validation error

Mark Andrews marka at isc.org
Wed Dec 12 20:45:56 UTC 2012


In message <55592.216.191.251.36.1355342351.squirrel at secure.webcon.ca>, "Robert
 Hardy" writes:
> I've got bind 9.8.1-P1 setup as a DNSSEC validating name server.
> af.mil uses DNSSEC and various web based external validation tools seem
> happy with their setup. I've turned up my logging for DNSSEC validation
> and in bind for af.mil/DNSKEY only always fails validation. It seems
> perfectly happy with other records in the domain. When validation fails
> the error below is being logged:
> Dec 11 15:29:12 ahostname named[25509]: error (insecurity proof failed)
> resolving 'af.mil/DNSKEY/IN': 199.252.162.234#53
> 
> Would anyone know why this is happening?

The .mil servers are broken.  When you fall back to TCP due to TC=1 in the
UDP response you get an empty response.

Mark
 
; <<>> DiG 9.10.0pre-alpha <<>> af.mil @199.252.154.234 +norec +dnssec dnskey +bufsize=1024 +ignore +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56950
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1024
;; QUESTION SECTION:
;af.mil.				IN	DNSKEY

;; Query time: 271 msec
;; SERVER: 199.252.154.234#53(199.252.154.234)
;; WHEN: Thu Dec 13 07:44:32 EST 2012
;; MSG SIZE  rcvd: 35
> Regards,
> Rob
> 
> -- 
> ---------------------"Happiness is understanding."----------------------
> Robert Hardy                                          C.E.O. Webcon Inc.
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org