BIND9 DNSSEC: should I care about occasional “insecure” log messages

bind, dnssec

A small number of my forwarded DNS queries cause BIND 9 to log messages such as:

184.in-addr.arpa SOA: got insecure response; parent indicates it should be secure
validating @0x7f93140c0870: 100.64-26.75.195.82.in-addr.arpa PTR: no valid signature found
validating @0x7f93100c8830: www.nbcnews.com A: no valid signature found
validating @0x7f93287f2a00: cabotelecom.com.br NSEC: verify failed due to bad signature (keyid=13661): RRSIG has expired

I am forwarding queries to a server supporting DNSSEC.

So: should I care about these, given that there is nothing I can do about them? If so, what can I really do about them?

Best Answer

The goal of DNSSEC is to add authenticity and integrity to query responses. DNSSEC can't tell you if your query responses are being intercepted, but it can tell you if the responses have been corrupted, tampered with, or are missing their signatures entirely. The messages you are seeing are notifying you of DNSSEC issues with the received responses (lack of signature, invalid signature, etc.). If you are validating DNSSEC, these replies will be discarded.

The majority of DNSSEC validation issues are due to misconfiguration.

If the host in question is "important" and you suspect simple misconfiguration by the zone operator, you can bypass validation specifically for those zones. That seems to be Google's official policy: https://developers.google.com/speed/public-dns/faq#gdns_validation_failure

Comcast takes the approach of notifying domain owners of DNSSEC issues: http://dns.comcast.net
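As an added illustration of how an operator might triage these messages before deciding whether a zone is worth an exception (this is example code written for this page, not part of the question, the answer, or BIND itself): the script below parses validator log lines of the shape quoted in the question, classifies each failure (expired RRSIG, missing/bad signature, insecure response under a secure parent), counts failures per owner name, and then intersects the result with a constructed list of names the operator considers important. The sample log text is constructed from the lines in the question plus one extra made-up line; the `IMPORTANT` set and the function names are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the messages quoted in the question.
# The "@0x..." validator addresses are per-run pointers and carry no meaning.
SAMPLE_LOG = """\
184.in-addr.arpa SOA: got insecure response; parent indicates it should be secure
validating @0x7f93140c0870: 100.64-26.75.195.82.in-addr.arpa PTR: no valid signature found
validating @0x7f93100c8830: www.nbcnews.com A: no valid signature found
validating @0x7f93287f2a00: cabotelecom.com.br NSEC: verify failed due to bad signature (keyid=13661): RRSIG has expired
validating @0x7f93287f2a00: www.nbcnews.com AAAA: no valid signature found
"""

# Names the operator has decided actually matter to their users (assumed for the example).
IMPORTANT = {"www.nbcnews.com"}

# "<owner> <rrtype>: <reason>", optionally prefixed by "validating @0x...: ".
LINE_RE = re.compile(
    r"^(?:validating @0x[0-9a-f]+: )?(?P<name>\S+) (?P<rrtype>[A-Z0-9]+): (?P<reason>.+)$"
)
KEYID_RE = re.compile(r"keyid=(\d+)")


def classify(reason):
    """Map the free-text reason to a coarse failure class."""
    if "RRSIG has expired" in reason:
        # Signatures lapsed; usually clears once the zone operator re-signs.
        return "expired_signature"
    if "no valid signature found" in reason:
        # Either unsigned data in a signed zone or a signature that does not verify.
        return "missing_or_bad_signature"
    if "got insecure response" in reason:
        # Parent publishes a DS record but the child answered without DNSSEC data.
        return "insecure_delegation"
    return "other"


def parse_line(line):
    """Return a dict for one validator log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    reason = m.group("reason")
    key = KEYID_RE.search(reason)
    return {
        "name": m.group("name"),
        "rrtype": m.group("rrtype"),
        "class": classify(reason),
        "keyid": int(key.group(1)) if key else None,
    }


def summarize(log_text):
    """Count failures per owner name, broken down by failure class."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            summary[rec["name"]][rec["class"]] += 1
    # Convert to plain dicts so callers get ordinary, printable values.
    return {name: dict(classes) for name, classes in summary.items()}


def candidates_for_review(summary, important):
    """Names that both fail validation and are on the operator's important list."""
    return sorted(name for name in summary if name in important)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for name, classes in sorted(summary.items()):
        print(name, classes)
    print("review:", candidates_for_review(summary, IMPORTANT))
```

Everything else in the summary is noise that validation is correctly discarding; only the names that come back from `candidates_for_review` would warrant contacting the zone operator or, as the answer describes, a deliberate per-zone validation exception in the resolver.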
