On 03/01/2013 09:19 AM, Robert Moskowitz wrote:
> On 03/01/2013 08:57 AM, Tony Finch wrote:
>> Robert Moskowitz <r...@htt-consult.com> wrote:
>>> I got tipped off about this from a logwatch report. On my public DNS
>>> server I had the following:
>>>
>>> Feb 26 04:02:04 onlo named[19336]: validating @0xb2929ee0: in-addr.arpa SOA: got insecure response; parent indicates it should be secure
>>
>> Looks like something in your setup is dropping RRSIGs, and this is
>> probably responsible for both your private htt. TLD validation problems
>> and these in-addr.arpa validation problems. Do all your servers have
>> "dnssec-enable yes"? Do you have any non-BIND servers or middleboxes?
>
> All my boxes are Centos 6.3 running RHEL bind 9.8.2. I have 3. onlo
> is public facing and my main server. rigel is my internal test box.
> klovia is my new mail server running as a cache server, currently
> forwarding to rigel, but will be switched to onlo when I swap it for
> the current klovia. onlo and rigel are completely independent and on
> different subnets. I mention the names as they are all findable via
> DNS; nothing private about that (though I am blocking chaos digs on
> all of them).
>
> All in the global options have the lines:
>
> dnssec-enable yes;
> dnssec-lookaside auto;
>
> Onlo and rigel have:
>
> dnssec-validation auto;
>
> and klovia has:
>
> dnssec-validation yes;
>
> hmmm. I THOUGHT I had set onlo to also be 'dnssec-validation yes'.
> Probably did that in an earlier test version and when I did the final
> build, I forgot to change that line (auto is the RHEL default
> setting). And rigel started life as a clone of onlo.
>
> So I will change dnssec-validation to yes, and see what happens.

No change in any behaviour wrt RRSIGs from changing this to yes. Stopping
iptables and ip6tables also made no change. rigel and klovia are on the same
subnet, so no firewall (Juniper ssg5) interfering.

Anything else I should look for?

Oh, no non-bind servers knowingly in the way. I pay my ISP for a
clear IP connection and 64 IPv4 addresses and a /48 IPv6 allocation.
My firewall is a Juniper SSG5 'branch' firewall with current firmware
(there was an IPv6 bug in earlier releases that caused outbound
routing problems) that is just passing port 53; no proxying enabled.
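Tony's point above is that RRSIGs are going missing somewhere on the path; the quickest way to localise that is to ask each of the three servers (onlo, rigel, klovia) the same question with the DO bit set and compare whether the RRSIG comes back and whether the AD flag is set. The script below is an added example, not code from this thread or from BIND: it classifies the text output of `dig +dnssec` into "validated", "signed but not validated" (dnssec-validation or trust-anchor problem) and "RRSIG stripped" (the case Tony describes); the `check_server` helper assumes a `dig` binary and network access, and the sample outputs in `sample()` are constructed, not real captures.

```python
# Added example: classify a `dig +dnssec` answer; sample outputs are constructed.
import re
import subprocess

def analyze_dig_output(text, qtype="SOA"):
    """Summarise the text of one `dig +dnssec <name> <qtype>` response."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r";; flags: ([a-z ]*);", text)
    in_answer = have_rdata = have_rrsig = False
    for line in text.splitlines():
        if line.startswith(";;"):  # section headers; only ANSWER interests us
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        f = line.split()  # owner ttl class type rdata...
        if in_answer and len(f) >= 5:
            if f[3] == "RRSIG" and f[4] == qtype:
                have_rrsig = True  # a signature covering the queried type
            elif f[3] == qtype:
                have_rdata = True
    return {"status": status.group(1) if status else "UNKNOWN",
            "answer": have_rdata, "rrsig": have_rrsig,
            "ad": "ad" in (flags.group(1).split() if flags else [])}

def diagnose(r):
    """Map the summary onto the failure modes discussed in the thread."""
    if r["status"] != "NOERROR" or not r["answer"]:
        return "no usable answer (status %s)" % r["status"]
    if not r["rrsig"]:
        return "RRSIG missing: something on the path strips signatures"
    if not r["ad"]:
        return "signed but not validated: check dnssec-validation and trust anchors"
    return "validated"

def check_server(server, name="in-addr.arpa", qtype="SOA"):
    """Query one resolver for real (assumes the dig binary and network access)."""
    out = subprocess.run(["dig", "@" + server, name, qtype, "+dnssec"],
                         capture_output=True, text=True, check=True).stdout
    return diagnose(analyze_dig_output(out, qtype))

def sample(with_rrsig, with_ad):
    """Constructed dig-style output for offline testing, not a real capture."""
    text = [";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1",
            ";; flags: qr rd ra%s; QUERY: 1" % (" ad" if with_ad else ""),
            ";; ANSWER SECTION:",
            "in-addr.arpa.\t3600\tIN\tSOA\tns.example. root.example. 1 1800 900 604800 3600"]
    if with_rrsig:
        text.append("in-addr.arpa.\t3600\tIN\tRRSIG\tSOA 8 2 3600 20130310000000 "
                    "20130224000000 1 in-addr.arpa. c29tZXNpZw==")
    return "\n".join(text + [";; Query time: 1 msec"])
```

Run `check_server` once per resolver and once against an authoritative server for the zone; the first hop whose verdict changes from "validated" (or "signed but not validated") to "RRSIG missing" is where the signatures are being dropped.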
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users