: a1rt98bs5qgc9nfi51s9hci47uljg6jh.net NSEC3: no valid signature found
> 04:03:30 named validating @0xb0f58988: 5VI63OJ105LD6R767I45IDJR5Q55T1R1.net NSEC3: no valid signature found
> 04:03:30 named validating @0xb0f58988: EEE0K4ONQCCHCJQTQ5VJD52NKJTEHAJN.net NSEC3: no valid signature found
> 04:03:30 named validating @0xb0f4d8c0: uk SOA: no valid signature found
> 04:03:30 named validating @0xb21ea7c0: u1fmklfv3rdcnamdc64sekgcdp05bbiu.uk NSEC3: no valid signature found
> 04:03:30 named validating @0xb0f67990: pl SOA: no valid signature found
> 04:03:30 named validating @0xb18914a0: RVLFSE0643QVHS3RI8VPKGANFBCJVJ06.pl NSEC3: no valid signature found
> 04:03:31 named validating @0xb0f949d0: GSV9U2BOSCL9B9TQAL1UAV4BNVI9EVUE.pl NSEC3: no valid signature found
> 04:03:31 named validating @0xb21cc520: org SOA: no valid signature found
> 04:03:31 named validating @0xb18f2c08: org SOA: no valid signature found
> 04:03:31 named validating @0xb21ea7c0: fk47636n6psb8mv7rdu6tpdhas69cbjp.org NSEC3: no valid signature found
> 04:03:31 named validating @0xb0fe6528: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3: no valid signature found
> 04:03:31 named validating @0xb0f61960: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3: no valid signature found
> 04:03:31 named validating @0xb21cc520: 4rkhv4s4situ82j70sp5tq5utm12o2t8.org NSEC3: no valid signature found
> 04:03:31 named validating @0xb18f2c08: ic8a82pge1m0qdob5sce1e3613hqr7br.org NSEC3: no valid signature found
> 04:03:31 named validating @0xb0f949d0: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3: no valid signature found
> 04:03:31 named validating @0xb0f949d0: vai6s58iqmjmin7ju8mq61aju3q4ms5h.org NSEC3: no valid signature found
> 04:03:31 named validating @0xb0f949d0: org SOA: no valid signature found
> 04:03:31 named validating @0xb18914a0: vai6s58iqmjmin7ju8mq61aju3q4ms5h.org NSEC3: no valid signature found
> 04:03:31 named validating @0xb21e1518: vai6s58iqmjmin7ju8mq61aju3q4ms5h.org NSEC3: no valid signature found
> 04:09:43 named validating @0xb0f58988: 117.in-addr.arpa SOA: no valid signature found
> 04:09:43 named validating @0xb0f58988: 117.in-addr.arpa NSEC: no valid signature found
> 04:09:43 named validating @0xb0f58988: 240.117.in-addr.arpa NSEC: no valid signature found
> 04:13:52 named validating @0xb0f58988: 27.in-addr.arpa SOA: no valid signature found
> 04:13:52 named validating @0xb0f58988: 22.115.27.in-addr.arpa NSEC: no valid signature found
> 04:13:52 named validating @0xb0f58988: 99.114.27.in-addr.arpa NSEC: no valid signature found
> 04:15:16 named validating @0xb0f58988: 117.in-addr.arpa SOA: no valid signature found
> 04:15:16 named validating @0xb0f58988: 117.in-addr.arpa NSEC: no valid signature found
> 04:15:16 named validating @0xb0f58988: 99.20.117.in-addr.arpa NSEC: no valid signature found
> 04:15:48 named validating @0xb0f58988: org SOA: no valid signature found
> 04:15:48 named validating @0xb0f58988: h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org NSEC3: no valid signature found
> 04:15:48 named validating @0xb0f58988: osfek8jf3dv7trcfcuheumjh9bpmjkeq.org NSEC3: no valid signature found
> 04:15:48 named validating @0xb0f58988: vai6s58iqmjmin7ju8mq61aju3q4ms5h.org NSEC3: no valid signature found
> 
> And am wondering what they are really telling me.  Are they all
> different flavours of "zone is not signed" or are they more like
> "zone is supposed to be signed but there are problems with it"?
> 
> Cheers,
> b.

The zones are signed.  Possible reasons are:

* a firewall blocking EDNS queries.
* using a non-DNSSEC-enabled forwarder so you don't get signatures.
* a firewall blocking fragmented UDP and named falling back to
  plain DNS.
* other packet loss causing named to fall back to plain DNS.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
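The four causes in the reply above can be told apart from the outside with dig. The script below is an added example for this thread, not code from the posters, from ISC or from BIND: it sends one plain query, one EDNS query, one DNSSEC query that fits in a small UDP answer and one large DNSSEC (DNSKEY) query to the resolver or forwarder under test, and reduces the four outcomes to a single diagnosis. It assumes dig is installed, takes the resolver address from an environment variable named DNSSEC_CHECK_SERVER (a name chosen here, not a BIND or dig setting), and uses org as the probe zone because it is one of the signed zones in the logged messages; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original thread or of BIND: probe a resolver
# with dig to tell apart "EDNS blocked", "forwarder strips signatures" and
# "fragmented UDP blocked". Assumes dig is installed; the resolver address
# comes from DNSSEC_CHECK_SERVER (a variable name chosen for this example).

# Did dig get any response at all? Every answer dig prints carries a HEADER
# line; a dropped query prints "connection timed out" instead. Reads dig
# output on stdin.
got_answer() {
    grep -qF -e '->>HEADER<<-'
}

# Does the dig output carry at least one RRSIG record? Lines starting with
# ';' are dig's own comments and are skipped. Reads dig output on stdin.
has_rrsig() {
    grep -Eq '^[^;].*[[:space:]]RRSIG[[:space:]]'
}

# Reduce the four probe results (yes/no each) to one diagnosis. The checks
# are ordered so that each one only runs once the previous cause is excluded:
# no plain DNS  -> resolver unreachable at all
# no EDNS       -> EDNS queries are being dropped (firewall)
# no RRSIG      -> answers arrive but without signatures (non-DNSSEC forwarder)
# no large      -> small signed answers arrive, large ones do not (fragments dropped)
classify() {
    plain=$1 edns=$2 rrsig=$3 large=$4
    if [ "$plain" != yes ]; then echo unreachable; return 0; fi
    if [ "$edns" != yes ]; then echo edns-blocked; return 0; fi
    if [ "$rrsig" != yes ]; then echo no-signatures; return 0; fi
    if [ "$large" != yes ]; then echo fragments-blocked; return 0; fi
    echo signatures-ok
}

# One dig query against $server, with a short timeout and a single try so a
# dropped packet shows up as a timeout instead of a long hang.
probe() {
    dig @"$server" +time=3 +tries=1 "$@" 2>&1
}

# Run the four probes against one resolver and print the diagnosis.
run_checks() {
    server=$1
    plain=no; edns=no; rrsig=no; large=no
    # 1. plain DNS, no EDNS OPT record at all
    probe +noedns org SOA | got_answer && plain=yes
    # 2. EDNS present, DO bit off, small buffer: tests only that EDNS passes
    probe +edns=0 +nodnssec +bufsize=512 org SOA | got_answer && edns=yes
    # 3. DO bit on, small buffer: a truncated reply makes dig retry over TCP,
    #    so signatures still arrive unless something strips them
    probe +dnssec +bufsize=512 org SOA | has_rrsig && rrsig=yes
    # 4. DO bit on, 4096-byte buffer, no TCP retry: the DNSKEY answer is large
    #    enough to be fragmented, so dropped fragments show up as a timeout
    probe +dnssec +bufsize=4096 +ignore org DNSKEY | has_rrsig && large=yes
    classify "$plain" "$edns" "$rrsig" "$large"
}

# Live run only when a resolver is named; otherwise the functions above can be
# exercised on saved dig output without any network access.
if [ -n "${DNSSEC_CHECK_SERVER:-}" ] && command -v dig >/dev/null 2>&1; then
    echo "diagnosis for $DNSSEC_CHECK_SERVER: $(run_checks "$DNSSEC_CHECK_SERVER")"
fi
```

Run it as `DNSSEC_CHECK_SERVER=127.0.0.1 sh dnssec-probe.sh` against the validating named itself, and again against each forwarder it uses; a forwarder that reports `no-signatures` explains every "no valid signature found" line at once. A `fragments-blocked` result is a heuristic, since the large probe also fails when the server answers with a truncated reply for its own reasons, so confirm it by repeating the DNSKEY query with `+bufsize=1232` and watching whether the answer comes back once it no longer needs fragmentation.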