BIND9 DNSSEC: should I care about occasional "insecure" log messages

The goal of DNSSEC is to add authenticity and integrity to query responses. DNSSEC can't tell you if your query responses are being intercepted, but it can tell you if the responses have been corrupted, tampered with, or are missing their signatures entirely. The messages you are seeing are notifying you of DNSSEC issues with the received responses (lack of signature, invalid signature, etc). If you are validating DNSSEC, these replies will be discarded.

The majority of DNSSEC validation issues are due to misconfiguration.

If the host in question is "important" and you suspect simple misconfiguration by the zone operator you can bypass validation specifically for those zones. That seems to be Google's official policy: https://developers.google.com/speed/public-dns/faq#gdns_validation_failure

Comcast takes the approach of notifying domain owners of DNSSEC issues: http://dns.comcast.net
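An added triage script, not from the answer above and not part of BIND, that parses the validator messages quoted in the question and buckets them by owner name and failure type, so a one-off expired RRSIG can be told apart from a zone that fails on every lookup. It assumes the timestamp and "dnssec: info:" category prefix have already been stripped from each line.

```python
import re
from collections import Counter

# Matches the validator messages quoted in the question. Assumed format:
#   [validating @0x<addr>: ]<owner name> <rrtype>: <reason>
LINE_RE = re.compile(
    r"^(?:validating @0x[0-9a-f]+: )?(?P<name>\S+) (?P<rtype>[A-Z0-9]+): (?P<reason>.+)$"
)
KEYID_RE = re.compile(r"keyid=(\d+)")

def classify(reason):
    """Map the free-text reason to a category the resolver operator can act on."""
    if "RRSIG has expired" in reason:
        return "expired-signature"       # zone was not re-signed in time
    if "got insecure response" in reason:
        return "unsigned-child"          # parent publishes a DS, child answered unsigned
    if "no valid signature found" in reason:
        return "no-valid-signature"      # RRSIG missing, or no DNSKEY verifies it
    if "verify failed" in reason:
        return "bad-signature"
    return "other"

def parse_line(line):
    """Return a dict for one validator log line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    reason = m.group("reason")
    k = KEYID_RE.search(reason)
    return {"name": m.group("name"), "rtype": m.group("rtype"),
            "category": classify(reason),
            "keyid": int(k.group(1)) if k else None}

def summarize(lines):
    """Count failures per (owner name, category). A name that keeps recurring
    points at persistent breakage at the zone operator rather than a one-off."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["name"], rec["category"])] += 1
    return counts

# Constructed sample: the four lines from the question plus one unrelated line.
SAMPLE_LOG = [
    "184.in-addr.arpa SOA: got insecure response; parent indicates it should be secure",
    "validating @0x7f93140c0870: 100.64-26.75.195.82.in-addr.arpa PTR: no valid signature found",
    "validating @0x7f93100c8830: www.nbcnews.com A: no valid signature found",
    "validating @0x7f93287f2a00: cabotelecom.com.br NSEC: verify failed due to bad signature (keyid=13661): RRSIG has expired",
    "client 192.0.2.10#53211: query: www.example.net IN A",
]

if __name__ == "__main__":
    for (name, category), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {category:<18}  {name}")
```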


Author: simpleuser

Updated on September 18, 2022

Comments

  • simpleuser
    simpleuser almost 2 years

    A small number of my forwarded DNS queries cause BIND 9 to log messages such as:

    184.in-addr.arpa SOA: got insecure response; parent indicates it should be secure
    validating @0x7f93140c0870: 100.64-26.75.195.82.in-addr.arpa PTR: no valid signature found
    validating @0x7f93100c8830: www.nbcnews.com A: no valid signature found
    validating @0x7f93287f2a00: cabotelecom.com.br NSEC: verify failed due to bad signature (keyid=13661): RRSIG has expired

    I am forwarding queries to a server supporting DNSSEC.

    So: should I care about these, given that there is nothing I can do about them? If so, what can I really do about them?

  • simpleuser
    simpleuser over 10 years
    Well...that's kind of at the heart of my question. Given that configuration errors may occur even with the best sites, how much should I worry about occasional errors? It is unlikely someone intercepted one or two DNS queries. But if I set "dnssec-enable yes; dnssec-validation auto; dnssec-lookaside auto;" are these just informational messages and bind is safely discarding "insecure" responses? Or are these messages warnings that I'm using corrupt DNS data? Or intercepted data? Or ...?
  • Mark Sturgill
    Mark Sturgill over 10 years
    @user1663987 I updated the answer to provide some additional information.