"can't validate existing negative responses (not a zone cut)" messages

Chris Thompson cet1 at cam.ac.uk
Sun Oct 24 20:18:41 UTC 2010


On Oct 22 2010, Tony Finch wrote:

>On Sun, 3 Oct 2010, Chris Thompson wrote:
>>
>> Oct  3 16:53:10 dnssec: warning: validating @14c9cd70:
>>  98.206.101.95.IN-ADDR.ARPA PTR:
>>  can't validate existing negative responses (not a zone cut)
>>
>> What do they mean, exactly? And should I be worrying about them?
>> They all seem to refer to PTR records (not all of them for IP
>> addresses in 95.101/16, but many of them are).
>
>BIND is trying to prove that there is a valid secure -> insecure
>transition. It has found a cached NXDOMAIN response that has not been
>validated. The comment above the logger call says:
>
>	/*
>	 * This shouldn't happen, since the negative
>	 * response should have been validated.  Since
>	 * there's no way of validating existing
>	 * negative response blobs, give up.
>	 */

Thanks for scouring the code for this ...

We are still seeing lots of these messages, and it would be helpful
to know if others are as well, because I don't think there is anything
very unusual about our configuration. (Of course, some official comment
from ISC might be even more welcome.)

We have two main recursive nameservers, hereinafter recdns0 & recdns1.
Their configurations are identical as regards DNSSEC validation (a
trust anchor for the root zone and lookaside via dlv.isc.org) and
they both run BIND 9.7.2-P2. In the last week

  recdns0 logged 3 messages of this type
  recdns1 logged 398 messages of this type

This inequality has become progressively more marked the longer
the servers have been running. The most obvious difference between
the servers is that recdns0 is more heavily loaded, and runs up
against its max-cache-size setting while recdns1 does not. recdns0
also receives a higher proportion of PTR queries (25% vs 18%) and
has a far higher proportion of them in its cache (probably as a
result of being favored by users doing retrospective log analysis).

Looking at the messages for the last week, there is just one each
for (the same) forward zone:

Oct 17 09:51:28 recdns0: dnssec: warning: validating @1bf2b9b8:
  www.labourservative.org AAAA: can't validate existing negative
  responses (not a zone cut)

and all the rest are for PTR requests for reverse IPv4 addresses.
The great majority, if not all of them, are for lookups that should
receive an NXDOMAIN from the servers for the top-level NNN.in-addr.arpa
domain, and these all seem to be ones owned by RIPE. (The trust
anchors for those are imported into dlv.isc.org, of course.)

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
