. SOA: got insecure response
Gilles Massen
gilles.massen at restena.lu
Fri Jul 23 13:23:24 UTC 2010
Finally I caught one query/server that produces the ". SOA: got insecure
response; parent indicates it should be secure" log each time:
"dig @ns ladeco.com. MX" does this every time, where ns runs bind
9.7.1-P2, with only the root TA configured.
The server serving that domain returns not exactly RFC-compliant answers:

; <<>> DiG 9.5.0-P2 <<>> @b.gtld-servers.net ladeco.com mx

;; QUESTION SECTION:
;ladeco.com. IN MX

;; AUTHORITY SECTION:
ladeco.com. 172800 IN NS not-renewed.joker.com.

;; ADDITIONAL SECTION:
not-renewed.joker.com. 172800 IN A 194.176.0.3

<<>> DiG 9.5.0-P2 <<>> @194.176.0.3 ladeco.com. MX
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4159
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ladeco.com. IN MX

;; AUTHORITY SECTION:
. 2560 IN SOA nxdomain.nrw.net. hostmaster. 1279119397 16384 2048 1048576 2560

;; Query time: 22 msec
;; SERVER: 194.176.0.3#53(194.176.0.3)
;; WHEN: Fri Jul 23 15:17:33 2010
;; MSG SIZE rcvd: 89

So bind is right in complaining, but the message is a bit misleading,
insofar as it suggests a more serious issue. What I don't quite
understand is why that obviously rubbish authority section is not
discarded before it even comes near the validator?
Gilles
--
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473
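
The answer quoted in the post carries an SOA owned by the root although the referral delegated only ladeco.com, which is a bailiwick violation. As an added example (not part of the original post and not BIND's own code), the Python below classifies SOA/NS owner names in dig-style output against the delegated zone; `check_negative_answer`, `zone_cut` and the sample records are assumptions constructed for illustration.

```python
# Added example: bailiwick check on the AUTHORITY section (hypothetical helper names).

def labels(name):
    """Split a domain name into lower-cased labels; the root "." becomes []."""
    return [part.lower() for part in name.rstrip(".").split(".") if part]

def is_subdomain(name, parent):
    """True if name equals parent or lies below it in the DNS tree."""
    n, p = labels(name), labels(parent)
    return len(n) >= len(p) and n[len(n) - len(p):] == p

def parse_authority(dig_text):
    """Return (owner, rrtype) pairs from the AUTHORITY section of dig output."""
    records, in_auth = [], False
    for line in dig_text.splitlines():
        if line.startswith(";; AUTHORITY SECTION"):
            in_auth = True
        elif line.startswith(";;") or not line.strip():
            in_auth = False
        elif in_auth:
            fields = line.split()
            if len(fields) >= 4 and fields[2] == "IN":
                records.append((fields[0], fields[3]))
    return records

def check_negative_answer(qname, zone_cut, dig_text):
    """Classify each SOA/NS owner against the delegation that was followed."""
    findings = []
    for owner, rrtype in parse_authority(dig_text):
        if rrtype not in ("SOA", "NS"):
            continue
        if not is_subdomain(qname, owner):
            verdict = "unrelated"          # owner is not an ancestor of qname
        elif not is_subdomain(owner, zone_cut):
            verdict = "out-of-bailiwick"   # zone above the delegation point
        else:
            verdict = "ok"
        findings.append((owner, rrtype, verdict))
    return findings

# Constructed samples: the first mirrors the quoted answer, the second is in-zone.
SAMPLE_BAD = """;; AUTHORITY SECTION:
. 2560 IN SOA nxdomain.nrw.net. hostmaster. 1279119397 16384 2048 1048576 2560
"""
SAMPLE_OK = """;; AUTHORITY SECTION:
ladeco.com. 2560 IN SOA ns.example. hostmaster.example. 1 3600 600 86400 2560
"""
if __name__ == "__main__":
    print([check_negative_answer("ladeco.com.", "ladeco.com.", s)
           for s in (SAMPLE_BAD, SAMPLE_OK)])
```

The root SOA is an ancestor of the query name, so a check that only asks "is the owner above the qname" would accept it; comparing against the delegation point is what flags it.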
More information about the bind-users mailing list