. SOA: got insecure response
Gilles Massen
gilles.massen at restena.lu
Wed Jul 21 07:20:21 UTC 2010
Hello,
Since enabling the root TA in my resolver, I keep seeing from time to time:
21-Jul-2010 08:52:27.929 dnssec: debug 3: validating @0x134fe7e8: .
SOA: attempting insecurity proof
21-Jul-2010 08:52:27.929 dnssec: debug 3: validating @0x134fe7e8: .
SOA: insecurity proof failed
21-Jul-2010 08:52:27.929 dnssec: info: validating @0x134fe7e8: . SOA:
got insecure response; parent indicates it should be secure
Otherwise validation just works fine and mostly I see these:
validating @0x134fe7e8: . SOA: marking as secure, noqname proof not needed
Following an earlier comment on this list by Mark Andrews (
http://www.mail-archive.com/bind-users@lists.isc.org/msg04276.html )
I've checked the answers given by the 13 root instances (ipv4 and 6),
and all answer to "dig . soa +dnssec" just fine.
Trying to capture . SOA queries from the resolver (by a crude
tcpdump/grep) failed to show something useful.
Any idea what could be the reason for these messages, and how to
confirm/retrace the events that lead to such messages? Could it be that
lame auth server with a local (unsigned) copy of the root zone triggers
this?
best regards,
Gilles
--
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473
More information about the bind-users
mailing list