can't validate existing negative responses (no DS)
Lawrence K. Chen, P.Eng.
lkchen at ksu.edu
Wed Apr 2 20:08:19 UTC 2014
On 04/01/14 19:49, Lawrence K. Chen, P.Eng. wrote:
> Having problems with a particular insecure delegation (most are) from our zone
> file, that is only not working for local users (our caching resolvers running
> BIND 9.9.4-P2 or 9.9.5)
>
> But, everybody else reports it's working....it's working from my other location
> (FWIW, is the base bind for FreeBSD 9.2 - 9.8.4-P2?)
>
> Can't think of an easy way to tell if it's BIND or geography....
>
> In dnssec.log, I'm seeing messages of:
>
> validating @0x8063a2700: click.mail.nacada.ksu.edu A: can't validate existing
> negative responses (no DS)
> validating @0x8089d9800: click.mail.nacada.ksu.edu A: can't validate existing
> negative responses (no DS)
> validating @0x80abc9500: click.mail.nacada.ksu.edu A: can't validate existing
> negative responses (no DS)
> validating @0x8063a2700: click.mail.nacada.ksu.edu A: can't validate existing
> negative responses (no DS)
> validating @0x8089d9800: click.mail.nacada.ksu.edu A: can't validate existing
> negative responses (no DS)
>
> Flushing the cache or restarting doesn't help.
>
So, digging into things....I turned up trace. On my 9.9.4-P2 server:
http://pastebin.com/sQKHe15p
On my FreeBSD 9.2 system at home:
http://pastebin.com/JjQMG9CQ
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally