BIND dnssec issue

Mark Andrews marka at isc.org
Sun Nov 6 21:17:21 UTC 2016


First check your system clocks and make sure they are correct.

'date -u' will show the time in UTC.

Here in Australia we are 11 hours in front of UTC so
where I run 'date; date -u' I get:

Mon  7 Nov 2016 07:42:33 EST
Sun  6 Nov 2016 20:42:33 UTC

'dig +cd +dnssec' will let you see the RRSIG inception and expiration
times. They are in UTC.  Below the RRSIG expires at 20161114235959
and it was created at 20161031000000.

;; BADCOOKIE, retrying.

; <<>> DiG 9.11.0 <<>> +cd +dnssec dnskey . +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43548
;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: c393bcde3d692889e9f12574581f9746ca751f3f49a0a1aa (good)
;; QUESTION SECTION:
;.			IN DNSKEY

;; ANSWER SECTION:
.			171135 IN DNSKEY 256 3 8 (
				AwEAAYbinauHA9oUb4aGNtJIrepyGoYy0OL01rvIhvo3
				RWN/Ch8p2C4ZEkpvUYkx74r9JpgrOsjKOv+JQdKtT2u8
				AxGjUoH8x8HdpDiMV7XnpWJo9wAxlFtDtbMnPwRQ3dWs
				T1p5myrGcm7EFJ9j7KmiAEG5hGsevZqcnqMOW9QFkmp/
				zM0TFYXYWq6AsAof2uZqLUyd+nHIW0TGsaHMzcTNfA8W
				w+OYV7R4bcR/8edCEo6OAh9j48R1hRtuO1e2MQdnkITc
				9DJljB4Cq1gQKwv/ku7mAvmFuWkRotMZIFN3vDhpmpmy
				7M0C1EHSRAgP+HkblLRQKOPnwI/VksJEU4fmnhk=
				) ; ZSK; alg = RSASHA256 ; key id = 39291
.			171135 IN DNSKEY 257 3 8 (
				AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
				bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
				/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
				JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
				oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
				LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
				Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
				LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
				) ; KSK; alg = RSASHA256 ; key id = 19036
.			171135 IN RRSIG	DNSKEY 8 0 172800 (
				20161114235959 20161031000000 19036 .
				LPuldf5oWFdSHSTPYL5WvrvwJTElxY6LTEw2Cit0JOcV
				AbZG6LLCmlpCJ55Ngf/sdE4UXUPJ/m6CFRYT+aAePvEW
				rjRPGGX64V82oCeCPyAqD4XHd3CIQi3LBYk8ZbEktyvB
				X+VS16rbSEQib7xNYvohtiJ0dRiw/wjr6YVF8xUdYO1v
				vXPYOGXISYwW4vDiKAuyLDGuoLRh/F9GZQxBPwv6Bmx8
				/JfNCfIygbnZ/8qIZUsFH68DPbAHPBqwR1GP+haAa6vQ
				PhXwn4p+Vci7rYNzfPzdQfDNWsQ+8ur8xxSdanAZcZRr
				ytaidLtIQx4DeGANdwmNjnAn8ZSg6q8etQ== )

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 07 07:49:10 EST 2016
;; MSG SIZE  rcvd: 892
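The clock check above can be automated: the validity window is carried in the RRSIG itself, in UTC, so a script can compare it against the time it believes is "now" and say whether a validator would accept the signature. The following is an added example, not code from the post or from BIND. It parses the presentation format that `dig +cd +dnssec +multi` prints (the multi-line `( ... )` form), extracts the expiration and inception timestamps, and classifies a signature at a given instant. The embedded sample is constructed from the post's own RRSIG line (key tag 19036, the same two timestamps) with the signature data shortened; the instants passed to the check are assumptions for illustration.

```python
"""Parse RRSIG records out of dig output and check their validity window."""
import re
from datetime import datetime, timezone

# Constructed sample: one DNSKEY record and the RRSIG over the DNSKEY RRset,
# with the timestamps and key tag quoted in the post (base64 data shortened).
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
.			171135 IN DNSKEY 257 3 8 (
				AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
				LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
				) ; KSK; alg = RSASHA256 ; key id = 19036
.			171135 IN RRSIG	DNSKEY 8 0 172800 (
				20161114235959 20161031000000 19036 .
				LPuldf5oWFdSHSTPYL5WvrvwJTElxY6LTEw2Cit0JOcV
				ytaidLtIQx4DeGANdwmNjnAn8ZSg6q8etQ== )
"""


def parse_ts(stamp):
    """Turn an RRSIG YYYYMMDDHHMMSS timestamp into an aware UTC datetime.

    RRSIG times are always UTC, which is why the post compares them against
    'date -u' rather than the local clock.
    """
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(text):
    """Return a list of dicts, one per RRSIG record found in dig output."""
    # Fold the multi-line "( ... )" form back onto a single line per record.
    flat = re.sub(r"\(\s*([^)]*?)\s*\)",
                  lambda m: " ".join(m.group(1).split()), text)
    records = []
    for line in flat.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # comments and blank lines
        fields = line.split()
        # owner ttl IN RRSIG type alg labels orig_ttl expiration inception keytag signer sig...
        if len(fields) < 12 or fields[3] != "RRSIG":
            continue
        records.append({
            "owner": fields[0],
            "type_covered": fields[4],
            "expiration": parse_ts(fields[8]),
            "inception": parse_ts(fields[9]),
            "keytag": int(fields[10]),
            "signer": fields[11],
        })
    return records


def check_validity(record, now):
    """Classify a signature at the aware datetime `now`.

    A validator accepts a signature only when inception <= now <= expiration;
    a clock that is wrong by days turns every signature into "expired" or
    "not yet valid", which is the failure the post asks the reader to rule out.
    """
    if now < record["inception"]:
        return "not yet valid"
    if now > record["expiration"]:
        return "expired"
    return "valid"


def report(text, now):
    """Human-readable verdict per RRSIG, with time left until expiration."""
    lines = []
    for rec in parse_rrsigs(text):
        verdict = check_validity(rec, now)
        left = rec["expiration"] - now
        lines.append(f"{rec['owner']} RRSIG {rec['type_covered']} keytag={rec['keytag']}: "
                     f"{verdict} (expires in {left})")
    return lines


if __name__ == "__main__":
    # The UTC instant from the post, and (assumed) a clock that is a year behind.
    for when in ("20161106204233", "20151106204233"):
        print(f"checked at {when}Z:")
        for line in report(SAMPLE_DIG_OUTPUT, parse_ts(when)):
            print("  " + line)
```

To use it on a live answer, pipe `dig +cd +dnssec +multi dnskey .` into `parse_rrsigs` and pass `datetime.now(timezone.utc)` as `now`; `+cd` matters because a validator with a bad clock would otherwise return SERVFAIL and you would never see the RRSIG.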

As for "got insecure response; parent indicates it should be secure",
there are still systems out there that do not respond to EDNS
queries or only respond to the first EDNS query.  To get answers
from these systems, especially after a lost packet, named has to
ask plain DNS questions, and as plain DNS does not have EDNS there
is no DO=1 flag, so one does not get DNSSEC records in the responses to
those queries.  When such answers go through the validator and the
zone is signed you will see this message logged.

Old Microsoft Windows DNS servers exhibit this "only answer the first
EDNS query" issue.  You need to ask a plain DNS query to get a response
after the first EDNS query.  When we do EDNS compliance testing we
can see these systems as they end up being formerr and timeouts
except for plain DNS.

bihasitka-nsn.gov. @64.37.122.49 (ns2.chicagowebs.com.): dns=ok
edns=formerr,nosoa edns1=formerr,badversion edns@512=timeout
ednsopt=timeout edns1opt=timeout do=timeout ednsflags=timeout
optlist=timeout signed=timeout ednstcp=formerr

hamiltontn.gov. @12.204.222.241 (ns1.hamiltontn.gov.): dns=ok
edns=timeout edns1=timeout edns@512=timeout ednsopt=formerr,echoed,nosoa
edns1opt=timeout do=timeout ednsflags=timeout optlist=timeout
signed=timeout ednstcp=timeout
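The two compliance lines above follow a regular one-line-per-server shape (zone, address, host name, then `test=result[,flags]` pairs), so the "plain DNS works, every EDNS probe fails" pattern Mark describes can be picked out mechanically. The following is an added example, not code from the post or from ISC's testing tool: it parses that summary format into a dict and classifies each server. The first two sample entries are the post's own results joined back onto one line each; the third entry (`healthy.example`, `192.0.2.53`) is constructed as a fully compliant server for contrast, and the verdict labels are this example's own.

```python
"""Classify EDNS compliance summaries of the kind quoted in the post."""
import re

# zone @address (hostname): test=result test=result ...
LINE_RE = re.compile(
    r"^(?P<zone>\S+)\s+@(?P<addr>\S+)\s+\((?P<host>[^)]*)\):\s+(?P<results>.*)$"
)

# Constructed sample: the post's two servers plus an invented compliant one.
SAMPLE_REPORT = """\
bihasitka-nsn.gov. @64.37.122.49 (ns2.chicagowebs.com.): dns=ok edns=formerr,nosoa edns1=formerr,badversion edns@512=timeout ednsopt=timeout edns1opt=timeout do=timeout ednsflags=timeout optlist=timeout signed=timeout ednstcp=formerr
hamiltontn.gov. @12.204.222.241 (ns1.hamiltontn.gov.): dns=ok edns=timeout edns1=timeout edns@512=timeout ednsopt=formerr,echoed,nosoa edns1opt=timeout do=timeout ednsflags=timeout optlist=timeout signed=timeout ednstcp=timeout
healthy.example. @192.0.2.53 (ns1.healthy.example.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=ok
"""


def parse_line(line):
    """Split one summary line into its parts; results map test -> [verdict, flags...]."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a compliance summary line: {line!r}")
    results = {}
    for item in m.group("results").split():
        test, _, value = item.partition("=")
        results[test] = value.split(",")  # first token is the verdict, the rest are flags
    return {"zone": m.group("zone"), "addr": m.group("addr"),
            "host": m.group("host"), "results": results}


def classify(results):
    """Verdict labels used by this example (not the tool's own vocabulary).

    'plain-dns-only' is the pattern from the post: the server answers a plain
    DNS query but times out or returns FORMERR on every EDNS variant, so a
    resolver that has to fall back to plain DNS cannot obtain DNSSEC records.
    """
    if results.get("dns", [""])[0] != "ok":
        return "unreachable"
    failing = [t for t, v in results.items() if t != "dns" and v[0] != "ok"]
    if not failing:
        return "compliant"
    if len(failing) == len(results) - 1:
        return "plain-dns-only"
    return "partial-edns"


def dnssec_retrievable(results):
    """True if the DO=1 probe got an answer, i.e. RRSIGs can be fetched at all."""
    return results.get("do", [""])[0] == "ok"


def summarize(report):
    """Map server address -> verdict for every non-blank line of a report."""
    verdicts = {}
    for line in report.splitlines():
        if line.strip():
            entry = parse_line(line)
            verdicts[entry["addr"]] = classify(entry["results"])
    return verdicts


if __name__ == "__main__":
    for line in SAMPLE_REPORT.splitlines():
        entry = parse_line(line)
        print(f"{entry['zone']} @{entry['addr']}: {classify(entry['results'])}, "
              f"DO=1 answered: {dnssec_retrievable(entry['results'])}")
```

A server classified `plain-dns-only` whose zone is signed is exactly the case where named logs "got insecure response; parent indicates it should be secure": the only answers it can get carry no RRSIGs. The `partial-edns` bucket is worth inspecting by hand, since a single failing probe (for example only `edns@512`) points at a path-MTU or firewall problem rather than at the server software.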

If you have lots of these messages check that your firewall allows
through large (> 1500 byte) EDNS responses.  Packet loss and bad
local firewalls can make named think that it is talking to such a
system.  Excessive buffer bloat can also cause named to think it
is talking to such a system.  A big upload / download can make
visible the buffer bloat in the routers on your link.

Mark

In message <BL2PR01MB3393C454FDCE60904E2781CFFA40 at BL2PR01MB339.prod.exchangelabs.com>, Mahdi Adnan writes:
> Hello,
>
>
> We have several Bind recursive servers and all of them stop responding to
> queries at 10:00 PM daily for 4 minutes starting from November 1st with
> the following error in the logs;
>
>
> "SOA: got insecure response; parent indicates it should be secure"
>
> "DNSKEY: verify failed due to bad signature (keyid=56467): RRSIG has
> expired"
>
> "dlv.isc.org SOA: got insecure response; parent indicates it should be
> secure"
>
>
>
> servers running different versions of BIND (9.9 and 9.10) but all are up
> to date.
>
> anyone have any idea about this issue ?
>
>
> Thanks
> --
>
> Respectfully
> Mahdi A. Mahdi

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org