Insecure response BIND 9.7.0b2
Mark Andrews
marka at isc.org
Thu Nov 19 22:27:35 UTC 2009
In message <alpine.LFD.2.01.0911191304100.24071 at maplepark.com>, David Forrest writes:
> Logged:
> Nov 19 12:13:45 maplepark named[23329]: validating @0x17b7980:
> dlv.isc.org SOA: got insecure response; parent indicates it should be
> secure
>
> What does this mean?
It means named fell back to making a plain DNS query due to multiple
timeouts, or getting a SERVFAIL response to the EDNS queries, or
something stripped out the RRSIGs, or there was an attempt to poison
the cache. The validator then rejected the answer as it knew it
should be getting a secure response. In most cases named will re-do
the query and get a good answer unless there is a configuration failure.
Unfortunately there are nameservers that don't respond to EDNS
queries. There are also firewalls that block DNS/UDP responses
bigger than 512 bytes or block EDNS queries/responses 10 years after the
introduction of EDNS. There is also middleware that blocks/drops
DNS/UDP responses that are fragmented. All of these things result
in DNS lookups timing out, which is indistinguishable from plain
packet loss.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
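Added example, not part of Mark's reply or of BIND itself: a small Python script that parses named syslog lines of the kind David quoted and counts how often the validator rejected an insecure answer per name and record type. A single rejection is usually the transient fallback Mark describes (named re-queries and gets a good answer); repeated rejections for the same name point at a path that drops EDNS or fragmented UDP, or at a configuration failure worth investigating. The sample log text is constructed (the first line is the quoted one re-joined; the others are assumed follow-up entries), and the `threshold` value and the regular expression's assumption that every message has the form `validating @0x...: <name> <type>: <text>` are this example's own.

```python
import re
from collections import Counter

# Constructed sample input. Line 1 is the line quoted in the thread,
# re-joined; lines 2-4 are assumed follow-up entries, not from the thread.
SAMPLE_LOG = """\
Nov 19 12:13:45 maplepark named[23329]: validating @0x17b7980: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
Nov 19 12:13:46 maplepark named[23329]: validating @0x17b7980: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
Nov 19 12:13:47 maplepark named[23329]: validating @0x17b7980: example.net A: got insecure response; parent indicates it should be secure
Nov 19 12:13:48 maplepark named[23329]: validating @0x17b7980: example.net A: no valid signature found
"""

# Assumed message layout: syslog prefix, then "validating @0x<addr>: <name> <type>: <text>".
VALIDATING_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[(?P<pid>\d+)\]: "
    r"validating @0x[0-9a-f]+: (?P<name>\S+) (?P<rrtype>[A-Z0-9]+): (?P<msg>.*)$"
)

INSECURE_MSG = "got insecure response; parent indicates it should be secure"


def parse_validator_events(log_text):
    """Return one dict per 'validating' line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = VALIDATING_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def insecure_fallback_counts(events):
    """Count insecure-response rejections per (name, rrtype)."""
    counts = Counter()
    for ev in events:
        if ev["msg"] == INSECURE_MSG:
            counts[(ev["name"], ev["rrtype"])] += 1
    return counts


def classify(counts, threshold=2):
    """Split names into transient (fewer than threshold rejections) and
    persistent (threshold or more). The threshold is an assumed,
    operator-tunable value: one rejection normally means named fell back
    to plain DNS once and then re-queried successfully; repeats suggest
    EDNS/fragment filtering on the path or a configuration failure."""
    transient, persistent = {}, {}
    for key, n in counts.items():
        (persistent if n >= threshold else transient)[key] = n
    return transient, persistent


if __name__ == "__main__":
    evs = parse_validator_events(SAMPLE_LOG)
    trans, pers = classify(insecure_fallback_counts(evs))
    for (name, rrtype), n in sorted(pers.items()):
        print(f"persistent: {name} {rrtype} rejected {n} times; check EDNS/fragment path")
    for (name, rrtype), n in sorted(trans.items()):
        print(f"transient:  {name} {rrtype} rejected {n} time(s)")
```

Feed it `journalctl -u named` or the syslog file named writes to instead of `SAMPLE_LOG`; the names that land in `persistent` are the ones to test with a large EDNS query from the resolver host, which is the firewall/middleware problem Mark points to.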