bind10-devel-20120119 recurrent RRSIG query warnings

Spain, Dr. Jeffry A. spainj at countryday.net
Sat Feb 25 16:32:23 UTC 2012


>> I'm running a bind10-devel-20120119 server configured as a slave and receiving DNSSEC-signed zone data from a
>> bind9.9.0rc4 server. About every four hours, I see ten pairs of log messages like the following in the bind10 server's log:
>>
>> 2012-02-24 03:36:50.926 DEBUG [b10-auth.datasrc] DATASRC_QUERY_PROCESS 
>> processing query 'jaspain.net./RRSIG' in the 'IN' class
>> 2012-02-24 03:36:50.927 WARN  [b10-auth.datasrc] DATASRC_QUERY_RRSIG 
>> unable to answer RRSIG query @@Missing placeholder %1 for 'jaspain.net.'@@
> 
>> The warning messages seem to have some improper parameter substitution obscuring their meaning. What is the significance of this, if any? Thanks.

> Sorry for the mess.  I believe the 1-line patch copied below should fix it.  It's already in the master version and will appear in the next release.

I correlated these warning messages with a packet capture. The queries for jaspain.net RRSIG are originating from resolver2.atlanta.linode.com via both IPv4 and IPv6. There are other queries from li174-113.members.linode.com. My guess is that this is a denial-of-service attack to which bind 9.7.1 was vulnerable (it entered an infinite loop). See http://www.isc.org/software/bind/advisories/cve-2010-0213. Bind10-devel-20120119 apparently is not vulnerable, so good on you. Thanks. Jeff.
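An added example, not part of the original message or of BIND 10: one way to confirm the "ten pairs about every four hours" pattern from the b10-auth log before turning to a packet capture. It assumes the single-line log layout implied by the two quoted lines; the function names `rrsig_bursts` and `burst_intervals` and the five-minute grouping gap are hypothetical choices. The quoted log lines carry no client address, so identifying the sources still requires the capture.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the first two lines are the pair quoted in the thread,
# rejoined onto one line each; every other line is invented for illustration.
SAMPLE_LOG = """\
2012-02-24 03:36:50.926 DEBUG [b10-auth.datasrc] DATASRC_QUERY_PROCESS processing query 'jaspain.net./RRSIG' in the 'IN' class
2012-02-24 03:36:50.927 WARN  [b10-auth.datasrc] DATASRC_QUERY_RRSIG unable to answer RRSIG query @@Missing placeholder %1 for 'jaspain.net.'@@
2012-02-24 03:36:51.410 DEBUG [b10-auth.datasrc] DATASRC_QUERY_PROCESS processing query 'jaspain.net./RRSIG' in the 'IN' class
2012-02-24 03:36:51.411 WARN  [b10-auth.datasrc] DATASRC_QUERY_RRSIG unable to answer RRSIG query @@Missing placeholder %1 for 'jaspain.net.'@@
2012-02-24 05:02:10.100 DEBUG [b10-auth.datasrc] DATASRC_QUERY_PROCESS processing query 'www.jaspain.net./A' in the 'IN' class
2012-02-24 07:36:50.926 DEBUG [b10-auth.datasrc] DATASRC_QUERY_PROCESS processing query 'jaspain.net./RRSIG' in the 'IN' class
2012-02-24 07:36:50.927 WARN  [b10-auth.datasrc] DATASRC_QUERY_RRSIG unable to answer RRSIG query @@Missing placeholder %1 for 'jaspain.net.'@@
2012-02-24 07:36:51.412 DEBUG [b10-auth.datasrc] DATASRC_QUERY_PROCESS processing query 'jaspain.net./RRSIG' in the 'IN' class
2012-02-24 07:36:51.413 WARN  [b10-auth.datasrc] DATASRC_QUERY_RRSIG unable to answer RRSIG query @@Missing placeholder %1 for 'jaspain.net.'@@
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) +\w+ +\[[^\]]+\] +(\w+) ?(.*)$")
QUERY_RE = re.compile(r"processing query '([^']*)/([A-Z0-9]+)' in the '\w+' class")

def rrsig_bursts(log_text, gap=timedelta(minutes=5)):
    """Group DATASRC_QUERY_RRSIG warnings into bursts split by more than `gap`."""
    bursts, last_name = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        msg_id, text = m.group(2), m.group(3)
        if msg_id == "DATASRC_QUERY_PROCESS":
            q = QUERY_RE.search(text)
            last_name = q.group(1) if q and q.group(2) == "RRSIG" else None
        elif msg_id == "DATASRC_QUERY_RRSIG":
            # Take the name from the preceding query line: the warning text
            # itself may be garbled by the missing-placeholder bug.
            if not bursts or ts - bursts[-1]["end"] > gap:
                bursts.append({"start": ts, "end": ts, "count": 0, "names": set()})
            burst = bursts[-1]
            burst["end"] = ts
            burst["count"] += 1
            burst["names"].add(last_name or "?")
            last_name = None
    return bursts

def burst_intervals(bursts):
    """Time between the starts of consecutive bursts."""
    return [b["start"] - a["start"] for a, b in zip(bursts, bursts[1:])]
```

A steady interval between bursts and a single queried name point to an automated source rather than ordinary resolver traffic.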

