Strange log messages
dot at dotat.at
Wed Apr 22 10:27:27 UTC 2020
Lars Kollstedt <lk at man-da.de> wrote:
> what do the following messages in loose combination mean?:
> Apr 22 09:23:01 resolver1 named: validating ip6.arpa/SOA: got insecure
> response; parent indicates it should be secure
This means there is a DS record for ip6.arpa in the .arpa zone, but there
were no RRSIG records in the response to the ip6.arpa SOA query.
> I'm seeing this on all our resolvers and for a longer time already. The BIND
> version I am running is currently 1:9.11.3+dfsg-1ubuntu1.11.
This might be an instance of a bug that Mark mentioned last week:
Older versions of BIND can fall back to non-DNSSEC queries for DNSSEC
zones. This can be more common if there is network disruption (I don't
know if the CenturyLink fibre cut issues have been resolved yet...)
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
German Bight, Humber: East or northeast 4 or 5, occasionally 6 at first.
Moderate. Fair. Good.
More information about the bind-users