"can't validate existing negative responses (not a zone cut)" messages
Mark Andrews
marka at isc.org
Mon Dec 6 12:25:29 UTC 2010
In message <Prayer.1.3.3.1012061052110.14567 at hermes-2.csi.cam.ac.uk>, Chris Thompson writes:
> On Oct 3 2010, I wrote:
>
> >Since upgrading our main recursive nameservers to BIND 9.7.2-P2 (and
> >using a trust anchor for the root and lookaside via dlv.isc.org) I am
> >seeing a scatter of warning messages like this:
> >
> >Oct 1 19:47:19 dnssec: warning: validating @1c29d580:
> > 115.197.101.95.IN-ADDR.ARPA PTR:
> > can't validate existing negative responses (not a zone cut)
> [...]
> >What do they mean, exactly? And should I be worrying about them?
> >They all seem to refer to PTR records (not all of them for IP
> >addresses in 95.101/16, but many of them are).
>
> There were some followups, but we never got anything from ISC.
>
> After upgrading to BIND 9.7.2-P3, they appear to have gone away, so
> I presume one of the changes (maybe 2970) has fixed them.

It would be part of change 2968.

2968.   [security]      Named could fail to prove a data set was insecure
                        before marking it as insecure.  One set of conditions
                        that can trigger this occurs naturally when rolling
                        DNSKEY algorithms.
                        CVE-2010-3614, VU#837744. [RT #22309]

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org