BIND logs "no valid signature found" but returns an answer
Summary
(Summarize the bug encountered concisely.) When DNSSEC validation is activated in BIND v9.16.15, it logs "no valid signature found" for domains that seem to be validated, because the answer is returned.
BIND version used
(Paste the output of named -V.)
BIND 9.16.15-RH (Stable Release) <id:4469e3e>
running on Linux x86_64 3.10.0-1160.21.1.el7.x86_64 #1 SMP Mon Feb 22 18:03:13 EST 2021
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/bin/python' '--with-libtool' '--localstatedir=/var' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-libidn2' '--with-maxminddb' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-gssapi=yes' '--with-lmdb=no' '--without-libjson' '--with-json-c' '--enable-fixed-rrset' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-44)
compiled with OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
compiled with libuv version: 1.41.0
linked to libuv version: 1.41.0
compiled with libxml2 version: 2.9.1
linked to libxml2 version: 20901
compiled with json-c version: 0.11
linked to json-c version: 0.11
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
linked to maxminddb version: 1.2.0
threads support is enabled
default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
geoip-directory: /usr/share/GeoIP
Steps to reproduce
(How one can reproduce the issue - this is very important.) For example, this request can be executed to produce the issue: dig www.lepoint.fr A
This domain is just an example amongst many.
What is the current bug behavior?
(What actually happens.) This message gets logged:
05-May-2021 10:28:00.949 dnssec: info: validating www.lepoint.fr/CNAME: no valid signature found
But the name server returns a result:
; <<>> DiG 9.11.2-P1-RedHat-9.11.2-1.P1.fc26 <<>> @nshcp-p-i-rec02 www.lepoint.fr A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9024
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 1f429b5cf0d875740100000060925710293e286eb819c305 (good)
;; QUESTION SECTION:
;www.lepoint.fr. IN A
;; ANSWER SECTION:
www.lepoint.fr. 300 IN CNAME lepoint-rvp-https-vip.sdv.fr.
lepoint-rvp-https-vip.sdv.fr. 22837 IN A 212.95.74.45
;; Query time: 16 msec
;; SERVER: 192.168.2.40#53(192.168.2.40)
;; WHEN: mer. mai 05 10:28:00 CEST 2021
;; MSG SIZE rcvd: 129
What is the expected correct behavior?
(What you should see instead.) As the message "no valid signature found" is documented as being a DNSSEC validation error and there is apparently no validation error, I would expect no message to be logged by BIND in this case.
We have a lot of "no valid signature found" messages logged on our recursive name servers for domains that seem to be correctly validated. We'd rather have these messages logged only when "no valid signature" has been found.
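One thing worth checking when triaging these log lines is what the resolver actually returned for the same name: the dig output pasted above shows status NOERROR with flags "qr rd ra" and no "ad" flag, i.e. the answer was handed back but not marked as authenticated. The script below is an added example (not part of this report and not BIND's own code) that parses dnssec-category log lines in the layout shown here, parses the header and flags lines of dig output, and joins the two so that each "no valid signature found" event is labelled by the visible outcome. The log lines and dig fragments it runs on are constructed; the second name, signed.example, and the label names are assumptions made for illustration.

```python
"""Triage BIND "no valid signature found" log lines against the resolver's
actual answer.  Added example, not from the bug report or from BIND.
Assumptions: log lines use the print-time/print-category/print-severity
layout shown in the report; dig output is dig's standard text format."""
import re
from dataclasses import dataclass

# Constructed sample data, modelled on the report's log line and dig output.
SAMPLE_LOG = (
    "05-May-2021 10:28:00.949 dnssec: info: validating www.lepoint.fr/CNAME: "
    "no valid signature found\n"
    "05-May-2021 10:28:00.950 resolver: info: some unrelated resolver message\n"
    "05-May-2021 10:28:01.300 dnssec: info: validating signed.example/A: "
    "no valid signature found\n"
)

SAMPLE_DIG = {
    # Answer returned without the 'ad' flag, as in the report.
    "www.lepoint.fr": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9024\n"
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n"
    ),
    # Constructed case (hypothetical name): resolver refused the answer.
    "signed.example": (
        ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1\n"
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n"
    ),
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<category>[\w-]+): (?P<severity>\w+): "
    r"validating (?P<name>[^/\s]+)/(?P<rrtype>\w+): (?P<message>.+)$"
)
HEADER_RE = re.compile(
    r"^;; ->>HEADER<<- opcode: \w+, status: (?P<status>\w+), id: \d+"
)
FLAGS_RE = re.compile(r"^;; flags: (?P<flags>[a-z ]*);")


@dataclass(frozen=True)
class ValidationEvent:
    ts: str
    name: str
    rrtype: str
    message: str


def parse_dnssec_log(text):
    """Return validation events from dnssec-category lines; skip everything else."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and m["category"] == "dnssec":
            events.append(ValidationEvent(m["ts"], m["name"], m["rrtype"], m["message"]))
    return events


def parse_dig_header(text):
    """Extract (status, frozenset of header flags) from dig's text output."""
    status, flags = None, set()
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            status = h["status"]
        f = FLAGS_RE.match(line)
        if f:
            flags = set(f["flags"].split())
    return status, frozenset(flags)


def classify(status, flags):
    """Map the resolver's visible outcome to a triage label (label names assumed)."""
    if status == "SERVFAIL":
        # SERVFAIL has other causes too; paired with this log line it is the
        # outcome expected when validation fails for a secure zone.
        return "validation-failure-enforced"
    if status == "NOERROR" and "ad" in flags:
        return "answered-authenticated"
    if status == "NOERROR":
        # Data returned but not marked authentic: clients must not treat it
        # as validated.  Re-check with `dig +dnssec` to be sure the AD bit
        # was actually requested.
        return "answered-not-authenticated"
    return "other"


def triage(log_text, dig_outputs):
    """Join each 'no valid signature found' event with the dig result for its name."""
    report = {}
    for ev in parse_dnssec_log(log_text):
        if ev.message != "no valid signature found":
            continue
        dig_text = dig_outputs.get(ev.name)
        if dig_text is None:
            report[ev.name] = "no-dig-result"
            continue
        status, flags = parse_dig_header(dig_text)
        report[ev.name] = classify(status, flags)
    return report


if __name__ == "__main__":
    for name, label in triage(SAMPLE_LOG, SAMPLE_DIG).items():
        print(f"{name}: {label}")
```

Run it as-is to see the two constructed cases labelled; in practice, feed it the dnssec log file from the configuration above and the output of `dig +dnssec` for each name it mentions. The point of the join is that a "no valid signature found" line paired with a NOERROR answer lacking the "ad" flag means the resolver did not vouch for that answer, which is a different situation from the SERVFAIL a client sees when validation of a secure zone fails.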
Relevant configuration files
(Paste any relevant configuration files - please use code blocks (```) to format console output. If submitting the contents of your configuration file in a non-confidential Issue, it is advisable to obscure key secrets: this can be done automatically by using named-checkconf -px.)
logging {
channel "default_log" {
file "log/default" versions 3 size 2097152;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
channel "auth_servers_log" {
file "log/auth_servers" versions 3 size 2097152;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
channel "dnssec_log" {
file "log/dnssec" versions 3 size 2097152;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
channel "zone_transfers_log" {
file "log/zone_transfers" versions 3 size 2097152;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
channel "ddns_log" {
file "log/ddns" versions 3 size 2097152;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
channel "client_security_log" {
file "log/client_security" versions 3 size 2097152;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
channel "rate_limiting_log" {
file "log/rate_limiting" versions 3 size 2097152;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
channel "rpz_log" {
file "log/rpz" versions 3 size 2097152;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
channel "queries_log" {
file "log/queries" versions 100 size 2097152;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
channel "query-errors_log" {
file "log/query-errors" versions 3 size 2097152;
severity dynamic;
print-time yes;
print-severity yes;
print-category yes;
};
channel "default_debug" {
file "data/named.run" versions 5 size 1048576;
severity dynamic;
print-time yes;
print-severity yes;
print-category yes;
};
category "default" {
"default_syslog";
"default_debug";
"default_log";
};
category "resolver" {
"auth_servers_log";
"default_debug";
};
category "delegation-only" {
"auth_servers_log";
"default_debug";
};
category "lame-servers" {
"auth_servers_log";
"default_debug";
};
category "edns-disabled" {
"auth_servers_log";
"default_debug";
};
category "dnssec" {
"dnssec_log";
"default_debug";
};
category "notify" {
"zone_transfers_log";
"default_debug";
};
category "xfer-in" {
"zone_transfers_log";
"default_debug";
};
category "xfer-out" {
"zone_transfers_log";
"default_debug";
};
category "update" {
"ddns_log";
"default_debug";
};
category "update-security" {
"ddns_log";
"default_debug";
};
category "client" {
"client_security_log";
"default_debug";
};
category "security" {
"client_security_log";
"default_debug";
};
category "rate-limit" {
"rate_limiting_log";
"default_debug";
};
category "database" {
"rate_limiting_log";
"default_debug";
};
category "rpz" {
"rpz_log";
"default_debug";
};
category "queries" {
"queries_log";
};
category "query-errors" {
"query-errors_log";
};
};
options {
bindkeys-file "/etc/named.root.key";
cookie-secret "????????????????????????????????";
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
managed-keys-directory "/var/named/dynamic";
memstatistics-file "/var/named/data/named_mem_stats.txt";
pid-file "/run/named/named.pid";
querylog no;
recursing-file "/var/named/data/named.recursing";
recursive-clients 2000;
secroots-file "/var/named/data/named.secroots";
session-keyfile "/run/named/session.key";
statistics-file "/var/named/data/named_stats.txt";
allow-recursion {
"any";
};
dnssec-validation auto;
empty-zones-enable yes;
filter-aaaa-on-v4 yes;
recursion yes;
validate-except {
"msanet";
"soltimfm";
"union.local";
"wpad";
};
allow-query {
"any";
};
};
server ::/0 {
bogus yes;
};
trust-anchors {
"." initial-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update {
"none";
};
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update {
"none";
};
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update {
"none";
};
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update {
"none";
};
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update {
"none";
};
};
zone "ader.gouv.fr" {
type forward;
forward only;
forwarders {
100.77.2.20;
100.77.2.30;
100.77.6.20;
100.77.6.30;
};
};
zone "rie.gouv.fr" {
type forward;
forward only;
forwarders {
100.77.2.20;
100.77.2.30;
100.77.6.20;
100.77.6.30;
};
};
zone "ader.senat.fr" {
type forward;
forward only;
forwarders {
100.77.2.20;
100.77.2.30;
100.77.6.20;
100.77.6.30;
};
};
zone "rie.senat.fr" {
type forward;
forward only;
forwarders {
100.77.2.20;
100.77.2.30;
100.77.6.20;
100.77.6.30;
};
};
zone "ader.elysee.fr" {
type forward;
forward only;
forwarders {
100.77.2.20;
100.77.2.30;
100.77.6.20;
100.77.6.30;
};
};
zone "din.developpement-durable.gouv.fr" {
type forward;
forward only;
forwarders {
100.77.2.20;
100.77.2.30;
100.77.6.20;
100.77.6.30;
};
};
zone "webconf.numerique.gouv.fr" {
type forward;
forward only;
forwarders {
100.77.2.20;
100.77.2.30;
100.77.6.20;
100.77.6.30;
};
};
zone "48.161.in-addr.arpa" {
type forward;
forward only;
forwarders {
100.77.2.20;
100.77.2.30;
100.77.6.20;
100.77.6.30;
};
};
zone "64.100.in-addr.arpa" {
type forward;
forward only;
forwarders {
100.77.2.20;
100.77.2.30;
100.77.6.20;
100.77.6.30;
};
};
zone "65.100.in-addr.arpa" {
type forward;
forward only;
forwarders {
100.77.2.20;
100.77.2.30;
100.77.6.20;
100.77.6.30;
};
};
zone "66.100.in-addr.arpa" {
type forward;
forward only;
forwarders {
100.77.2.20;
100.77.2.30;
100.77.6.20;
100.77.6.30;
};
};
zone "67.100.in-addr.arpa" {
type forward;
forward only;
forwarders {
100.77.2.20;
100.77.2.30;
100.77.6.20;
100.77.6.30;
};
};
zone "68.100.in-addr.arpa" {
type forward;
forward only;
forwarders {
100.77.2.20;
100.77.2.30;
100.77.6.20;
100.77.6.30;
};
};
zone "69.100.in-addr.arpa" {
type forward;
forward only;
forwarders {
100.77.2.20;
100.77.2.30;
100.77.6.20;
100.77.6.30;
};
};
zone "77.100.in-addr.arpa" {
type forward;
forward only;
forwarders {
100.77.2.20;
100.77.2.30;
100.77.6.20;
100.77.6.30;
};
};
zone "78.100.in-addr.arpa" {
type forward;
forward only;
forwarders {
100.77.2.20;
100.77.2.30;
100.77.6.20;
100.77.6.30;
};
};
zone "126.100.in-addr.arpa" {
type forward;
forward only;
forwarders {
100.77.2.20;
100.77.2.30;
100.77.6.20;
100.77.6.30;
};
};
zone "airfrance-is.com" {
type forward;
forward only;
forwarders {
193.57.251.253;
193.57.251.254;
};
};
zone "union.local" {
type forward;
forward only;
forwarders {
172.30.204.200;
};
};
zone "sniiram.cnamts.fr" {
type static-stub;
server-names {
"ns1-in.senat.fr.";
"ns2-in.senat.fr.";
};
};
zone "esquif.fr" {
type static-stub;
server-names {
"ns1-in.senat.fr.";
"ns2-in.senat.fr.";
};
};
zone "soltimfm" {
type static-stub;
server-names {
"ns1-in.senat.fr.";
"ns2-in.senat.fr.";
};
};
zone "131.131.in-addr.arpa" {
type static-stub;
server-names {
"ns1-in.senat.fr.";
"ns2-in.senat.fr.";
};
};
zone "62.18.172.in-addr.arpa" {
type static-stub;
server-names {
"ns1-in.senat.fr.";
"ns2-in.senat.fr.";
};
};
zone "msanet" {
type static-stub;
server-names {
"ns1-in.senat.fr.";
"ns2-in.senat.fr.";
};
};
zone "senat.fr" {
type stub;
masters {
172.31.137.20;
172.31.137.21;
};
};
zone "xn--sn-bja.at" {
type static-stub;
server-names {
"ns1-in.senat.fr.";
"ns2-in.senat.fr.";
};
};
zone "clubsenat.fr" {
type static-stub;
server-names {
"ns1-in.senat.fr.";
"ns2-in.senat.fr.";
};
};
zone "diffusion-senat.fr" {
type static-stub;
server-names {
"ns1-in.senat.fr.";
"ns2-in.senat.fr.";
};
};
zone "parlement-ue2008.fr" {
type static-stub;
server-names {
"ns1-in.senat.fr.";
"ns2-in.senat.fr.";
};
};
zone "senateurs.fr" {
type static-stub;
server-names {
"ns1-in.senat.fr.";
"ns2-in.senat.fr.";
};
};
zone "clubsenat.net" {
type static-stub;
server-names {
"ns1-in.senat.fr.";
"ns2-in.senat.fr.";
};
};
zone "use-application-dns.net" {
type static-stub;
server-names {
"ns1-in.senat.fr.";
"ns2-in.senat.fr.";
};
};
zone "carrefourlocal.org" {
type static-stub;
server-names {
"ns1-in.senat.fr.";
"ns2-in.senat.fr.";
};
};
zone "senateurope.org" {
type static-stub;
server-names {
"ns1-in.senat.fr.";
"ns2-in.senat.fr.";
};
};
zone "wpad" {
type static-stub;
server-names {
"ns1-in.senat.fr.";
"ns2-in.senat.fr.";
};
};
zone "17.172.in-addr.arpa" {
type static-stub;
server-names {
"ns1-in.senat.fr.";
"ns2-in.senat.fr.";
};
};
zone "20.172.in-addr.arpa" {
type static-stub;
server-names {
"ns1-in.senat.fr.";
"ns2-in.senat.fr.";
};
};
zone "23.172.in-addr.arpa" {
type static-stub;
server-names {
"ns1-in.senat.fr.";
"ns2-in.senat.fr.";
};
};
zone "25.172.in-addr.arpa" {
type static-stub;
server-names {
"ns1-in.senat.fr.";
"ns2-in.senat.fr.";
};
};
zone "28.172.in-addr.arpa" {
type static-stub;
server-names {
"ns1-in.senat.fr.";
"ns2-in.senat.fr.";
};
};
zone "29.172.in-addr.arpa" {
type static-stub;
server-names {
"ns1-in.senat.fr.";
"ns2-in.senat.fr.";
};
};
zone "30.172.in-addr.arpa" {
type static-stub;
server-names {
"ns1-in.senat.fr.";
"ns2-in.senat.fr.";
};
};
zone "31.172.in-addr.arpa" {
type static-stub;
server-names {
"ns1-in.senat.fr.";
"ns2-in.senat.fr.";
};
};
zone "168.192.in-addr.arpa" {
type static-stub;
server-names {
"ns1-in.senat.fr.";
"ns2-in.senat.fr.";
};
};
Relevant logs and/or screenshots
(Paste any relevant logs - please use code blocks (```) to format console output, logs, and code, as it's very hard to read otherwise.)
05-May-2021 10:28:00.949 dnssec: info: validating www.lepoint.fr/CNAME: no valid signature found
Possible fixes
(If you can, link to the line of code that might be responsible for the problem.)