Strange log messages

Tony Finch dot at
Wed Apr 22 10:27:27 UTC 2020

Lars Kollstedt <lk at> wrote:
> what do the following messages in loose combination mean?:
> Apr 22 09:23:01 resolver1 named[1201]:   validating got insecure
> response; parent indicates it should be secure

This means there is a DS record for in the .arpa zone, but there
were no RRSIG records in the response to the SOA query.

> I'm seeing this on all our resolvers and for a longer time already. The BIND
> version I am running is currently 1:9.11.3+dfsg-1ubuntu1.11.

This might be an instance of a bug that Mark mentioned last week:

Older versions of BIND can fall back to non-DNSSEC queries for DNSSEC
zones. This can be more common if there is network disruption (I don't
know if the CenturyLink fibre cut issues have been resolved yet...)

f.anthony.n.finch  <dot at>
German Bight, Humber: East or northeast 4 or 5, occasionally 6 at first.
Moderate. Fair. Good.

More information about the bind-users mailing list