There is no DS record for ise.gov so there is no chain of trust and the answer is treated as insecure. Note "ad" is *not* set in flags of your query.
; <<>> DiG 9.11.0pre-alpha <<>> ds ise.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45170
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ise.gov. IN DS

;; AUTHORITY SECTION:
gov. 3463 IN SOA a.usadotgov.net. nstld.verisign-grs.com. 1400670001 3600 900 1814400 3600

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 22 00:21:37 EST 2014
;; MSG SIZE rcvd: 109

Mark

In message <ec464560-51ac-4329-b946-d0f31309c...@surevine.com>, Simon Waters writes:
> Dear Bind Users,
>
> BIND 9 logs report: RRSIG has expired for "www.ise.gov"
> And "no valid signature found" for "ise.gov A".
>
> Yet I can still resolve and visit the website http://ise.gov/
>
> DNS recursive server has:
> dnssec-validation yes;
> dnssec-enable yes;
> dnssec-accept-expired no;
>
> Inspection:
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.32.amzn1 <<>> +norec +dnssec @ns1.p11.dynect.net ise.gov a
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61417
> ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;ise.gov. IN A
>
> ;; ANSWER SECTION:
> ise.gov. 60 IN A 50.19.98.143
> ise.gov. 60 IN RRSIG A 5 2 60 20140513120652 20140413120652 45468 ise.gov. VZpvQNUKY6Vt0yxytk7JzK4FGh54SImorcnbvIRKwhGp2nrrHZWgSRfM RiYtgbD2KSUoIOoaws5uDL1FAmMbbbFbdQBioEmJeCJMLzD1FJKPDBu3 PTtmTqgj7tdEM12evpM1v8JwDoN/ZYGwgMxkkOebqqrMQ0ZuprfmZqrf 6Zg=
>
> ;; AUTHORITY SECTION:
> ise.gov. 86400 IN NS ns1.p11.dynect.net.
> ise.gov. 86400 IN NS ns4.p11.dynect.net.
> ise.gov. 86400 IN NS ns2.p11.dynect.net.
> ise.gov. 86400 IN NS ns3.p11.dynect.net.
> ise.gov. 86400 IN RRSIG NS 5 2 86400 20140513120652 20140413120652 45468 ise.gov. OJ6es8al+vr2hCU9IrEkIJ+Ly/XK79g/Hlp8vDCYR6qt5VrOA5dzC4Nq a0IOOn9Ryo38O021tlcTp9bHhC+sf02SmmbG1oBiRSbL2JaYPD0Cm5bg rLiGB9iE3lDrgIz++RytufcKjnloYyCYhfAUvTe5/tmSU5tP0rdes8yw 0rA=
>
> ;; Query time: 22 msec
> ;; SERVER: 208.78.70.11#53(208.78.70.11)
> ;; WHEN: Wed May 21 11:40:16 2014
> ;; MSG SIZE rcvd: 472
>
> All name servers have the same expiry time for the RRSIG A record, which, unless I'm more confused than I realise, is about a week ago. Clocks on all machines under our control are correct to the precision required (they know what day and year it is).
>
> DNSviz suggests that SOA record is secure, but not A or MX for ise.gov and the date on the SOA RRSIG record is indeed in the future.
>
> How is BIND deciding it is okay to return the A and MX records, and that this is not some sort of DNS replay attack?
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
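As an added illustration of the validation outcome Mark describes (example code, not from the thread or from BIND): the script parses the RRSIG fields quoted above in dig's presentation format and shows why a resolver hands back an answer whose signature expired a week earlier when the parent zone publishes no DS record. It assumes the query time in Simon's dig output is UTC, models only the chain-of-trust and validity-window decisions, and treats the cryptographic check as passing.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class RRSIG:
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: int  # Unix seconds, from the YYYYMMDDHHmmSS field
    inception: int
    key_tag: int
    signer: str


def to_epoch(stamp: str) -> int:
    """RRSIG presentation-format time (YYYYMMDDHHmmSS, always UTC) to Unix seconds."""
    return int(datetime.strptime(stamp, "%Y%m%d%H%M%S")
               .replace(tzinfo=timezone.utc).timestamp())


def parse_rrsig(rdata: str) -> RRSIG:
    """Parse RRSIG RDATA as dig prints it; the trailing signature blob is ignored."""
    f = rdata.split()
    return RRSIG(f[0], int(f[1]), int(f[2]), int(f[3]),
                 to_epoch(f[4]), to_epoch(f[5]), int(f[6]), f[7])


def classify(has_ds: bool, sig: RRSIG, now: int, accept_expired: bool = False) -> str:
    """Validator outcome for an answer: 'insecure', 'secure' or 'bogus'.

    No DS in the parent zone means no chain of trust, so the signature is never
    evaluated: the answer is Insecure and is returned without the AD flag, which
    is what the thread observed for ise.gov. With a DS the RRSIG must sit inside
    [inception, expiration]; accept_expired models dnssec-accept-expired as
    ignoring expiration while still enforcing inception (simplified model).
    """
    if not has_ds:
        return "insecure"
    if now < sig.inception:
        return "bogus"
    if now <= sig.expiration or accept_expired:
        return "secure"
    return "bogus"


# Constructed input: the RRSIG fields quoted in the thread (signature omitted)
# and the time of Simon's query, taken as UTC.
RRSIG_A = parse_rrsig("A 5 2 60 20140513120652 20140413120652 45468 ise.gov. <sig>")
QUERY_TIME = to_epoch("20140521114016")

if __name__ == "__main__":
    print(classify(False, RRSIG_A, QUERY_TIME))  # insecure: what the resolver returned
    print(classify(True, RRSIG_A, QUERY_TIME))   # bogus: what a DS in gov. would have caused
```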