Insecure response BIND 9.7.0b2


David Forrest

Nov 19, 2009, 2:08:41 PM
to bind-...@lists.isc.org
Logged:
Nov 19 12:13:45 maplepark named[23329]: validating @0x17b7980:
dlv.isc.org SOA: got insecure response; parent indicates it should be
secure

What does this mean?

--
David Forrest
St. Louis, Missouri

Jeremy C. Reed

Nov 19, 2009, 2:29:16 PM
to David Forrest, bind-...@lists.isc.org
On Thu, 19 Nov 2009, David Forrest wrote:

> Logged: Nov 19 12:13:45 maplepark named[23329]: validating @0x17b7980:
> dlv.isc.org SOA: got insecure response; parent indicates it should be secure
>
> What does this mean?

This is documented in the ARM. The parent zone says (published DS) that
it should have been signed.

David Forrest

Nov 19, 2009, 2:40:24 PM
to bind-...@lists.isc.org

I mean is it something I can fix in my configs or is it a result of the
dlv.isc.org configuration? Can I alter my configuration to eliminate these messages?

Chris Thompson

Nov 19, 2009, 3:01:13 PM
to Jeremy C. Reed, bind-...@lists.isc.org
On Nov 19 2009, Jeremy C. Reed wrote:

>On Thu, 19 Nov 2009, David Forrest wrote:
>
>> Logged: Nov 19 12:13:45 maplepark named[23329]: validating @0x17b7980:
>> dlv.isc.org SOA: got insecure response; parent indicates it should be secure
>>
>> What does this mean?
>
>This is documented in the ARM. The parent zone says (published DS) that
>it should have been signed.

So what are you suggesting? That a dlv.isc.org server went ape and
returned an insecure response for (IN,SOA,dlv.isc.org)? Or that the
user is under attack with faked responses?

You did realise that this is one of *your* zones it is complaining about?

--
Chris Thompson
Email: ce...@cam.ac.uk

Evan Hunt

Nov 19, 2009, 4:51:01 PM
to Chris Thompson, bind-...@lists.isc.org
> So what are you suggesting? That a dlv.isc.org server went ape and
> returned an insecure response for (IN,SOA,dlv.isc.org)? Or that the
> user is under attack with faked responses?

I don't think anyone was suggesting anything, just explaining what the
message means. Which is that isc.org has a secure delegation (that is,
a DS record) for dlv.isc.org, but for some reason a query for
dlv.isc.org/SOA got a response with no signatures. Possibly
there's a misbehaving middlebox involved.

--
Evan Hunt -- ea...@isc.org
Internet Systems Consortium, Inc.

Mark Andrews

Nov 19, 2009, 5:27:35 PM
to David Forrest, bind-...@lists.isc.org

In message <alpine.LFD.2.01.0...@maplepark.com>, David Forrest writes:

> Logged:
> Nov 19 12:13:45 maplepark named[23329]: validating @0x17b7980:
> dlv.isc.org SOA: got insecure response; parent indicates it should be
> secure
>
> What does this mean?

It means named fell back to making a plain DNS query due to multiple
timeouts, or getting a SERVFAIL response to the EDNS queries, or
something stripped out the RRSIGs, or there was an attempt to poison
the cache. The validator then rejected the answer as it knew it
should be getting a secure response. In most cases named will re-do
the query and get a good answer unless there is a configuration failure.

Unfortunately there are nameservers that don't respond to EDNS
queries. There are also firewalls that block DNS/UDP responses
bigger than 512 bytes or block EDNS queries/responses 10 years after the
introduction of EDNS. There is also middleware that blocks/drops
DNS/UDP responses that are fragmented. All of these things result
in DNS lookups timing out, which is indistinguishable from plain
packet loss.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
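The two explanations above (Evan Hunt's: the parent publishes a DS, so an unsigned answer for dlv.isc.org is rejected; Mark Andrews': named falls back to a plain non-EDNS query after timeouts, and a plain query cannot return RRSIGs) can be put together in a small model. The following is an added example written for this thread, not BIND code: the `Parent`, `Response` and transport objects are constructed stand-ins, the 512-byte firewall and the two-timeout fallback are illustrative assumptions, and `unsigned.example` / `other.example` are made-up names. It shows why the same unsigned answer is classified three different ways depending on what the parent says, and how a size-blocking firewall turns a signed zone into exactly the log line this thread is about.

```python
"""Model of the validator decision behind BIND's log line
"got insecure response; parent indicates it should be secure".

Added example for this thread, not BIND's own code. Every data structure,
size and retry count below is a constructed illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional, Set, Tuple


@dataclass
class Response:
    qname: str
    rrtype: str
    has_rrsig: bool   # did the answer carry RRSIG records?
    edns: bool        # was it obtained with an EDNS(0) query (DO bit set)?


@dataclass
class Parent:
    """What the parent zone publishes at the delegation point (constructed)."""
    ds_for: Set[str] = field(default_factory=set)        # children with a DS
    proven_no_ds: Set[str] = field(default_factory=set)  # NSEC-proven no DS


def classify(parent: Parent, resp: Response) -> Tuple[str, str]:
    """Return (validation state, log text) for one answer.

    The decisive input is the parent's DS record: if one exists, an answer
    without RRSIGs is bogus, not merely insecure.
    """
    if resp.qname in parent.ds_for:
        if resp.has_rrsig:
            return ("secure",
                    f"{resp.qname} {resp.rrtype}: signed answer, verify against DS chain")
        return ("bogus",
                f"{resp.qname} {resp.rrtype}: got insecure response; "
                "parent indicates it should be secure")
    if resp.qname in parent.proven_no_ds:
        return ("insecure",
                f"{resp.qname} {resp.rrtype}: unsigned answer, provably insecure")
    return ("indeterminate",
            f"{resp.qname} {resp.rrtype}: no DS and no proof of its absence")


Transport = Callable[[str, str, bool], Optional[Response]]


def make_transport(signed_answer_size: int, firewall_limit: Optional[int]) -> Transport:
    """Constructed network path: the signed answer is signed_answer_size bytes;
    a firewall (if any) silently drops UDP replies larger than firewall_limit,
    which the resolver can only observe as a timeout."""
    def transport(qname: str, rrtype: str, edns: bool) -> Optional[Response]:
        if not edns:
            # Plain DNS: no DO bit, so the server omits RRSIGs and the reply
            # fits in 512 bytes; the firewall lets it through.
            return Response(qname, rrtype, has_rrsig=False, edns=False)
        if firewall_limit is not None and signed_answer_size > firewall_limit:
            return None  # dropped in transit -> timeout
        return Response(qname, rrtype, has_rrsig=True, edns=True)
    return transport


def query_with_fallback(transport: Transport, qname: str, rrtype: str,
                        max_timeouts: int = 2) -> Response:
    """Mimic the fallback described in the thread: after repeated timeouts of
    the EDNS query, retry as plain DNS (assumed count of two timeouts)."""
    for _ in range(max_timeouts):
        resp = transport(qname, rrtype, True)
        if resp is not None:
            return resp
    return transport(qname, rrtype, False)


def resolve_and_validate(parent: Parent, transport: Transport,
                         qname: str = "dlv.isc.org", rrtype: str = "SOA") -> Tuple[str, str]:
    return classify(parent, query_with_fallback(transport, qname, rrtype))


if __name__ == "__main__":
    isc = Parent(ds_for={"dlv.isc.org"}, proven_no_ds={"unsigned.example"})
    # Healthy path: the ~1500-byte signed answer arrives, validation proceeds.
    print(resolve_and_validate(isc, make_transport(1500, None)))
    # Firewall dropping replies > 512 bytes: EDNS queries time out, named falls
    # back to plain DNS, the unsigned answer is rejected as bogus.
    print(resolve_and_validate(isc, make_transport(1500, 512)))
```

The point the model makes is that the log message is a statement about the parent, not the child: named is not saying dlv.isc.org is unsigned, it is saying that isc.org's DS promises signatures that this particular answer did not carry, so the answer is discarded and the lookup retried rather than trusted.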

Stephane Bortzmeyer

Nov 20, 2009, 10:58:17 AM
to David Forrest, bind-...@lists.isc.org
On Fri, Nov 20, 2009 at 09:27:35AM +1100,
Mark Andrews <ma...@isc.org> wrote
a message of 34 lines which said:

> There are also firewalls that block DNS/UDP responses bigger 512
> bytes or block EDNS queries/responses 10 years after the
> introduction of EDNS. There are also middleware that blocks/drops
> DNS/UDP responses that are fragmented.

This tool may help:

http://www.nic.cz/dnssectests/

And this one, too:

https://www.dns-oarc.net/oarc/services/replysizetest

Taylor, Gord

Nov 20, 2009, 1:14:05 PM
to bind-...@lists.isc.org

The company I work for uses a vendor solution which implements BIND
under the hood, though it's abstracted with a GUI interface. Knowing
which bugs may exist in the current release of BIND would be nice to
know; for example, if it's a feature of BIND we use, we may want to know
about bugs before upgrading vendor product which makes use of that
particular version (or even just to quickly identify if the problem we
experience is a known issue). So, I've considered joining the BIND Forum
as an Individual, but I'm not a coder, so I don't know what level of
abstraction is provided by the bug reports, etc

Can anyone provide feedback or personal experience on whether they've
found membership worthwhile or not, and what aspects were beneficial (or
not as beneficial as you'd hoped)?

Thanks in advance for any responses...

Gord Taylor (CISSP, GCIH, GEEK) | Senior Network Analyst, Internet
Technologies | Royal Bank of Canada

Doug Barton

Nov 20, 2009, 4:14:30 PM
to Taylor, Gord, bind-...@lists.isc.org
Taylor, Gord wrote:
>
> The company I work for uses a vendor solution which implements BIND
> under the hood, though it's abstracted with a GUI interface. Knowing
> which bugs may exist in the current release of BIND would be nice to
> know; for example, if it's a feature of BIND we use, we may want to know
> about bugs before upgrading vendor product which makes use of that
> particular version (or even just to quickly identify if the problem we
> experience is a known issue). So, I've considered joining the BIND Forum
> as an Individual, but I'm not a coder, so I don't know what level of
> abstraction is provided by the bug reports, etc
>
> Can anyone provide feedback or personal experience on whether they've
> found membership worthwhile or not, and what aspects were beneficial (or
> not as beneficial as you'd hoped)?

Speaking as a vendor member of the BIND Forum (on behalf of the
FreeBSD project) we have found membership to be extremely beneficial.
My goals are similar to yours in the sense that I want to make sure
that upcoming releases of BIND will work in our systems. Additionally,
early advisories on vulnerabilities and upcoming release dates for
fixes have been very valuable in terms of advance planning, resource
allocation, etc. If you feel comfortable with the advisories posted to
the bind-announce list you should not have any problems dealing with
the advisories sent to Forum members.

I would highly recommend someone in your position becoming a member.


hope this helps,

Doug

--

Improve the effectiveness of your Internet presence with
a domain name makeover! http://SupersetSolutions.com/
