Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.protocols.dns.bind > #15795
| Path | csiph.com!news.uzoreto.com!news.etla.org!nntp-feed.chiark.greenend.org.uk!ewrotcd!usenet-its.stanford.edu!usenet.stanford.edu!not-for-mail |
|---|---|
| From | vom513 <vom513@gmail.com> |
| Newsgroups | comp.protocols.dns.bind |
| Subject | Constant errors concerning in-addr.arpa SOA (insecure response) |
| Date | Sat, 30 May 2020 15:27:45 -0400 |
| Lines | 68 |
| Approved | bind-users@lists.isc.org |
| Message-ID | <mailman.462.1590866854.942.bind-users@lists.isc.org> (permalink) |
| References | <854199C1-8834-482D-9E9A-CF09A20C4BC9@gmail.com> |
| NNTP-Posting-Host | lists.isc.org |
| Mime-Version | 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\)) |
| Content-Type | text/plain; charset=utf-8 |
| Content-Transfer-Encoding | quoted-printable |
| X-Trace | usenet.stanford.edu 1590866877 6493 149.20.1.60 (30 May 2020 19:27:57 GMT) |
| X-Complaints-To | action@cs.stanford.edu |
| To | bind-users@lists.isc.org |
| Return-Path | <vom513@gmail.com> |
| X-Original-To | bind-users@lists.isc.org |
| Delivered-To | bind-users@lists.isc.org |
| DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:content-transfer-encoding:mime-version:subject:message-id:date :to; bh=P402JmR4Q38iHKMSCJ+cbHHsTcMSy72cxju7okKvHHo=; b=VE1yKdMjcIuvEPvdNUxqvc7PVqn8y/lMuWIdG1BZ9L+g2W8+kJ+VvEOnAyusH4bgqG 60GeeRG5fxEShnTRVpntOon7bZ+ugO3cLs/7AD93gVaPoXRMfvbYKr6F10FSGgX+/8no Q7S/6BegVfjToVClhTw5S7E9T13DjgwRxeht0Olqs3xRKba/hmFisJohWSyUlG9daIhP v2OQh3W+vJnH1FbEamML+UU71jzZbtIQZcIf48/9mtpXseuzQ6KJxTd0zE/BvLlV5rBF HlD6Yo2rq+PvtgrFW6A06SGTuO0ie/VUSHOXyftTkVUIQWvcpiiITrS3f11rF03Jh1SU JwAQ== |
| X-Google-DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:content-transfer-encoding:mime-version :subject:message-id:date:to; bh=P402JmR4Q38iHKMSCJ+cbHHsTcMSy72cxju7okKvHHo=; b=qi2vVZHUo9wrLa/9LlFVXSTdRHtUfwOcDTXp7n6oFmo+3NoQQpF8pz9jVOhWY9iSz0 xY0mis+5PJk54uZl02w7qMiPcJX/xGqIzoCcC2o3O+W+RkQywuyqwH/Ok1AJbqIP7qiG 7Ao8dq5hia4M6bzkhX2nx+q3ELbC6SpGtGHnudygq12sAReH5RP5UZ6DWtrt8A6eSncw 9unZZx5cZVBvBjOjhOxGX/wm0sCAI7Mf0p2YE4w5VwxBQGnh8CyTc5iZl+ujwxZZkxup I8pQfZ2iBqThDCrXFYLGXYYv3m6N5taX9H9FRPBl2tfzj3spm0CVJiK0QnXEbU1etk8s swAw== |
| X-Gm-Message-State | AOAM533FMdtZFt/1IhstNMvwLHfkSFBiDRsmxShSl41No5v2CV1+AtyF zzwBtQx4TElRt5/7gN5K7rRouDeYhN0= |
| X-Google-Smtp-Source | ABdhPJxRzZb87AMjVj7yWs81RJpYJY17fN31SxmtfHU/FrVVD+v6S5GOog7e+EBfIo/6fwtwUEKRsg== |
| X-Received | by 2002:ac8:306d:: with SMTP id g42mr14625460qte.18.1590866868241; Sat, 30 May 2020 12:27:48 -0700 (PDT) |
| X-Mailer | Apple Mail (2.3608.80.23.2.2) |
| X-Spam-Status | No, score=0.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=disabled version=3.4.2 |
| X-Spam-Checker-Version | SpamAssassin 3.4.2 (2018-09-13) on mx.pao1.isc.org |
| X-BeenThere | bind-users@lists.isc.org |
| X-Mailman-Version | 2.1.29 |
| Precedence | list |
| List-Id | BIND Users Mailing List <bind-users.lists.isc.org> |
| List-Unsubscribe | <https://lists.isc.org/mailman/options/bind-users>, <mailto:bind-users-request@lists.isc.org?subject=unsubscribe> |
| List-Archive | <https://lists.isc.org/pipermail/bind-users/> |
| List-Post | <mailto:bind-users@lists.isc.org> |
| List-Help | <mailto:bind-users-request@lists.isc.org?subject=help> |
| List-Subscribe | <https://lists.isc.org/mailman/listinfo/bind-users>, <mailto:bind-users-request@lists.isc.org?subject=subscribe> |
| X-Mailman-Original-Message-ID | <854199C1-8834-482D-9E9A-CF09A20C4BC9@gmail.com> |
| Xref | csiph.com comp.protocols.dns.bind:15795 |
Show key headers only | View raw
Hello all, I've searched the list - and there is a thread from 7 years ago that seems to match what I am seeing: https://lists.isc.org/pipermail/bind-users/2013-March/090003.html I am seeing this on a fresh Debian 10 install, using the Debian bind9 packages (specifically as of this moment I have: BIND 9.11.5-P4-5.1+deb10u1-Debian (Extended Support Version) <id:998753c>). I have stayed as close as possible to the vanilla shipped config. So to that point - DNSSEC validation works fine out of the box. I am getting this frequently: May 30 14:15:33 orbital named[10379]: validating in-addr.arpa/SOA: got insecure response; parent indicates it should be secure May 30 14:19:47 orbital named[10379]: validating in-addr.arpa/SOA: got insecure response; parent indicates it should be secure May 30 14:19:58 orbital named[10379]: validating in-addr.arpa/SOA: got insecure response; parent indicates it should be secure May 30 14:23:12 orbital named[10379]: validating in-addr.arpa/SOA: got insecure response; parent indicates it should be secure Absolutely maddening. This box is also my mail server, so it’s constantly doing reverse lookups, and hence frequently triggering this log... I have two other boxes (one Debian 9, one Ubuntu (16.04 ?)). Both also run bind 9.x - distro packages. Neither of those boxes give me the frequent errors for in-addr.arpa. I thought this was perhaps an MTU / frag (IPv6 ?) issue ? I can ping 1500 packets with DF from here to other places across the net. I also ran a tcpdump filtering for the IP/IPv6 addresses of the [a-f].in-addr-servers.arpa… either I missed something or I’m not seeing it. Nothing stands out to me there. No idea if this is red herring, or not, but I notice that b and c instances give back answers that are 200+ bytes larger than a,d,e,f: vom@orbital:~$ for i in a b c d e f; do echo -n "$i: "; dig -4 +norecurse +dnssec @$i.in-addr-servers.arpa in-addr.arpa soa | grep rcvd: ; done a: ;; MSG SIZE rcvd: 309 b: ;; MSG SIZE rcvd: 547 c: ;; MSG SIZE rcvd: 547 d: ;; MSG SIZE rcvd: 309 e: ;; MSG SIZE rcvd: 313 f: ;; MSG SIZE rcvd: 281 vom@orbital:~$ for i in a b c d e f; do echo -n "$i: "; dig -6 +norecurse +dnssec @$i.in-addr-servers.arpa in-addr.arpa soa | grep rcvd: ; done a: ;; MSG SIZE rcvd: 309 b: ;; MSG SIZE rcvd: 547 c: ;; MSG SIZE rcvd: 547 d: ;; MSG SIZE rcvd: 309 e: ;; MSG SIZE rcvd: 313 f: ;; MSG SIZE rcvd: 281 Does anyone know what could be causing this ? I feel like I’m missing a troubleshooting step. I would love some clue on some specific dig commands I could run to recreate/diagnose this. Thanks in advance - this is my “white whale” for this weekend...
Back to comp.protocols.dns.bind | Previous | Next | Find similar
Constant errors concerning in-addr.arpa SOA (insecure response) vom513 <vom513@gmail.com> - 2020-05-30 15:27 -0400
csiph-web