Querying directly a nameserver works, while forwarding not
Hauke Lampe
lampe at hauke-lampe.de
Wed Dec 5 17:29:22 UTC 2012
On 05.12.2012 14:59, Daniele Imbrogino wrote:
> resolv.conf contains only 127.0.0.1 as nameserver.
>
> The syslog contains a lot of errors as "insecurity proof failed", "no valid
> RRSIG", "got insecure response" that I don't understand.
Your forwarder probably doesn't handle DNSSEC responses well. Therefore
your BIND cannot validate the answers and returns a failure code.
Either update the forwarder/enable DNSSEC (older versions of BIND 9
require "dnssec-enable yes;" in the options clause), or disable DNSSEC
validation in your local BIND (set "dnssec-validation no;").
Hauke
More information about the bind-users
mailing list