Robert Moskowitz rgm at
Fri Mar 1 14:39:21 UTC 2013

On 03/01/2013 09:22 AM, Michael W. Lucas wrote:
> On Fri, Mar 01, 2013 at 09:19:42AM -0500, Robert Moskowitz wrote:
>> On 03/01/2013 08:57 AM, Tony Finch wrote:
>>> Robert Moskowitz <rgm at> wrote:
>>>> I got tipped off about this from logwatch report. On my public DNS server had
>>>> the following:
>>>> Feb 26 04:02:04 onlo named[19336]:   validating @0xb2929ee0: SOA:
>>>> got insecure response; parent indicates it should be secure
>>> Looks like something in your setup is dropping RRSIGs, and this is
>>> probably responsible for both your private htt. TLD validation problems
>>> and these validation problems. Do all your servers have
>>> "dnssec-enable yes"? Do you have any non-BIND servers or middleboxes?
>> All my boxes are Centos 6.3 running RHEL bind 9.8.2.  I have 3. onlo is
>> public facing and my main server.  rigel is my internal test box.
>> klovia is my new mail server running as a cache server, currently
>> forwarding to rigel, but will be switched to onlo when I swap it for the
>> current klovia.  onlo and rigel are completely independent and on
>> different subnets.  I mention the names as they are all findable via
>> DNS; nothing private about that (though I am blocking chaos digs on all
>> of them).
>> All in the global options have the lines:
>>       dnssec-enable yes;
>>       dnssec-lookaside auto;
>> Onlo and rigel have:
>>       dnssec-validation auto;
>> and klovia has:
>>       dnssec-validation yes;
>> hmmm.  I THOUGHT I had set onlo to also be 'dnssec-validation yes'.
>> Probably did that in an earlier test version and when I did the final
>> build, I forgot to change that line (auto is the RHEL default setting).
>> And rigel started life as a clone of onlo.
>> So I will change dnssec-validation to yes, and see what happens.
>> Anything else I should look for?
>> Oh, no non-bind servers knowingly in the way.  I pay my ISP for a clear
>> IP connection and 64 IPv4 addresses and a /48 IPv6 allocation.  My
>> firewall is a Juniper SSG5 'branch' firewall with current firmware
>> (there was an IPv6 bug in earlier releases that caused outbound routing
>> problems) that is just passing port 53; no proxying enabled.
> You might have been here, but I feel obliged to throw this out: reply
> size problem?

Well something is south.  Running this on onlo:

dig +short txt
;; Truncated, retrying in TCP mode.
"2607:f4b8:3:0:9254:5400:0:148 DNS reply size limit is at least 4091"
"2607:f4b8:3:0:9254:5400:0:148 sent EDNS buffer size 4096"
"Tested at 2013-03-01 14:34:28 UTC"

But running it from this notebook I get:

dig @onlo +short txt
"2607:f4b8:3:0:9254:5400:0:148 sent EDNS buffer size 4096"
"Tested at 2013-03-01 14:37:18 UTC"
"2607:f4b8:3:0:9254:5400:0:148 DNS reply size limit is at least 2495"

So why does it truncate when run from the DNS server, but not when the same
server processes the request from a client?  Or is it truncating, and just
not telling the client?
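A small Python helper, added here and not part of the thread, that parses the TXT strings the reply-size test returns (as in the two dig runs above) and flags a path where the largest delivered UDP reply falls short of the EDNS buffer the resolver advertised. The 64-byte tolerance and the use of 1280 (the IPv6 minimum MTU) as a severity threshold are my assumptions.

```python
import re
from dataclasses import dataclass

# Constructed input: the TXT strings from the two dig runs in the thread,
# re-typed here as sample data for the parser.
FROM_SERVER = [
    '"2607:f4b8:3:0:9254:5400:0:148 DNS reply size limit is at least 4091"',
    '"2607:f4b8:3:0:9254:5400:0:148 sent EDNS buffer size 4096"',
    '"Tested at 2013-03-01 14:34:28 UTC"',
]
FROM_CLIENT = [
    '"2607:f4b8:3:0:9254:5400:0:148 sent EDNS buffer size 4096"',
    '"Tested at 2013-03-01 14:37:18 UTC"',
    '"2607:f4b8:3:0:9254:5400:0:148 DNS reply size limit is at least 2495"',
]

_LIMIT = re.compile(r'^"?(\S+) DNS reply size limit is at least (\d+)"?$')
_EDNS = re.compile(r'^"?(\S+) sent EDNS buffer size (\d+)"?$')

TOLERANCE = 64       # assumed probe granularity of the test ("at least" is not exact)
IPV6_MIN_MTU = 1280  # every IPv6 link must carry this much without fragmenting

@dataclass
class ReplySizeResult:
    resolver: str    # address the test saw the query arrive from
    advertised: int  # EDNS UDP payload size the resolver announced
    delivered: int   # largest UDP reply that reached the resolver intact

    def verdict(self) -> str:
        """Classify the UDP path between the test server and the resolver."""
        if self.advertised - self.delivered <= TOLERANCE:
            return "ok"             # path carries what the resolver asks for
        if self.delivered >= IPV6_MIN_MTU:
            return "fragment-loss"  # large (e.g. DNSSEC) replies are being dropped
        return "severe"             # even unfragmented-size replies are being cut

def parse_reply_size_test(txt_lines) -> ReplySizeResult:
    """Parse the TXT strings the reply-size test returns, in any order."""
    resolver = advertised = delivered = None
    for line in txt_lines:
        if m := _LIMIT.match(line.strip()):
            resolver, delivered = m.group(1), int(m.group(2))
        elif m := _EDNS.match(line.strip()):
            resolver, advertised = m.group(1), int(m.group(2))
    if advertised is None or delivered is None:
        raise ValueError("incomplete reply-size test output")
    return ReplySizeResult(resolver, advertised, delivered)

if __name__ == "__main__":
    for label, lines in (("from onlo", FROM_SERVER), ("via onlo", FROM_CLIENT)):
        r = parse_reply_size_test(lines)
        print(f"{label}: advertised {r.advertised}, delivered {r.delivered} -> {r.verdict()}")
```

A "fragment-loss" verdict on the client path but "ok" on the server itself points at something between the client's query path and the test server, not at the DNSSEC configuration.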

More information about the bind-users mailing list