Querying directly a nameserver works, while forwarding not

Hauke Lampe lampe at hauke-lampe.de
Wed Dec 5 17:29:22 UTC 2012


On 05.12.2012 14:59, Daniele Imbrogino wrote:

> resolv.conf contains only 127.0.0.1 as nameserver.
>
> The syslog contains a lot of errors as "insecurity proof failed", "no valid
> RRSIG", "got insecure response" that I don't understand.

Your forwarder probably doesn't handle DNSSEC responses well. Therefore 
your BIND cannot validate the answers and returns a failure code.

Either update the forwarder/enable DNSSEC (older versions of BIND 9 
require "dnssec-enable yes;" in the options clause), or disable DNSSEC 
validation in your local BIND (set "dnssec-validation no;").



Hauke
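The following is an added example, not part of the message above or of BIND itself: a small triage script that groups the quoted syslog errors by the upstream server named in each line, to check whether every DNSSEC failure traces back to the forwarder. The log lines, addresses and the `triage` helper are constructed for illustration, and the line format is assumed to match what named writes on your version.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines shaped like named's syslog output; hosts, names and
# addresses (documentation ranges) are made up for this example.
SAMPLE_LOG = """\
Dec  5 14:40:01 host named[2211]: error (insecurity proof failed) resolving 'example.org/A/IN': 192.0.2.53#53
Dec  5 14:40:01 host named[2211]: error (no valid RRSIG) resolving 'org/DS/IN': 192.0.2.53#53
Dec  5 14:40:02 host named[2211]: validating @0x7f3a1c0: example.org A: got insecure response; parent indicates it should be secure
Dec  5 14:40:03 host named[2211]: error (no valid RRSIG) resolving 'example.net/AAAA/IN': 192.0.2.53#53
Dec  5 14:40:04 host named[2211]: error (connection refused) resolving 'example.com/A/IN': 198.51.100.7#53
"""

# The three validator messages quoted in the thread.
DNSSEC_REASONS = ("insecurity proof failed", "no valid RRSIG", "got insecure response")

# "error (<reason>) resolving '<name>/<type>/<class>': <server>#<port>"
RESOLVE_RE = re.compile(
    r"error \((?P<reason>[^)]+)\) resolving '[^']+': (?P<server>[0-9A-Fa-f.:]+)#\d+")


def dnssec_failures_by_server(log_text):
    """Map each upstream server address to a Counter of DNSSEC failure reasons."""
    per_server = defaultdict(Counter)
    for line in log_text.splitlines():
        m = RESOLVE_RE.search(line)
        if m and m.group("reason") in DNSSEC_REASONS:
            per_server[m.group("server")][m.group("reason")] += 1
    return dict(per_server)


def triage(log_text, forwarders):
    """Summarise DNSSEC failures and say whether they all trace to the forwarders."""
    by_server = dnssec_failures_by_server(log_text)
    via_fwd = sum(sum(c.values()) for s, c in by_server.items() if s in forwarders)
    elsewhere = sum(sum(c.values()) for s, c in by_server.items() if s not in forwarders)
    # Validator lines carry no server address, so they are only counted.
    validator = sum("got insecure response" in l for l in log_text.splitlines())
    return {"via_forwarders": via_fwd, "elsewhere": elsewhere,
            "validator_lines": validator,
            "forwarder_suspect": via_fwd > 0 and elsewhere == 0}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, forwarders={"192.0.2.53"}))
```

If `forwarder_suspect` is true, the failures are consistent with a forwarder that does not pass DNSSEC records through, which is the case the reply describes.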



