"can't validate existing negative responses (not a zone cut)" messages

Mark Andrews marka at isc.org
Mon Dec 6 12:25:29 UTC 2010

In message <Prayer. at hermes-2.csi.cam.ac.uk>, Chris Thompson writes:
> On Oct 3 2010, I wrote:
> >Since upgrading our main recursive nameservers to BIND 9.7.2-P2 (and
> >using a trust anchor for the root and lookaside via dlv.isc.org) I am
> >seeing a scatter of warning messages like this:
> >
> >Oct  1 19:47:19 dnssec: warning: validating @1c29d580:
> > PTR:
> >  can't validate existing negative responses (not a zone cut)
> [...]
> >What do they mean, exactly? And should I be worrying about them?
> >They all seem to refer to PTR records (not all of them for IP
> >addresses in 95.101/16, but many of them are).
> There were some followups, but we never got anything from ISC.
> After upgrading to BIND 9.7.2-P3, they appear to have gone away, so
> I presume one of the changes (maybe 2970) has fixed them.

It would be part of change 2968.

2968.   [security]      Named could fail to prove a data set was insecure
                        before marking it as insecure.  One set of conditions
                        that can trigger this occurs naturally when rolling
                        DNSKEY algorithms.

                        CVE-2010-3614, VU#837744. [RT #22309]

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
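For operators who want to check whether these warnings persist after upgrading, here is an added example (not from the thread or from BIND itself) that tallies the "not a zone cut" warnings per record type and counts how many of the PTR owner names decode to addresses inside 95.101/16. It assumes the BIND 9.7 warning layout "validating @<addr>: <name> <type>: <message>" (the owner name is missing from the quoted post), and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed layout of the BIND 9.7 dnssec warning (the owner name between the
# validator address and the record type is missing from the quoted post):
#   <date> dnssec: warning: validating @<addr>: <name> <type>: <message>
WARN_RE = re.compile(
    r"dnssec: warning: validating @(?P<addr>[0-9a-fx]+): "
    r"(?P<name>\S+) (?P<type>[A-Z0-9]+): (?P<msg>.*)$"
)
NOT_ZONE_CUT = "can't validate existing negative responses (not a zone cut)"


def reverse_name_to_ip(name):
    """Turn an in-addr.arpa owner name back into an IPv4 address, or None."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.ip_address(".".join(reversed(labels[:4])))
    except ValueError:
        return None


def summarise(lines, prefix="95.101.0.0/16"):
    """Count 'not a zone cut' warnings per record type and how many of the
    affected reverse names fall inside the given prefix (helper written for
    this example, not part of BIND)."""
    net = ipaddress.ip_network(prefix)
    by_type = Counter()
    in_prefix = 0
    for line in lines:
        m = WARN_RE.search(line)
        if not m or m.group("msg") != NOT_ZONE_CUT:
            continue
        by_type[m.group("type")] += 1
        ip = reverse_name_to_ip(m.group("name"))
        if ip is not None and ip in net:
            in_prefix += 1
    return by_type, in_prefix


# Constructed sample lines in the assumed layout (not real log output).
SAMPLE = [
    "Oct  1 19:47:19 dnssec: warning: validating @1c29d580: 7.3.101.95.in-addr.arpa PTR: can't validate existing negative responses (not a zone cut)",
    "Oct  1 19:47:20 dnssec: warning: validating @1c29d580: 9.8.0.10.in-addr.arpa PTR: can't validate existing negative responses (not a zone cut)",
    "Oct  1 19:47:21 dnssec: warning: validating @1c29d580: example.com. A: no valid signature found",
    "Oct  1 19:47:22 named[1234]: zone example.org/IN: loaded serial 42",
]

if __name__ == "__main__":
    by_type, in_prefix = summarise(SAMPLE)
    print(dict(by_type), in_prefix)  # {'PTR': 2} 1
```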
