Paul Wouters: Re: [dnssec-deployment] DNS cache issue

Mark Andrews Mark_Andrews at isc.org
Thu Nov 22 23:11:42 UTC 2007


> On Thu, 22 Nov 2007, Paul Vixie wrote:
> 
> > most edns issues are really ip fragmentation issues.  firewalls that allow
> > a certain server to send or receive udp/53 but which don't retain IP ID
> > state to allow matching fragments, tend break edns.  most of the firewalls
> > that do this are software devices running on the same host as the dns
> > server.  fairly often the cure is worse than the disease (allow all frags).
> 
> I am not running a firewall anywhere on or for nssec.xelerance.com. I'm
> pretty sure you aren't doing weird things at ISC either, so what happened
> between our two networks? There shouldn't be any issues. There are only
> 10 hops between us, we go straight from xelerance > xs4all -> above -> isc
> 
> Now, logging is definitely an issue, as Adam pointed out. I see in /var/log/messages now:
> 
> Nov 22 07:00:06 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:00:10 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:00:10 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:00:10 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:00:11 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:00:14 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:00:14 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:00:14 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:00:14 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:00:18 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:00:19 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:00:19 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:00:19 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:00:23 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:00:24 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:00:24 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:00:24 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:00:28 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:00:28 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:00:28 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:00:28 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:00:32 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:00:32 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:00:33 nssec named[17813]: no valid DS resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:00:33 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:00:37 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:00:37 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:00:37 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:00:38 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:00:41 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:00:41 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:00:42 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:00:42 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:00:46 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:00:46 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:00:46 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:00:46 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:00:50 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:00:50 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:00:50 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:00:50 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:00:54 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:00:55 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:00:55 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:00:55 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:00:59 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:00:59 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:00:59 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:00 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:01:03 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:01:04 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:04 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:04 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:01:08 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:01:08 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:08 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:08 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:01:12 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:12 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:01:13 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:01:13 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:17 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:17 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:01:17 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:01:17 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:21 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:21 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:01:22 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:01:22 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:26 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:26 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:01:26 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:01:26 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:30 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:30 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:01:31 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:01:31 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:35 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:35 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:01:35 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:01:35 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:39 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:39 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:01:39 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:01:39 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:43 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:44 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:01:44 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:01:44 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:48 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:48 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:01:48 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:01:48 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:53 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:53 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:01:53 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> Nov 22 07:01:53 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:57 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
> Nov 22 07:01:57 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
> 
> The full log covers 3-4 entries per second from Nov 22 06:52:45 to Nov 22 07:05:38. That *is* quite excessive logging.
> 
> # grep 14.67.8.64 /var/log/messages | wc -l
> 672
> 
> Since Nov 18, I've gotten 7000 messages from named. This excludes dnssec logging that goes into a separate file.
> 
> Paul

	You can't validate what's not there.

; <<>> DiG 9.3.4-P1 <<>> 14.67.8.64.in-addr.arpa +dnssec +norec @64.8.67.4
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40523
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;14.67.8.64.in-addr.arpa.	IN	A

;; AUTHORITY SECTION:
67.8.64.in-addr.arpa.	3600	IN	SOA	nsmf1.gaylord.com. root.nsmf1.gaylord.com. 2007090601 1200 600 1209600 3600

;; Query time: 239 msec
;; SERVER: 64.8.67.4#53(64.8.67.4)
;; WHEN: Fri Nov 23 10:07:38 2007
;; MSG SIZE  rcvd: 110


; <<>> DiG 9.3.4-P1 <<>> 14.67.8.64.in-addr.arpa +dnssec +norec @64.8.67.3
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31711
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;14.67.8.64.in-addr.arpa.	IN	A

;; AUTHORITY SECTION:
67.8.64.in-addr.arpa.	3600	IN	SOA	nsmf1.gaylord.com. root.nsmf1.gaylord.com. 2007090601 1200 600 1209600 3600

;; Query time: 238 msec
;; SERVER: 64.8.67.3#53(64.8.67.3)
;; WHEN: Fri Nov 23 10:08:21 2007
;; MSG SIZE  rcvd: 110

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
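As an added example (not part of this thread and not BIND's own tooling), a small Python script that parses named "no valid RRSIG/DS resolving" lines of the form quoted above and tallies them per query name, missing record type and authoritative server, which is how one would check a claim like "3-4 entries per second" against a real /var/log/messages. The sample lines are constructed in that format; the year is an assumption, since syslog timestamps carry none.

```python
"""Aggregate BIND validation-failure log lines like the ones quoted above.
Added example, not from the thread; the sample lines below are constructed."""
import re
from collections import Counter
from datetime import datetime

# e.g. "Nov 22 07:00:06 nssec named[17813]: no valid RRSIG resolving
#       '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"no valid (?P<rrtype>RRSIG|DS|NSEC|NSEC3) resolving "
    r"'(?P<qname>[^/]+)/(?P<qtype>\w+)/(?P<qclass>\w+)': "
    r"(?P<server>[\d.]+)#(?P<port>\d+)$"
)

SAMPLE_LOG = """\
Nov 22 07:00:06 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:10 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:10 nssec named[17813]: no valid RRSIG resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.3#53
Nov 22 07:00:33 nssec named[17813]: no valid DS resolving '14.67.8.64.in-addr.arpa/PTR/IN': 64.8.67.4#53
Nov 22 07:00:33 nssec named[17813]: lame server resolving 'example.invalid' (in 'invalid'?): 192.0.2.1#53
"""

def parse(lines):
    """Yield a dict per line matching LOG_RE; other named messages are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()

def summarize(lines, year=2007):
    """Return (counts, per_second): counts maps (qname, qtype, missing rrtype,
    server) to the number of log lines, so the noisy name/server pairs stand out;
    per_second is the rate between the first and last matching entry."""
    counts = Counter()
    stamps = []
    for rec in parse(lines):
        counts[(rec["qname"], rec["qtype"], rec["rrtype"], rec["server"])] += 1
        # Syslog stamps carry no year, so the caller supplies one (assumed 2007 here).
        stamps.append(datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S"))
    if len(stamps) < 2:
        return counts, 0.0
    span = (max(stamps) - min(stamps)).total_seconds()
    return counts, (len(stamps) / span if span > 0 else 0.0)

if __name__ == "__main__":
    counts, rate = summarize(SAMPLE_LOG.splitlines())
    for key, n in counts.most_common():
        print(n, *key)
    print(f"{rate:.2f} entries/second")
```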


More information about the bind-workers mailing list