Old 02-02-2017, 07:43 AM   #1
Registered: Mar 2009
Posts: 54

Rep: Reputation: 15
DNSSEC "passes" the test it should fail at

I'm configuring a DNS server on RHEL 6.8 with BIND 9.8.2rc1 and testing DNSSEC, with the server set up to intentionally fail DNSSEC ( shows a successful test of DNS. Some help determining the cause would be great.

When running the command below it succeeds as it should:
dig @ A +dnssec +multiline
However, when I run the command below to intentionally get a DNSSEC failure, it also passes (status: NOERROR) when it should actually fail:

 ~]# dig @ A

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> @ A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38725
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 10

;         IN      A

;; ANSWER SECTION:  3535    IN      A  3535    IN      A

;; AUTHORITY SECTION:      82735   IN      NS      82735   IN      NS      82735   IN      NS      82735   IN      NS      82735   IN      NS

;; ADDITIONAL SECTION:     82735   IN      A     82735   IN      AAAA    2001:558:1004:7:68:87:85:132     82735   IN      A     82735   IN      AAAA    2001:558:1014:c:68:87:76:228     82735   IN      A     82735   IN      AAAA    2001:558:100e:5:68:87:72:244     82735   IN      A     82735   IN      AAAA    2001:558:fe23:8:69:252:250:103     82735   IN      A     82735   IN      AAAA    2001:558:100a:5:68:87:68:244

;; Query time: 0 msec
;; WHEN: Wed Feb  1 19:48:25 2017
;; MSG SIZE  rcvd: 407
Any ideas as to what the cause could be for DNSSEC to pass when it should indeed fail? I'm thinking of reconfiguring DNSSEC altogether at this point: turning it off, then adjusting one setting at a time to determine the root cause.
Old 02-02-2017, 09:21 AM   #2
Registered: Aug 2015
Location: Arlington, VA
Distribution: Slackware
Posts: 60

Rep: Reputation: 44
Did you set any forwarder in your BIND configuration? It seems that the answer that you get comes from Comcast.

I have never used Comcast and I don't know whether their DNS servers are reliable or not, but if your DNS server relies on the ones from Comcast and they are lying... I know that Verizon does this: they provide answers for non-existent domains and redirect people to a "friendly error page".

If you really want to have a DNS server with DNSSEC, your server should be doing all the work itself, not using forwarders if possible.

Last edited by Ellendhel; 02-02-2017 at 03:16 PM. Reason: (minor typos)
Old 02-02-2017, 02:35 PM   #3
Registered: Mar 2009
Posts: 54

Original Poster
Rep: Reputation: 15
After I read your post I looked again at my options section of named.conf and didn't see any forwarders, which I also originally searched for. I've included the options section of named.conf below.

options {
        // Server options
        directory "/var/named";
        auth-nxdomain yes;
        interface-interval 0;
        lame-ttl 900;
        listen-on-v6 { none; };
        version " ";
        zone-statistics yes;
        dump-file "data/named_dump.db";
        statistics-file "data/named.stats";
//      pid-file none;
        pid-file "/var/run/named/";
I'm still searching for other causes. The latest thing I tried was changing dnssec-validation from yes to auto, but I saw no change in the failures. The // DNS Security section of the named.conf file is below:

 // DNS Security
        dnssec-enable yes;
        dnssec-validation auto;
        dnssec-lookaside auto;
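A small POSIX shell helper for the kind of test discussed in this thread, added here as an example and not taken from any of the posts above. It reads the output of a dig query and reports whether the answering resolver actually validated the reply: a validating resolver sets the "ad" flag on a good signed zone and returns SERVFAIL for a deliberately broken one, while the header in post #1 (status NOERROR, flags "qr rd ra", no "ad") is what this helper classifies as "unvalidated". The resolver address and the two domain names passed to check_resolver are placeholders, and the two SAMPLE_* strings are constructed input so the classifier can be run offline.

```shell
#!/bin/sh
# Added example (not from the thread): decide from dig output whether the
# resolver that answered validated DNSSEC. Only the HEADER and flags lines
# that dig prints are inspected, so saved output can be checked offline.
#
#   validated   - status NOERROR and the "ad" (authenticated data) flag set
#   unvalidated - status NOERROR but no "ad" flag: the resolver did not
#                 validate this answer (or +cd was used to skip validation)
#   servfail    - status SERVFAIL: what a validating resolver returns for a
#                 zone whose signatures do not check out
#   other       - anything else (NXDOMAIN, REFUSED, no answer at all, ...)
classify_dig() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
  case "$status" in
    SERVFAIL) echo servfail ;;
    NOERROR)
      case " $flags " in
        *" ad "*) echo validated ;;
        *)        echo unvalidated ;;
      esac ;;
    *) echo other ;;
  esac
}

# Live check against a resolver. All three arguments are placeholders:
# $2 must be a correctly signed zone, $3 a zone deliberately signed wrongly
# (such as the test domain used in post #1). On a validating resolver the
# expected lines are: validated / servfail / unvalidated.
check_resolver() {
  resolver=$1; good=$2; bad=$3
  printf 'good zone:        %s\n' "$(dig @"$resolver" "$good" A +dnssec | classify_dig)"
  printf 'bogus zone:       %s\n' "$(dig @"$resolver" "$bad" A +dnssec | classify_dig)"
  # +cd (checking disabled) tells the resolver to skip validation. If the
  # bogus zone now comes back NOERROR, the SERVFAIL above was a validation
  # failure and not a generic lookup problem.
  printf 'bogus zone (+cd): %s\n' "$(dig @"$resolver" "$bad" A +dnssec +cd | classify_dig)"
}

# Constructed sample with the same header as the dig output in post #1:
# NOERROR, flags "qr rd ra", no "ad" bit.
SAMPLE_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38725
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 10'

# Constructed sample of what a validating resolver answers for a bogus zone.
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

printf '%s\n' "$SAMPLE_NOAD"  | classify_dig   # unvalidated
printf '%s\n' "$SAMPLE_BOGUS" | classify_dig   # servfail

# Run the live check only when a resolver and both domains are supplied:
#   sh dnssec_check.sh 127.0.0.1 good.example bad.example   (placeholders)
if [ $# -eq 3 ]; then
  check_resolver "$1" "$2" "$3"
fi
```

Running the three live queries side by side is what separates the cases in this thread: "validated" for the good zone proves the resolver is validating at all, "servfail" for the bogus zone proves it rejects bad signatures, and "unvalidated" with +cd proves the SERVFAIL was caused by validation rather than by an unreachable zone. If the good zone also comes back "unvalidated", the resolver (or whatever it forwards to) is not validating, whichever domain is queried.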

