Handling of expired RRSIG records - ise.gov

Simon Waters simon.waters at surevine.com
Wed May 21 11:56:32 UTC 2014

Dear Bind Users,

BIND 9 logs report: RRSIG has expired for "www.ise.gov"
And "no valid signature found" for "ise.gov A".

Yet I can still resolve and visit the website http://ise.gov/

DNS recursive server has:
        dnssec-validation yes;
        dnssec-enable yes;
        dnssec-accept-expired no;


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.32.amzn1 <<>> +norec +dnssec @ns1.p11.dynect.net ise.gov a
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61417
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1

; EDNS: version: 0, flags: do; udp: 4096
;ise.gov.			IN	A

ise.gov.		60	IN	A
ise.gov.		60	IN	RRSIG	A 5 2 60 20140513120652 20140413120652 45468 ise.gov. VZpvQNUKY6Vt0yxytk7JzK4FGh54SImorcnbvIRKwhGp2nrrHZWgSRfM RiYtgbD2KSUoIOoaws5uDL1FAmMbbbFbdQBioEmJeCJMLzD1FJKPDBu3 PTtmTqgj7tdEM12evpM1v8JwDoN/ZYGwgMxkkOebqqrMQ0ZuprfmZqrf 6Zg=

ise.gov.		86400	IN	NS	ns1.p11.dynect.net.
ise.gov.		86400	IN	NS	ns4.p11.dynect.net.
ise.gov.		86400	IN	NS	ns2.p11.dynect.net.
ise.gov.		86400	IN	NS	ns3.p11.dynect.net.
ise.gov.		86400	IN	RRSIG	NS 5 2 86400 20140513120652 20140413120652 45468 ise.gov. OJ6es8al+vr2hCU9IrEkIJ+Ly/XK79g/Hlp8vDCYR6qt5VrOA5dzC4Nq a0IOOn9Ryo38O021tlcTp9bHhC+sf02SmmbG1oBiRSbL2JaYPD0Cm5bg rLiGB9iE3lDrgIz++RytufcKjnloYyCYhfAUvTe5/tmSU5tP0rdes8yw 0rA=

;; Query time: 22 msec
;; WHEN: Wed May 21 11:40:16 2014
;; MSG SIZE  rcvd: 472

All name servers have the same expiry time for the RRSIG A record, which unless I'm more confused than I realise,  is about a week ago. Clocks on all machines under our control are correct to the precision required (they know what day and year it is).

DNSviz suggests that SOA record is secure, but not A or MX for ise.gov and the date on the SOA RRSIG record is indeed in the future.

How is BIND deciding it is okay to return the A and MX records, and that this is not some sort of DNS replay attack?

More information about the bind-users mailing list