Querying directly a nameserver works, while forwarding not

Hauke Lampe lampe at hauke-lampe.de
Wed Dec 5 17:29:22 UTC 2012

On 05.12.2012 14:59, Daniele Imbrogino wrote:

> resolv.conf contains only as nameserver.
> The syslog contains a lot of errors as "insecurity proof failed", "no valid
> RRSIG", "got insecure response" that I don't understand.

Your forwarder probably doesn't handle DNSSEC responses well. Therefore 
your BIND cannot validate the answers and returns a failure code.

Either update the forwarder/enable DNSSEC (older versions of BIND 9 
require "dnssec-enable yes;" in the options clause), or disable DNSSEC 
validation in your local BIND (set "dnssec-validation no;").


More information about the bind-users mailing list