DS record in child zone
ryslink@dialtelecom.cz
daniel.ryslink at dialtelecom.cz
Mon Jan 31 10:49:47 UTC 2011
Hello, we have a DNS resolver running the latest 9.7 bind version, and
there is a problem with several zones from these authoritative servers
(frantovo.cz is just and example, the problem prevails in all signed
zones from these authoritative servers):
frantovo.cz. 3111 IN NS ns.forpsi.net.
frantovo.cz. 3111 IN NS ns.forpsi.cz.
frantovo.cz. 3111 IN NS ns.forpsi.it.
Our resolver logis this:
31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000:
frantovo.cz NS: starting
31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000:
frantovo.cz NS: attempting insecurity proof
31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000:
frantovo.cz NS: checking existence of DS at 'cz'
31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000:
frantovo.cz NS: checking existence of DS at 'frantovo.cz'
31-Jan-2011 11:45:30.837 dnssec: debug 3: validating @0xd69c000:
frantovo.cz NS: insecurity proof failed
31-Jan-2011 11:45:30.837 dnssec: info: validating @0xd69c000:
frantovo.cz NS: got insecure response; parent indicates it should be secure
The problem arises from the fact that all these servers fail to respond
to queries on DS record for their zones:
# dig @ns.forpsi.cz frantovo.cz ds
; <<>> DiG 9.7.2-P2 <<>> @ns.forpsi.cz frantovo.cz ds
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
Which is strange, because according to RFCs, the DS record for a given
zone is required only in the parent zone, not the child zone itself.
Does BIND query for the existence of a DS record in the child zone, and
if so, why? Or is the cause of the problem different?
Any advice would be welcome, thanks in advance.
Best Regards
Daniel Ryslink
More information about the bind-users
mailing list