Insecurity proof failed

2024-03-12 Thread Borja Marcos
Hi,

This is driving me nuts. I have three BIND 9.18.24 running on FreeBSD. Two of 
them on FreeBSD 14, one on FreeBSD 13.2.

Just one of the servers is failing to resolve a single domain compared to the 
other two: checkpoint.com.

I get these errors:

<142>1 2024-03-12T11:36:21.957013+00:00 dnsanycast named 86604 - - insecurity 
proof failed resolving 'checkpoint.com/A/IN': 198.51.44.65#53
<142>1 2024-03-12T11:36:21.941389+00:00 dnsanycast named 86604 - - insecurity 
proof failed resolving 'checkpoint.com/A/IN': 198.51.45.1#53
<142>1 2024-03-12T11:36:21.924666+00:00 dnsanycast named 86604 - - insecurity 
proof failed resolving 'checkpoint.com/A/IN': 198.51.45.65#53
<142>1 2024-03-12T11:36:21.907492+00:00 dnsanycast named 86604 - - insecurity 
proof failed resolving 'checkpoint.com/A/IN': 198.51.44.1#53

and these: validating checkpoint.com/A: got insecure response; parent indicates it 
should be secure

And ultimately my DNS server returns a SERVFAIL.

The puzzling thing is, the other two servers work (this is a check on a 
different server from the same pool).

; <<>> DiG 9.18.24 <<>> @127.0.0.1 checkpoint.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40171
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: aa16c8ceb3a9eee9010065f0416206a44938e6d8f2b4 (good)
;; QUESTION SECTION:
;checkpoint.com. IN A

;; ANSWER SECTION:
checkpoint.com. 18 IN A 54.230.112.31
checkpoint.com. 18 IN A 54.230.112.106
checkpoint.com. 18 IN A 54.230.112.68
checkpoint.com. 18 IN A 54.230.112.55

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Mar 12 11:49:54 UTC 2024
;; MSG SIZE  rcvd: 135
I have the same configuration, using dnssec-validation set to auto.

Any clue on what might be failing? I am really lost!

Thanks,

Borja.




-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Insecurity proof failed

2024-03-12 Thread Mark Andrews
Have you disabled EDNS to these servers in named.conf?  DNSSEC responses are only returned if DO=1 is set in the request.  Named can learn that a server doesn’t support EDNS if it doesn’t return EDNS responses consistently to EDNS requests.  If that happens named will send plain DNS requests.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
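The mechanism Mark describes (no EDNS means no OPT record, so the DO bit cannot be set, so a signed authoritative server omits RRSIGs and the validating resolver sees an insecure answer under a secure delegation) can be shown end to end with a small wire-format simulation. This is an added example written for this thread; it is not BIND code and not anything the thread's participants posted. The query builder and parser follow the real DNS/EDNS wire format, but `mock_authoritative`, `validate`, `simulate` and the `ZONE` table are constructed stand-ins: the RRSIG content is a placeholder and `validate` only checks whether a signature came back at all, which is the single condition the thread is about.

```python
import struct

# Constructed example: a minimal DNS query builder plus a mock signed
# authoritative server and a mock validator, to show why a query without
# EDNS (hence without DO=1) makes a validating resolver fail on a signed
# zone. Not BIND code; function names are my own.

OPT_TYPE = 41          # EDNS OPT pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000       # "DNSSEC OK" bit in the OPT TTL field (RFC 3225)
UDP_PAYLOAD = 1232     # advertised UDP buffer size, same value dig showed above

def build_query(qname, qtype=1, edns=True, do=True):
    """Build a DNS query packet. With edns=False no OPT RR is added, so DO cannot be set."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    packet = header + qname_wire + struct.pack("!HH", qtype, 1)
    if edns:
        # OPT RR: root name, type 41, class = UDP payload size,
        # TTL = extended rcode / version / flags (DO lives here), rdlen = 0
        ttl = DO_FLAG if do else 0
        packet += b"\x00" + struct.pack("!HHIH", OPT_TYPE, UDP_PAYLOAD, ttl, 0)
    return packet

def query_has_do(packet):
    """Walk the question and additional sections; return True only if an OPT RR carries DO=1."""
    _id, _flags, qdcount, _an, _ns, arcount = struct.unpack("!HHHHHH", packet[:12])
    off = 12
    for _ in range(qdcount):
        while packet[off] != 0:          # skip name labels
            off += 1 + packet[off]
        off += 1 + 4                      # root terminator + qtype + qclass
    for _ in range(arcount):
        while packet[off] != 0:
            off += 1 + packet[off]
        off += 1
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return bool(ttl & DO_FLAG)
    return False

# Constructed zone data; the A records are the ones dig printed in the thread,
# the RRSIG is a placeholder string standing in for a real signature.
ZONE = {
    "A": ["54.230.112.31", "54.230.112.106", "54.230.112.68", "54.230.112.55"],
    "RRSIG": ["RRSIG(A) placeholder"],
}

def mock_authoritative(packet, zone):
    """Answer like a signed zone's server: RRSIGs are included only when DO=1 was requested."""
    answer = {"A": list(zone["A"])}
    if query_has_do(packet):
        answer["RRSIG"] = list(zone["RRSIG"])
    return answer

def validate(answer, parent_has_ds):
    """Mock validator: a DS at the parent promises signatures; an unsigned answer then fails."""
    if "RRSIG" in answer:
        return "secure"
    if parent_has_ds:
        return "got insecure response; parent indicates it should be secure"
    return "insecure"

def simulate(edns, do=True, parent_has_ds=True):
    """Run one resolver query against the mock server with the given EDNS/DO settings."""
    pkt = build_query("checkpoint.com", edns=edns, do=do)
    return validate(mock_authoritative(pkt, ZONE), parent_has_ds)

if __name__ == "__main__":
    print("EDNS on,  DO=1 :", simulate(edns=True))
    print("EDNS on,  DO=0 :", simulate(edns=True, do=False))
    print("EDNS off       :", simulate(edns=False))
```

Running it shows that only the first configuration validates; the other two reproduce the exact condition logged in the original report. The practical check on a real resolver is the same: a server clause that disables EDNS is harmless for unsigned zones and fatal for signed ones.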



Re: Insecurity proof failed

2024-03-12 Thread Borja Marcos


> On 12 Mar 2024, at 13:36, Mark Andrews  wrote:
> 
> Have you disabled EDNS to these servers in named.conf?  DNSSEC responses are only returned if DO=1 is set in the request.  Named can learn that a server doesn’t support EDNS if it doesn’t return EDNS responses consistently to EDNS requests.  If that happens named will send plain DNS requests.

Gosh. YESSS!!

I had added those four DNS servers due to some nonsense with eset.com, the AV company. I will review that. 

I had to do that in the past because of authoritative servers that simply do not answer (some braindead firewall involved, probably) to EDNS options or cookies. 


Thank you!

Borja.
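Reviewing old per-server workarounds of the kind just described is easier with a script than by eye, since a `server` clause added for one broken authoritative server can later break a different, signed zone hosted on the same addresses. Below is an added audit helper written for this thread (not BIND code, not posted by anyone here) that lists every `server` clause in a named.conf disabling `edns` or `send-cookie`. It assumes a single flat file (no `include` directives) and the two real BIND server-clause options named; the sample configuration is constructed to mirror the situation in the thread.

```python
import re

# Constructed example, not from the thread or from BIND: scan a named.conf for
# server clauses that turn off EDNS or DNS cookies. On a validating resolver
# (dnssec-validation auto) such a clause stops the resolver from asking for
# RRSIGs from that address, so any signed zone served there will SERVFAIL.

# Constructed sample named.conf; the addresses are the ones from the log lines above.
SAMPLE_NAMED_CONF = """\
options {
    dnssec-validation auto;
};

// old workaround for an authoritative server that dropped EDNS queries
server 198.51.44.1/32 {
    edns no;
};
server 198.51.45.1/32 {
    send-cookie no;   # cookies only
};
/* this one is fine */
server 203.0.113.7/32 {
    edns yes;
};
"""

SERVER_BLOCK = re.compile(r"server\s+(\S+)\s*\{(.*?)\};", re.S)
RISKY_OPTIONS = {
    "edns": re.compile(r"\bedns\s+no\s*;"),
    "send-cookie": re.compile(r"\bsend-cookie\s+no\s*;"),
}

def strip_comments(text):
    """Remove /* */, // and # comments so commented-out clauses are not reported."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def find_edns_overrides(conf_text):
    """Return {address_or_prefix: [disabled option names]} for risky server clauses."""
    findings = {}
    for addr, body in SERVER_BLOCK.findall(strip_comments(conf_text)):
        disabled = [name for name, pattern in RISKY_OPTIONS.items() if pattern.search(body)]
        if disabled:
            findings[addr] = disabled
    return findings

def report(conf_text):
    """Human-readable lines, one per offending server clause."""
    return [f"{addr}: {', '.join(opts)} disabled" for addr, opts in find_edns_overrides(conf_text).items()]

if __name__ == "__main__":
    for line in report(SAMPLE_NAMED_CONF):
        print(line)
```

Each reported address is a candidate for removing the override and retesting with `dig +dnssec` against the resolver; if the upstream server really still drops EDNS, the safer long-term fix is on that server's side, because the override silently disables validation for everything it serves.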


