Insecurity proof failed

Borja Marcos borjam at sarenet.es
Tue Mar 12 11:50:28 UTC 2024


Hi,

This is driving me nuts. I have three BIND 9.18.24 servers running on FreeBSD. Two of them on FreeBSD 14, one on FreeBSD 13.2.

Just one of the servers is failing to resolve a single domain compared to the other two: checkpoint.com.

I get these errors:

<142>1 2024-03-12T11:36:21.957013+00:00 dnsanycast named 86604 - - insecurity proof failed resolving 'checkpoint.com/A/IN': 198.51.44.65#53
<142>1 2024-03-12T11:36:21.941389+00:00 dnsanycast named 86604 - - insecurity proof failed resolving 'checkpoint.com/A/IN': 198.51.45.1#53
<142>1 2024-03-12T11:36:21.924666+00:00 dnsanycast named 86604 - - insecurity proof failed resolving 'checkpoint.com/A/IN': 198.51.45.65#53
<142>1 2024-03-12T11:36:21.907492+00:00 dnsanycast named 86604 - - insecurity proof failed resolving 'checkpoint.com/A/IN': 198.51.44.1#53

and these:

validating checkpoint.com/A: got insecure response; parent indicates it should be secure

And ultimately my DNS server returns a SERVFAIL.

The puzzling thing is, the other two servers work (this is a check on a different server from the same pool).

; <<>> DiG 9.18.24 <<>> @127.0.0.1 checkpoint.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40171
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: aa16c8ceb3a9eee90100000065f0416206a44938e6d8f2b4 (good)
;; QUESTION SECTION:
;checkpoint.com. IN A

;; ANSWER SECTION:
checkpoint.com. 18 IN A 54.230.112.31
checkpoint.com. 18 IN A 54.230.112.106
checkpoint.com. 18 IN A 54.230.112.68
checkpoint.com. 18 IN A 54.230.112.55

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Mar 12 11:49:54 UTC 2024
;; MSG SIZE  rcvd: 135



I have the same configuration, using dnssec-validation set to auto.

Any clue on what might be failing? I am really lost!

Thanks,

Borja.
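
An added example, not part of the original post: a small parser for the syslog lines quoted above that groups named's "insecurity proof failed" messages by resolver host and queried name, so logs from several resolvers in a pool can be compared side by side. The function names and the last sample line are assumptions made for this example.

```python
import re
from collections import defaultdict

# RFC 5424 layout as seen in the post: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG
SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"\S+ \S+ \S+ (?P<msg>.*)$"
)
# named message: insecurity proof failed resolving 'name/type/class': addr#port
PROOF = re.compile(
    r"insecurity proof failed resolving "
    r"'(?P<name>[^/']+)/(?P<type>[^/']+)/(?P<cls>[^']+)': "
    r"(?P<addr>[0-9A-Fa-f:.]+)#(?P<port>\d+)"
)

# The first four lines are quoted from the post; the last one is constructed.
SAMPLE = [
    "<142>1 2024-03-12T11:36:21.957013+00:00 dnsanycast named 86604 - - insecurity proof failed resolving 'checkpoint.com/A/IN': 198.51.44.65#53",
    "<142>1 2024-03-12T11:36:21.941389+00:00 dnsanycast named 86604 - - insecurity proof failed resolving 'checkpoint.com/A/IN': 198.51.45.1#53",
    "<142>1 2024-03-12T11:36:21.924666+00:00 dnsanycast named 86604 - - insecurity proof failed resolving 'checkpoint.com/A/IN': 198.51.45.65#53",
    "<142>1 2024-03-12T11:36:21.907492+00:00 dnsanycast named 86604 - - insecurity proof failed resolving 'checkpoint.com/A/IN': 198.51.44.1#53",
    "<142>1 2024-03-12T11:36:22.000000+00:00 dnsanycast named 86604 - - constructed unrelated message",
]

def parse_line(line):
    """Return a dict for an 'insecurity proof failed' line, else None."""
    hdr = SYSLOG.match(line.strip())
    if hdr is None or hdr["app"] != "named":
        return None
    msg = PROOF.search(hdr["msg"])
    if msg is None:
        return None
    pri = int(hdr["pri"])  # PRI = facility * 8 + severity
    return {
        "resolver": hdr["host"], "time": hdr["ts"],
        "facility": pri // 8, "severity": pri % 8,
        "qname": msg["name"], "qtype": msg["type"],
        "upstream": msg["addr"],
    }

def summarize(lines):
    """Map (resolver, qname, qtype) -> sorted upstream addresses that failed."""
    failed = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            failed[(rec["resolver"], rec["qname"], rec["qtype"])].add(rec["upstream"])
    return {key: sorted(addrs) for key, addrs in failed.items()}

if __name__ == "__main__":
    for (resolver, qname, qtype), addrs in summarize(SAMPLE).items():
        print(f"{resolver}: {qname}/{qtype} failed via {', '.join(addrs)}")
```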

