From: vom513
Newsgroups: comp.protocols.dns.bind
Subject: Re: Constant errors concerning in-addr.arpa SOA (insecure response)
Date: Sat, 30 May 2020 23:58:12 -0400
To: bind-users@lists.isc.org

Sorry to self reply - I *think* I figured this out. Looks like the messages I was seeing (at least to my eyes) make this seem like a true failure in the chain of recursion/validation. Looks like it’s more benign - misconfigured auth servers for various in-addr.arpa zones handing out information erroneously (i.e. NOT what they were asked / have been delegated).

I was able to do this on one of my “clean” servers that I hadn’t observed the log messages on:

    while true; do nmap -n -iR 10 -sL | grep "^Nmap scan" | awk '{print $5}' | while read ip; do dig -x $ip; done; sleep 5; done

I’m just using nmap to generate 10 random IPs, I’m not “scanning” anything…

That command managed to trigger the log message on my “clean” machine. I think part of the issue is my mail server is simply much busier looking up rDNS as it gets SMTP connections, and is therefore more likely to trigger this log.

I don’t mean to pick on this network, but the following record/query seems to trigger this every time:

    dig -x 106.62.177.136

And to see what caused it:

    dig +trace -x 106.62.177.136

Notice the “IN-ADDR.ARPA” they give out (helpfully in all CAPS :)).

Sorry for the noise with this thread. If anyone has a more in-depth explanation of bind’s behavior in this scenario I’d love to hear it because I don’t feel like I 100% understand it...
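
One way to spot the misconfiguration described in the message above from saved dig output, as an added example that is not part of the original post and is not BIND's own logic. It flags an authority-section SOA whose owner lies outside the zone the answering server was delegated. The zone names, the 192.0.2.x address and the dig output are constructed, and the function names are hypothetical.

```python
# Added example; the dig output below is constructed, not captured from a real server.
BAD = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; QUESTION SECTION:
;10.2.0.192.in-addr.arpa.   IN  PTR

;; AUTHORITY SECTION:
IN-ADDR.ARPA.  3600  IN  SOA  ns1.example.net. hostmaster.example.net. 1 3600 600 86400 3600
"""
# Same response, but with the SOA of the zone that was actually delegated.
GOOD = BAD.replace("IN-ADDR.ARPA.", "2.0.192.in-addr.arpa.")


def labels(name):
    """Lower-cased label list; DNS names compare case-insensitively."""
    return [part for part in name.lower().rstrip(".").split(".") if part]


def is_at_or_below(name, zone):
    """True when `name` equals `zone` or is a descendant of it."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def parse_section(dig_text, section="AUTHORITY"):
    """Return (owner, rtype) pairs from one section of dig's default output."""
    records, inside = [], False
    for line in dig_text.splitlines():
        if line.startswith(";; "):            # section banner or header line
            inside = line.startswith(f";; {section} SECTION")
            continue
        fields = line.split()                 # owner TTL class type rdata...
        if inside and len(fields) >= 5 and not line.startswith(";"):
            records.append((fields[0], fields[3]))
    return records


def misplaced_soa(dig_text, delegated_zone, qname):
    """SOA owners that are not inside the delegated zone or do not contain qname."""
    bad = []
    for owner, rtype in parse_section(dig_text):
        if rtype != "SOA":
            continue
        in_delegation = is_at_or_below(owner, delegated_zone)
        covers_qname = is_at_or_below(qname, owner)
        if not (in_delegation and covers_qname):
            bad.append(owner)
    return bad


if __name__ == "__main__":
    zone, qname = "2.0.192.in-addr.arpa.", "10.2.0.192.in-addr.arpa."
    print("bad response :", misplaced_soa(BAD, zone, qname))
    print("good response:", misplaced_soa(GOOD, zone, qname))
```

To use it on real data, pass the text of the final response from a saved `dig +trace -x` run together with the zone name taken from the last referral in that trace.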