. SOA: got insecure response

Alexander Gall gall at switch.ch
Wed Jul 21 08:02:45 UTC 2010


On Wed, 21 Jul 2010 09:20:21 +0200, Gilles Massen <gilles.massen at restena.lu> said:

> Hello,
> Since enabling the root TA in my resolver, I keep seeing from time to time:

> 21-Jul-2010 08:52:27.929 dnssec: debug 3:   validating @0x134fe7e8: .
> SOA: attempting insecurity proof
> 21-Jul-2010 08:52:27.929 dnssec: debug 3:   validating @0x134fe7e8: .
> SOA: insecurity proof failed
> 21-Jul-2010 08:52:27.929 dnssec: info:   validating @0x134fe7e8: . SOA:
> got insecure response; parent indicates it should be secure

I've seen this for various top-level domains for which I have trust
anchors configured as well. I could never track this down either, but I
suspect it has nothing to do with the authoritative servers.

-- 
Alex

> Otherwise validation just works fine and mostly I see these:
> validating @0x134fe7e8: . SOA: marking as secure, noqname proof not needed

> Following an earlier comment on this list by Mark Andrews (
> http://www.mail-archive.com/bind-users@lists.isc.org/msg04276.html )
> I've checked the answers given by the 13 root instances (ipv4 and 6),
> and all answer to "dig . soa +dnssec" just fine.

> Trying to capture . SOA queries from the resolver (by a crude
> tcpdump/grep) failed to show something useful.

> Any idea what could be the reason for these messages, and how to
> confirm/retrace the events that lead to such messages? Could it be that
> lame auth server with a local (unsigned) copy of the root zone triggers
> this?

> best regards,
> Gilles

> -- 
> Fondation RESTENA - DNS-LU
> 6, rue Coudenhove-Kalergi
> L-1359 Luxembourg
> tel: (+352) 424409
> fax: (+352) 422473




