dnssec bad cache hit error for bind9.16.13

Sakuma, Koshiro bravo.echo.one at gmail.com
Fri Apr 2 05:24:47 UTC 2021

Hello Team;

I've just finished setup for bind9.16.13 from scratch (source).  But I got
error when I checked with bind function with "dig" command.   The error I
got was as below.

1. dig result;
; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8_3.1 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: *SERVFAIL,* id: 17070
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

2. named.log
There are many bad cache hit logs.
dnssec: view internal:   validating nikkei225jp.com/SOA: bad cache hit

I tried to dig out for this issue, I found one thing that disable
dnssec-validation option.
After changing, the issue had been fixed.  However, I'm wondering if I can
disable this option for security reason.  Or there is another solution??

Thank you for your support!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20210402/d93fd579/attachment.htm>

More information about the bind-users mailing list