. SOA: got insecure response

Gilles Massen gilles.massen at restena.lu
Thu Jul 22 14:45:33 UTC 2010


Mark,

> Named has to deal with mutually incompatible scenarios.  DNSSEC
> which requires EDNS and nameservers and firewalls which drop EDNS
> requests so named has to turn off EDNS to get answers back.
> Occasionally a set of answers will take too long to get back to
> named or are lost due to network problems and named will fallback
> to issuing plain DNS queries which will of course fail validation
> if the zone is secure and you have a trusted path from a trust
> anchor to that zone.  Named will normally re-issue the queries
> and get an answer that can be validated as it tries again to use
> EDNS.
> 
> This will happen more often if you have network equipment that is
> blocking large DNS responses (>512 or network MTU) but still lets
> through EDNS responses.
> 
> If you see this you should also look for congested network paths
> and paths with long delays.

We have a root-server instance in our building, and reach most others
over excellent lines. So while link issues might account for some of
these messages, I don't think it's all of them. Especially as I don't
expect the resolver to query for '. SOA' very often. Or is this
triggered by each (unsigned) response to a question asking for a
nonexistent TLD?

Is there a way to get bind to tell the entire story by enabling debug in
specific categories?

Gilles

-- 
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473
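As an added illustration of the per-category debugging asked about above (not part of the original thread, and not the author's configuration), the following named.conf logging fragment sends the categories relevant to EDNS fallback and validation failures to a dedicated file; the channel name and log path are assumptions.

```conf
// Added example (not from the thread): route the categories that
// explain "got insecure response" and EDNS fallback into one file.
// Channel name and file path are assumptions; adjust to local layout.
logging {
    channel dnssec_debug {
        file "/var/log/named/dnssec-debug.log" versions 5 size 20m;
        severity debug 3;      // fixed debug level for this channel only
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    // Validator results, including "got insecure response" messages
    category dnssec        { dnssec_debug; };
    // Servers for which named has fallen back to plain (non-EDNS) queries
    category edns-disabled { dnssec_debug; };
    // Resolver retries, timeouts and fallback decisions
    category resolver      { dnssec_debug; };
    // Authoritative servers that failed to answer properly for a zone
    category lame-servers  { dnssec_debug; };
};
```

Correlating the timestamps of `edns-disabled` entries with the `dnssec` entries shows whether a validation failure followed an EDNS fallback for the same server, which is the sequence described in the quoted reply.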
