In message <alpine.lfd.2.01.0911191304100.24...@maplepark.com>, David Forrest writes:
> Logged: 
> Nov 19 12:13:45 maplepark named[23329]:   validating @0x17b7980: 
> dlv.isc.org SOA: got insecure response; parent indicates it should be 
> secure
> 
> What does this mean?

It means named fell back to making a plain DNS query due to multiple
timeouts, or getting a SERVFAIL response to the EDNS queries, or
something stripped out the RRSIGs or there was an attempt to poison
the cache.  The validator then rejected the answer as it knew it
should be getting a secure response.  In most cases named will re-do
the query and get a good answer unless there is a configuration failure.

Unfortunately there are nameservers that don't respond to EDNS
queries.  There are also firewalls that block DNS/UDP responses
bigger than 512 bytes or block EDNS queries/responses 10 years after the
introduction of EDNS.  There is also middleware that blocks/drops
DNS/UDP responses that are fragmented.  All of these things result
in DNS lookups timing out which is indistinguishable from plain
packet loss.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
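
The conditions named in the reply above (an EDNS query, RRSIGs missing from the answer, responses over 512 bytes) can be seen at wire level. The following is an added example, not part of the original message and not BIND code; the function names and the sample reply bytes are constructed for illustration.

```python
import struct

SOA, OPT, RRSIG = 6, 41, 46

def build_query(name, qtype=SOA, bufsize=4096, do=True, qid=0x1234):
    """Query with an EDNS0 OPT record; the DO bit asks for RRSIGs."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    header = struct.pack("!6H", qid, 0, 1, 0, 0, 1)   # 1 question, 1 additional
    # OPT RR: root owner, CLASS = UDP payload size, TTL carries the DO flag
    opt = b"\x00" + struct.pack("!HHIH", OPT, bufsize, 0x8000 if do else 0, 0)
    return header + qname + struct.pack("!2H", qtype, 1) + opt

def _skip_name(msg, off):
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:        # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def inspect_message(msg):
    """Properties of a DNS message that decide whether a validator can use it."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, rrs = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for i in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rrs.append((i, rtype, ttl))
        off += 10 + rdlen
    return {
        "rcode": flags & 0xF,                              # 2 is SERVFAIL
        "edns": any(t == OPT for _, t, _ in rrs),
        "do": any(t == OPT and ttl & 0x8000 for _, t, ttl in rrs),
        "rrsig_in_answer": any(t == RRSIG for i, t, _ in rrs if i < an),
        "over_512": len(msg) > 512,
    }

def constructed_response(query, rrsig=True, edns=True):
    """Constructed sample reply with placeholder RDATA (not real zone data)."""
    rr = lambda t: b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 3600, 4) + bytes(4)
    answers = [rr(SOA)] + ([rr(RRSIG)] if rrsig else [])
    header = query[:2] + struct.pack("!5H", 0x8000, 1, len(answers), 0, int(edns))
    return (header + query[12:-11] + b"".join(answers)  # question copied from query
            + (query[-11:] if edns else b""))           # 11-byte OPT echoed back
```

A reply with `edns` false corresponds to the plain DNS fallback case, and one with `edns` true but `rrsig_in_answer` false corresponds to the stripped RRSIG case; in both the answer carries no signatures to validate.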
