Paul Wouters: Re: [dnssec-deployment] DNS cache issue

Paul Wouters paul at xelerance.com
Thu Nov 22 20:15:42 UTC 2007


On Thu, 22 Nov 2007, Paul Vixie wrote:

> most edns issues are really ip fragmentation issues.  firewalls that allow
> a certain server to send or receive udp/53 but which don't retain IP ID
> state to allow matching fragments, tend to break edns.  most of the firewalls
> that do this are software devices running on the same host as the dns
> server.  fairly often the cure is worse than the disease (allow all frags).

I am not running a firewall anywhere on or for nssec.xelerance.com. I'm
pretty sure you aren't doing weird things at ISC either, so what happened
between our two networks? There shouldn't be any issues. There are only
10 hops between us, we go straight from xelerance -> xs4all -> above -> isc.

Now, logging is definitely an issue, as Adam pointed out. I see in /var/log/messages now:

Nov 22 07:00:06 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:10 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:10 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:00:10 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:00:11 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:14 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:14 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:00:14 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:00:14 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:18 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:00:19 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:19 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:19 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:00:23 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:00:24 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:24 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:24 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:00:28 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:00:28 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:28 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:28 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:00:32 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:00:32 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:33 nssec named[17813]: no valid DS resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:33 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:00:37 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:37 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:00:37 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:38 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:00:41 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:41 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:00:42 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:42 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:00:46 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:46 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:00:46 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:46 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:00:50 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:00:50 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:50 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:00:50 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:54 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:00:55 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:55 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:55 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:00:59 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:00:59 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:59 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:00 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:01:03 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:01:04 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:04 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:04 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:01:08 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:01:08 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:08 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:08 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:01:12 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:12 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:01:13 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:01:13 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:17 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:17 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:01:17 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:01:17 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:21 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:21 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:01:22 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:01:22 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:26 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:26 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:01:26 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:01:26 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:30 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:30 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:01:31 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:01:31 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:35 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:35 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:01:35 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:01:35 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:39 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:39 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:01:39 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:01:39 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:43 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:44 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:01:44 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:01:44 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:48 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:48 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:01:48 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:01:48 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:53 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:53 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:01:53 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:01:53 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:57 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:01:57 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53

The full log covers 3-4 entries per second from Nov 22 06:52:45 to Nov 22 07:05:38. That *is* quite
excessive logging.

# grep 14.67.8.64 /var/log/messages | wc -l
672

Since Nov 18, I've gotten 7000 messages from named. This is excluding dnssec logging that goes into a
separate file.

Paul
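
Added example, not part of the original message: one way to collapse a flood of these validator messages into one record per query, with the volume, the missing record types, the servers involved and the rate. The function name `summarize`, the regular expression and the `year` default are assumptions made for illustration; the sample lines are copied from the excerpt above, plus one constructed unrelated line.

```python
import re
from collections import Counter
from datetime import datetime

# Shape of the named messages quoted in the mail:
#   <syslog ts> <host> named[<pid>]: no valid <RRTYPE> resolving '<name>/<type>/<class>': <server>#<port>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+named\[\d+\]:\s+"
    r"no valid (?P<missing>\w+) resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>\w+)/\w+':\s+(?P<server>[^#\s]+)#\d+\s*$"
)

def summarize(lines, year=2007):
    """Collapse repeated validation-failure lines into one record per query.

    Syslog timestamps carry no year, so `year` is an assumption supplied by the caller.
    """
    out = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a "no valid ... resolving" message
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        rec = out.setdefault((m["qname"], m["qtype"]), {
            "count": 0, "first": ts, "last": ts,
            "missing": Counter(), "servers": Counter(),
        })
        rec["count"] += 1
        rec["first"], rec["last"] = min(rec["first"], ts), max(rec["last"], ts)
        rec["missing"][m["missing"]] += 1
        rec["servers"][m["server"]] += 1
    for rec in out.values():
        rec["span_seconds"] = int((rec["last"] - rec["first"]).total_seconds())
        # Avoid dividing by zero when every line shares one timestamp.
        rec["per_second"] = round(rec["count"] / max(rec["span_seconds"], 1), 3)
    return out

PREFIX = "nssec named[17813]: no valid"
QUERY = "resolving '14.67.8.64.in-addr.arpa/PTR/IN':"
SAMPLE = [  # five lines from the excerpt above, then one constructed line
    f"Nov 22 07:00:06 {PREFIX} RRSIG {QUERY} 64.8.67.4#53",
    f"Nov 22 07:00:10 {PREFIX} RRSIG {QUERY} 64.8.67.4#53",
    f"Nov 22 07:00:10 {PREFIX} RRSIG {QUERY} 64.8.67.3#53",
    f"Nov 22 07:00:11 {PREFIX} RRSIG {QUERY} 64.8.67.4#53",
    f"Nov 22 07:00:33 {PREFIX} DS {QUERY} 64.8.67.4#53",
    "Nov 22 07:00:34 nssec crond[999]: constructed unrelated line",
]

if __name__ == "__main__":
    for (qname, qtype), rec in summarize(SAMPLE).items():
        print(qname, qtype, rec["count"], dict(rec["missing"]), rec["per_second"])
```
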

