9.6.1-P1 log message

Mark Andrews marka at isc.org
Wed Aug 26 00:12:55 UTC 2009


In message <alpine.LFD.2.01.0908250838190.14151 at maplepark.com>, David Forrest writes:
> What do I have to do to correct whatever is causing this log message from 
> named (9.6.1-P1-RedHat-9.6.1-4.P1.fc11)?
> 
> validating @0x7f9f2c60c200: dns1.registeredsite.com.dlv.isc.org DS: must be secure failure

This is usually because named has fallen back to plain DNS.  Please
ensure that you have a clean EDNS path and any forwarders you use
also have clean EDNS paths.

A clean EDNS path will accept EDNS responses up to 4096 bytes in
size.  Firewalls and DNS proxies in SOHO routers are known devices
which interfere with this.  Sometimes intentionally (firewalls) and
sometimes unintentionally (SOHO routers).

Firewalls must be configured to accept DNS responses bigger than
512 bytes.  They and SOHO routers also need to handle fragmented
responses.

A flaky link can also cause fallback to plain EDNS when too many
transactions time out.

The dlv namespace is marked as "must-be-secure" by named as a side
effect of the dnssec-lookaside clause.

Mark

> Thanks in advance,
> Dave
> -- 
> David Forrest 
> St. Louis, Missouri
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
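The "clean EDNS path" check Mark describes can be done by hand with `dig +dnssec +bufsize=4096 <name> DS @<resolver>` and looking for the OPT pseudosection in the reply. The script below is an added example written for this thread, not code from the list post or from BIND: it builds a DNS query carrying an OPT record that advertises a 4096-byte UDP buffer and the DO bit (the same thing a validating named sends), sends it to a resolver you name, and reports whether the OPT record survived the path, whether the answer came back truncated, or whether it timed out. Only the Python 3 standard library is used; the resolver address is a command-line argument and the sample responses used for offline checking are constructed here, not captured packets.

```python
import socket
import struct
import sys

# Name taken from the log line in the thread; the query type (43 = DS) matches
# the record named was validating. Anything else here is an assumption.
DEFAULT_QNAME = "dlv.isc.org"
QTYPE_DS = 43
TYPE_OPT = 41


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels plus a root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_edns_query(qname=DEFAULT_QNAME, qtype=QTYPE_DS, txid=0x1234,
                     bufsize=4096, do_bit=True):
    """Build a recursive query with one OPT RR advertising `bufsize` and DO."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 additional RR
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = ext-rcode(8) | version(8) | flags(16), RDLENGTH 0.
    flags = 0x8000 if do_bit else 0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, bufsize, 0, 0, flags, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def inspect_response(msg):
    """Walk all sections and report TC bit, RCODE and the OPT RR if one is present."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    opt = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_OPT:
            opt = {"udp_payload": rclass,
                   "version": (ttl >> 16) & 0xFF,
                   "do": bool(ttl & 0x8000)}
        off += rdlen
    return {"tc": bool(flags & 0x0200), "rcode": flags & 0xF, "opt": opt}


def assess(resp):
    """Turn the parsed response into the diagnosis a named operator cares about."""
    if resp["rcode"] == 1:
        return "FORMERR: responder or middlebox rejects EDNS; named will fall back to plain DNS"
    if resp["opt"] is None:
        return "no OPT RR in reply: EDNS stripped on the path or unsupported by the responder"
    if resp["tc"]:
        return "reply truncated despite EDNS: large/fragmented responses are not getting through"
    return "EDNS preserved (responder advertises %d bytes, DO=%s)" % (
        resp["opt"]["udp_payload"], resp["opt"]["do"])


def build_sample_response(qname=DEFAULT_QNAME, with_opt=True, tc=False):
    """Constructed reply for offline checking; not a packet captured from any server."""
    flags = 0x8180 | (0x0200 if tc else 0)             # QR, RD, RA (+TC)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1 if with_opt else 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_DS, 1)
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0) if with_opt else b""
    return header + question + opt


def probe(server, qname=DEFAULT_QNAME, bufsize=4096, timeout=3.0):
    """Send the EDNS query over UDP and parse whatever comes back."""
    query = build_edns_query(qname, bufsize=bufsize)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(65535)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return inspect_response(data)


if __name__ == "__main__":
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumed default
    try:
        print(assess(probe(resolver)))
    except socket.timeout:
        print("timeout: no reply; repeated timeouts are the 'flaky link' fallback case")
```

Run it against named itself and then against each forwarder named uses; a clean path gives "EDNS preserved" from every hop, while a missing OPT record, a FORMERR or a truncated reply points at the firewall or SOHO proxy in between. The parser tolerates compressed names so it also works on real replies with answer and authority sections.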