Answers for www.dnssec-failed.org with dnssec-validation auto;

2024-04-16 Thread John Thurston
I'm seeing strange behavior with a BIND 9.18.24 resolver and dnssec-failed.org. With no dnssec-validation line (or with "dnssec-validation auto") in the .conf, querying for www.dnssec-failed.org returns SERVFAIL, as expected . . until it doesn't. After several seconds of answering SERVFAIL, I

Re: "bad cache-hit" or "bad-cache hit"

2024-04-16 Thread Mark Andrews
It's a hold down cache on bad lookups. The timeout is 10 minutes. To prove whether a zone is secure or not, DS records at delegations in the chain are looked up. Sometimes that fails. This cache records that failure. -- Mark Andrews > On 17 Apr 2024, at 07:03, John Thurston wrote:

"bad cache-hit" or "bad-cache hit"

2024-04-16 Thread John Thurston
Looking in my logs today, I found a confusing line:

    validating cran.rproject.org/SOA: bad cache hit (rproject.org/DS)

I was trying to figure out what was wrong with my cache, and how BIND might be able to determine that a cache hit is bad. To do that, it would need to retrieve the current