"*.dlv.isc.org DS: must be secure" warnings [was: Re: 9.6.1-P1 log message]

Chris Thompson cet1 at cam.ac.uk
Sat Sep 26 21:48:40 UTC 2009

Back in August there was a thread on bind-users about messages
of the shape

  validating @[hex]: [name].dlv.isc.org DS: must be secure failure

(these are category "dnssec" severity "warning") and on 31 August I wrote:

>We have been running two production recursive nameservers validating against
>dlv.isc.org since 9 June, and first saw a batch of messages (for both servers)
>like this on 20 July. We reported them to ISC and got suggestions along the
>lines of Mark's above, along with an admission that current versions of BIND
>give up on EDNS too easily in situations they maybe shouldn't, which may be
>fixed in future releases.
>Since then we have had a trickle of such warning messages in the logs. We
>assume that they are the result of temporary network glitches somewhere,
>but their frequency appears to be increasing, which is somewhat worrying.
>It's also not clear whether any client queries are actually failing as a
>result, or whether BIND is simply trying another dlv.isc.org nameserver
>with better luck.

I have been looking at this again, and in fact there was a step function
on 21 August when the messages rose from almost nil to 15-20 per day, and
then fell back to almost nil after 15 September (we've seen just one since
then). We have been running BIND 9.6.1-P1 throughout.

I would be very interested to know whether other recursive nameserver
operators validating via dlv.isc.org have seen a similar pattern. I am
prepared to believe that the frequency is related to transient network
errors or delays, but I have no idea whether they are likely to be local
or at the dlv.isc.org server end.

Chris Thompson
Email: cet1 at cam.ac.uk
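Added example, not code from the original post or from BIND: a small Python script that pulls the "DS: must be secure failure" warnings out of a named log, zero-fills a per-day count (so quiet days show up as 0 rather than vanishing), flags the kind of step change described in the post, and lists which zones under dlv.isc.org were involved. The sample log lines are constructed; the "dd-Mon-yyyy hh:mm:ss.mmm category: severity:" prefix is assumed to be the default named.log layout, and the step-change thresholds (`factor`, `floor`) are arbitrary choices.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

DLV_SUFFIX = ".dlv.isc.org"

# Constructed sample log lines, not taken from the original post. The
# "dd-Mon-yyyy hh:mm:ss.mmm category: severity:" prefix is assumed to be the
# default named.log layout; the message bodies follow the shape quoted in the post.
SAMPLE_LOG = """\
20-Aug-2009 10:02:11.101 dnssec: warning: validating @0x2a8b5a0: example.org.dlv.isc.org DS: must be secure failure
21-Aug-2009 00:15:43.512 dnssec: warning: validating @0x2a8b5a0: example.org.dlv.isc.org DS: must be secure failure
21-Aug-2009 03:40:09.007 dnssec: warning: validating @0x2b11c10: test.example.net.dlv.isc.org DS: must be secure failure
21-Aug-2009 03:40:09.220 general: info: zone example.org/IN: sending notifies (serial 2009082101)
21-Aug-2009 09:55:31.333 dnssec: warning: validating @0x2a8b5a0: example.org.dlv.isc.org DS: must be secure failure
21-Aug-2009 17:12:00.000 dnssec: warning: validating @0x2a8b5a0: foo.example.com.dlv.isc.org DS: must be secure failure
22-Aug-2009 01:01:01.001 dnssec: warning: validating @0x2c00120: example.org.dlv.isc.org DS: must be secure failure
22-Aug-2009 07:07:07.777 dnssec: warning: validating @0x2c00120: foo.example.com.dlv.isc.org DS: must be secure failure
22-Aug-2009 18:18:18.181 dnssec: warning: validating @0x2c00120: example.org.dlv.isc.org DS: must be secure failure
22-Aug-2009 23:59:59.999 dnssec: warning: validating @0x2c00120: example.org.dlv.isc.org DS: must be secure failure
23-Aug-2009 04:04:04.404 dnssec: warning: validating @0x2d44000: example.org.dlv.isc.org DS: must be secure failure
"""

# Only the "DS: must be secure failure" warnings from the dnssec category are of
# interest; everything else (notifies, other severities) is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} "
    r"dnssec: warning: validating @(?P<ctx>0x[0-9a-f]+): "
    r"(?P<name>\S+) DS: must be secure failure$"
)


def parse_events(log_text):
    """Return [(timestamp, dlv_name)] for every matching warning line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
            events.append((ts, m.group("name")))
    return events


def strip_dlv(name):
    """Map 'zone.dlv.isc.org' back to the zone whose DLV record was being looked up."""
    return name[: -len(DLV_SUFFIX)] if name.endswith(DLV_SUFFIX) else name


def daily_counts(events):
    """List of (date, count) covering every day from first to last event, zero-filled."""
    if not events:
        return []
    per_day = Counter(ts.date() for ts, _ in events)
    day, last = min(per_day), max(per_day)
    out = []
    while day <= last:
        out.append((day, per_day.get(day, 0)))
        day += timedelta(days=1)
    return out


def step_changes(counts, factor=3, floor=3):
    """Flag days where the rate jumps to at least `factor` times the previous day
    (and at least `floor` events), or drops to at most 1/`factor` of a previous day
    that had at least `floor` events. Thresholds are arbitrary (assumption)."""
    changes = []
    for (_, prev), (day, cur) in zip(counts, counts[1:]):
        if cur >= floor and cur >= factor * prev:
            changes.append(("up", day))
        elif prev >= floor and cur * factor <= prev:
            changes.append(("down", day))
    return changes


def top_zones(events, n=3):
    """Most frequently affected zones, with the .dlv.isc.org suffix removed."""
    return Counter(strip_dlv(name) for _, name in events).most_common(n)


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    counts = daily_counts(events)
    for day, count in counts:
        print(f"{day}  {count:4d}")
    for direction, day in step_changes(counts):
        print(f"step {direction} on {day}")
    print("most affected zones:", top_zones(events))
```

On a real server, feed the script `named.log` instead of `SAMPLE_LOG`; if the count is dominated by one or two zones it points at a problem reaching the authoritative servers for those zones' DLV records, whereas a spread across many zones on the same days is more consistent with trouble between the resolver and the dlv.isc.org nameservers. Note that the warning alone does not say whether a client query failed; correlating the timestamps with SERVFAIL answers in the query log would be needed for that.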

