"can't validate existing negative responses (not a zone cut)" messages

Chris Thompson cet1 at cam.ac.uk
Mon Dec 6 10:52:11 UTC 2010

On Oct 3 2010, I wrote:

>Since upgrading our main recursive nameservers to BIND 9.7.2-P2 (and
>using a trust anchor for the root and lookaside via dlv.isc.org) I am
>seeing a scatter of warning messages like this:
>Oct  1 19:47:19 dnssec: warning: validating @1c29d580:
> PTR:
>  can't validate existing negative responses (not a zone cut)
>What do they mean, exactly? And should I be worrying about them?
>They all seem to refer to PTR records (not all of them for IP
>addresses in 95.101/16, but many of them are).

There were some followups, but we never got anything from ISC.

After upgrading to BIND 9.7.2-P3, they appear to have gone away, so
I presume one of the changes (maybe 2970) has fixed them.

Chris Thompson
Email: cet1 at cam.ac.uk

More information about the bind-users mailing list