I'm seeing strange behavior with a BIND 9.18.24 resolver and
dnssec-failed.org.
With no dnssec-validation line (or with "dnssec-validation auto") in the
.conf, querying for www.dnssec-failed.org returns SERVFAIL, as expected
... until it doesn't. After several seconds of answering SERVFAIL, I
It's a hold-down cache on bad lookups. The timeout is 10 minutes. To prove
whether a zone is secure or not, DS records at delegations in the chain are
looked up. Sometimes that fails. This cache records that failure.
--
Mark Andrews
> On 17 Apr 2024, at 07:03, John Thurston wrote:
Looking in my logs today, I found a confusing line:
validating cran.rproject.org/SOA: bad cache hit (rproject.org/DS)
I was trying to figure out what was wrong with my cache, and how BIND
might be able to determine that a cache hit is bad. To do that, it would
need to retrieve the current