John Thurston <john.thurs...@alaska.gov> wrote:

> On a resolver running ISC BIND 9.16.36 with "dnssec-validation auto;" I am
> writing "category dnssec" to a log file at "severity info;" When I look in
> the resulting log file, I'm guessing that lines like this:
>
> validating com/SOA: got insecure response; parent indicates it should be secure
>
> Are an indication I have a problem I should investigate.

Maybe.

It could be that DNSSEC is simply defending you against attackers who are trying to race insecure answers to your queries in the belief that "nobody validates".

If it were systematic (every query, every query to some servers...) then you should suspect that there is an on-path attacker modifying the responses. That's unlikely in general, but it's why we have DNSSEC.

It could also be the result of corrupted packets that survive the UDP checksum, or which go through a middle box that "fixes" that. Some satellite systems do that. I imagine that Alaska might have at least one satellite link.

It doesn't sound like it's systematic, so I think they are off-path attackers, and it looks like it's queries on .com? Most likely, there is little you can do.
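The reply's test is whether the "got insecure response" lines are sporadic (off-path noise, nothing to do) or systematic (clustered on particular names or servers, worth investigating). The following script is an added example, not code from the thread or from ISC: it parses lines in the shape BIND writes to a file channel when print-time, print-category and print-severity are enabled (the timestamp/category prefix is an assumption about the log layout), counts the events per name and per hour, and flags names whose events cluster. The sample lines and the threshold of three per hour are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original thread). The prefix assumes a
# BIND file channel with print-time, print-category and print-severity on.
SAMPLE_LOG = """\
12-Jan-2023 10:00:01.123 dnssec: info: validating com/SOA: got insecure response; parent indicates it should be secure
12-Jan-2023 10:05:07.456 dnssec: info: validating example.com/A: got insecure response; parent indicates it should be secure
12-Jan-2023 10:06:09.789 dnssec: info: validating example.com/A: got insecure response; parent indicates it should be secure
12-Jan-2023 10:07:11.012 dnssec: info: validating example.com/A: got insecure response; parent indicates it should be secure
12-Jan-2023 10:08:13.345 dnssec: info: validating example.com/A: got insecure response; parent indicates it should be secure
12-Jan-2023 11:30:00.000 dnssec: info: validating com/SOA: got insecure response; parent indicates it should be secure
12-Jan-2023 11:31:00.000 dnssec: info: some other dnssec message that must be ignored
"""

# Matches only the message quoted in the thread; everything else is skipped.
LINE_RE = re.compile(
    r"^(?P<day>\d{2}-\w{3}-\d{4}) (?P<hour>\d{2}):\d{2}:\d{2}\.\d+ dnssec: \w+: "
    r"validating (?P<name>[^/\s]+)/(?P<rtype>\S+): got insecure response; "
    r"parent indicates it should be secure$"
)


def parse_events(text):
    """Return (hour_bucket, name, rtype) for each matching log line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((f"{m['day']} {m['hour']}h", m["name"], m["rtype"]))
    return events


def count_by_hour(events):
    """Map (hour_bucket, name) -> number of 'got insecure response' events."""
    counts = defaultdict(int)
    for bucket, name, _rtype in events:
        counts[(bucket, name)] += 1
    return dict(counts)


def flag_systematic(counts, threshold=3):
    """Names with at least `threshold` events in a single hour bucket.

    A few events spread across the day look like the off-path noise the
    reply describes; a burst concentrated on one name is the pattern that
    justifies looking at the path to that name's servers.
    """
    return sorted({name for (_bucket, name), n in counts.items() if n >= threshold})


if __name__ == "__main__":
    counts = count_by_hour(parse_events(SAMPLE_LOG))
    for (bucket, name), n in sorted(counts.items()):
        print(f"{bucket}  {name:<15} {n}")
    print("clustered:", flag_systematic(counts))
```

On a real log, feed the file contents to parse_events and adjust the threshold to the resolver's query volume; a name that shows up only once or twice a day matches the "little you can do" case in the reply, while a sustained per-hour count on one name is the systematic pattern it says to treat differently.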
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users