9.6.1-P1 log message
marka at isc.org
Wed Aug 26 00:12:55 UTC 2009
In message <alpine.LFD.2.01.0908250838190.14151 at maplepark.com>, David Forrest w
> What do I have to do to correct whatever is causing this log message from
> named (9.6.1-P1-RedHat-9.6.1-4.P1.fc11)?
> validating @0x7f9f2c60c200: dns1.registeredsite.com.dlv.isc.org DS: must be s
> ecure failure
This is ususally because named has fallen back to plain DNS. Please
ensure that you have a clean EDNS path and any forwarders you use
also have clean EDNS paths.
A clean EDNS path will accept EDNS responses upto 4096 bytes in
size. Firewalls and DNS proxies in SOHO routers are known devices
which interfere with this. Sometimes intentionally (firewalls) and
some unintentionally (SOHO routers).
Firewalls must be configured to accept DNS responses bigger than
512 bytes. They and SOHO routers also need to handle fragmented
A flakey link can also cause fallback to plain EDNS when too many
The dlv namespace is marked as "must-be-secure" by named as a side
effect of dnssec-lookaside clause.
> Thanks in advance,
> David Forrest
> St. Louis, Missouri
> bind-users mailing list
> bind-users at lists.isc.org
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users