[dns-operations] DNSSEC Failure w/IPv6 PTRs?
Simon Leinen
simon.leinen at switch.ch
Sun May 15 22:41:00 UTC 2011
Mark Kamichoff writes:
> I'm observing what seems to be a DNSSEC-related problem with resolving
> IPv6 PTRs from DNSSEC validating servers, today. [...]
> Are other folks experiencing these problems, or is it just me?
It's not just you. Earlier today, a colleague complained that SSH
logins to our servers over IPv6 were slow. This turned out to be due to
slow/broken inverse lookups of IPv6 addresses.
> Not sure when this started, but I can replicate it from a view
> different locations.
Log messages about some subzones of ip6.arpa started at around 03:36 UTC
today (our timestamps are in MET DST, UTC+0200):
15-May-2011 05:36:47.793 validating @0x7fd468fc9350: 0.a.2.ip6.arpa DS: no valid signature found
15-May-2011 05:36:47.987 validating @0x7fd470d6ca20: 0.a.2.ip6.arpa DS: no valid signature found
15-May-2011 05:36:48.007 validating @0x7fd4701ba5b0: 0.a.2.ip6.arpa DS: no valid signature found
15-May-2011 05:36:48.362 validating @0x7fd47034fe60: 0.a.2.ip6.arpa DS: no valid signature found
15-May-2011 05:36:48.519 validating @0x7fd4702cbe20: 0.a.2.ip6.arpa DS: no valid signature found
15-May-2011 05:36:48.750 validating @0x7fd468fc9350: 0.a.2.ip6.arpa DS: no valid signature found
15-May-2011 05:36:48.850 validating @0x7fd468fc9350: 0.a.2.ip6.arpa DS: no valid signature found
15-May-2011 05:36:49.076 validating @0x20471a0: 0.a.2.ip6.arpa DS: no valid signature found
15-May-2011 05:36:49.097 validating @0x7fd4701ba5b0: 0.a.2.ip6.arpa DS: no valid signature found
15-May-2011 05:36:49.430 validating @0x7fd470d6ca20: 0.a.2.ip6.arpa DS: no valid signature found
On ip6.arpa proper, the messages started a bit later, around 06:17 UTC:
15-May-2011 08:17:32.581 validating @0x7fd46896e150: ip6.arpa SOA: got insecure response; parent indicates it should be secure
15-May-2011 10:52:03.595 validating @0x7fd468fcd5e0: ip6.arpa SOA: got insecure response; parent indicates it should be secure
15-May-2011 11:23:12.176 validating @0x7fd468becfc0: ip6.arpa DNSKEY: no valid signature found (DS)
15-May-2011 11:23:12.197 validating @0x7fd470e12c50: ip6.arpa DNSKEY: no valid signature found (DS)
15-May-2011 11:23:12.334 validating @0x317bdc0: ip6.arpa DNSKEY: no valid signature found (DS)
15-May-2011 11:23:12.551 validating @0x7fd468becfc0: ip6.arpa DNSKEY: no valid signature found (DS)
15-May-2011 11:23:12.792 validating @0x7fd471903670: ip6.arpa DNSKEY: no valid signature found (DS)
15-May-2011 11:23:13.699 validating @0x2198710: ip6.arpa DNSKEY: no valid signature found (DS)
15-May-2011 11:23:13.720 validating @0x7fd468becfc0: ip6.arpa DNSKEY: no valid signature found (DS)
It would be nice if someone could fix this.
--
Simon.
More information about the dns-operations
mailing list