Insecurity proof failed
Mark Andrews
marka at isc.org
Tue Mar 12 12:36:25 UTC 2024
Have you disabled EDNS to these servers in named.conf? DNSSEC responses are only returned
if DO=1 is set in the request. Named can learn that a server doesn’t support EDNS if it doesn’t
return EDNS responses consistently to EDNS requests. If that happens named will send plain DNS
requests.
Mark
> On 12 Mar 2024, at 22:50, Borja Marcos <borjam at sarenet.es> wrote:
>
> Hi,
>
> This is driving me nuts. I have three BIND 9.18.24 running on FreeBSD. Two of them on FreeBSD 14, one on FreeBSD 13.2.
>
> Just one of the servers is failing to resolve a single domain compared to the other two: checkpoint.com.
>
> I get these errors:
>
> <142>1 2024-03-12T11:36:21.957013+00:00 dnsanycast named 86604 - - insecurity proof failed resolving 'checkpoint.com/A/IN': 198.51.44.65#53
> <142>1 2024-03-12T11:36:21.941389+00:00 dnsanycast named 86604 - - insecurity proof failed resolving 'checkpoint.com/A/IN': 198.51.45.1#53
> <142>1 2024-03-12T11:36:21.924666+00:00 dnsanycast named 86604 - - insecurity proof failed resolving 'checkpoint.com/A/IN': 198.51.45.65#53
> <142>1 2024-03-12T11:36:21.907492+00:00 dnsanycast named 86604 - - insecurity proof failed resolving 'checkpoint.com/A/IN': 198.51.44.1#53
>
> and these: validating checkpoint.com/A: got insecure response; parent indicates it should be secure
>
> And ultimately my DNS server returns a SERVFAIL.
>
> The puzzling thing is, the other two servers work (this is a check on a different server from the same pool).
>
> ; <<>> DiG 9.18.24 <<>> @127.0.0.1 checkpoint.com.
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40171
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: aa16c8ceb3a9eee90100000065f0416206a44938e6d8f2b4 (good)
> ;; QUESTION SECTION:
> ;checkpoint.com. IN A
>
> ;; ANSWER SECTION:
> checkpoint.com. 18 IN A 54.230.112.31
> checkpoint.com. 18 IN A 54.230.112.106
> checkpoint.com. 18 IN A 54.230.112.68
> checkpoint.com. 18 IN A 54.230.112.55
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> ;; WHEN: Tue Mar 12 11:49:54 UTC 2024
> ;; MSG SIZE rcvd: 135
>
> I have the same configuration, using dnssec-validation set to auto.
>
> Any clue on what might be failing? I am really lost!
>
> Thanks,
>
>
> Borja.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
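Added example, not part of the thread above and not ISC's code: a minimal wire-format encoder/decoder that shows what the reply is pointing at. A query only gets RRSIGs back when it carries an EDNS(0) OPT record with the DO bit set (RFC 3225/RFC 6891); once named has decided a server does not answer EDNS consistently, it falls back to plain DNS (no OPT at all), and the resulting answer cannot contain RRSIGs, which is exactly what "got insecure response; parent indicates it should be secure" then reports. The sample messages are constructed here; the A address is taken from the dig output in the post, and the RRSIG RDATA is a placeholder since only its type matters for the check.

```python
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
DO_FLAG = 0x8000   # RFC 3225: DO is the top bit of the 16-bit flags in the OPT TTL
FLAG_AD = 0x0020   # RFC 4035: Authentic Data bit in the DNS header flags


def encode_name(name):
    """Wire-format an uncompressed domain name."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                         # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def opt_rr(do, udp_size=1232):
    """OPT pseudo-RR: root owner, CLASS = UDP payload size, TTL = ext-rcode|version|flags."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_FLAG if do else 0, 0)


def build_query(qname, qtype=TYPE_A, edns=True, do=True, txid=0x1234):
    """Recursive query; edns=False is the plain-DNS form named falls back to."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)   # RD=1
    return hdr + encode_name(qname) + struct.pack("!HH", qtype, 1) + (opt_rr(do) if edns else b"")


def build_response(query, rrs, edns=True, do=True, ad=False):
    """Constructed answer to query; rrs = [(owner, type, ttl, rdata), ...]."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = read_name(query, 12)
    flags = 0x8180 | (FLAG_AD if ad else 0)                                  # QR, RD, RA (+AD)
    hdr = struct.pack("!HHHHHH", txid, flags, 1, len(rrs), 0, 1 if edns else 0)
    body = b"".join(encode_name(n) + struct.pack("!HHIH", t, 1, ttl, len(rd)) + rd
                    for n, t, ttl, rd in rrs)
    return hdr + query[12:qend + 4] + body + (opt_rr(do) if edns else b"")


def parse_response(msg):
    """Header bits, whether an OPT record (and DO) is present, and the RR types seen."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4
    info = {"rcode": flags & 0xF, "ad": bool(flags & FLAG_AD), "edns": False, "do": False, "types": []}
    for _ in range(an + ns + ar):
        _, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info["edns"], info["do"] = True, bool(ttl & DO_FLAG)
        else:
            info["types"].append(rtype)
    return info


def classify(info):
    """Why a response does or does not carry DNSSEC data."""
    if TYPE_RRSIG in info["types"]:
        return "signed"
    if not info["edns"]:
        return "plain"        # no OPT at all: DO could not be set, so no RRSIGs are possible
    if not info["do"]:
        return "edns-no-do"   # EDNS present but DO=0: server correctly omits RRSIGs
    return "unsigned"         # DO=1 yet no RRSIG: the server really answered unsigned


# Constructed sample traffic (address from the post's dig output, RRSIG RDATA a placeholder).
A_RDATA, RRSIG_RDATA = bytes([54, 230, 112, 31]), bytes(24)
SIGNED = build_response(build_query("checkpoint.com"),
                        [("checkpoint.com.", TYPE_A, 18, A_RDATA),
                         ("checkpoint.com.", TYPE_RRSIG, 18, RRSIG_RDATA)], ad=True)
PLAIN = build_response(build_query("checkpoint.com", edns=False),
                       [("checkpoint.com.", TYPE_A, 18, A_RDATA)], edns=False)
EDNS_NO_DO = build_response(build_query("checkpoint.com", do=False),
                            [("checkpoint.com.", TYPE_A, 18, A_RDATA)], do=False)

if __name__ == "__main__":
    for label, msg in (("signed", SIGNED), ("plain", PLAIN), ("edns-no-do", EDNS_NO_DO)):
        print(label, parse_response(msg), "->", classify(parse_response(msg)))
```

Against the real servers the equivalent check is `dig +dnssec @198.51.44.65 checkpoint.com A` (DO=1, expect RRSIGs in the answer) next to `dig +noedns @198.51.44.65 checkpoint.com A` (plain DNS, no RRSIGs possible), and, for the question Mark asks, a grep of named.conf for a `server 198.51.44.65 { edns no; };` style clause covering those addresses.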