. SOA: got insecure response
Gilles Massen
gilles.massen at restena.lu
Thu Jul 22 14:45:33 UTC 2010
Mark,
> Named has to deal with mutually incompatible scenarios. DNSSEC
> which requires EDNS and nameservers and firewalls which drop EDNS
> requests so named has to turn off EDNS to get answers back.
> Occasionally a set of answers will take too long to get back to
> named or are lost due to network problems and named will fallback
> to issuing plain DNS queries which will of course fail validation
> if the zone is secure and you have a trusted path from a trust
> anchor to that zone. Named will normally re-issue the queries
> and get an answer that can be validated as it tries again to use
> EDNS.
>
> This will happen more often if you have network equipment that is
> blocking large DNS responses (>512 or network MTU) but still lets
> through EDNS responses.
>
> If you see this you should also look for congested network paths
> and paths with long delays.
We have a root-server instance in our building, and reach most others
over excellent lines. So while link issues might account for some of
these messages, I don't think it's all of them. Especially as I don't
expect the resolver to query for '. SOA' very often. Or is this
triggered by each (unsigned) response to a question asking for a
nonexistent TLD?
Is there a way to get bind to tell the entire story by enabling debug in
specific categories?
Gilles
--
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473
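An added illustration, not part of this thread or of BIND, of the mechanism Mark describes: the same '. SOA' query in its EDNS (DO bit set) and plain-DNS fallback forms, and a check of which form a response came back in. It uses only the Python standard library and constructed wire-format messages; function names are my own, and the RDATA in the test is dummy bytes, not a real SOA or RRSIG.

```python
import struct

SOA, OPT, RRSIG, DO_BIT, TC_BIT = 6, 41, 46, 1 << 15, 0x0200  # RR types; DO (OPT TTL); TC (flags)

def encode_name(name):
    # The root "." encodes as a single zero-length label.
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_message(qname, qtype, flags=0x0100, answers=(), edns=True, do=True, udp_size=4096):
    """Build a wire-format message; answers is a list of (owner, type, rdata) RRs.
    edns=False is the plain-DNS form named falls back to: no OPT, so no DO, so no RRSIGs."""
    pkt = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 1 if edns else 0)
    pkt += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in answers:
        pkt += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    if edns:  # OPT pseudo-RR: root owner, CLASS = UDP payload size, TTL = ext-rcode|version|DO|Z
        pkt += b"\x00" + struct.pack("!HHIH", OPT, udp_size, DO_BIT if do else 0, 0)
    return pkt

def skip_name(pkt, off):
    while pkt[off] != 0:
        if pkt[off] & 0xC0 == 0xC0:      # compression pointer: two bytes end the name
            return off + 2
        off += 1 + pkt[off]
    return off + 1

def inspect(pkt):
    # Report the facts a validator cares about: TC, EDNS/DO presence, RRSIG count.
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4    # skip QTYPE and QCLASS
    info = {"tc": bool(flags & TC_BIT), "edns": False, "do": False, "rrsigs": 0}
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10 + rdlen
        if rtype == OPT:
            info["edns"], info["do"] = True, bool(ttl & DO_BIT)
        elif rtype == RRSIG:
            info["rrsigs"] += 1
    return info

def classify(response):
    i = inspect(response)
    if i["tc"]:
        return "truncated"               # larger than the advertised UDP size: retry over TCP
    if not i["edns"]:
        return "no-edns"                 # plain-DNS fallback: DO cannot be set, RRSIGs never arrive
    return "signed" if i["rrsigs"] else "unsigned"
```

A '. SOA' answer that arrives without an OPT record cannot carry signatures, so a validating resolver that fell back to plain DNS will log it as insecure until the EDNS retry succeeds.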