tech-net archive
Re: DNSSEC problems
On Sat, 22 Jan 2011, Matthias Scheler wrote:
> Jan 22 09:32:42 colwyn named[9658]: validating @0x7f7ff6be2000:
> dlv.isc.org SOA: got insecure response; parent indicates it should be
> secure
For some reason, a query for dlv.isc.org's SOA got a response that was
not signed. Some misconfigured firewalls block DNS on UDP responses over
512 bytes. Some broken firewalls block EDNS. Some nameservers don't
respond to EDNS. Some devices may block or drop fragmented responses.
Some of these may cause timing problems. After multiple timeouts, it may
use a non-DNSSEC query. Or maybe there was a SERVFAIL from an EDNS query
(due to broken name server) or maybe something in the middle removed the
RRSIG records. Or maybe it was a real attempt at poisoning or the zone
really was temporarily broken (but probably not). (Disclosure: I worked
for the owner of that zone.)
> Any idea what is going wrong here? 2001:8b0::2021 is one of the recursive
> resolvers provided by my ISP.
Maybe test it with
dig @2001:8b0::2021 +short rs.dns-oarc.net txt
See https://www.dns-oarc.net/oarc/services/replysizetest
For example, one of my ISP's resolvers results in:
"68.238.96.37 DNS reply size limit is at least 490"
"68.238.96.37 lacks EDNS, defaults to 512"
(I do not use them!)
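As an added illustration (not part of the original message), a short Python script that parses the rs.dns-oarc.net reply-size TXT strings quoted above and classifies the resolver; the 1220-byte threshold, the verdict labels and the helper names are this example's own assumptions:

```python
import re
import subprocess
from dataclasses import dataclass

# Assumed threshold: RFC 4035 requires DNSSEC-aware servers to handle at least 1220 bytes.
MIN_DNSSEC_BUFSIZE = 1220

# Sample output copied from the message above (two TXT strings for one resolver).
SAMPLE = [
    '"68.238.96.37 DNS reply size limit is at least 490"',
    '"68.238.96.37 lacks EDNS, defaults to 512"',
]

@dataclass
class ReplySize:
    source: str        # address the test server saw the query come from
    edns: bool = True  # False once a "lacks EDNS" line is seen
    limit: int = 0     # largest reply size the test confirmed

def parse_oarc_txt(lines):
    """Fold the reply-size test TXT strings into one ReplySize (None if absent)."""
    result = None
    for raw in lines:
        line = raw.strip().strip('"')
        m = re.match(r"(\S+) DNS reply size limit is at least (\d+)", line)
        if m:
            result = result or ReplySize(m.group(1))
            result.limit = max(result.limit, int(m.group(2)))
            continue
        m = re.match(r"(\S+) lacks EDNS, defaults to (\d+)", line)
        if m:
            result = result or ReplySize(m.group(1))
            result.edns = False
            result.limit = result.limit or int(m.group(2))
    return result

def dnssec_verdict(r):
    """Classify a result as no-result, no-edns, reply-size-limited or ok."""
    if r is None:
        return "no-result"
    if not r.edns:
        return "no-edns"  # no OPT record means no DO bit, so RRSIGs are never requested
    if r.limit < MIN_DNSSEC_BUFSIZE:
        return "reply-size-limited"  # signed answers may be truncated or dropped
    return "ok"

def check_resolver(resolver):
    # Live check (needs network): run the dig test from the message against one resolver.
    cmd = ["dig", "@" + resolver, "+short", "rs.dns-oarc.net", "txt"]
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=30).stdout
    return dnssec_verdict(parse_oarc_txt(out.splitlines()))
```

Run `check_resolver("2001:8b0::2021")` to classify the resolver from the question; the sample lines above yield "no-edns".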