Trouble with host and DNSSEC

Timothy Holtzen tah at
Wed Sep 15 16:19:19 UTC 2010

Thanks Casey!
The link to also explains part of why I was getting
confused.  It appears that there are not any DS records at the root
(yet?) for the .gov level.  This explains why when I did a dig with
+sigchase +topdown options it was failing to validate way earlier in the
chain.  I was only using the root trusted key in my /etc/trusted-key.key
file for dig while the server itself is using DLV to validate down the
chain until it gets to the missing DNSKEY record.

On 09/15/2010 10:05 AM, Casey Deccio wrote:
> On Wed, Sep 15, 2010 at 7:34 AM, Timothy Holtzen <tah at> wrote:
>>  I am having trouble resolving the host name which I believe
>> may be dnssec related
> ...
>> in my logs I am getting the messages:
>> validating @0x2ab727eb5810: A: got insecure response; parent
>> indicates it should be secure
>> dnssec: info: validating @0x2ab727eb5810: A: got insecure
>> response; parent indicates it should be secure
>> error (insecurity proof failed) resolving '':
> There are DS RRs for in the parent zone (,
> indicating that should be signed with a DNSKEY
> corresponding to the existing DS RR.  However, is not
> signed, particularly not with the DNSKEY corresponding to the DS RR,
> which DNSKEY doesn't seem to exist in the zone at all.
> To remedy the issue, the administrators should remove the DS RR
> for from the zone, which will make an
> insecure delegation (meaning that it can continue to be unsigned).  If
> desired, the zone can then be resigned, and the appropriate DS RRs
> added to the parent.
> I can send them a note off-list.
> Regards,
> Casey

Timothy A. Holtzen
Campus Network Administrator
Nebraska Wesleyan University
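
The condition diagnosed in the quoted reply (DS RRs in the parent, no corresponding DNSKEY in the child) and the effect of removing the DS, as an added example that is not part of the original thread. The zone name, key bytes and function names are constructed placeholders; only DS digest types 1 and 2 are handled, and RRSIG verification is out of scope.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lower-cased) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """(key tag, algorithm, digest type, digest) for one DNSKEY."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def delegation_status(owner, parent_ds, child_dnskeys):
    """Classify a delegation from the parent's DS set and the child's DNSKEYs."""
    if not parent_ds:
        return "insecure"    # no DS: the child zone may stay unsigned
    for ds in parent_ds:
        for rdata in child_dnskeys:
            if ds[2] in (1, 2) and make_ds(owner, rdata, ds[2]) == ds:
                return "ds-matched"  # RRSIG checks (not done here) come next
    return "bogus"           # DS promises a key the child does not publish

# Constructed sample data: placeholder zone name and a dummy 64-byte key.
ZONE = "example.test."
KSK = dnskey_rdata(257, 3, 8, bytes(range(64)))
DS = make_ds(ZONE, KSK)

if __name__ == "__main__":
    print("DS in parent, no DNSKEY in child:", delegation_status(ZONE, [DS], []))
    print("DS removed from parent:          ", delegation_status(ZONE, [], []))
    print("DS and matching DNSKEY present:  ", delegation_status(ZONE, [DS], [KSK]))
```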
