Insecurity proof failed resolving newsletter.postbank.de - but why?

Mon Jan 20 12:09:52 UTC 2014

Hi List,

I'm seeing a dnssec validation error that I can't pin down, for the 
domain: newsletter.postbank.de.

Neither of http://dnsviz.net/ and 
http://dnssec-debugger.verisignlabs.com/ report finding a problem, but 
two (ubuntu packaged) versions of bind report a failure validating the 
delegation as intentionally insecure.

I've tried versions:

BIND 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1.1 
(Extended Support Version) <id:d8a6fe8b> built with '--prefix=/usr' 
'--mandir=/usr/share/man' '--infodir=/usr/share/info' 
'--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' 
'--enable-largefile' '--with-libtool' '--enable-shared' 
'--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' 
'--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' 
'--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
using libxml2 version: 2.9.1

and

BIND 9.8.1-P1 built with '--prefix=/usr' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--sysconfdir=/etc/bind' 
'--localstatedir=/var' '--enable-threads' '--enable-largefile' 
'--with-libtool' '--enable-shared' '--enable-static' 
'--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' 
'--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing 
-DDIG_SIGCHASE -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro' 
'CPPFLAGS=-D_FORTIFY_SOURCE=2'
using OpenSSL version: OpenSSL 1.0.1 14 Mar 2012
using libxml2 version: 2.7.8

Running with -g 2 (on v9.9.3), I see:

==

20-Jan-2014 11:58:43.779 createfetch: newsletter.postbank.de SOA
20-Jan-2014 11:58:43.780 createfetch: . NS
20-Jan-2014 11:58:43.817 decrement_reference: delete from rbt: 
0x7ff58b51f010 .
20-Jan-2014 11:58:43.817 decrement_reference: delete from rbt: 
0x7ff58b520010 a.root-servers.net
20-Jan-2014 11:58:43.817 decrement_reference: delete from rbt: 
0x7ff58b520010 b.root-servers.net
20-Jan-2014 11:58:43.818 decrement_reference: delete from rbt: 
0x7ff58b520010 c.root-servers.net
20-Jan-2014 11:58:43.818 decrement_reference: delete from rbt: 
0x7ff58b520010 d.root-servers.net
20-Jan-2014 11:58:43.818 decrement_reference: delete from rbt: 
0x7ff58b520010 e.root-servers.net
20-Jan-2014 11:58:43.818 decrement_reference: delete from rbt: 
0x7ff58b520010 f.root-servers.net
20-Jan-2014 11:58:43.818 decrement_reference: delete from rbt: 
0x7ff58b520010 g.root-servers.net
20-Jan-2014 11:58:43.818 decrement_reference: delete from rbt: 
0x7ff58b520010 h.root-servers.net
20-Jan-2014 11:58:43.818 decrement_reference: delete from rbt: 
0x7ff58b520010 i.root-servers.net
20-Jan-2014 11:58:43.818 decrement_reference: delete from rbt: 
0x7ff58b520010 j.root-servers.net
20-Jan-2014 11:58:43.818 decrement_reference: delete from rbt: 
0x7ff58b520010 k.root-servers.net
20-Jan-2014 11:58:43.818 decrement_reference: delete from rbt: 
0x7ff58b520010 l.root-servers.net
20-Jan-2014 11:58:43.818 decrement_reference: delete from rbt: 
0x7ff58b520010 m.root-servers.net
20-Jan-2014 11:58:43.819 createfetch: . DNSKEY
20-Jan-2014 11:58:43.881 createfetch: ns1.ecircle.de A
20-Jan-2014 11:58:43.882 createfetch: ns1.ecircle.de AAAA
20-Jan-2014 11:58:43.882 createfetch: ns2.ecircle.de A
20-Jan-2014 11:58:43.882 createfetch: ns2.ecircle.de AAAA
20-Jan-2014 11:58:43.905 createfetch: ns3.ecircle.com A
20-Jan-2014 11:58:43.905 createfetch: ns3.ecircle.com AAAA
20-Jan-2014 11:58:43.938 decrement_reference: delete from rbt: 
0x7ff58b52c010 ns3.ecircle.com
20-Jan-2014 11:58:43.939 decrement_reference: delete from rbt: 
0x7ff58b52c010 ns3.ecircle.com
20-Jan-2014 11:58:43.943 decrement_reference: delete from rbt: 
0x7ff58b52c010 ns3.ecircle.com
20-Jan-2014 11:58:43.974 decrement_reference: delete from rbt: 
0x7ff58b52c010 ns3.ecircle.com
20-Jan-2014 11:58:43.974 createfetch: de DS
20-Jan-2014 11:58:44.120 createfetch: postbank.de DS
20-Jan-2014 11:58:44.244 createfetch: de DNSKEY
20-Jan-2014 11:58:44.270 createfetch: newsletter.postbank.de DS
20-Jan-2014 11:58:44.307 createfetch: postbank.de DNSKEY
20-Jan-2014 11:58:44.341 error (insecurity proof failed) resolving 
'newsletter.postbank.de/SOA/IN': 2a01:4f8:140:3482::3#53
20-Jan-2014 11:58:44.373 validating @0x7ff57c017bf0: 
newsletter.postbank.de SOA: got insecure response; parent indicates it 
should be secure
20-Jan-2014 11:58:44.373 error (insecurity proof failed) resolving 
'newsletter.postbank.de/SOA/IN': 195.140.184.21#53
20-Jan-2014 11:58:44.409 validating @0x7ff57c007f00: 
newsletter.postbank.de SOA: got insecure response; parent indicates it 
should be secure
20-Jan-2014 11:58:44.409 error (insecurity proof failed) resolving 
'newsletter.postbank.de/SOA/IN': 46.4.73.157#53
20-Jan-2014 11:58:44.410 client ::1#55009 (newsletter.postbank.de): 
query failed (SERVFAIL) for newsletter.postbank.de/IN/SOA at query.c:7406
20-Jan-2014 11:58:44.410 fetch completed at resolver.c:3044 for 
newsletter.postbank.de/SOA in 0.629817: failure/insecurity proof failed 
[domain:newsletter.postbank.de,referral:3,restart:3,qrysent:3,timeout:0,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:3]

==

But why has the insecurity proof failed (and am I misreading dnsviz & 
co.'s output?)

(I'm not related to the domain in question)

thanks,

Graham