Insecurity proof failed

Mark Andrews marka at isc.org
Tue Mar 12 12:36:25 UTC 2024


Have you disabled EDNS to these servers in named.conf?  DNSSEC responses are only returned
if DO=1 is set in the request.  Named can learn that a server doesn’t support EDNS if it doesn’t
return EDNS responses consistently to EDNS requests.  If that happens named will send plain DNS
requests.

Mark

> On 12 Mar 2024, at 22:50, Borja Marcos <borjam at sarenet.es> wrote:
> 
> Hi,
> 
> This is driving me nuts. I have three BIND 9.18.24 running on FreeBSD. Two of them on FreeBSD 14, one on FreeBSD 13.2.
> 
> Just one of the servers is failing to resolve a single domain compared to the other two: checkpoint.com.
> 
> I get these errors:
> 
> <142>1 2024-03-12T11:36:21.957013+00:00 dnsanycast named 86604 - - insecurity proof failed resolving 'checkpoint.com/A/IN': 198.51.44.65#53
> <142>1 2024-03-12T11:36:21.941389+00:00 dnsanycast named 86604 - - insecurity proof failed resolving 'checkpoint.com/A/IN': 198.51.45.1#53
> <142>1 2024-03-12T11:36:21.924666+00:00 dnsanycast named 86604 - - insecurity proof failed resolving 'checkpoint.com/A/IN': 198.51.45.65#53
> <142>1 2024-03-12T11:36:21.907492+00:00 dnsanycast named 86604 - - insecurity proof failed resolving 'checkpoint.com/A/IN': 198.51.44.1#53
> 
> and these: validating checkpoint.com/A: got insecure response; parent indicates it should be secure
> 
> And ultimately my DNS server returns a SERVFAIL.
> 
> The puzzling thing is, the other two servers work (this is a check on a different server from the same pool).
> 
> ; <<>> DiG 9.18.24 <<>> @127.0.0.1 checkpoint.com.
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40171
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: aa16c8ceb3a9eee90100000065f0416206a44938e6d8f2b4 (good)
> ;; QUESTION SECTION:
> ;checkpoint.com. IN A
> 
> ;; ANSWER SECTION:
> checkpoint.com. 18 IN A 54.230.112.31
> checkpoint.com. 18 IN A 54.230.112.106
> checkpoint.com. 18 IN A 54.230.112.68
> checkpoint.com. 18 IN A 54.230.112.55
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> ;; WHEN: Tue Mar 12 11:49:54 UTC 2024
> ;; MSG SIZE  rcvd: 135
> 
> 
> 
> I have the same configuration, using dnssec-validation set to auto.
> 
> Any clue on what might be failing? I am really lost!
> 
> Thanks,
> 
> Borja.
> 
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
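As an added illustration of the EDNS/DO=1 point in Mark's reply (example code written for this page, not BIND's own code and not from ISC), the block below builds DNS queries in wire format with and without an EDNS(0) OPT record carrying the DO bit, inspects responses to see whether the OPT record came back, and applies a deliberately simplified model of the fallback a resolver performs: if EDNS queries consistently return no OPT record, the server is treated as EDNS-less and gets plain DNS queries, which can never carry DO=1 and so never yield the RRSIG/NSEC records a validator needs. The responses are constructed locally; the classification rule is an assumption for illustration and is not named's exact algorithm.

```python
"""Build DNS queries with/without EDNS(0)+DO and inspect responses for an OPT record."""
import struct

QTYPE_A = 1
TYPE_OPT = 41
DO_FLAG = 0x8000  # DNSSEC OK bit, high bit of the OPT RR's TTL field (RFC 3225)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels terminated by a zero-length label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name starting at `off` (handles compression pointers)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234,
                edns: bool = True, do: bool = True, udp_size: int = 1232) -> bytes:
    """Build a recursion-desired query; with edns=True append an OPT RR, DO set if do=True."""
    flags = 0x0100  # RD
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    if edns:
        # OPT RR: root name, type 41, class = UDP payload size, TTL = ext-rcode|version|DO|Z
        ttl = DO_FLAG if do else 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)
    return msg


def build_response(query: bytes, ip: str, echo_opt: bool, do: bool = True) -> bytes:
    """Constructed test helper: answer `query` with one A record, optionally echoing an OPT RR."""
    txid, flags, _, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    qend = skip_name(query, 12) + 4
    question = query[12:qend]
    arcount = 1 if echo_opt else 0
    header = struct.pack("!HHHHHH", txid, flags | 0x8080, 1, 1, 0, arcount)  # QR + RA
    # Answer name is a compression pointer to the question name at offset 12.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 18, 4)
    rr += bytes(int(octet) for octet in ip.split("."))
    msg = header + question + rr
    if echo_opt:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, DO_FLAG if do else 0, 0)
    return msg


def inspect_response(msg: bytes) -> dict:
    """Walk all sections and report rcode, answer count, and whether an OPT RR (and DO) is present."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # name + qtype + qclass
    info = {"rcode": flags & 0x000F, "answers": an, "has_opt": False, "do": False}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info["has_opt"] = True
            info["do"] = bool(ttl & DO_FLAG)
    return info


def classify_edns_support(responses) -> str:
    """Simplified model (assumption, not named's exact logic) of EDNS fallback.

    'edns'         every EDNS query got an OPT RR back: DO=1 can be honoured, DNSSEC data flows.
    'no-edns'      no EDNS query got an OPT RR back: a resolver may downgrade to plain DNS,
                   after which DO=1 can no longer be sent and validation fails.
    'inconsistent' mixed behaviour, typical of a flaky path or one misbehaving anycast member.
    """
    seen = [inspect_response(r)["has_opt"] for r in responses]
    if all(seen):
        return "edns"
    if not any(seen):
        return "no-edns"
    return "inconsistent"


if __name__ == "__main__":
    q = build_query("checkpoint.com")
    good = build_response(q, "54.230.112.31", echo_opt=True)
    stripped = build_response(q, "54.230.112.31", echo_opt=False)
    print("EDNS query bytes:", len(q), "plain query bytes:", len(build_query("checkpoint.com", edns=False)))
    print("good response:", inspect_response(good))
    print("OPT-stripped response:", inspect_response(stripped))
    print("classification:", classify_edns_support([good, stripped, stripped]))
```

When an authoritative path to one anycast member strips or never returns the OPT record, `inspect_response` shows `has_opt: False` and the classification drops to `no-edns` or `inconsistent`; that is the condition under which a validating resolver ends up asking without DO=1 and logging an insecurity proof failure like the ones quoted above. Comparing the same check from the working and failing resolvers narrows the problem to the network path or the named.conf server clauses rather than to DNSSEC itself.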
