. SOA: got insecure response
Alexander Gall
gall at switch.ch
Wed Jul 21 08:02:45 UTC 2010
On Wed, 21 Jul 2010 09:20:21 +0200, Gilles Massen <gilles.massen at restena.lu> said:
> Hello,
> Since enabling the root TA in my resolver, I keep seeing from time to time:
> 21-Jul-2010 08:52:27.929 dnssec: debug 3: validating @0x134fe7e8: .
> SOA: attempting insecurity proof
> 21-Jul-2010 08:52:27.929 dnssec: debug 3: validating @0x134fe7e8: .
> SOA: insecurity proof failed
> 21-Jul-2010 08:52:27.929 dnssec: info: validating @0x134fe7e8: . SOA:
> got insecure response; parent indicates it should be secure
I've seen this for various top-level domains for which I have trust
anchors configured as well. I could never track this down either, but I
suspect it has nothing to do with the authoritative servers.
--
Alex
> Otherwise validation just works fine and mostly I see these:
> validating @0x134fe7e8: . SOA: marking as secure, noqname proof not needed
> Following an earlier comment on this list by Mark Andrews (
> http://www.mail-archive.com/bind-users@lists.isc.org/msg04276.html )
> I've checked the answers given by the 13 root instances (ipv4 and 6),
> and all answer to "dig . soa +dnssec" just fine.
> Trying to capture . SOA queries from the resolver (by a crude
> tcpdump/grep) failed to show something useful.
> Any idea what could be the reason for these messages, and how to
> confirm/retrace the events that lead to such messages? Could it be that
> a lame auth server with a local (unsigned) copy of the root zone triggers
> this?
> best regards,
> Gilles
> --
> Fondation RESTENA - DNS-LU
> 6, rue Coudenhove-Kalergi
> L-1359 Luxembourg
> tel: (+352) 424409
> fax: (+352) 422473