In message <prayer.1.3.1.0906111834360.6...@hermes-2.csi.cam.ac.uk>, Chris Thompson writes:
> We have recently turned on DNSSEC validation (using dlv.isc.org) in our
> main university-wide recursive nameservers, which are running BIND 9.6.1rc1.
>
> No-one is actually complaining, but the counts I am seeing for "ValFail"
> on the statistics channel are quite a bit higher than we were seeing
> during testing, running at 0.2% - 0.4% of "ValAttempt" (but the counter
> increases in bursts), and I would be happier knowing what they were
> coming from.
>
> The advice usually given is to log category "dnssec" at debug level 3,
> but this produces far too much data. Reducing it to debug level 2, on the
> other hand, gives almost nothing. I do see a trickle of info-level
> messages:
>
> 11-Jun-2009 18:12:32.375 info: validating @15abde10: 17.62.212.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:12:32.376 info: validating @15abde10: 17.62.212.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:12:42.258 info: validating @f3e9cb8: 99.188.91.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:12:42.259 info: validating @f3e9cb8: 99.188.91.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:15:08.235 info: validating @15bed590: 97.102.91.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:15:08.236 info: validating @15bed590: 97.102.91.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:15:08.592 info: validating @15bed590: 97.102.91.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:15:08.593 info: validating @15bed590: 97.102.91.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:19:32.048 info: validating @8af4a40: 99.96.79.IN-ADDR.ARPA NSEC: no valid signature found
> 11-Jun-2009 18:19:32.049 info: validating @8af4a40: 99.96.79.IN-ADDR.ARPA NSEC: no valid signature found
>
> but it's not even obvious what the original query was in these cases.
> (If I could find that out I could try the same query on a quieter
> nameserver with more logging turned on.) There are no messages
> generated at this level when I force a validation failure to occur
> ("dig soa advocaat.pro" remains my favourite).
>
> Any suggestions?
>
> --
> Chris Thompson
> Email: c...@cam.ac.uk
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
Do you have RIPE's trusted-keys configured into named.conf and are they up to date?

http://www.ripe.net/projects/disi/keys/
https://www.ripe.net/projects/disi/keys/ripe-ncc-dnssec-keys-new.txt

Note named won't go to dlv if the answer is within an island of security
identified by a trusted-key in named.conf.

The data currently being returned looks good to me. This is a referral to an
insecure zone.

17.62.212.IN-ADDR.ARPA. 172800 IN NS ans2.cw.net.
17.62.212.IN-ADDR.ARPA. 172800 IN NS ans1.cw.net.
17.62.212.IN-ADDR.ARPA. 7200 IN NSEC 170.62.212.in-addr.arpa. NS RRSIG NSEC
17.62.212.IN-ADDR.ARPA. 7200 IN RRSIG NSEC 5 5 7200 20090711232326 20090611232326 34470 212.in-addr.arpa. pY89tH87GQjFm4YRAHCx8wY0R14fjN0Qb+wwGCDbJjAC1zezYUT+ltZN J/5akqXTY7vQ/h7u/t8gz7qf1Q1mSE0xngF/3amoZaNHpPNT9BGOeF89 kC4ucFI2e/MnU9lvmEJHVT5Ma0eJ4LRgFlGaeUmSMaPjRBxpOJpNGP/x O/jxf84LTsANHVBew8a7BI9tmg0ozppN
;; Received 338 bytes from 2001:660:3006:1::1:1#53(NS3.NIC.FR) in 548 ms

% date -u +%Y%m%d%H%M%S
20090612011526
%

Validation interval ok.  20090711232326 > 20090612011526 > 20090611232326

No DS in list of types that exist at 17.62.212.IN-ADDR.ARPA.

Signed with key 34470.

; <<>> DiG 9.3.6-P1 <<>> +dnssec +multi dnskey 212.IN-ADDR.ARPA
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4082
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;212.IN-ADDR.ARPA.              IN      DNSKEY

;; ANSWER SECTION:
212.IN-ADDR.ARPA.       2663    IN      DNSKEY  256 3 5 (
                                AwEAAbW5cAVaimsuasYP4uwC/Id+/MJce+q+9FwBz4iO
                                bkPa5YNFz7qeV+y8BjKI/7nQ/4fh/Xd7tp+5eYT47GEx
                                ALl4GBGKoW22k/IpD1nqNuGs4BYvuG/kTfhtTEWyfMbB
                                20M17W0vPbHmhLDbdGO0qg1HPQZ0gXYFCofu9OX86OGL
                                V+YFEJ+NeWiNHg91xq1svv0sehJp7w==
                                ) ; key id = 34470
212.IN-ADDR.ARPA.       2663    IN      DNSKEY  256 3 5 (
                                AwEAAd2guc91r8v8RRtTcKLIGWPbLNi9HuAmcxNwW+7N
                                4KCPxci7GPqgqD/m88qbBDYdm1XMLHSV+lZ+DbifbFpw
                                cIu1+vt4dEGB7O9bCuZwQG89HN7IpTRhZQXH3P8O5eCt
                                7UJEOm4BWfRD4DKYyuOHGpdWTqyzY0TKGWECXW00X1rQ
                                t4MZmBl8Z4r8kLN+X4jWXoQzpygfXw==
                                ) ; key id = 12075
212.IN-ADDR.ARPA.       2663    IN      DNSKEY  257 3 5 (
                                AwEAAb133Y0UxrLtgmsR2LEkSpiiU6JKenlDmp42a6PY
                                uic4wxWFhQrfnzZVRcmoBTJZfdOD4pUe+eMsUOHIrheK
                                mhc7D7cmDS+ftZZThBd9GawpgiqCRRJYceECPKK8AcCn
                                qz3Cryei/+dGpjXyBXiCVZ8Xfn57AOIN6KfG+jdw+uow
                                o5qP0XtMI/UU9k4j7Cair7zaieMkvWb4Vo8gPLZ/PGUj
                                kGCUO9eXD5jauYapg4AoRZUalnTdp1MRN5rIaHhyRPsm
                                KjdfgvLCfep/2fYVOX75t89MnHNC4c8z+gpfgG8OI/1m
                                llP2h5KiwCN56fHqiqbF2DW/1baKEzDdM8N002E=
                                ) ; key id = 27859
212.IN-ADDR.ARPA.       2663    IN      DNSKEY  257 3 5 (
                                AwEAAb/ksCZYQWD+Ur6dw5KPoDR1B0FZchfVrLzExIsn
                                DdIG9pcyhhJ6UE6FkxCKM4NQSYeG+VSGU5i4t1e1wvic
                                M/f5/eAccFoff/Ou608Fp9sOXN0BpW6aDTH2oUIfgaLm
                                reuUVHqJt6AiPZ/BJKProI5fwEDVHsqXI8Vp6hwg6r6G
                                pQrE6xobebHzoyB743H/tUIdfKhDDx1NtIERV4uFDntZ
                                PsHXYoPduGnHhZnKT+ruZu0GcF/vOpK4lXNSRU2gLCuC
                                tLqT02vM9N1+ZuARTMyB9jaGcWON/5tbg5x5F9p+q3yE
                                2U8e0acrQCauo2KCOMPS33GbII9IRk7b9/FSuAc=
                                ) ; key id = 31951
212.IN-ADDR.ARPA.       2663    IN      RRSIG   DNSKEY 5 3 3600 20090711222509 (
                                20090611222509 27859 212.in-addr.arpa.
                                CjlFcIUTcavj15cB5bw2MpONTJq9RAKFhVB+ayk9yWWg
                                z/9n43BmFTXdFgM04oW4wHxqhLK7hn1Naem/rZEfrHaC
                                WWdHoO4IQfInCs2gf+ux+3XrWeG9KBAGRsFk/GhEf0Qk
                                37RNdQUIU5nUFFdk/3f9+Cq9oITWNDLUMi59t9JkUbCD
                                ynZ0DXgZMRd+cKjIoGGwPuyPRqs518YEpgcvdBhTb587
                                126JnPPjPUgi4CW+dqyBku70k6w1SG0aIoUVx4WAmgiR
                                gg8aFh0LtLSLwQBh3Qs2lHsv4uXpvypf+14bnVq6Cxx/
                                OlYYjHuE+Yw79smkQf4nhKZ526tX/IASuQ== )
212.in-addr.arpa.       2663    IN      RRSIG   DNSKEY 5 3 3600 20090711222509 (
                                20090611222509 31951 212.in-addr.arpa.
                                cvH37/vl3zFKIxsXt4iS7g36mD5NLC6d9Dv9Hy4AepIX
                                g0jPIxLR0G4CbImKYvWwikPg8z5snS39aP1pgcXECQyL
                                4WSt/4UfaSB8VNfxNzT8gUmLXYnCgnnI8WilUcz0JJ/t
                                QdcRqqFkr3rE8Mf/txVHEJKsBKGv+IsvGJk3wR13ZgyW
                                jOvvFKu8MMCrhcWrgqMo6NpEssm03opstYD4q5TvWhtr
                                ODROWcwniuIiUbFHGSC3tu1vdH1oY7jzE4b459AqGnjX
                                5w3NOK7o87SdrDMxGMTgab0tOnwq71bPT0qPtjhh9q6t
                                sawULxmzC6q9J0rLG0j+tZAVN5ehfuHyDw== )
212.in-addr.arpa.       2663    IN      RRSIG   DNSKEY 5 3 3600 20090711222509 (
                                20090611222509 34470 212.in-addr.arpa.
                                ctxaYQOTaG7/6QrGBiu3g74zzrRSXr6JHMxmLOO3qQg1
                                c5tBmMvuB3I9lOyKVBFMdxSay7z7BRhpEnomPhyhUJcw
                                Ql8sN41ec8WGiqhbNEdP0EAo01LwPiNnO7jYk8/QiaFO
                                cX4GqjlyP0Iz6RqYZb+250cx4sdTFll3K6ciXlGik71D
                                Os6zoYnIG/TWkZ+yWtUW2Jkz )

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 12 11:18:32 2009
;; MSG SIZE  rcvd: 1743

Key 34470 exists and is a ZSK (no KSK flag).

; <<>> DiG 9.3.6-P1 <<>> dlv 212.in-addr.arpa.dlv.isc.org +noadd +noauth
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6757
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 3, ADDITIONAL: 4

;; QUESTION SECTION:
;212.in-addr.arpa.dlv.isc.org.  IN      DLV

;; ANSWER SECTION:
212.in-addr.arpa.dlv.isc.org. 321 IN DLV 31951 5 1 EAB2F3C835686644F8E4DF510171833BDC9CF751
212.in-addr.arpa.dlv.isc.org. 321 IN DLV 31951 5 2 BFE9D8548DC61BDB6F31F04BB16E57C6891F79005649DC4D132438E9 84D72FBA
212.in-addr.arpa.dlv.isc.org. 321 IN DLV 27859 5 1 F34BA83800EF2DD8ABBBC245DE0C76B4A3F70045
212.in-addr.arpa.dlv.isc.org. 321 IN DLV 27859 5 2 095D78A18FA3675476F4E782E0FA32A54400F4DCD05B3F8639298345 158B79D0

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 12 11:20:24 2009
;; MSG SIZE  rcvd: 364

The KSKs have ids 31951 and 27859. Both of these exist in the RRset and self
sign the DNSKEY RRset.

From ripe-ncc-dnssec-keys-new.txt we also see matching keys.

"212.in-addr.arpa." 257 3 5 "AwEAAb133Y0UxrLtgmsR2LEkSpiiU6JKenlD
                              mp42a6PYuic4wxWFhQrfnzZVRcmoBTJZfdOD
                              4pUe+eMsUOHIrheKmhc7D7cmDS+ftZZThBd9
                              GawpgiqCRRJYceECPKK8AcCnqz3Cryei/+dG
                              pjXyBXiCVZ8Xfn57AOIN6KfG+jdw+uowo5qP
                              0XtMI/UU9k4j7Cair7zaieMkvWb4Vo8gPLZ/
                              PGUjkGCUO9eXD5jauYapg4AoRZUalnTdp1MR
                              N5rIaHhyRPsmKjdfgvLCfep/2fYVOX75t89M
                              nHNC4c8z+gpfgG8OI/1mllP2h5KiwCN56fHq
                              iqbF2DW/1baKEzDdM8N002E="; // Key ID= 27859 (to be deprecated!)

"212.in-addr.arpa." 257 3 5 "AwEAAb/ksCZYQWD+Ur6dw5KPoDR1B0FZchfV
                              rLzExIsnDdIG9pcyhhJ6UE6FkxCKM4NQSYeG
                              +VSGU5i4t1e1wvicM/f5/eAccFoff/Ou608F
                              p9sOXN0BpW6aDTH2oUIfgaLmreuUVHqJt6Ai
                              PZ/BJKProI5fwEDVHsqXI8Vp6hwg6r6GpQrE
                              6xobebHzoyB743H/tUIdfKhDDx1NtIERV4uF
                              DntZPsHXYoPduGnHhZnKT+ruZu0GcF/vOpK4
                              lXNSRU2gLCuCtLqT02vM9N1+ZuARTMyB9jaG
                              cWON/5tbg5x5F9p+q3yE2U8e0acrQCauo2KC
                              OMPS33GbII9IRk7b9/FSuAc="; // Key ID= 31951

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
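The checks Mark performs by eye above (does the signing key tag exist in the DNSKEY RRset, is it a ZSK or KSK, do the DLV digests really correspond to the KSKs, is the RRSIG inside its validity window, does the NSEC type bitmap lack DS) can be repeated offline with nothing but the Python standard library. The script below is an added example, not part of Mark's message or of any ISC or RIPE tool. Every DNSKEY, RRSIG timestamp and DLV digest in it is copied from the dig output quoted in this message; the function names (key_tag, ds_digest, dlv_matches, and so on) are this example's own, and the dict is keyed by the key id dig printed purely to label the output.

```python
# Added example: re-run the DNSSEC sanity checks from the thread offline.
# Record data is copied from the dig output quoted above; nothing is fetched.
import base64
import hashlib
import struct
from datetime import datetime

ZONE = "212.in-addr.arpa."

# DNSKEY RRset for 212.in-addr.arpa. as printed by "dig +dnssec +multi dnskey".
# Value: (flags, protocol, algorithm, base64 public key). The dict key is the
# key id dig printed in its "; key id =" comment and is used only for labels.
DNSKEYS = {
    34470: (256, 3, 5,
            "AwEAAbW5cAVaimsuasYP4uwC/Id+/MJce+q+9FwBz4iO"
            "bkPa5YNFz7qeV+y8BjKI/7nQ/4fh/Xd7tp+5eYT47GEx"
            "ALl4GBGKoW22k/IpD1nqNuGs4BYvuG/kTfhtTEWyfMbB"
            "20M17W0vPbHmhLDbdGO0qg1HPQZ0gXYFCofu9OX86OGL"
            "V+YFEJ+NeWiNHg91xq1svv0sehJp7w=="),
    12075: (256, 3, 5,
            "AwEAAd2guc91r8v8RRtTcKLIGWPbLNi9HuAmcxNwW+7N"
            "4KCPxci7GPqgqD/m88qbBDYdm1XMLHSV+lZ+DbifbFpw"
            "cIu1+vt4dEGB7O9bCuZwQG89HN7IpTRhZQXH3P8O5eCt"
            "7UJEOm4BWfRD4DKYyuOHGpdWTqyzY0TKGWECXW00X1rQ"
            "t4MZmBl8Z4r8kLN+X4jWXoQzpygfXw=="),
    27859: (257, 3, 5,
            "AwEAAb133Y0UxrLtgmsR2LEkSpiiU6JKenlDmp42a6PY"
            "uic4wxWFhQrfnzZVRcmoBTJZfdOD4pUe+eMsUOHIrheK"
            "mhc7D7cmDS+ftZZThBd9GawpgiqCRRJYceECPKK8AcCn"
            "qz3Cryei/+dGpjXyBXiCVZ8Xfn57AOIN6KfG+jdw+uow"
            "o5qP0XtMI/UU9k4j7Cair7zaieMkvWb4Vo8gPLZ/PGUj"
            "kGCUO9eXD5jauYapg4AoRZUalnTdp1MRN5rIaHhyRPsm"
            "KjdfgvLCfep/2fYVOX75t89MnHNC4c8z+gpfgG8OI/1m"
            "llP2h5KiwCN56fHqiqbF2DW/1baKEzDdM8N002E="),
    31951: (257, 3, 5,
            "AwEAAb/ksCZYQWD+Ur6dw5KPoDR1B0FZchfVrLzExIsn"
            "DdIG9pcyhhJ6UE6FkxCKM4NQSYeG+VSGU5i4t1e1wvic"
            "M/f5/eAccFoff/Ou608Fp9sOXN0BpW6aDTH2oUIfgaLm"
            "reuUVHqJt6AiPZ/BJKProI5fwEDVHsqXI8Vp6hwg6r6G"
            "pQrE6xobebHzoyB743H/tUIdfKhDDx1NtIERV4uFDntZ"
            "PsHXYoPduGnHhZnKT+ruZu0GcF/vOpK4lXNSRU2gLCuC"
            "tLqT02vM9N1+ZuARTMyB9jaGcWON/5tbg5x5F9p+q3yE"
            "2U8e0acrQCauo2KCOMPS33GbII9IRk7b9/FSuAc="),
}

# DLV RRset for 212.in-addr.arpa.dlv.isc.org. from the thread:
# (key tag, algorithm, digest type, hex digest). DLV RDATA has the DS layout.
DLV_RECORDS = [
    (31951, 5, 1, "EAB2F3C835686644F8E4DF510171833BDC9CF751"),
    (31951, 5, 2, "BFE9D8548DC61BDB6F31F04BB16E57C6891F79005649DC4D132438E984D72FBA"),
    (27859, 5, 1, "F34BA83800EF2DD8ABBBC245DE0C76B4A3F70045"),
    (27859, 5, 2, "095D78A18FA3675476F4E782E0FA32A54400F4DCD05B3F8639298345158B79D0"),
]


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(flags, protocol, algorithm, key_b64):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, protocol, algorithm, key_b64)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_role(flags):
    """256 = zone key only (ZSK); 257 also sets the SEP bit, the usual KSK marking."""
    if not flags & 0x0100:
        return "not a zone key"
    return "KSK" if flags & 0x0001 else "ZSK"


def wire_name(name):
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest(owner, flags, protocol, algorithm, key_b64, digest_type):
    """DS/DLV digest (RFC 4034 section 5.1.4): hash(owner name | DNSKEY RDATA)."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    data = wire_name(owner) + dnskey_rdata(flags, protocol, algorithm, key_b64)
    return h(data).hexdigest().upper()


def dlv_matches():
    """For each DLV record: (key tag, digest type, True if it matches a DNSKEY)."""
    by_tag = {key_tag(*k): k for k in DNSKEYS.values()}
    results = []
    for tag, alg, dtype, digest in DLV_RECORDS:
        key = by_tag.get(tag)
        ok = key is not None and key[2] == alg and ds_digest(ZONE, *key, dtype) == digest
        results.append((tag, dtype, ok))
    return results


def rrsig_validity(expiration, inception, now):
    """True when inception <= now <= expiration (RRSIG YYYYMMDDHHMMSS, UTC)."""
    fmt = "%Y%m%d%H%M%S"
    exp, inc, cur = (datetime.strptime(t, fmt) for t in (expiration, inception, now))
    return inc <= cur <= exp


def delegation_is_insecure(nsec_types):
    """An NSEC at a delegation whose type bitmap has NS but no DS proves an unsigned child."""
    types = set(nsec_types.split())
    return "NS" in types and "DS" not in types


if __name__ == "__main__":
    for kid, key in DNSKEYS.items():
        print(f"key id {kid}: computed tag {key_tag(*key)}, {key_role(key[0])}")
    for tag, dtype, ok in dlv_matches():
        print(f"DLV {tag} digest type {dtype}: {'matches DNSKEY' if ok else 'NO MATCH'}")
    print("NSEC RRSIG valid at 20090612011526:",
          rrsig_validity("20090711232326", "20090611232326", "20090612011526"))
    print("17.62.212.in-addr.arpa delegation insecure:",
          delegation_is_insecure("NS RRSIG NSEC"))
```

The same key_tag() and ds_digest() calls can be pointed at the entries of ripe-ncc-dnssec-keys-new.txt (whitespace stripped from the quoted key) to confirm a trusted-keys clause in named.conf still names a key that is actually in the zone's DNSKEY RRset; a stale trusted key, whose tag and digest no longer match anything published, is exactly the condition that turns an otherwise good island of security into validation failures.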