9.6.1-P1 log message
David Forrest
drf at maplepark.com
Tue Aug 25 17:29:21 UTC 2009
On Tue, 25 Aug 2009, Jeremy C. Reed wrote:
> On Tue, 25 Aug 2009, David Forrest wrote:
>
>> What do I have to do to correct whatever is causing this log message from
>> named (9.6.1-P1-RedHat-9.6.1-4.P1.fc11)?
>>
>> validating @0x7f9f2c60c200: dns1.registeredsite.com.dlv.isc.org DS: must be
>> secure failure
>
> May need more context for this (like higher debug level for DNSSEC
> category). (I have patches for improving the DNSSEC logging which are
> planned for upcoming BIND release.)
>
> This may be:
>
> "must be secure failure, no DS and this is a delegation"
>
> "must be secure failure, key is insecure, so mark the data as insecure
> also."
>
> "must be secure failure, no supported algorithm/digest (dlv)"
>
> "must be secure failure (DS)"
>
> "must be secure failure, no supported algorithm/digest (DS)"
>
> "must be secure failure, DLV lookup from a DLV subdomain"
>
> "must be secure failure, DLV lookup from a DLV subdomain?"
>
> "must be secure failure, not beneath secure root"
>
> "must be secure failure at '%s', can't fall back to DLV"
>
> "must be secure failure, no DS at zone cut (zone)"
>
> "must be secure failure, is a delegation but no DS at zone cut (cache)"
>
> "must be secure failure, no supported algorithm/digest (%s/DS)"
>
> Sorry this probably doesn't help much.
>
Thanks for the note anyway, Jeremy. I got another response off-list, and
since I'm not really using DNSSEC for anything, I just changed my options
to:
dnssec-enable no;
dnssec-validation no;
and that seems to have done it.
Dave
--
David Forrest
St. Louis, Missouri
More information about the bind-users
mailing list