Discussion:
Z flag is different from 0
Miner, Jonathan W (CSC) (US SSA)
2004-11-30 13:54:12 UTC
Hi -

I'm running ISC's bind 9.3.0 on Solaris 9. I have two servers (master
and secondary), which support a dozen (+/-) domains. We recently
upgraded our firewall to CheckPoint with their SmartDefense product. (We
had been running an older Gauntlet firewall)

My issue is that SmartDefense is alerting on our outgoing DNS queries,
saying "Bad DNS Headers, Z flag is different from 0". I've looked at
RFC2929, which says:

--quote--
2.1 One Spare Bit?

There have been ancient DNS implementations for which the Z bit being
on in a query meant that only a response from the primary server for
a zone is acceptable. It is believed that current DNS
implementations ignore this bit.

Assigning a meaning to the Z bit requires an IETF Standards Action.
---------

Should I be looking for a way to configure bind to not set the Z flag?
Or is there some other solution to this issue?

Thanks in advance.
David Botham
2004-11-30 15:12:10 UTC
Post by Miner, Jonathan W (CSC) (US SSA)
Hi -
I'm running ISC's bind 9.3.0 on Solaris 9. I have two servers (master
and secondary), which support a dozen (+/-) domains. We recently
upgraded our firewall to CheckPoint with their SmartDefense product. (We
had been running an older Gauntlet firewall)
I typically turn off the DNS checking in smartdefense.

hth,

dave...
Mark Andrews
2004-11-30 21:18:31 UTC
Post by Miner, Jonathan W (CSC) (US SSA)
Hi -
I'm running ISC's bind 9.3.0 on Solaris 9. I have two servers (master
and secondary), which support a dozen (+/-) domains. We recently
upgraded our firewall to CheckPoint with their SmartDefense product. (We
had been running an older Gauntlet firewall)
My issue is that SmartDefense is alerting on our outgoing DNS queries,
saying "Bad DNS Headers, Z flag is different from 0". I've looked at
RFC2929, which says:
--quote--
2.1 One Spare Bit?
There have been ancient DNS implementations for which the Z bit being
on in a query meant that only a response from the primary server for
a zone is acceptable. It is believed that current DNS
implementations ignore this bit.
Assigning a meaning to the Z bit requires an IETF Standards Action.
---------
Should I be looking for a way to configure bind to not set the Z flag?
Or is there some other solution to this issue?
Thanks in advance.
BIND 9.3 does not set the final bit. Are you sure it is not
triggering on CD?

dnssec-enable no; // default

07:51:01.130013 192.168.191.236.2498 > 198.6.1.65.53: 16310 [1au] A? ftp.uu.net. (39)
4500 0043 0a63 0000 4011 286b c0a8 bfec
c606 0141 09c2 0035 002f 72bd
3fb6 0000
0001 0000 0000 0001 0366 7470 0275 7503
6e65 7400 0001 0001 0000 2910 0000 0080
0000 00

qr=0, opcode=0, aa=0, tc=0, rd=0, mbz=0, ad=0, cd=0, rcode=0
qr=0, opcode=0, aa=0, tc=0, rd=0, mbz=000 rcode=0 (RFC 1035)

dnssec-enable yes;

07:58:47.055324 192.168.191.236.2498 > 198.6.1.181.53: [udp sum ok] 30669 [1au] A? xx.uu.net. ar: . OPT UDPsize=4096 (38) (ttl 64, id 2712, len 66)
4500 0042 0a98 0000 4011 27c3 c0a8 bfec
c606 01b5 09c2 0035 002e 4a6f
77cd 0010
0001 0000 0000 0001 0278 7802 7575 036e
6574 0000 0100 0100 0029 1000 0000 8000
0000

qr=0, opcode=0, aa=0, tc=0, rd=0, mbz=0, ad=0, cd=1, rcode=0
qr=0, opcode=0, aa=0, tc=0, rd=0, mbz=001 rcode=0 (RFC 1035)
(Note CD is set).

I would be worried about whether your current Firewall is DNSSEC
aware (knows about AD and CD).

Note 9.2.x always has DNSSEC enabled.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
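The two decodes above ("mbz=0 ... cd=1" versus "mbz=001") are the same flags word read with the RFC 2535 and the RFC 1035 layouts. The following is an added example, not code from the thread or from ISC: it decodes the 12-byte DNS header from the two hex dumps quoted above and emulates a "Z flag is different from 0" check done both ways, on the assumption (Mark's suspicion, not a documented SmartDefense behaviour) that a DNSSEC-unaware check tests the whole 3-bit RFC 1035 Z field.

```python
"""Decode the DNS header flags word per RFC 1035 (3-bit reserved Z field)
and per RFC 2535 (Z, AD, CD), and show why a DNSSEC-unaware check reports
a non-zero Z for a query that only has CD set."""
import struct

# Constructed from the two DNS payloads in the thread's tcpdump hex dumps
# (the 20-byte IP and 8-byte UDP headers stripped); only the 12-byte
# header is decoded here.
DNSSEC_OFF = bytes.fromhex("3fb6 0000 0001 0000 0000 0001")
DNSSEC_ON = bytes.fromhex("77cd 0010 0001 0000 0000 0001")


def decode_header(pkt):
    """Return header fields with the flags word decoded per RFC 2535."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    return {
        "id": ident,
        "qr": flags >> 15 & 1,
        "opcode": flags >> 11 & 0xF,
        "aa": flags >> 10 & 1,
        "tc": flags >> 9 & 1,
        "rd": flags >> 8 & 1,
        "ra": flags >> 7 & 1,
        "z": flags >> 6 & 1,            # the one bit still reserved
        "ad": flags >> 5 & 1,           # RFC 2535: authentic data
        "cd": flags >> 4 & 1,           # RFC 2535: checking disabled
        "rcode": flags & 0xF,
        "z_rfc1035": flags >> 4 & 0x7,  # bits 6..4 as RFC 1035 defined them
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def firewall_verdict(pkt, dnssec_aware):
    """Emulate a 'Z must be zero' header check (hypothetical, not
    SmartDefense's real logic). A DNSSEC-unaware check tests the whole
    RFC 1035 Z field, so a query with CD=1 trips it; a DNSSEC-aware
    check only tests the single remaining reserved bit."""
    h = decode_header(pkt)
    z = h["z"] if dnssec_aware else h["z_rfc1035"]
    return "ok" if z == 0 else "Bad DNS Headers, Z flag is different from 0"


if __name__ == "__main__":
    for name, pkt in (("dnssec-enable no", DNSSEC_OFF),
                      ("dnssec-enable yes", DNSSEC_ON)):
        h = decode_header(pkt)
        print(name, "z=%d ad=%d cd=%d z_rfc1035=%03b" %
              (h["z"], h["ad"], h["cd"], h["z_rfc1035"]),
              "| unaware:", firewall_verdict(pkt, False),
              "| aware:", firewall_verdict(pkt, True))
```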
Miner, Jonathan W (CSC) (US SSA)
2004-12-02 15:17:02 UTC
Thanks to everyone for the replies both on and off the list.

I've done some packet captures, and so far all the packets I've seen
have the Z flag set to zero. I'll have to escalate this to the folks at
CheckPoint and see what they have to say.

For now, (as others suggested), I'm going to turn off SmartDefense for
DNS.

Thanks again!

briggs
2004-12-02 15:41:16 UTC
Post by Miner, Jonathan W (CSC) (US SSA)
Thanks to everyone for the replies both on and off the list.
I've done some packet captures, and so far all the packets I've seen
have the Z flag set to zero. I'll have to escalate this to the folks at
CheckPoint and see what they have to say.
For now, (as others suggested), I'm going to turn off SmartDefense for
DNS.