can't validate existing negative responses (no DS)

Lawrence K. Chen, P.Eng. lkchen at ksu.edu
Wed Apr 2 20:08:19 UTC 2014



On 04/01/14 19:49, Lawrence K. Chen, P.Eng. wrote:
> Having problems with a particular insecure delegation (most are) from our zone
> file, that is only not working for local users (our caching resolvers running
> BIND 9.9.4-P2 or 9.9.5)
> 
> But everybody else reports it's working....it's working from my other location
> (FWIW, is the base bind for FreeBSD 9.2 - 9.8.4-P2?)
> 
> Can't think of an easy way to tell if it's BIND or geography....
> 
> In dnssec.log, I'm seeing messages of:
> 
> validating @0x8063a2700: click.mail.nacada.ksu.edu A: can't validate existing
> negative responses (no DS)
> validating @0x8089d9800: click.mail.nacada.ksu.edu A: can't validate existing
> negative responses (no DS)
> validating @0x80abc9500: click.mail.nacada.ksu.edu A: can't validate existing
> negative responses (no DS)
> validating @0x8063a2700: click.mail.nacada.ksu.edu A: can't validate existing
> negative responses (no DS)
> validating @0x8089d9800: click.mail.nacada.ksu.edu A: can't validate existing
> negative responses (no DS)
> 
> Flushing the cache or restarting doesn't help.
> 

So, digging into things....I turned up trace.  On my 9.9.4-P2 server:

http://pastebin.com/sQKHe15p

On my FreeBSD 9.2 system at home:

http://pastebin.com/JjQMG9CQ

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally

