Trouble with host and DNSSEC

Casey Deccio casey at deccio.net
Wed Sep 15 15:05:53 UTC 2010


On Wed, Sep 15, 2010 at 7:34 AM, Timothy Holtzen <tah at nebrwesleyan.edu> wrote:
>  I am having trouble resolving the host name cod.ed.gov which I believe
> may be dnssec related

...

> in my logs I am getting the messages:
>
> validating @0x2ab727eb5810: cod.ed.gov A: got insecure response; parent
> indicates it should be secure
> dnssec: info: validating @0x2ab727eb5810: cod.ed.gov A: got insecure
> response; parent indicates it should be secure
> error (insecurity proof failed) resolving 'cod.ed.gov/A/IN': 63.150.74.34#53
>

There are DS RRs for cod.ed.gov in the parent zone (ed.gov),
indicating that cod.ed.gov should be signed with a DNSKEY
corresponding to the existing DS RR.  However, cod.ed.gov is not
signed, particularly not with the DNSKEY corresponding to the DS RR,
which DNSKEY doesn't seem to exist in the zone at all.
http://dnsviz.net/d/cod.ed.gov/dnssec/

To remedy the issue, the ed.gov administrators should remove the DS RR
for cod.ed.gov from the ed.gov zone, which will make cod.ed.gov an
insecure delegation (meaning that it can continue to be unsigned).  If
desired, the zone can then be re-signed, and the appropriate DS RRs
added to the parent.

I can send them a note off-list.

Regards,
Casey
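
The DS-to-DNSKEY consistency check described in this message, as an added example that is not part of the original post and is not BIND's code: it computes key tags and DS digests as RFC 4034 specifies and classifies a delegation from the parent's DS set and the child's DNSKEY set. The zone name, key bytes and the status labels ("insecure", "chained", "bogus") are assumptions made for illustration, and RRSIG validation is out of scope.

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Canonical (lowercased) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B (algorithm 1 excluded)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire form | DNSKEY RDATA), as hex."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()

def delegation_status(owner, parent_ds, child_dnskeys):
    """parent_ds: (key_tag, algorithm, digest_type, hex_digest) tuples from the parent.
    child_dnskeys: DNSKEY RDATA byte strings served by the child zone."""
    if not parent_ds:
        return "insecure"   # no DS: the child may legitimately be unsigned
    for tag, alg, dtype, digest in parent_ds:
        for rdata in child_dnskeys:
            if (dtype in DIGESTS and key_tag(rdata) == tag and rdata[3] == alg
                    and ds_digest(owner, rdata, dtype) == digest.lower()):
                return "chained"  # DS matches a DNSKEY; RRSIG checks not done here
    return "bogus"          # DS present but no matching DNSKEY: validators fail

if __name__ == "__main__":
    # Constructed sample data: a made-up zone name and key, not real records.
    zone = "child.example."
    ksk = dnskey_rdata(257, 3, 8, bytes(range(64)))
    ds = (key_tag(ksk), 8, 2, ds_digest(zone, ksk, 2))
    print(delegation_status(zone, [ds], [ksk]))  # DS and DNSKEY agree
    print(delegation_status(zone, [ds], []))     # the situation in this thread
    print(delegation_status(zone, [], []))       # after the DS is removed
```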


