BIND9 DNSSEC: should I care about occasional "insecure" log messages
The goal of DNSSEC is to add authenticity and integrity to query responses. DNSSEC can't tell you if your query responses are being intercepted, but it can tell you if the responses have been corrupted, tampered with, or are missing their signatures entirely. The messages you are seeing are notifying you of DNSSEC issues with the received responses (lack of signature, invalid signature, etc). If you are validating DNSSEC, these replies will be discarded.
The majority of DNSSEC validation issues are due to misconfiguration.
If the host in question is "important" and you suspect simple misconfiguration by the zone operator, you can bypass validation specifically for those zones. That seems to be Google's official policy: https://developers.google.com/speed/public-dns/faq#gdns_validation_failure
Comcast takes the approach of notifying domain owners of DNSSEC issues: http://dns.comcast.net
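One way to triage such messages before deciding whether a zone deserves a validation exception, as an added example that is not part of the answer or of BIND itself: a small Python script that parses the validator lines quoted in the question (embedded here as constructed sample input) and groups them by owner name and likely cause. The short cause labels are my own; the message texts are BIND's as quoted on this page.

```python
import re
from collections import defaultdict

# Constructed sample: the four messages quoted in the question, one per line.
SAMPLE_LOG = """\
184.in-addr.arpa SOA: got insecure response; parent indicates it should be secure
validating @0x7f93140c0870: 100.64-26.75.195.82.in-addr.arpa PTR: no valid signature found
validating @0x7f93100c8830: www.nbcnews.com A: no valid signature found
validating @0x7f93287f2a00: cabotelecom.com.br NSEC: verify failed due to bad signature (keyid=13661): RRSIG has expired
"""

# "validating @0x...:" is the validator context BIND prefixes to most messages;
# the "got insecure response" message carries no such prefix, so it is optional.
LINE_RE = re.compile(
    r"^(?:validating @0x[0-9a-f]+: )?"
    r"(?P<name>\S+) (?P<rtype>[A-Z0-9]+): (?P<reason>.+)$"
)
KEYID_RE = re.compile(r"\(keyid=(?P<keyid>\d+)\)")

# Reason text -> short cause label (labels are mine, not BIND's). Most specific first.
CAUSES = (
    ("RRSIG has expired", "expired"),                 # zone operator stopped re-signing
    ("parent indicates it should be secure", "unsigned-but-delegated-secure"),
    ("no valid signature found", "no-valid-signature"),
)

def classify(reason: str) -> str:
    """Map the validator's free-text reason to a short cause label."""
    for needle, label in CAUSES:
        if needle in reason:
            return label
    return "other"

def parse_line(line: str):
    """Return (name, rtype, cause, keyid) or None for a line that is not a validator message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    k = KEYID_RE.search(m["reason"])
    return (m["name"], m["rtype"], classify(m["reason"]), int(k["keyid"]) if k else None)

def triage(log_text: str) -> dict:
    """Group validation failures by owner name: {name: [(rtype, cause, keyid), ...]}."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            name, rtype, cause, keyid = parsed
            report[name].append((rtype, cause, keyid))
    return dict(report)

if __name__ == "__main__":
    for name, failures in triage(SAMPLE_LOG).items():
        print(name, failures)
```

A name that keeps showing "expired" for days points at a stale signing setup on the zone operator's side; a one-off "no-valid-signature" for a name that otherwise validates is the case where the resolver is doing its job by discarding the reply.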
Comments
-
simpleuser almost 2 years
A small number of my forwarded DNS queries cause BIND 9 to log messages such as:
184.in-addr.arpa SOA: got insecure response; parent indicates it should be secure
validating @0x7f93140c0870: 100.64-26.75.195.82.in-addr.arpa PTR: no valid signature found
validating @0x7f93100c8830: www.nbcnews.com A: no valid signature found
validating @0x7f93287f2a00: cabotelecom.com.br NSEC: verify failed due to bad signature (keyid=13661): RRSIG has expired
I am forwarding queries to a server supporting DNSSEC.
So: should I care about these, given that there is nothing I can do about them? If so, what can I really do about them?
-
simpleuser over 10 years: Well... that's kind of at the heart of my question. Given that configuration errors may occur even with the best sites, how much should I worry about occasional errors? It is unlikely someone intercepted one or two DNS queries. But if I set "dnssec-enable yes; dnssec-validation auto; dnssec-lookaside auto;", are these just informational messages and BIND is safely discarding "insecure" responses? Or are these messages warnings that I'm using corrupt DNS data? Or intercepted data? Or ...?
-
Mark Sturgill over 10 years: @user1663987 I updated the answer to provide some additional information.